Spring Security 3 specify multiple intercept-url access roles

Question

I am trying to setup Spring 3 security using JDBC auth. Everything is working fine apart from when I try to specify multiple access roles to an intercept-url. Eg I want anyone w

Answer 1

I had the same issue but used expressions to get around this issue:

You should embed

use-expressions="true"

in your existing config. So:

<security:http auto-config="true" access-denied-page="/denied.jsp" >

becomes

<security:http auto-config="true" access-denied-page="/denied.jsp" use-expressions="true">

And then:

<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />

Answer 2

I am not sure about this problem, actually I am using it currently in my project and don't see an issue. try removing the space after the "," I mean try using ROLE_USER,ROLE_ADMIN

Answer 3

I decided to downgrade to Spring Security 2.0.5 without changing anything else to check whether this was a bug in 3, and lo-and-behold it was!

I think I also found a related open bug here - https://jira.springsource.org/browse/SEC-1342

Solution - use 2.0.5 if want to use this feature.

Answer 4

I had the same problem when was trying to migrate from Spring 3.x to 4.x. Finally I found that parameter "use-expressions" of "http" tag became "true" by default in Spring 4.x instead of false (as it was in old versions).

P.S. This question is very old for now, but I found this in Google. So somebody else can find it too and this info might be useful then.

Answer 5

I had the same problem and found the answer here.
Use that line to grant access to user with both roles:
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')" />
If you want to grant access to user with one of the listed roles, use:
<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />

Also, you need to add ability to use SpEL in your security *.xml, add use-expressions="true" to <http> tag.