Skip to content

mvcMatchers().hasAuthority() denies an access even when a user has an authority #6948

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
php-coder opened this issue Jun 3, 2019 · 3 comments
Closed

mvcMatchers().hasAuthority() denies an access even when a user has an authority #6948

php-coder opened this issue Jun 3, 2019 · 3 comments
Assignees
@fhanik
Labels
status: invalid An issue that we don't feel is valid

Comments

@php-coder
Copy link
Contributor

php-coder commented Jun 3, 2019
edited
Loading

Summary

.mvcMatchers("/collection/{slug}/estimation").hasAuthority("ADD_SERIES_PRICE") should always give an access to a user with ADD_SERIES_PRICE authority.

But I see that the user has access to one page and doesn't have to another:

URL have access?
/collection/admin/estimation Yes
/collection/paid/estimation No

Actual Behavior

User with permission doesn't have access to a page whilst this page matches the pattern.

Expected Behavior

User with permission should have access to a page that matches the pattern.

Note that the behavior is correct when URL-pattern in the rule doesn't have path variables. For instance:
.mvcMatchers("/collection/estimation").hasAuthority("ADD_SERIES_PRICE")
works as expected.

Configuration

See https://github.com/php-coder/mystamps/blob/bc3fe55ea8748c0231f45e6f403419e6b0a02df8/src/main/java/ru/mystamps/web/support/spring/security/SecurityConfig.java#L71-L132

Version

  • Spring Security 4.2.12.RELEASE
  • Spring Framework 4.3.24.RELEASE
  • Spring Boot 1.5.21.RELEASE

Sample

http
  .authorizeRequests()
    .mvcMatchers("/collection/{slug}/estimation").hasAuthority("ADD_SERIES_PRICE")

Steps to reproduce

  • clone the repo
$ git clone https://github.com/php-coder/mystamps
$ cd mystamps
$ git checkout bc3fe55ea8748c0231f45e6f403419e6b0a02df8
$ mvn spring-boot:run
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 3, 2019
@fhanik
Copy link
Contributor

fhanik commented Jun 4, 2019
edited
Loading

I've simplified the code down to only have the actual matcher we're talking about present.

https://github.com/fhanik/spring-security-community/tree/master/samples/spring-sec-iss-6948

I'm unable to reproduce the issue. I also did downgrade to your versions of Spring Boot and Spring Security

Can you take a look at my sample and see if you can reproduce the behavior?

@fhanik fhanik added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 4, 2019
@fhanik fhanik self-assigned this Jun 4, 2019
@fhanik
Copy link
Contributor

fhanik commented Jun 4, 2019
edited
Loading

I debugged your code, and found that this expression is being invoked.

And that is used by a @PreAuthorize that is invoked from here

Please reopen if you still believe it's a bug.

@fhanik fhanik closed this as completed Jun 4, 2019
@php-coder
Copy link
Contributor Author

@fhanik Thank you, Filip, for debugging the code!!

I'm so sorry that you had to do it and I missed the bug in my own code :( I've totally forgot about this check.

@rwinch rwinch added status: invalid An issue that we don't feel is valid and removed status: waiting-for-feedback We need additional information before we can continue labels Jun 4, 2019
@php-coder php-coder mentioned this issue Jun 15, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fhanik fhanik

Labels
status: invalid An issue that we don't feel is valid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@php-coder @rwinch @fhanik @spring-projects-issues