Java Technology

Spring Security – Access Denied SpEL Changes

If you use Spring Security to lock down a web application and your access rules use the hasAnyRole or hasAnyAuthority expressions, you are likely passing a comma-separated list of roles or authorities. If you upgrade to Spring Framework 5.3.13 or higher, your roles will no longer parse correctly when the entire comma-separated list is wrapped in a single pair of quotes.

For example, this works with Spring Framework 5.3.12 and lower:

 <intercept-url pattern="/account/**" access="hasAnyRole('ROLE_ADMIN,ROLE_WEB_SITE_USER')" requires-channel="${requires-channel}"/>

After upgrading to Spring Framework 5.3.13 or higher, you will need to change it to:

 <intercept-url pattern="/account/**" access="hasAnyRole('ROLE_ADMIN','ROLE_WEB_SITE_USER')" requires-channel="${requires-channel}"/>

Without this change, your roles or authorities will not be parsed correctly and access will be denied.

This is a result of this change in 5.3.13:

    SpEL vararg method invocation fails if string literal contains a comma #27582
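To see the parsing difference outside a running web application, here is an added example (not from this post or from Spring Security itself) that evaluates both expression forms against a hypothetical root object exposing a vararg hasAnyRole, as SecurityExpressionRoot does. It assumes spring-expression is on the classpath; the stand-in root does not apply the ROLE_ prefix logic of the real one.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class HasAnyRoleParsingCheck {

    // Hypothetical stand-in for the security expression root (assumption, not Spring's class).
    public static class Root {
        private final Set<String> granted;
        // Records exactly which role strings SpEL handed to the vararg parameter.
        public List<String> rolesSeen = Collections.emptyList();

        public Root(Set<String> granted) { this.granted = granted; }

        public boolean hasAnyRole(String... roles) {
            rolesSeen = Arrays.asList(roles);
            for (String r : roles) {
                if (granted.contains(r)) return true;
            }
            return false;
        }
    }

    // Evaluates one access expression for a user who holds only ROLE_WEB_SITE_USER.
    public static Root evaluate(String accessExpression) {
        Root root = new Root(new HashSet<>(Collections.singletonList("ROLE_WEB_SITE_USER")));
        Expression expr = new SpelExpressionParser().parseExpression(accessExpression);
        Boolean allowed = expr.getValue(new StandardEvaluationContext(root), Boolean.class);
        System.out.println(accessExpression + " -> allowed=" + allowed
                + ", roles seen by hasAnyRole=" + root.rolesSeen);
        return root;
    }

    public static void main(String[] args) {
        // Form from the post that worked on 5.3.12: one literal containing a comma.
        evaluate("hasAnyRole('ROLE_ADMIN,ROLE_WEB_SITE_USER')");
        // Form required from 5.3.13 on: one literal per role.
        evaluate("hasAnyRole('ROLE_ADMIN','ROLE_WEB_SITE_USER')");
    }
}
```

On 5.3.13 and higher the first form reaches hasAnyRole as a single role string containing the comma, so the user is denied, while the second form yields two separate roles and is allowed; on 5.3.12 and lower the post reports that the first form is also accepted.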
