OnDemand
(Nico M)
1
Hi,
When I use @RolesAllowed({SecurityRoles.ADMIN_SESSION_VIEW}) in a view, do I need to add the ROLE_ prefix to the user's auth?
I am confused because I read that Spring Security adds ROLE_ automatically.
So which is correct: using ROLE_ADMIN, or is ADMIN enough as an auth?
user.getUserRoles().add(new UserRole("ROLE_ADMIN_VIEW"));
vs
user.getUserRoles().add(new UserRole("ADMIN_VIEW"));
Or doesn't it matter, as long as the annotation matches the set role? As far as I understand it, Spring Security does not handle the access; it's up to Vaadin?
Spring Security’s ROLE_ prefix has historical reasons. This was to distinguish between authorities and roles.
You can remove it to make it consistent everywhere:
@Bean
GrantedAuthorityDefaults grantedAuthorityDefaults() {
    return new GrantedAuthorityDefaults("");
}
1 Like
OnDemand
(Nico M)
3
Hi Simon, thank you. So the only important thing is that the AuthContext's Authorities match the String in the RolesAllowed annotation, right?
The roles in the RolesAllowed annotation are without ROLE_, yes.
1 Like
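Added example (not part of the thread, and not Spring Security or Vaadin source): a plain-Java model of the prefix matching discussed above, showing which stored authority satisfies @RolesAllowed("ADMIN_VIEW") with the default ROLE_ prefix and with the empty prefix from GrantedAuthorityDefaults(""). It assumes the role check looks for the configured prefix plus the annotation's role name among the user's authorities; the class name, rolesAllowed and the sample values are hypothetical and constructed for illustration.

```java
import java.util.Set;

// Simplified model of role-prefix matching (illustration only, not framework code).
public class RolePrefixDemo {

    /**
     * Models a @RolesAllowed check: access is granted when the user holds
     * the authority "rolePrefix + role" for at least one of the allowed roles.
     */
    static boolean rolesAllowed(Set<String> authorities, String rolePrefix, String... allowed) {
        for (String role : allowed) {
            if (authorities.contains(rolePrefix + role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Role name as written in the annotation: never carries the prefix.
        String annotationRole = "ADMIN_VIEW";

        // Default Spring Security prefix vs. GrantedAuthorityDefaults("").
        String[] prefixes = {"ROLE_", ""};

        // The two ways of storing the authority that the question compares.
        String[] storedAuthorities = {"ROLE_ADMIN_VIEW", "ADMIN_VIEW"};

        for (String prefix : prefixes) {
            for (String authority : storedAuthorities) {
                boolean granted = rolesAllowed(Set.of(authority), prefix, annotationRole);
                System.out.printf("prefix=%-8s authority=%-16s -> %s%n",
                        "\"" + prefix + "\"", authority, granted ? "granted" : "denied");
            }
        }
    }
}
```

Only two of the four combinations grant access: the stored authority has to be the configured prefix followed by the annotation's role name, so a mismatch in either direction locks the user out of the view.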