Thread: Problem with custom access decision manager and intercept-url(access)

  1. #1
    Join Date
    Feb 2011
    Posts
    12

    Problem with custom access decision manager and intercept-url(access)

    Hi

    I have a custom access decision manager bean, and have added three voters, AuthenticatedVoter, RoleVoter and a custom voter.

    My http looks like this:
    Code:
    <http auto-config="true" use-expressions="true" access-decision-manager-ref="accessDecisionManager">
    	<logout logout-url="/logout" logout-success-url="/" />
    	<form-login login-page="/login" default-target-url="/" />
    	<intercept-url pattern="/login" access="permitAll()" />
    	<intercept-url pattern="/**" access="isAuthenticated()" />
    </http>
    And my accessDecisionManager bean looks like:
    Code:
    <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    	<beans:property name="decisionVoters">
    		<beans:list>
    			<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
    			<beans:bean class="org.springframework.security.access.vote.RoleVoter" />
    			<beans:bean class="net.mortenoh.spring.security.FridayAccessVoter" />
    		</beans:list>
    	</beans:property>
    </beans:bean>
    And this is not working: the isAuthenticated() part of the intercept-url does not seem to work in this configuration.

    If I use @PreAuthorize("isAuthenticated()") on my controller, it asks for a login.

    If I remove the reference to the access decision manager, and remove the annotation from the controller (which leaves only the access part of the intercept url), it works fine.

    I'm guessing this is related to anonymousUser, but I'm not sure how to fix it. Is the default access decision manager using another voter I'm not aware of?

    Regards,
    Morten

  2. #2
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236

    UnanimousBased means that every voter must return success (think boolean AND operation), otherwise access will be denied. This is typically not what you want, and certainly not in this scenario (as the access rule of isAuthenticated would block anonymous users).

    I suspect the annotation on the controller isn't related. Depending on your configuration an annotation on a controller is likely to have no effect at all.
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.


  3. #3
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    You also need an expression voter if you want to be able to use expressions with a custom AccessDecisionManager.

    P.S. If possible, don't just say "it doesn't work" when posting a question. Post the log output with the error (enable debug logging first).
    Spring - by Pivotal
    twitter @tekul

  4. #4
    Join Date
    Feb 2011
    Posts
    12

    Hi,

    Thanks! I added:
    Code:
    <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter" />
    And it does the job.

    Btw, I used UnanimousBased since this was only a sample application, and had no real work application.

    The next time, I will try to add some more error reporting.

    Thanks again for your help.

    Regards,
    Morten
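
The full configuration the thread arrives at, as an added example that is not part of the original posts. It assumes the Spring Security 3.0-era XML namespace used above; the authentication-manager definition is not shown in the thread and is left out here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="
		http://www.springframework.org/schema/beans
		http://www.springframework.org/schema/beans/spring-beans.xsd
		http://www.springframework.org/schema/security
		http://www.springframework.org/schema/security/spring-security.xsd">

	<!-- use-expressions="true" turns every access="..." value below into an
	     expression attribute. Only WebExpressionVoter evaluates those. -->
	<http auto-config="true" use-expressions="true"
			access-decision-manager-ref="accessDecisionManager">
		<logout logout-url="/logout" logout-success-url="/" />
		<form-login login-page="/login" default-target-url="/" />
		<intercept-url pattern="/login" access="permitAll()" />
		<intercept-url pattern="/**" access="isAuthenticated()" />
	</http>

	<beans:bean id="accessDecisionManager"
			class="org.springframework.security.access.vote.UnanimousBased">
		<!-- Already the default; stated explicitly so a request on which every
		     voter abstains is denied rather than allowed. -->
		<beans:property name="allowIfAllAbstainDecisions" value="false" />
		<beans:property name="decisionVoters">
			<beans:list>
				<!-- The voter missing from the first post: it evaluates
				     permitAll() and isAuthenticated() from intercept-url. -->
				<beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter" />
				<!-- AuthenticatedVoter only votes on IS_AUTHENTICATED_* attributes
				     and RoleVoter only on ROLE_* attributes, so both abstain on
				     expression attributes. -->
				<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
				<beans:bean class="org.springframework.security.access.vote.RoleVoter" />
				<!-- Custom voter from the thread, unchanged. -->
				<beans:bean class="net.mortenoh.spring.security.FridayAccessVoter" />
			</beans:list>
		</beans:property>
	</beans:bean>
</beans:beans>
```

With UnanimousBased, a single deny vote from any voter in this list still rejects the request, so the custom voter should abstain on attributes it does not understand.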
