Thread: jdbc-user-service empty roles

  1. #1
    Join Date
    Nov 2008
    Posts
    10

    jdbc-user-service empty roles

    I am using jdbc-user-service as the authentication provider.
    I have a Users table and a Roles table.
    This is working fine.
    However, what I noticed is that if a user does not have any roles (authorities) and we try logging in as such a user, with a business method having an annotation @PreAuthorize("#user.loginId == authentication.name or hasRole('ROLE_ADMIN') or (#user.supervisor.loginId == authentication.name and hasRole('ROLE_SUPERVISOR'))")
    then one gets an exception informing you that the credentials are bad.
    Seems like a bug. Hope someone can look at it.

    Meanwhile I have moved ahead and need some other advice.
    However, I would like to allow users to have empty roles. Since Spring Security appears to require that a user must have at least one authority or role, I have gotten around this using this approach.

    Code:
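    import java.util.List;

    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.GrantedAuthorityImpl;
    import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;

    public class MySecurityJdbcDaoImpl extends JdbcDaoImpl {

    	// JdbcDaoImpl rejects a user whose authority list is empty, so give
    	// role-less users a placeholder authority that no access rule refers to.
    	@Override
    	protected List<GrantedAuthority> loadUserAuthorities(String username) {
    		List<GrantedAuthority> authorities = super.loadUserAuthorities(username);
    		if (authorities.isEmpty()) {
    			authorities.add(new GrantedAuthorityImpl("ROLE_EMPTY"));
    		}
    		return authorities;
    	}
    }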

    What do you think?
    It appears to work.

  2. #2
    Join Date
    Jan 2008
    Posts
    1,826

    This should work. You could also modify your sql to return a constant for the roles (meaning you won't have to write any code, but it will execute an additional sql statement). An example is provided in this thread.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
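
The SQL alternative mentioned in the reply above, sketched as an added example that is not part of the original thread: a single query that returns the stored roles and falls back to a constant for users with none. It assumes the default Spring Security schema (`users`, `authorities`); the sample rows are constructed, and `ROLE_EMPTY` is the placeholder name from the first post.

```sql
-- Assumed schema: the default tables used by JdbcDaoImpl.
CREATE TABLE users (
    username VARCHAR(50)  NOT NULL PRIMARY KEY,
    password VARCHAR(100) NOT NULL,
    enabled  BOOLEAN      NOT NULL
);

CREATE TABLE authorities (
    username  VARCHAR(50) NOT NULL REFERENCES users (username),
    authority VARCHAR(50) NOT NULL
);

-- Constructed sample data: 'alice' has no role rows, 'admin' has two.
INSERT INTO users VALUES ('alice', 'placeholder-hash', TRUE);
INSERT INTO users VALUES ('admin', 'placeholder-hash', TRUE);
INSERT INTO authorities VALUES ('admin', 'ROLE_ADMIN');
INSERT INTO authorities VALUES ('admin', 'ROLE_SUPERVISOR');

-- The LEFT JOIN keeps a row for a user without authorities, and COALESCE
-- turns the missing authority into the constant. The username appears
-- once, so the query still takes exactly one parameter.
SELECT u.username,
       COALESCE(a.authority, 'ROLE_EMPTY') AS authority
FROM users u
LEFT JOIN authorities a ON a.username = u.username
WHERE u.username = 'alice';

-- Users that do have rows in authorities get only their real roles.
SELECT u.username,
       COALESCE(a.authority, 'ROLE_EMPTY') AS authority
FROM users u
LEFT JOIN authorities a ON a.username = u.username
WHERE u.username = 'admin';
```

To use it with jdbc-user-service, replace the literal username with `?` and set the statement as the `authorities-by-username-query` attribute. The placeholder role grants nothing as long as no access rule names it, but rules that only require an authenticated user still match these accounts.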

  3. #3
    Join Date
    Nov 2008
    Posts
    10

    jdbc-user-service empty roles

    You misunderstood. Or I didn't explain properly enough.
    Most of the users don't have roles. So I don't want them to have entries in the roles table, but there are some users like administrators who have roles.

  4. #4
    Join Date
    Jan 2008
    Posts
    1,826

    Sorry, you are correct, I did misread it. If the user has no roles, then there is supposed to be an exception. I still feel like your approach is a reasonable one. An alternative solution would be to override JdbcDaoImpl.loadUserByUsername, but that would not be as clean as overriding loadUserAuthorities as you have.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
