Hi,
I have a webapp that uses Spring Security (3.1), and I have 3 different roles (ROLE_ADMIN, ROLE_CONS, ROLE_S_CEN)
When I log in with a user who has the role ROLE_ADMIN everything works as expected, but when I log in with another who has the ROLE_CONS role, it doesn't work...
Here's my security-context.xml
Code:
<?xml version="1.0" encoding="ISO-8859-1"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- preauthentication -->
    <security:global-method-security pre-post-annotations="enabled">
    </security:global-method-security>

    <security:http auto-config="false" use-expressions="true"
                   entry-point-ref="http403EntryPoint"
                   access-denied-page="/autenticacion/accesodenegado">
        <security:intercept-url pattern="/" access="permitAll"/>
        <security:intercept-url pattern="/403.jsp" access="permitAll"/>
        <!-- Allow non-secure access to static resources -->
        <security:intercept-url pattern="/resources/**" access="permitAll"/>
        <security:intercept-url pattern="/autenticacion/**" access="permitAll"/>
        <!-- URLs that depend on profiles -->
        <security:intercept-url pattern="/gestion/facturas/**" access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN','ROLE_CONS')"/>
        <security:intercept-url pattern="/gestion/tarifas/**" access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN','ROLE_CONS')"/>
        <security:intercept-url pattern="/gestion/envios/**" access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN')"/>
        <security:intercept-url pattern="/gestion/perfiles/**" access="hasRole('ROLE_ADMIN')"/>
        <security:intercept-url pattern="/gestion/usuarios/**" access="hasRole('ROLE_ADMIN')"/>
        <security:intercept-url pattern="/consulta/**" access="hasAnyRole('ROLE_CONS','ROLE_ADMIN','ROLE_S_CEN')"/>
        <security:intercept-url pattern="/importacion/**" access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN')"/>
        <!-- Page the logout redirects to -->
        <security:logout logout-success-url="/"/>
    </security:http>

    <bean id="http403EntryPoint"
          class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint">
    </bean>

    <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map path-type="ant">
            <security:filter-chain pattern="/**" filters="j2eePreAuthFilter"/>
        </security:filter-chain-map>
    </bean>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref='preAuthenticatedAuthenticationProvider'/>
    </security:authentication-manager>

    <bean id="preAuthenticatedAuthenticationProvider"
          class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
    </bean>

    <bean id="preAuthenticatedUserDetailsService"
          class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>

    <bean id="j2eePreAuthFilter" class="es.myapp.security.MyAppUserJ2eePreAuthenticatedProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
        <property name="continueFilterChainOnUnsuccessfulAuthentication" value="false"/>
    </bean>

    <bean id="authenticationDetailsSource"
          class="org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource">
        <property name="mappableRolesRetriever" ref="j2eeMappableRolesRetriever"/>
        <property name="userRoles2GrantedAuthoritiesMapper" ref="j2eeUserRoles2GrantedAuthoritiesMapper"/>
    </bean>

    <bean id="j2eeMappableRolesRetriever"
          class="org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever">
    </bean>

    <bean id="j2eeUserRoles2GrantedAuthoritiesMapper"
          class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
        <property name="attributePrefix" value="test"/>
    </bean>
</beans>

And my menu.jsp
Code:
<%@ taglib uri="http://www.springframework.org/tags" prefix="s"%>
<%@ taglib uri="/WEB-INF/security.tld" prefix="sec"%>
<div class="inner">
  <sec:authorize access="isAuthenticated()">
    <ul id="menu">
      <li>
        <a href="#"><span id="padre" class="abierto"><s:message code="menu.conexion.capri"/></span></a>
        <div class="sub_menu">
          <ul>
            <sec:authorize access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN')">
              <li>
                <a href="<s:url value="/importacion/datos"/>"><span><s:message code="menu.importacion.importarDatos"/></span></a>
              </li>
            </sec:authorize>
            <sec:authorize access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN')">
              <li>
                <a href="<s:url value="/gestion/envios"/>"><span><s:message code="menu.gestion.envios"/></span></a>
              </li>
            </sec:authorize>
            <sec:authorize access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN','ROLE_CONS')">
              <li>
                <a href="<s:url value="/consulta/envios"/>"><span><s:message code="menu.consulta.envios"/></span></a>
              </li>
            </sec:authorize>
            <sec:authorize access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN')">
              <li>
                <a href="<s:url value="/gestion/facturas"/>"><span><s:message code="menu.gestion.facturas"/></span></a>
              </li>
            </sec:authorize>
            <sec:authorize access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN','ROLE_CONS')">
              <li>
                <a href="<s:url value="/gestion/tarifas"/>"><span><s:message code="menu.gestion.tarifas"/></span></a>
              </li>
            </sec:authorize>
            <li>
              <a href="<s:url value="/gestion/envios/verpaginarecibir"/>"><span><s:message code="menu.recibir.envios"/></span></a>
            </li>
          </ul>
        </div>
      </li>
      <sec:authorize access="hasRole('ROLE_ADMIN')">
        <li>
          <a href="#"><span id="padre" class="abierto"><s:message code="menu.usuarios"/></span></a>
          <div class="sub_menu">
            <ul>
              <sec:authorize access="hasRole('ROLE_ADMIN')">
                <li>
                  <a href="<s:url value="/gestion/usuarios"/>"><span><s:message code="menu.gestion.usuarios"/></span></a>
                </li>
              </sec:authorize>
              <sec:authorize access="hasRole('ROLE_ADMIN')">
                <li>
                  <a href="<s:url value="/gestion/perfiles"/>"><span><s:message code="menu.gestion.perfiles"/></span></a>
                </li>
              </sec:authorize>
            </ul>
          </div>
        </li>
      </sec:authorize>
    </ul>
  </sec:authorize>
</div>

When I log in with the user that has the ROLE_CONS role I'm only allowed to see the pages and URLs with no security, but not those which ROLE_CONS is allowed to see...
I have already checked that the user is properly authenticated and that it has ROLE_CONS as an authority...
Any ideas?
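When a pre-authenticated user is denied by an `intercept-url` rule, the first thing worth confirming is the exact authority strings the mapper hands to Spring Security, because in Spring Security 3.1 `hasRole(...)` and `hasAnyRole(...)` compare the literal string with no automatic `ROLE_` prefix. The following is an added example, not code from the post above or from Spring Security itself: it drives the same `SimpleAttributes2GrantedAuthoritiesMapper` class that the posted security-context.xml declares, once with the `attributePrefix` value from that file (`test`) and once with the mapper's default prefix, and prints the resulting authority names so they can be compared with the names used in the `hasAnyRole(...)` expressions and in the `<sec:authorize>` tags. The role list is a constructed sample standing in for whatever `<security-role>` entries the real web.xml exposes to `WebXmlMappableAttributesRetriever`; the class and method names `MappedAuthoritiesCheck` and `map` are my own.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper;

// Added diagnostic, not part of the original post: shows what authority names
// the configured mapper produces for a given set of container role names.
public class MappedAuthoritiesCheck {

    // Constructed sample of container role names (assumed, not the poster's
    // real web.xml). WebXmlMappableAttributesRetriever would normally supply
    // these from the <security-role> elements of web.xml.
    static final List<String> CONTAINER_ROLES =
            Arrays.asList("ROLE_ADMIN", "ROLE_CONS", "ROLE_S_CEN");

    // Builds the mapper exactly as the XML does (only attributePrefix is set)
    // and returns the authorities it would grant for the given role names.
    static List<GrantedAuthority> map(String attributePrefix, List<String> roles) {
        SimpleAttributes2GrantedAuthoritiesMapper mapper =
                new SimpleAttributes2GrantedAuthoritiesMapper();
        mapper.setAttributePrefix(attributePrefix);
        return mapper.getGrantedAuthorities(roles);
    }

    static void dump(String label, List<GrantedAuthority> authorities) {
        System.out.println(label);
        for (GrantedAuthority ga : authorities) {
            // getAuthority() is the string that hasRole/hasAnyRole compare against
            System.out.println("  " + ga.getAuthority());
        }
    }

    public static void main(String[] args) {
        // Prefix as declared in the posted security-context.xml
        dump("attributePrefix=\"test\":", map("test", CONTAINER_ROLES));
        // Mapper's default prefix, for comparison
        dump("attributePrefix=\"ROLE_\" (default):", map("ROLE_", CONTAINER_ROLES));
    }
}
```

Run it with the Spring Security 3.1 core jar on the classpath and compare each printed line with the role names in the `hasAnyRole(...)` expressions; any authority that does not match character for character will never satisfy those rules, regardless of what the container reports for the user. The same comparison can be made at runtime by logging `SecurityContextHolder.getContext().getAuthentication().getAuthorities()` right after the pre-authentication filter runs.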


