security:anonymous granted-authority changed bahaviour between 3.1.1 and 3.1.2

**federicolifia** · Nov 1st, 2012, 01:49 PM

Hi. I'm using this configuration

Code:

<security:anonymous granted-authority="ROLE_INVITADO,ROLE_PROFILE_INVITADO,ROLE_GRUPO_PUBLICO" username="invitado" />

So the guest has 3 roles. Up until spring 3.1.1.RELEASE if I did

Code:

SecurityContextHolder.getContext().getAuthentication().getAuthorities()

I got 3 authorities (as expected).

In Spring 3.1.2.RELEASE I get only one authority and it's value is

Code:

"ROLE_INVITADO,ROLE_PROFILE_INVITADO,ROLE_GRUPO_PUBLICO"

So those 3 comma separated values are not being split in 3.1.2 as they were in 3.1.1.
I'm not sure if it was originally intended to support mutiple roles separating them by comma or not. Was it? Is it now? Any othe way to set that up? Is this a bug in 3.1.2?

I don't see this change in the version changes, maybe it was an unintended consecuence of some other change.

**federicolifia** · Nov 2nd, 2012, 01:30 PM

Spring Security 3.1.3 apparently works as 3.1.1 (correctly).

**Rob Winch** · Nov 2nd, 2012, 03:58 PM

This bug still looks like it is present in 3.1.3. The issue is with the AuthenticationConfigBuilder when SEC-1909 was resolved. I have logged SEC-2072 to track this

Thread: security:anonymous granted-authority changed bahaviour between 3.1.1 and 3.1.2

Thread Tools

Display

security:anonymous granted-authority changed bahaviour between 3.1.1 and 3.1.2

Posting Permissions