sec:authorize, configuration and roles with version 3.1.2

[javierhe]

Using spring-security, I have a custom UserDetailsService, returning the following UserDetails:

Code:

    ...
    HashSet<SimpleGrantedAuthority> authSet = new HashSet<SimpleGrantedAuthority>();
    authSet.add(new SimpleGrantedAuthority("ROLE_USER"));

    if(user.isAdmin()){
        authSet.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
    }

    return new User(user.getUsername(), user.getPassword(), 
        user.isActive(), !user.isExpired(), !user.isCredentialsExpired(),
        !user.isLocked(), authSet);

In the security config file, I have the following:

Code:

    <http use-expressions="true">
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
        ...

And in a JSP page, the following code:

Code:

    <sec:authorize access="hasRole('ROLE_ADMIN')">
        <h4><a href="/admin/balances">Admin</a></h4>
    </sec:authorize>

With spring-security-3.1.1 everything is working as expected, but with versions 3.1.2 & 3.1.3, users with ADMIN_ROLE can't see the link neither has access to the URL directly in the browser.

Please, could you tell me if I'm doing something wrong? Or maybe could be a bug?
I'm looking at release notes for the new versions but can't find any specific mention about if something changed about this.

Thanks in advance.

[javierhe]

The problem seems to be related with the custom SignInAdapter. Initially, I was using the following code:

Code:

UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword(), null);

I've changed the code to save the whole User object as the principal:

Code:

UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());

I'm wondering why it seems to work sometimes with the previous code, but now it's working with every recent version of spring-security.