Manav Chauhan (Migrated from SEC-1017) said:
I am using “org.springframework.security.vote.UnanimousBased” with follwoing voters
and have the following constraint on a method say ‘getName’
I am logged as a User with ROLE_TWO and CUSTOM_ADMIN permission. But I get Access denied because Role Voter fails after it finds out that I do not have ROLE_ONE and does not check for ROLE_TWO instead throws Access Denied.
Luke Taylor said:
This isn’t a bug, but the documented behaviour of the UnanimousBased AccessDecisionManager (read the Javadoc for the class).
The issue has been dealt with and discussed before – search Jira for “UnanimousBased”, and please do a search before raising new issues.