
SEC-1384: DefaultWebInvocationPrivilegeEvaluator bypass the accessDecisionManager when authorities are empty #1627

spring-issuemaster opened this Issue Jan 24, 2010 · 1 comment



Ferdinand Marques Nunes (Migrated from SEC-1384) said:

defaultWebInvocationPrivilegeEvaluator.isAllowed(...) always returns false when authorities are empty.

Here is the simple security configuration used:

<http access-decision-manager-ref="accessDecisionManager">
    <intercept-url pattern="/images/**" filters="none" />
    <intercept-url pattern="/scripts/**" filters="none" />
    <intercept-url pattern="/styles/**" filters="none" />
    <intercept-url pattern="/csmprobe.html*" filters="none" />
    <intercept-url pattern="/login.htm*" access="ROLE_ANONYMOUS" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <form-login login-page="/login.htm"
        authentication-failure-url="/login.htm?login_error=1" />
    <logout />
</http>

<!-- the <ldap-server> element is cut off here; only its last attribute is present -->
    manager-password="${ldap.managerPassword}" />

<authentication-manager alias="authenticationManager">
    <ldap-authentication-provider user-search-filter="(uid={0})"
        group-search-base="${ldap.groups}" />
</authentication-manager>

<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
            <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
        </beans:list>
    </beans:property>
</beans:bean>

Users with no authorities have access to all pages (IS_AUTHENTICATED_FULLY) according to the filter configuration, but defaultWebInvocationPrivilegeEvaluator.isAllowed(...) says the opposite. The implementation has this check:

    if (authentication == null || authentication.getAuthorities().isEmpty()) {
        return false;
    }

authentication.getAuthorities().isEmpty() should be removed to allow the decision voters to do their work.

Ferdinand Marques Nunes said:

My workaround consists of implementing the UserDetailsContextMapper and adding a default role (any dummy value prefixed with 'ROLE_') to the authorities collection.
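The workaround above, written out as an added example (this is not code from the issue or from Spring Security itself): a UserDetailsContextMapper that extends the framework's LdapUserDetailsMapper and pads an empty authority collection with one placeholder role, so the `getAuthorities().isEmpty()` short-circuit in DefaultWebInvocationPrivilegeEvaluator.isAllowed(...) quoted in the first comment no longer fires and the configured AccessDecisionManager is consulted. The class name, the `ROLE_LDAP_USER` value and the `defaultRoleMapper` bean id are assumptions; the `Collection<GrantedAuthority>` signature and `GrantedAuthorityImpl` match the 3.0.x API this issue targets (3.1 widened the parameter to `Collection<? extends GrantedAuthority>`).

```java
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;

/**
 * Workaround for SEC-1384 (example code, not part of Spring Security).
 *
 * Guarantees that every LDAP user carries at least one authority, so that
 * DefaultWebInvocationPrivilegeEvaluator.isAllowed(...) does not return false
 * before the AccessDecisionManager (AuthenticatedVoter + RoleVoter) gets a vote.
 *
 * Wiring in the namespace configuration from the issue (bean id is an assumption):
 *
 *   <ldap-authentication-provider user-search-filter="(uid={0})"
 *       group-search-base="${ldap.groups}"
 *       user-context-mapper-ref="defaultRoleMapper" />
 *   <beans:bean id="defaultRoleMapper" class="DefaultRoleUserDetailsContextMapper" />
 */
public class DefaultRoleUserDetailsContextMapper extends LdapUserDetailsMapper {

    // Placeholder authority. RoleVoter only votes on "ROLE_"-prefixed config
    // attributes, and no <intercept-url access="..."> in the issue's configuration
    // names this role, so adding it grants nothing beyond IS_AUTHENTICATED_FULLY.
    static final String DEFAULT_ROLE = "ROLE_LDAP_USER";

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
            Collection<GrantedAuthority> authorities) {
        // Delegate to the stock mapper with the (possibly padded) authority set so
        // the usual LdapUserDetails (dn, password, account flags) are still built.
        return super.mapUserFromContext(ctx, username, withDefaultRole(authorities));
    }

    /**
     * Returns the given authorities unchanged when there is at least one; otherwise
     * a single-element collection holding DEFAULT_ROLE. Never returns null or empty.
     */
    static Collection<GrantedAuthority> withDefaultRole(Collection<GrantedAuthority> authorities) {
        // LinkedHashSet: drop duplicates (GrantedAuthorityImpl compares by role string)
        // while keeping the order the LDAP group search produced.
        Set<GrantedAuthority> result = new LinkedHashSet<GrantedAuthority>();
        if (authorities != null) {
            result.addAll(authorities);
        }
        if (result.isEmpty()) {
            result.add(new GrantedAuthorityImpl(DEFAULT_ROLE));
        }
        return result;
    }
}
```

The padding role is visible to anything else that inspects the Authentication (JSP `<sec:authorize>` expressions, `hasRole(...)` checks, audit logs), so pick a name that no `<intercept-url>` or method-security rule grants access to. Users who do get real groups from LDAP are passed through untouched; only the empty case is changed, which is exactly the case the evaluator mishandles.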

@spring-issuemaster spring-issuemaster added this to the 3.0.2 milestone Feb 5, 2016
