SEC-1443: Jsr250Voter will return access denied for allowed roles #1684

spring-issuemaster opened this Issue Mar 19, 2010 · 1 comment


Andrei Ciobanu (Migrated from SEC-1443) said:

Method vote() from will return ACCESS_DENIED if the FIRST role from definition does not exist in authentication.getAuthorities() list.

public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> definition) {
    for (ConfigAttribute attribute : definition) {
        if (supports(attribute)) {
            // Attempt to find a matching granted authority
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                if (attribute.getAttribute().equals(authority.getAuthority())) {
                    return ACCESS_GRANTED;
                }
            }
            // No match - deny access
            return ACCESS_DENIED; // <-------- will return ACCESS_DENIED too soon: remaining attributes are never checked
        }
    }
    return ACCESS_ABSTAIN;
}

Luke Taylor said:

Thanks for spotting this. I've modified the voter to deny access only if no matching role is found. If no JSR-250 attributes are found, it will abstain.
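
The following is an added, self-contained Java illustration of the two behaviours discussed in this issue; it is not code from the Spring Security project. To run offline it replaces Spring's ConfigAttribute and GrantedAuthority with a stand-in `Attribute` class and plain role strings (assumptions), keeps the voter's three return codes, and places the reported early `return ACCESS_DENIED` beside the corrected logic Luke Taylor describes: deny only when every supported attribute has been checked without a match, abstain when no JSR-250 attribute was present.

```java
import java.util.Collection;
import java.util.List;

public class Jsr250VoterDemo {
    static final int ACCESS_GRANTED = 1;
    static final int ACCESS_ABSTAIN = 0;
    static final int ACCESS_DENIED = -1;

    // Stand-in for Spring's ConfigAttribute (assumption): holds a role name such as "ROLE_ADMIN".
    // An empty value models an attribute that is not a JSR-250 attribute and is not supported.
    static final class Attribute {
        private final String value;
        Attribute(String value) { this.value = value; }
        String getAttribute() { return value; }
    }

    // Stand-in for Jsr250Voter.supports(): only non-empty role names count as JSR-250 attributes.
    static boolean supports(Attribute attribute) {
        return attribute.getAttribute() != null && !attribute.getAttribute().isEmpty();
    }

    // Behaviour as reported in the issue: denies as soon as the FIRST supported
    // attribute has no matching authority, so later attributes are never examined.
    static int voteBuggy(Collection<String> authorities, Collection<Attribute> definition) {
        for (Attribute attribute : definition) {
            if (supports(attribute)) {
                for (String authority : authorities) {
                    if (attribute.getAttribute().equals(authority)) {
                        return ACCESS_GRANTED;
                    }
                }
                return ACCESS_DENIED; // too soon
            }
        }
        return ACCESS_ABSTAIN;
    }

    // Corrected behaviour: remember whether any JSR-250 attribute was seen, check all of
    // them, and only then decide between DENIED (none matched) and ABSTAIN (none applied).
    static int voteFixed(Collection<String> authorities, Collection<Attribute> definition) {
        boolean jsr250AttributeFound = false;
        for (Attribute attribute : definition) {
            if (supports(attribute)) {
                jsr250AttributeFound = true;
                for (String authority : authorities) {
                    if (attribute.getAttribute().equals(authority)) {
                        return ACCESS_GRANTED;
                    }
                }
            }
        }
        return jsr250AttributeFound ? ACCESS_DENIED : ACCESS_ABSTAIN;
    }

    public static void main(String[] args) {
        // Constructed sample input: the caller holds only ROLE_USER.
        List<String> userAuthorities = List.of("ROLE_USER");
        // Models @RolesAllowed({"ROLE_ADMIN", "ROLE_USER"}): holding either role should suffice.
        List<Attribute> adminOrUser = List.of(new Attribute("ROLE_ADMIN"), new Attribute("ROLE_USER"));
        List<Attribute> adminOnly = List.of(new Attribute("ROLE_ADMIN"));
        List<Attribute> noJsr250 = List.of(new Attribute(""));

        System.out.println("buggy, ADMIN or USER required : " + voteBuggy(userAuthorities, adminOrUser));
        System.out.println("fixed, ADMIN or USER required : " + voteFixed(userAuthorities, adminOrUser));
        System.out.println("fixed, ADMIN required         : " + voteFixed(userAuthorities, adminOnly));
        System.out.println("fixed, no JSR-250 attributes  : " + voteFixed(userAuthorities, noJsr250));
    }
}
```

Compile and run with `javac Jsr250VoterDemo.java && java Jsr250VoterDemo`. The first two lines of output are the point of the issue: with the premature return, a caller holding ROLE_USER is denied a method annotated with both ROLE_ADMIN and ROLE_USER because ROLE_ADMIN is listed first, while the corrected voter grants access. The remaining lines show the fixed voter still denying when no listed role is held and abstaining when the definition carries no JSR-250 attributes at all, so other voters in the AccessDecisionManager can decide.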

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016