Create single point of defining the default role prefix

[andrei-ivanov]

If one wants to change the default role prefix this must be done in more than one place and this can lead to errors if one of them is forgotten.
Currently I set it in 4 places:

<bean id="defaultMethodSecurityExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <property name="defaultRolePrefix" value="ROLE:" />
</bean>

<bean id="defaultWebSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <property name="defaultRolePrefix" value="ROLE:" />
</bean>

<bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">
    <property name="rolePrefix" value="ROLE:" />
</bean>

<bean id="daoUserDetailsService" class="custom.DaoUserDetailsServiceImpl">
    <property name="rolePrefix" value="ROLE:" />
</bean>

Some strategy should be created to set the default role in a single place and the other components should use it.

[rwinch]

@andrei-ivanov Thanks for creating this! I don't suppose you are interested in creating a PR too?

[andrei-ivanov]

I can try. Any suggestions of component? :)

[rwinch]

This would be something easy to change as we think more about it. However, perhaps something like org.springframework.security.config.core.GrantedAuthorityDefaults makes sense?

[andrei-ivanov]

Uf, I'm afraid I got caught with a new project that started and I don't think I'll be able to implement this myself.
I hope you or someone else can :)

[eddumelendez]

@rwinch so the expected configuration would be something like this?

<bean id="defaultMethodSecurityExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <property name="defaultRolePrefix" ref="grantedAuthorityDefaults" />
</bean>

<bean id="defaultWebSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <property name="defaultRolePrefix" ref="grantedAuthorityDefaults" />
</bean>

<bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">
    <property name="rolePrefix" ref="grantedAuthorityDefaults" />
</bean>

<bean id="grantedAuthorityDefaults" class="org.springframework.security.config.core.GrantedAuthorityDefaults">
    <property name="rolePrefix" ref="ROLE:" />
</bean>

[andrei-ivanov]

I think the top 3 beans should use the grantedAuthorityDefaults bean by default, without manual configuration :-)

[rwinch]

@eddumelendez Thanks for the question. @andrei-ivanov is right. If GrantedAuthorityDefaults is defined it would be used by default with no need to define the other beans.

If user's explicitly define DefaultMethodSecurityExpressionHandler (or any of the other beans), then they would need to specify defaultRolePrefix explicitly.

[eddumelendez]

@andrei-ivanov @rwinch Thanks, I will take it into account.