How to use sec authorize access hasRole ROLES for checking multiple Roles

Question

I want to display some content conditionally based on Roles using Spring Security JSP taglibs  But in Spring Security 3 1 x  is checking for only one role   I can use  but ifAllGranted is deprecated   Any help

User · Answer

you can try in this way if you are using thymeleaf

sec:authorize="hasAnyRole(T(com.orsbv.hcs.model.SystemRole).ADMIN.getName(),
               T(com.orsbv.hcs.model.SystemRole).SUPER_USER.getName(),'ROLE_MANAGEMENT')"

this will return true if the user has the mentioned roles,false otherwise.

Please note you have to use sec tag in your html declaration tag like this

<html xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">

User · Answer

dimas s answer is not logically consistent with your question  ifAllGranted cannot be directly replaced with hasAnyRole   From the Spring Security 3    4 migration guide   Old    lt sec authorize ifAllGranted  ROLE ADMIN ROLE USER  gt       lt p gt Must have ROLE ADMIN and ROLE USER lt  p gt   lt  sec authorize gt    New  SPeL     lt sec authorize access  hasRole  ROLE ADMIN   and hasRole  ROLE USER    gt       lt p gt Must have ROLE ADMIN and ROLE USER lt  p gt   lt  sec authorize gt    Replacing ifAllGranted directly with hasAnyRole will cause spring to evaluate the statement using an OR instead of an AND   That is  hasAnyRole will return true if the authenticated principal contains at least one of the specified roles  whereas Spring s  now deprecated as of Spring Security 4  ifAllGranted method only returned true if the authenticated principal contained all of the specified roles   TL DR  To replicate the behavior of ifAllGranted using Spring Security Taglib s new authentication Expression Language  the hasRole  ROLE 1   and hasRole  ROLE 2   pattern needs to be used

User · Answer

i used hasAnyRole  ROLE ADMIN   ROLE USER   but i was getting bean creation below error   Error creating bean with name      org springframework security web access intercept FilterSecurityInterceptor 0   Cannot create inner bean   inner bean   of type  org springframework security web access expression ExpressionBasedFilterInvocationSecurityMetadataSource  while setting bean property  securityMetadataSource   nested exception is org springframework beans factory BeanCreationException  Error creating bean with name   inner bean  2   Instantiation of bean failed  nested exception is org springframework beans BeanInstantiationException  Could not instantiate bean class  org springframework security web access expression ExpressionBasedFilterInvocationSecurityMetadataSource   Constructor threw exception  nested exception is java lang IllegalArgumentException  Expected a single expression attribute for   user      then i tried   access  hasRole  ROLE ADMIN   or hasRole  ROLE USER    and it s working fine for me   as one of my user is admin as well as user    for this you need to add use-expressions  true  auto-config  true  followed by http tag    lt http use-expressions  true  auto-config  true   gt       lt  http gt

User · Answer

Within Spring Boot 2 4 it is sec authorize  quot hasAnyRole  ROLE ADMIN    Ensure that you have  thymeleaf-extras-springsecurity5  in your dependencies  Also make sure that you include the namespace xmlns sec  quot http   www thymeleaf org extras spring-security quot   in your html

User · Answer

There is a special security expression in spring security      hasAnyRole list of roles  - true if the user has been granted any of   the roles specified  given as a comma-separated list of strings     I have never used it but I think it is exactly what you are looking for   Example usage    lt security authorize access  hasAnyRole  ADMIN    DEVELOPER    gt           lt  security authorize gt    Here is a link to the reference documentation where the standard spring security expressions are described  Also  here is a discussion where I described how to create custom expression if you need it

[java] How to use <sec:authorize access="hasRole('ROLES)"> for checking multiple Roles?

Examples related to java

Examples related to spring

Examples related to spring-mvc

Examples related to spring-security