From 7f2f12c428855f9972f2c439f37f9e2f7309b179 Mon Sep 17 00:00:00 2001
From: Mohammad Sadeq Dousti <3616518+msdousti@users.noreply.github.com>
Date: Tue, 15 Jan 2019 18:29:34 +0330
Subject: [PATCH] hasRole should not be called on a string with "ROLE_" prefix (#6353) Removed "ROLE_" from UrlAuthorizationConfigurer This fixes IllegalArgumentException: ROLE_ANONYMOUS should not start with ROLE_ since ROLE_
---
 .../UrlAuthorizationConfigurer.java | 2 +-
 .../UrlAuthorizationConfigurerTests.java | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java
index 88ac8eb547..be57fc3450 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java
@@ -344,7 +344,7 @@ public final class UrlAuthorizationConfigurer>
 * @return the {@link UrlAuthorizationConfigurer} for further customization
 */
 public StandardInterceptUrlRegistry anonymous() {
- return hasRole("ROLE_ANONYMOUS");
+ return hasRole("ANONYMOUS");
 }
 
 /**
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurerTests.java
index 2a598af47a..4e64462369 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurerTests.java
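Review bot: In `anonymous()` of UrlAuthorizationConfigurer.java the rule now rests on two facts the code does not state. One is that `hasRole` prepends `ROLE_`, which is inferred here from the exception text in the commit message. The other is that anonymous callers actually carry the authority `ROLE_ANONYMOUS`. If an application configures a different anonymous authority, this rule would presumably match no one, and URLs meant to be open to anonymous users would be denied. I would add a sentence to the method's Javadoc, which starts above the hunk, such as `Requires the authority "ROLE_ANONYMOUS", the default for anonymous authentication; a customised anonymous authority will not match.`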
@@ -41,6 +41,7 @@ import static org.assertj.core.api.Assertions.assertThat;
 
 /**
 * @author Rob Winch
+ * @author M.S. Dousti
 *
 */
 public class UrlAuthorizationConfigurerTests {
@@ -203,6 +204,24 @@ public class UrlAuthorizationConfigurerTests {
 }
 }
 
+ @Test
+ public void anonymousUrlAuthorization() {
+ loadConfig(AnonymousUrlAuthorizationConfig.class);
+ }
+
+ @EnableWebSecurity
+ @Configuration
+ static class AnonymousUrlAuthorizationConfig extends WebSecurityConfigurerAdapter {
+ @Override
+ public void configure(HttpSecurity http) throws Exception {
+ // @formatter:off
+ http
+ .apply(new UrlAuthorizationConfigurer<>(null)).getRegistry()
+ .anyRequest().anonymous();
+ // @formatter:on
+ }
+ }
+
 public void loadConfig(Class... configs) {
 this.context = new AnnotationConfigWebApplicationContext();
 this.context.register(configs);
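Review bot: `anonymousUrlAuthorization()` only proves that the context starts without the IllegalArgumentException; it never checks what `.anyRequest().anonymous()` actually decides. A regression that builds the wrong attribute without throwing would therefore still pass. Because this is an access-control rule, the test should send one anonymous and one authenticated request through the filter chain and assert that only the anonymous one is admitted. The sketch assumes spring-security-test's MockMvc support is on this module's test classpath and that `loadConfig`, whose body continues past the hunk, refreshes `this.context`.

```java
@Test
public void anonymousUrlAuthorization() throws Exception {
	loadConfig(AnonymousUrlAuthorizationConfig.class);
	MockMvc mvc = MockMvcBuilders.webAppContextSetup(this.context)
			.apply(springSecurity())
			.build();
	// anonymous caller satisfies the rule; 404 is expected only because no handler is mapped
	mvc.perform(get("/")).andExpect(status().isNotFound());
	// authenticated caller does not hold ROLE_ANONYMOUS and must be rejected
	mvc.perform(get("/").with(user("user"))).andExpect(status().isForbidden());
}
// … unchanged: AnonymousUrlAuthorizationConfig …
```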