Polish Contribution

Issue gh-13215

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java

@@ -63,22 +63,13 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 
 	private final Supplier<RoleHierarchy> roleHierarchy;
 
-	private final String rolePrefix;
+	private String rolePrefix = "ROLE_";
 
 	/**
 	 * Creates an instance.
 	 * @param context the {@link ApplicationContext} to use
 	 */
 	public AuthorizeHttpRequestsConfigurer(ApplicationContext context) {
-		String[] grantedAuthorityDefaultsBeanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class);
-		if (grantedAuthorityDefaultsBeanNames.length == 1) {
-			GrantedAuthorityDefaults grantedAuthorityDefaults = context.getBean(grantedAuthorityDefaultsBeanNames[0],
-					GrantedAuthorityDefaults.class);
-			this.rolePrefix = grantedAuthorityDefaults.getRolePrefix();
-		}
-		else {
-			this.rolePrefix = "ROLE_";
-		}
 		this.registry = new AuthorizationManagerRequestMatcherRegistry(context);
 		if (context.getBeanNamesForType(AuthorizationEventPublisher.class).length > 0) {
 			this.publisher = context.getBean(AuthorizationEventPublisher.class);
@@ -88,6 +79,11 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 		}
 		this.roleHierarchy = SingletonSupplier.of(() -> (context.getBeanNamesForType(RoleHierarchy.class).length > 0)
 				? context.getBean(RoleHierarchy.class) : new NullRoleHierarchy());
+		String[] grantedAuthorityDefaultsBeanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class);
+		if (grantedAuthorityDefaultsBeanNames.length > 0) {
+			GrantedAuthorityDefaults grantedAuthorityDefaults = context.getBean(GrantedAuthorityDefaults.class);
+			this.rolePrefix = grantedAuthorityDefaults.getRolePrefix();
+		}
 	}
 
 	/**
@@ -292,7 +288,7 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 		 */
 		public AuthorizationManagerRequestMatcherRegistry hasRole(String role) {
 			return access(withRoleHierarchy(AuthorityAuthorizationManager
-					.hasAuthority(AuthorizeHttpRequestsConfigurer.this.rolePrefix + role)));
+					.hasAnyRole(AuthorizeHttpRequestsConfigurer.this.rolePrefix, new String[] { role })));
 		}
 
 		/**
@@ -304,7 +300,8 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 		 * customizations
 		 */
 		public AuthorizationManagerRequestMatcherRegistry hasAnyRole(String... roles) {
-			return access(withRoleHierarchy(AuthorityAuthorizationManager.hasAnyRole(roles)));
+			return access(withRoleHierarchy(
+					AuthorityAuthorizationManager.hasAnyRole(AuthorizeHttpRequestsConfigurer.this.rolePrefix, roles)));
 		}
 
 		/**

config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java

@@ -477,8 +477,19 @@ public class AuthorizeHttpRequestsConfigurerTests {
 	}
 
 	@Test
-	public void getWhenRoleUserConfiguredAsGrantedAuthorityDefaultThenRespondsWithOk() throws Exception {
-		this.spring.register(GrantedAuthorityDefaultConfig.class, BasicController.class).autowire();
+	public void getWhenCustomRolePrefixAndRoleHasDifferentPrefixThenRespondsWithForbidden() throws Exception {
+		this.spring.register(GrantedAuthorityDefaultHasRoleConfig.class, BasicController.class).autowire();
+		// @formatter:off
+		MockHttpServletRequestBuilder requestWithUser = get("/")
+				.with(user("user")
+						.authorities(new SimpleGrantedAuthority("ROLE_USER")));
+		// @formatter:on
+		this.mvc.perform(requestWithUser).andExpect(status().isForbidden());
+	}
+
+	@Test
+	public void getWhenCustomRolePrefixAndHasRoleThenRespondsWithOk() throws Exception {
+		this.spring.register(GrantedAuthorityDefaultHasRoleConfig.class, BasicController.class).autowire();
 		// @formatter:off
 		MockHttpServletRequestBuilder requestWithUser = get("/")
 				.with(user("user")
@@ -487,6 +498,21 @@ public class AuthorizeHttpRequestsConfigurerTests {
 		this.mvc.perform(requestWithUser).andExpect(status().isOk());
 	}
 
+	@Test
+	public void getWhenCustomRolePrefixAndHasAnyRoleThenRespondsWithOk() throws Exception {
+		this.spring.register(GrantedAuthorityDefaultHasAnyRoleConfig.class, BasicController.class).autowire();
+		// @formatter:off
+		MockHttpServletRequestBuilder requestWithUser = get("/")
+				.with(user("user")
+						.authorities(new SimpleGrantedAuthority("CUSTOM_PREFIX_USER")));
+		MockHttpServletRequestBuilder requestWithAdmin = get("/")
+				.with(user("user")
+						.authorities(new SimpleGrantedAuthority("CUSTOM_PREFIX_ADMIN")));
+		// @formatter:on
+		this.mvc.perform(requestWithUser).andExpect(status().isOk());
+		this.mvc.perform(requestWithAdmin).andExpect(status().isOk());
+	}
+
 	@Test
 	public void getWhenExpressionHasIpAddressLocalhostConfiguredIpAddressIsLocalhostThenRespondsWithOk()
 			throws Exception {
@@ -571,7 +597,7 @@ public class AuthorizeHttpRequestsConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
-	static class GrantedAuthorityDefaultConfig {
+	static class GrantedAuthorityDefaultHasRoleConfig {
 
 		@Bean
 		GrantedAuthorityDefaults grantedAuthorityDefaults() {
@@ -585,6 +611,22 @@ public class AuthorizeHttpRequestsConfigurerTests {
 
 	}
 
+	@Configuration
+	@EnableWebSecurity
+	static class GrantedAuthorityDefaultHasAnyRoleConfig {
+
+		@Bean
+		GrantedAuthorityDefaults grantedAuthorityDefaults() {
+			return new GrantedAuthorityDefaults("CUSTOM_PREFIX_");
+		}
+
+		@Bean
+		SecurityFilterChain myFilterChain(HttpSecurity http) throws Exception {
+			return http.authorizeHttpRequests((c) -> c.anyRequest().hasAnyRole("USER", "ADMIN")).build();
+		}
+
+	}
+
 	@Configuration
 	@EnableWebSecurity
 	static class NoRequestsConfig {