Spring Security / SEC-1017

org.springframework.security.vote.UnanimousBased

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: None
    • Fix Version/s: 3.0.0 M1
    • Component/s: None
    • Labels:
      None

      Description

      I am using "org.springframework.security.vote.UnanimousBased" with the following voters:

      1) roleVoter
      2) customVoter

      and have the following constraint on a method say 'getName'

      getName = ROLE_ONE, ROLE_TWO, CUSTOM_ADMIN, CUSTOM_READ

      I am logged in as a user with ROLE_TWO and CUSTOM_ADMIN permission. But I get Access Denied because the Role Voter fails after it finds out that I do not have ROLE_ONE and does not check for ROLE_TWO; instead it throws Access Denied.

        Activity

        Luke Taylor added a comment -

        This isn't a bug, but the documented behaviour of the UnanimousBased AccessDecisionManager (read the Javadoc for the class).

        The issue has been dealt with and discussed before - search Jira for "UnanimousBased", and please do a search before raising new issues.

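The per-attribute polling that the comment above points to in the Javadoc can be modelled as follows. This is an added example, not code from the issue or from Spring Security: a self-contained simplification in which the `CUSTOM_` prefix voter is a hypothetical stand-in for the reporter's customVoter (its logic is not shown on the page), and `affirmative` models an any-grant-wins strategy in the style of AffirmativeBased for contrast.

```java
import java.util.*;

// Simplified model of the voting logic; not the Spring Security classes themselves.
public class UnanimousVotingModel {
    static final int GRANTED = 1, ABSTAIN = 0, DENIED = -1;

    // Hypothetical voter set: "ROLE_" models roleVoter, "CUSTOM_" models customVoter.
    static final String[] VOTER_PREFIXES = {"ROLE_", "CUSTOM_"};

    // Prefix voter in the style of RoleVoter: abstains when no attribute carries
    // its prefix, otherwise grants if the user holds any one of those attributes.
    static int prefixVote(String prefix, Set<String> authorities, List<String> attrs) {
        int result = ABSTAIN;
        for (String attr : attrs) {
            if (!attr.startsWith(prefix)) continue;
            result = DENIED;
            if (authorities.contains(attr)) return GRANTED;
        }
        return result;
    }

    // Unanimous: every attribute is put to every voter on its own; one deny ends it.
    static boolean unanimous(Set<String> authorities, List<String> attrs) {
        int grants = 0;
        for (String attr : attrs) {
            for (String prefix : VOTER_PREFIXES) {
                int v = prefixVote(prefix, authorities, Collections.singletonList(attr));
                if (v == DENIED) {
                    System.out.println("denied on " + attr + " by " + prefix + " voter");
                    return false;
                }
                if (v == GRANTED) grants++;
            }
        }
        return grants > 0; // all voters abstaining is treated as deny in this model
    }

    // Affirmative: each voter sees the full attribute list; a single grant is enough.
    static boolean affirmative(Set<String> authorities, List<String> attrs) {
        for (String prefix : VOTER_PREFIXES)
            if (prefixVote(prefix, authorities, attrs) == GRANTED) return true;
        return false;
    }

    public static void main(String[] args) {
        // The reporter's case: authorities held vs. attributes on getName.
        Set<String> user = new HashSet<>(Arrays.asList("ROLE_TWO", "CUSTOM_ADMIN"));
        List<String> getName = Arrays.asList("ROLE_ONE", "ROLE_TWO", "CUSTOM_ADMIN", "CUSTOM_READ");
        System.out.println("unanimous:   " + unanimous(user, getName));
        System.out.println("affirmative: " + affirmative(user, getName));
    }
}
```

In this model the unanimous path stops at ROLE_ONE, the first attribute the user lacks, which matches the Access Denied described in the report.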

          People

          • Assignee: Luke Taylor
          • Reporter: Manav Chauhan
          • Votes: 0
          • Watchers: 0

            Dates

            • Created:
              Updated:
              Resolved: