
SEC-2962: SecurityContextHolderAwareRequestFilter default rolePrefix

Rob Winch 10 жил өмнө
parent
commit
09acc2b7a5

+ 36 - 4
config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.groovy

@@ -17,17 +17,27 @@ package org.springframework.security.config.annotation.web.configurers
 
 import groovy.transform.CompileStatic
 
-import org.springframework.context.annotation.Configuration
-import org.springframework.security.authentication.AuthenticationTrustResolver;
+import javax.servlet.ServletException
+import javax.servlet.ServletRequest
+import javax.servlet.ServletResponse
+
+import org.springframework.mock.web.MockFilterChain
+import org.springframework.mock.web.MockHttpServletRequest
+import org.springframework.mock.web.MockHttpServletResponse
+import org.springframework.security.authentication.AuthenticationTrustResolver
+import org.springframework.security.authentication.TestingAuthenticationToken
 import org.springframework.security.config.annotation.AnyObjectPostProcessor
 import org.springframework.security.config.annotation.BaseSpringSpec
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
+import org.springframework.security.core.context.SecurityContext
+import org.springframework.security.core.context.SecurityContextHolder
 import org.springframework.security.web.AuthenticationEntryPoint
-import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
-import org.springframework.security.web.csrf.CsrfLogoutHandler;
+import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository
+import org.springframework.security.web.csrf.CsrfLogoutHandler
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
 
 /**
@@ -64,6 +74,28 @@ class ServletApiConfigurerTests extends BaseSpringSpec {
 			filter.logoutHandlers.collect { it.class } == [CsrfLogoutHandler, SecurityContextLogoutHandler]
 	}
 
+
+	def 'SEC-2926: Role Prefix is set'() {
+		setup:
+			loadConfig(ServletApiConfig)
+			MockFilterChain chain = new MockFilterChain() {
+				public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
+					assert request.isUserInRole("USER")
+
+					super.doFilter(request,response)
+				}
+			}
+			MockHttpServletRequest request = new MockHttpServletRequest(method:'GET')
+			SecurityContext context = SecurityContextHolder.createEmptyContext()
+			context.setAuthentication(new TestingAuthenticationToken("user", "pass", "ROLE_USER"))
+			request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context)
+
+		when:
+			springSecurityFilterChain.doFilter(request, new MockHttpServletResponse(), chain)
+		then:
+			chain.request != null
+	}
+
 	@CompileStatic
 	@EnableWebSecurity
 	static class ServletApiConfig extends WebSecurityConfigurerAdapter {
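Review bot: The new test's name `'SEC-2926: Role Prefix is set'` (line 52) cites a different ticket than the commit title, SEC-2962; the same name is used in the SecurityContextHolderAwareRequestConfigTests addition (line 130), so whichever number is right, both should be corrected together so the tests can be traced back to the issue. The only role assertion is the positive `request.isUserInRole("USER")` inside the anonymous MockFilterChain, which would also pass against a wrapper that answered true for any role; a negative check next to it, `assert !request.isUserInRole("ADMIN")`, would pin that the default prefix is actually being applied to the lookup. Since the assertion runs inside `doFilter`, a failure surfaces as an AssertionError thrown through springSecurityFilterChain rather than as a Spock `then:` condition, which is presumably intended but worth a one-line comment such as `// assert inside the chain: the wrapper only exists while the request is being filtered`.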

+ 43 - 17
config/src/test/groovy/org/springframework/security/config/http/SecurityContextHolderAwareRequestConfigTests.groovy

@@ -17,26 +17,27 @@ package org.springframework.security.config.http
 
 import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML
 
-import org.springframework.beans.factory.parsing.BeanDefinitionParsingException
-import org.springframework.security.TestDataSource
-import org.springframework.security.authentication.ProviderManager
-import org.springframework.security.authentication.RememberMeAuthenticationProvider
-import org.springframework.security.config.ldap.ContextSourceSettingPostProcessor;
-import org.springframework.security.core.userdetails.MockUserDetailsService
-import org.springframework.security.util.FieldUtils
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest
+import javax.servlet.http.HttpServletResponse
+
+import org.springframework.mock.web.MockFilterChain
+import org.springframework.mock.web.MockHttpServletRequest
+import org.springframework.mock.web.MockHttpServletResponse
+import org.springframework.security.authentication.TestingAuthenticationToken
+import org.springframework.security.core.context.SecurityContext
+import org.springframework.security.core.context.SecurityContextHolder
 import org.springframework.security.web.access.ExceptionTranslationFilter
-import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
-import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
-import org.springframework.security.web.authentication.logout.LogoutFilter
+import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
-import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl
-import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl
-import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
-import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter
-import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices
-import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
-import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
 
 /**
@@ -142,4 +143,29 @@ class SecurityContextHolderAwareRequestConfigTests extends AbstractHttpConfigTes
 		securityContextAwareFilter.logoutHandlers[1].class == CookieClearingLogoutHandler
 		securityContextAwareFilter.logoutHandlers[1].cookiesToClear == ['JSESSIONID']
 	}
+
+	def 'SEC-2926: Role Prefix is set'() {
+		setup:
+		httpAutoConfig () {
+
+		}
+		createAppContext(AUTH_PROVIDER_XML)
+
+		MockFilterChain chain = new MockFilterChain() {
+			public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
+				assert request.isUserInRole("USER")
+
+				super.doFilter(request,response)
+			}
+		}
+		MockHttpServletRequest request = new MockHttpServletRequest(method:'GET')
+		SecurityContext context = SecurityContextHolder.createEmptyContext()
+		context.setAuthentication(new TestingAuthenticationToken("user", "pass", "ROLE_USER"))
+		request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context)
+
+		when:
+		springSecurityFilterChain.doFilter(request, new MockHttpServletResponse(), chain)
+		then:
+		chain.request != null
+	}
 }
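Review bot: The import hunk of this file (lines 91-95) adds Java-style semicolon-terminated imports next to the unterminated Groovy style used by the rest of the file, while the companion hunk in ServletApiConfigurerTests removes exactly those semicolons; dropping them here (`import java.io.IOException`, `import javax.servlet.ServletException`, …) keeps the two test files consistent. `javax.servlet.http.HttpServletRequest` and `HttpServletResponse` (lines 96-97) do not appear in the added test, so they look unused unless the unchanged part of the file needs them. In the test body, `httpAutoConfig () { }` (lines 132-134) carries an empty closure and a stray space before the parenthesis; `httpAutoConfig {}` or a comment on why the empty block is required would read more clearly.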

+ 1 - 1
web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilter.java

@@ -76,7 +76,7 @@ public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
 	// ~ Instance fields
 	// ================================================================================================
 
-	private String rolePrefix;
+	private String rolePrefix = "ROLE_";
 
 	private HttpServletRequestFactory requestFactory;