I’m learning to use Spring Security and I’ve integrated it in a web application. I’m using Spring and Spring Security version 3.1.2.
If I specify access="ROLE_USER" in the security configuration, the authentication works correctly, that is, I first receive a 401 and after logging in I'm able to access the resources.
<http>
    <http-basic />
    <logout />
    <intercept-url pattern="/exports/**" access="ROLE_USER" />
</http>
However, if I switch to EL, my check doesn’t work anymore:
<http use-expressions="true">
    <http-basic />
    <logout />
    <intercept-url pattern="/exports/**" access="hasRole('USER')" />
</http>
I thought that those two configurations were equivalent, but the second one is not authorising me to view the resource (403 error).
Looking at the logs:
DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@844f42c6: Principal: org.springframework.security.core.userdetails.User@c052d588: Username: test; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_USER
DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@1a15597, returned: -1
DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
If I understand right, the WebExpressionVoter is voting against me, despite the authentication having worked.
What am I missing?
The solution was simple: just add ROLE_ also in hasRole(), such as:
access="hasRole('ROLE_USER')"
I got misled by an example in section 16.2 of the manual.
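To see why the voter says -1, the access expression can be evaluated outside the filter chain with the same expression handler WebExpressionVoter uses. This is an added example, not code from the question or from Spring Security; the principal (username "test", authority ROLE_USER) and the request path /exports/report.csv are constructed to mirror the log line above, and it assumes the Spring Security 3.1.x web and core jars on the classpath.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

public class HasRoleCheck {

    // Evaluate one <intercept-url access="..."> expression the way WebExpressionVoter does:
    // parse it, bind it to the authentication and the request, and ask for a boolean.
    static boolean evaluate(String accessExpression, Authentication auth, FilterInvocation fi) {
        DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        Expression expr = handler.getExpressionParser().parseExpression(accessExpression);
        EvaluationContext ctx = handler.createEvaluationContext(auth, fi);
        return ExpressionUtils.evaluateAsBoolean(expr, ctx);
    }

    public static void main(String[] args) {
        // Constructed principal matching the log: username "test", granted authority ROLE_USER.
        // The three-argument constructor marks the token as authenticated.
        Authentication auth = new UsernamePasswordAuthenticationToken(
                "test", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));

        // Constructed request for a path under the protected /exports/** pattern.
        FilterInvocation fi = new FilterInvocation("/exports/report.csv", "GET");

        String[] candidates = {
                "hasRole('USER')",      // as in the question: 'USER' is compared verbatim to "ROLE_USER"
                "hasRole('ROLE_USER')"  // matches the granted authority string exactly
        };
        for (String e : candidates) {
            System.out.printf("%-24s -> %s%n", e,
                    evaluate(e, auth, fi) ? "granted" : "denied (403)");
        }
    }
}
```

On 3.1.x hasRole() compares its argument against the raw authority strings, so only the second candidate is granted; Spring Security 4.0 and later prepend ROLE_ automatically, which is why newer examples write hasRole('USER').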