spring-projects · rwinch · Dec 7, 2018 · Dec 6, 2018
diff --git a/...rk/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java b/...rk/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java
@@ -255,7 +255,13 @@ protected AccessDecisionManager accessDecisionManager() {
 		if (jsr250Enabled()) {
 			decisionVoters.add(new Jsr250Voter());
 		}
-		decisionVoters.add(new RoleVoter());
+		RoleVoter roleVoter = new RoleVoter();
+		GrantedAuthorityDefaults grantedAuthorityDefaults =
+				getSingleBeanOrNull(GrantedAuthorityDefaults.class);
+		if (grantedAuthorityDefaults != null) {
+			roleVoter.setRolePrefix(grantedAuthorityDefaults.getRolePrefix());
+		}
+		decisionVoters.add(roleVoter);
 		decisionVoters.add(new AuthenticatedVoter());
 		return new AffirmativeBased(decisionVoters);
 	}

diff --git a/...curity/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.java b/...curity/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.java
@@ -34,6 +34,7 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
 import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor;
@@ -514,4 +515,42 @@ static class CustomAuthorityService {
 			public void customPrefixRoleUser() {}
 		}
 	}
+
+	@Test
+	@WithMockUser(authorities = "USER")
+	public void grantedAuthorityDefaultsWithEmptyRolePrefix() {
+		this.spring.register(EmptyRolePrefixGrantedAuthorityConfig.class).autowire();
+
+		EmptyRolePrefixGrantedAuthorityConfig.CustomAuthorityService customService = this.spring.getContext()
+				.getBean(EmptyRolePrefixGrantedAuthorityConfig.CustomAuthorityService.class);
+
+		assertThatThrownBy(() -> this.service.securedUser())
+				.isInstanceOf(AccessDeniedException.class);
+
+		customService.emptyPrefixRoleUser();
+		// no exception
+	}
+
+	@EnableGlobalMethodSecurity(securedEnabled = true)
+	static class EmptyRolePrefixGrantedAuthorityConfig {
+		@Bean
+		public GrantedAuthorityDefaults ga() {
+			return new GrantedAuthorityDefaults("");
+		}
+
+		@Bean
+		public CustomAuthorityService service() {
+			return new CustomAuthorityService();
+		}
+
+		@Bean
+		public MethodSecurityServiceImpl methodSecurityService() {
+			return new MethodSecurityServiceImpl();
+		}
+
+		static class CustomAuthorityService {
+			@Secured("USER")
+			public void emptyPrefixRoleUser() {}
+		}
+	}
 }