Connected user can't access the page even though he has the expected roles to access it

All connected users have the right roles and authorities, but they can't access the page and get a 403 access denied error. For this user:

    @SuppressWarnings("unchecked")
    public Professor getConnectedProf() {
        Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        String username;
        if (principal instanceof UserDetails) {
            username = ((UserDetails)principal).getUsername();
        } else {
            username = principal.toString();
        }
        Collection<SimpleGrantedAuthority> authorities = (Collection<SimpleGrantedAuthority>) SecurityContextHolder.getContext().getAuthentication().getAuthorities();
        for (SimpleGrantedAuthority simpleGrantedAuthority : authorities) {
            logger.info("the authorité for the current user is = " + simpleGrantedAuthority.getAuthority());
        }

        logger.info("this the username of the connected user : " + username);
        return sp.getProfByMatricule(username);
    }

This returns these values:

18:12:50.097 [http-nio-8080-exec-9] INFO  c.o.m.AppInitializer#148 the authorité for the current user is = ADMIN
18:12:50.098 [http-nio-8080-exec-9] INFO  c.o.m.AppInitializer#148 the authorité for the current user is = DEPCHEF
18:12:50.098 [http-nio-8080-exec-9] INFO  c.o.m.AppInitializer#148 the authorité for the current user is = PROF
18:12:50.098 [http-nio-8080-exec-9] INFO  c.o.m.AppInitializer#148 the authorité for the current user is = USER
18:12:50.099 [http-nio-8080-exec-9] INFO  c.o.m.AppInitializer#151 this the username of the connected user : admin

And my security.xml looks like this:

    <http auto-config="true">
        <intercept-url pattern="/" access="hasRole('PROF')"/>
        <intercept-url pattern="/index" access="hasAnyRole('PROF','ADMIN','DEPCHEF','CHEF')"/>
        <intercept-url pattern="/mission" access="hasAnyRole('ADMIN','USER')"/>
        <intercept-url pattern="/mission/*" access="hasAnyRole('ADMIN','USER')"/>
        <intercept-url pattern="/addMission/*" access="hasRole('PROF')"/>
        
        <form-login login-page="/login" default-target-url="/index" authentication-failure-url="/login?error" username-parameter="username" password-parameter="password"/>
        
        <logout logout-success-url="/login?logout" />
    </http>

And when I try to get /index, I get the 403 access denied error:

HTTP Status 403 – Forbidden
Type Status Report

Message Access is denied

Description The server understood the request but refuses to authorize it.

Apache Tomcat/9.0.36

Answer

hasRole() doesn't seem to work when moving from Spring 3 to Spring 4. Using hasAuthority() worked for me.
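
The question's rules rewritten with exact-match authority checks, as an added example that is not part of the original answer. It relies on the Spring Security 4 behaviour that `hasRole('PROF')` checks for the authority `ROLE_PROF`, while the logged authorities (`ADMIN`, `DEPCHEF`, `PROF`, `USER`) carry no such prefix.

```xml
<!-- Added example, not the poster's configuration.
     hasAuthority / hasAnyAuthority compare the given string to the granted
     authority exactly, so 'PROF' matches the authority "PROF" seen in the log.
     hasRole / hasAnyRole in Spring Security 4 prepend "ROLE_" first, so
     hasRole('PROF') looks for "ROLE_PROF" and every rule below was denying. -->
<http auto-config="true">
    <intercept-url pattern="/" access="hasAuthority('PROF')"/>
    <intercept-url pattern="/index" access="hasAnyAuthority('PROF','ADMIN','DEPCHEF','CHEF')"/>
    <intercept-url pattern="/mission" access="hasAnyAuthority('ADMIN','USER')"/>
    <intercept-url pattern="/mission/*" access="hasAnyAuthority('ADMIN','USER')"/>
    <intercept-url pattern="/addMission/*" access="hasAuthority('PROF')"/>

    <form-login login-page="/login" default-target-url="/index"
                authentication-failure-url="/login?error"
                username-parameter="username" password-parameter="password"/>

    <logout logout-success-url="/login?logout"/>
</http>

<!-- Alternative that keeps the original hasRole(...) rules unchanged:
     have the user-loading code grant prefixed authorities instead, i.e.
     "ROLE_PROF", "ROLE_ADMIN", "ROLE_DEPCHEF", "ROLE_USER".
     Pick one convention and use it in both the rules and the stored
     authorities; mixing prefixed and unprefixed names produces the same 403. -->
```

The logging method from the question is a quick check after either change: the strings it prints must match what the access expressions test for, including the `ROLE_` prefix when `hasRole` is used.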