Hi,
I have a problem when I try to add multiple roles for access to a URL of my application.
I have defined the path and both roles which should have access to the path.
    public void onInit(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();
        builder
            .http()
                .forPath("/web/*")
                    .authorizeWith()
                        .role(ADMIN_ROLE_NAME, USER_ROLE_NAME)   // both roles listed for this path
                    .authenticateWith()
                        .form()
                            .loginPage("/login")
            .build();
    }
If only one role is added in .role(...) it works perfectly, but if I add two or more roles it doesn't work. After debugging I found the problem in the RolePathAuthorizer file. The following shows the method in that file.
    @Override
    protected boolean doAuthorize(PathConfiguration pathConfiguration, HttpServletRequest request, HttpServletResponse response) {
        AuthorizationConfiguration authorizationConfiguration = pathConfiguration.getAuthorizationConfiguration();
        String[] allowedRoles = authorizationConfiguration.getAllowedRoles();
        if (allowedRoles != null) {
            Identity identity = getIdentity();
            for (String roneName : allowedRoles) {
                if (!hasRole(identity, this.partitionManager, roneName)) {
                    return false;   // denies as soon as one listed role is missing
                }
            }
        }
        return true;
    }
Line 12 is IMHO wrong, because if you have 2 roles and the user matches only the 2nd role, the check returns false for the first role, and the 2nd role, which matches for the user, is never checked.
I think inverting the if clause and returning false at the end of the method would solve the problem.
Is this a bug or have I missed something in the configuration?
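The difference the post describes, as an added example that is not part of the original post and not PicketLink's own code: the loop in the quoted doAuthorize grants access only when the identity holds every listed role (AND semantics), while a path configured with .role(ADMIN_ROLE_NAME, USER_ROLE_NAME) is usually meant to admit an identity holding any one of them (OR semantics). The class, method names and the modelling of an identity as a set of granted role names are assumptions made for the example; the real authorizer resolves roles through hasRole(identity, partitionManager, roleName). The null and empty cases are kept exactly as the original method handles them (no restriction configured means access is allowed).

```java
import java.util.Set;

// Added example, not PicketLink code: a stand-in for the role check in RolePathAuthorizer.
// An identity is modelled here as the set of role names it has been granted (constructed
// for the example); the real code would ask hasRole(identity, partitionManager, roleName).
public class RoleAuthorizationDemo {

    /** Mirrors the loop quoted in the post: every listed role must be held (AND semantics). */
    static boolean allRolesRequired(Set<String> grantedRoles, String[] allowedRoles) {
        if (allowedRoles != null) {
            for (String roleName : allowedRoles) {
                if (!grantedRoles.contains(roleName)) {
                    return false;   // first missing role denies; later roles are never checked
                }
            }
        }
        return true;                // null or empty list: no restriction configured
    }

    /** The behaviour expected from .role(ADMIN, USER): any one listed role suffices (OR semantics). */
    static boolean anyRoleSufficient(Set<String> grantedRoles, String[] allowedRoles) {
        if (allowedRoles == null || allowedRoles.length == 0) {
            return true;            // same as the original method: nothing configured, allow
        }
        for (String roleName : allowedRoles) {
            if (grantedRoles.contains(roleName)) {
                return true;        // a single matching role grants access
            }
        }
        return false;               // none of the allowed roles is held: deny at the end
    }

    public static void main(String[] args) {
        // What .role(ADMIN_ROLE_NAME, USER_ROLE_NAME) configures for "/web/*" (constructed names).
        String[] allowed = {"admin", "user"};

        Set<String> userOnly = Set.of("user");          // matches only the second listed role
        Set<String> adminAndUser = Set.of("admin", "user");
        Set<String> guest = Set.of("guest");            // matches neither

        System.out.println("user only   AND=" + allRolesRequired(userOnly, allowed)
                + " OR=" + anyRoleSufficient(userOnly, allowed));
        System.out.println("admin+user  AND=" + allRolesRequired(adminAndUser, allowed)
                + " OR=" + anyRoleSufficient(adminAndUser, allowed));
        System.out.println("guest       AND=" + allRolesRequired(guest, allowed)
                + " OR=" + anyRoleSufficient(guest, allowed));
    }
}
```

Running the main method shows the case from the post: an identity holding only the second role is denied by the AND variant and admitted by the OR variant, while an identity with both roles passes either check and a guest passes neither. Whichever semantics the framework intends, the two should not be silently confused, since a check that requires all listed roles tightens access and a check that accepts any listed role widens it.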