LDAP SwitchUserFilter: Access denied due to single ROLE_PREVIOUS_ADMINISTRATOR

  • LDAP SwitchUserFilter: Access denied due to single ROLE_PREVIOUS_ADMINISTRATOR

    Hello,

    I have a Spring project which uses LDAP for authentication and authorization. We want to provide an impersonation capability (simulating another user), which makes testing easier. Instead of writing my own custom filter I wanted to use the Spring-provided SwitchUserFilter, so I configured it as below (showing just the new lines I added to my current project):

    Spring Security XML configuration:
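    <!-- UserDetailsService used by SwitchUserFilter to load the *target* of an impersonation.
         NOTE(review): only the single-argument constructor is used, so no LdapAuthoritiesPopulator
         is wired in here; presumably that is why the switched-in principal carries no LDAP group
         roles (the log below shows ROLE_PREVIOUS_ADMINISTRATOR as its sole authority). -->
    <beans:bean id="ldapUserDetailsService"
                class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
        <beans:constructor-arg><beans:ref bean="ldapUserSearch"/></beans:constructor-arg>
        <!-- customUserDetailsContextMapper is defined elsewhere in the project. -->
        <beans:property name="userDetailsMapper" ref="customUserDetailsContextMapper"/>
    </beans:bean>

    <!-- Locates a user entry under ou=people by e-mail address. {0} is the username submitted to
         the switch URL, i.e. attacker-controllable by anyone who can reach that URL. -->
    <beans:bean id="ldapUserSearch"
                class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <beans:constructor-arg type="String"><beans:value>ou=people,o=nestorurquiza</beans:value></beans:constructor-arg>
        <beans:constructor-arg type="String"><beans:value>mail={0}</beans:value></beans:constructor-arg>
        <beans:constructor-arg><beans:ref bean="ldapContextSource"/></beans:constructor-arg>
    </beans:bean>

    <!-- Impersonation ("switch user") filter.
         1. switchUserUrl and exitUserUrl both live under /admin/**, so the intercept-url rules
            below are what protect them; the filter is registered after FILTER_SECURITY_INTERCEPTOR
            so those rules are evaluated before a switch is attempted.
         2. The switch is triggered by a plain GET carrying a j_username parameter (see the URL
            in the post). Unless the application has its own CSRF defence, any page an admin
            visits can make that request on the admin's behalf; restricting the switch to POST
            is worth considering.
         3. Impersonation should be audited (who switched to whom, and when); the filter does not
            log that on its own in this configuration. -->
    <beans:bean id="switchUserProcessingFilter"
                class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
        <beans:property name="userDetailsService" ref="ldapUserDetailsService"/>
        <beans:property name="switchUserUrl" value="/admin/switchUser"/>
        <beans:property name="exitUserUrl" value="/admin/switchUserExit"/>
        <beans:property name="targetUrl" value="/login"/>
    </beans:bean>

    <custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="switchUserProcessingFilter"/>

    <!-- Rules are matched in order, so the most specific one comes first.
         Once switched, the principal holds the target user's roles plus
         ROLE_PREVIOUS_ADMINISTRATOR, not ROLE_ADMIN (unless the target happens to be an admin),
         so the exit URL must be reachable with that role or the impersonator cannot switch back. -->
    <intercept-url pattern="/admin/switchUserExit" access="hasRole('ROLE_PREVIOUS_ADMINISTRATOR')"/>
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>

    <!-- Service account used for the user search and the group lookup. The credentials come from
         externalised properties; keep ldap.password out of source control.
         ldapContextSource is declared exactly once: duplicate bean ids within one <beans> element
         are rejected when the context is loaded. -->
    <beans:bean id="ldapContextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <beans:property name="url" value="${ldap.url}"/>
        <beans:property name="userDn" value="${ldap.userDn}"/>
        <beans:property name="password" value="${ldap.password}"/>
    </beans:bean>

    <!-- Authentication for real logins: bind as the user (DN built from the e-mail pattern), then
         load roles from the groups under ou=groups using DefaultLdapAuthoritiesPopulator's defaults.
         NOTE(review): the populator is defined inline, so it is not shared with
         ldapUserDetailsService above; a login and an impersonation of the same user can therefore
         end up with different authorities. -->
    <beans:bean id="ldapAuthProvider"
                class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="ldapContextSource"/>
                <beans:property name="userDnPatterns">
                    <beans:list><beans:value>mail={0},ou=people,o=nestorurquiza</beans:value></beans:list>
                </beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="ldapContextSource"/>
                <beans:constructor-arg value="ou=groups,o=nestorurquiza"/>
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>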
    I then log in as an admin and go to the URL /admin/switchUser?j_username=&lt;target user's e-mail address&gt;. From the log traces it is clear that the user is switched, but the roles are apparently not updated: the only one showing up is ROLE_PREVIOUS_ADMINISTRATOR, resulting in an "access denied" error. Any ideas why?

    2011-11-01 11:21:37,714 DEBUG [org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl] - 127.0.0.1 CA1F20B7B07AB5F50630B3C176C342FD getReachableGrantedAuthorities() - From the roles [ROLE_PREVIOUS_ADMINISTRATOR] one can reach [ROLE_PREVIOUS_ADMINISTRATOR] in zero or more steps.
    2011-11-01 11:21:37,715 DEBUG [org.springframework.security.access.vote.AffirmativeBased] - 127.0.0.1 CA1F20B7B07AB5F50630B3C176C342FD Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6744b491, returned: -1
    2011-11-01 11:21:37,715 DEBUG [org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator] - 127.0.0.1 CA1F20B7B07AB5F50630B3C176C342FD FilterInvocation: URL: /admin/home denied for org.springframework.security.authentication.UsernamePasswordAuthenticationToken@90033f5d: Principal: com.nestorurquiza.security.LdapUserDetails@798f7df; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: CA1F20B7B07AB5F50630B3C176C342FD; Granted Authorities: ROLE_PREVIOUS_ADMINISTRATOR
    org.springframework.security.access.AccessDeniedException: Access is denied
    Thanks,
    -Nestor

  • #2
    I solved this. The reason for the failure was that we use uniquemember rather than the default member attribute for group membership, so the groupSearchFilter property had to be set. Note also that, compared with the first configuration, the LdapUserDetailsService now takes an explicit ldapAuthoritiesPopulator as its second constructor argument (the same bean the LdapAuthenticationProvider uses); without a populator the switched-in user gets no LDAP group roles at all, which explains why only ROLE_PREVIOUS_ADMINISTRATOR was showing. Here are the bits working for me; hopefully they will help others:

    Spring Security XML configuration:
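    <!-- UserDetailsService used by SwitchUserFilter to load the impersonation target.
         Unlike the first attempt, the shared ldapAuthoritiesPopulator is passed as the second
         constructor argument, so the switched-in principal receives the target's LDAP group roles
         (plus ROLE_PREVIOUS_ADMINISTRATOR, which the filter adds so the admin can switch back). -->
    <beans:bean id="ldapUserDetailsService"
                class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
        <beans:constructor-arg><beans:ref bean="ldapUserSearch"/></beans:constructor-arg>
        <beans:constructor-arg><beans:ref bean="ldapAuthoritiesPopulator"/></beans:constructor-arg>
        <!-- customUserDetailsContextMapper is defined elsewhere in the project. -->
        <beans:property name="userDetailsMapper" ref="customUserDetailsContextMapper"/>
    </beans:bean>

    <!-- Locates a user entry under ou=people by e-mail address. {0} is the username submitted to
         the switch URL, so it is user-supplied input. -->
    <beans:bean id="ldapUserSearch"
                class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <beans:constructor-arg type="String"><beans:value>ou=people,o=nestorurquiza</beans:value></beans:constructor-arg>
        <beans:constructor-arg type="String"><beans:value>mail={0}</beans:value></beans:constructor-arg>
        <beans:constructor-arg><beans:ref bean="ldapContextSource"/></beans:constructor-arg>
    </beans:bean>

    <!-- Impersonation ("switch user") filter.
         1. Both URLs live under /admin/**, which the first post protects with hasRole('ROLE_ADMIN').
            After the switch the principal no longer holds ROLE_ADMIN (unless the target is an
            admin), so add a more specific rule ahead of it, e.g.
            <intercept-url pattern="/admin/switchUserExit" access="hasRole('ROLE_PREVIOUS_ADMINISTRATOR')"/>
            or the impersonator cannot switch back.
         2. The switch is triggered by a GET with a j_username parameter; without a CSRF defence
            any page an admin visits can trigger it. Consider restricting the switch to POST.
         3. Impersonation should be audited (who switched to whom, and when). -->
    <beans:bean id="switchUserProcessingFilter"
                class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
        <beans:property name="userDetailsService" ref="ldapUserDetailsService"/>
        <beans:property name="switchUserUrl" value="/admin/switchUser"/>
        <beans:property name="exitUserUrl" value="/admin/switchUserExit"/>
        <beans:property name="targetUrl" value="/login"/>
    </beans:bean>

    <!-- Authentication for real logins: bind as the user (DN built from the e-mail pattern), then
         resolve roles through the same populator the switch-user path uses, so a login and an
         impersonation of the same account yield the same authorities.
         ldapContextSource is defined as in the first post (not repeated here). -->
    <beans:bean id="ldapAuthProvider"
                class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="ldapContextSource"/>
                <beans:property name="userDnPatterns">
                    <beans:list><beans:value>mail={0},ou=people,o=nestorurquiza</beans:value></beans:list>
                </beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg ref="ldapAuthoritiesPopulator"/>
    </beans:bean>

    <!-- Group-to-role resolution, shared by the login provider and the switch-user service.
         groupSearchFilter overrides the default "member" attribute because this directory stores
         membership in uniquemember. {0} is expected to be substituted with the user's full DN,
         so this assumes group entries hold member DNs (confirm against the directory schema). -->
    <beans:bean id="ldapAuthoritiesPopulator"
                class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="ldapContextSource"/>
        <beans:constructor-arg value="ou=groups,o=nestorurquiza"/>
        <beans:property name="groupSearchFilter" value="uniquemember={0}"/>
    </beans:bean>

    <!-- Registered after FILTER_SECURITY_INTERCEPTOR so the intercept-url rules are enforced on
         the switch and exit URLs before the filter acts on them. -->
    <custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="switchUserProcessingFilter"/>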
