  • roles checking never triggered

    Hi all,

    I'm facing a weird behaviour.

    My application checks identity but doesn't check roles. Ever had an example like that?

    Here is my config:

    web.xml
    Code:
    	<filter>
    		<filter-name>authenticationFilter</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    	</filter>
    	<servlet>
    		<servlet-name>jerseyspring</servlet-name>
    		<servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
    		<init-param>
    			<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
    			<param-value>true</param-value>
    		</init-param>
    		<load-on-startup>1</load-on-startup>
    	</servlet>
    	<servlet-mapping>
    		<servlet-name>jerseyspring</servlet-name>
    		<url-pattern>/*</url-pattern>
    	</servlet-mapping>
    	<filter-mapping>
    		<filter-name>authenticationFilter</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    servlet.xml
    Code:
        <bean id="authenticationFilter"
              class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
              <property name="authenticationManager" ref="authenticationManager"/>
              <property name="authenticationEntryPoint" ref="defaultEntryPoint"/>
        </bean>
    
        <sec:http entry-point-ref="defaultEntryPoint" auto-config="true" realm="diveintojee.org">
    		<sec:http-basic/>
    		<sec:intercept-url pattern="/**/protected" access="ROLE_ADMIN" />
    		<sec:access-denied-handler ref="defaultAccessDeniedHandler" />
        </sec:http>
    
    	<sec:authentication-manager alias="authenticationManager">
    		<sec:authentication-provider>
    			<sec:user-service>
    				<sec:user name="bob" password="bob" authorities="ROLE_USER" />
    				<sec:user name="visitor" password="visitor" authorities="ROLE_USER,ROLE_ADMIN" />
    			</sec:user-service>
    		</sec:authentication-provider>
    	</sec:authentication-manager>
    protected resource
    Code:
    	@GET
    	@Path("/protected")
    	@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
    	public Response returnProtectedResource() throws Throwable {
    
    		final Advert criteria = new Advert();
    
    		// very important phone number !!!!!
    		criteria.setPhoneNumber("0033606060606");
    
    		final List<Advert> results = this.facade.findAdvertsByCriteria(criteria);
    
    		final GenericEntity<List<Advert>> entity = new GenericEntity<List<Advert>>(results) {
    		};
    
    		if (CollectionUtils.isEmpty(results)) AdvertController.LOGGER.info("No results found");
    
    		return Response.ok(entity).build();
    
    	}
    When I send a GET request to URI /advert/protected with basic auth "bob:anything" I get an HTTP 401 (which is correct).
    When I send a GET request to URI /advert/protected with basic auth "bob:bob" I get an HTTP 200 (which is totally wrong, as bob doesn't have the ROLE_ADMIN authority).

    Last, the logs:
    Code:
    DEBUG [...] org.springframework.security.web.authentication.www.BasicAuthenticationFilter - Basic Authentication Authorization header found for user 'bob'
    DEBUG [...] org.springframework.security.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
    DEBUG [...] org.springframework.security.web.authentication.www.BasicAuthenticationFilter - Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@[...]: Principal: org.springframework.security.core.userdetails.User@[...]: Username: bob; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@[...]: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_USER
    INFO [...] org.diveintojee.poc.web.AdvertController - No results found
    Any help would be much appreciated, because I'm really stuck; I can't figure out where my mistake is.

    Thx,

    Louis GUEYE
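Editor's note, added example (not code from the post above nor from the jbehave-poc project): a web.xml filter registration that delegates to the `springSecurityFilterChain` bean, which is the bean name the `<sec:http>` element registers in Spring Security 3.x, instead of to a single `BasicAuthenticationFilter` bean. The chain built by `<sec:http>` contains the `BasicAuthenticationFilter` (authentication) followed by the `FilterSecurityInterceptor`, which is the filter that evaluates `<sec:intercept-url access="ROLE_ADMIN">`; a request that passes only through a stand-alone `BasicAuthenticationFilter` is authenticated but never authorized, which matches a log that shows "Authentication success" for bob and nothing from the security interceptor. The `ContextLoaderListener` and the `/WEB-INF/servlet.xml` path are assumptions (the thread does not show how the Spring context is bootstrapped); `DelegatingFilterProxy` looks the bean up in the root web application context by default.

```xml
<!-- web.xml fragment (added example). The listener and the contextConfigLocation
     value are assumptions: the thread does not show how the context is loaded. -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <!-- placeholder path: the file that holds the <sec:http> and
         <sec:authentication-manager> elements -->
    <param-value>/WEB-INF/servlet.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- Delegate to the complete Spring Security filter chain. "springSecurityFilterChain"
     is the bean that <sec:http> registers; it runs BasicAuthenticationFilter
     (authentication) and then FilterSecurityInterceptor (authorization), which is
     where <sec:intercept-url pattern="/**/protected" access="ROLE_ADMIN"/> is enforced.
     Mapping only a stand-alone BasicAuthenticationFilter bean authenticates the caller
     but never reaches the authorization step. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

With this mapping the separate `authenticationFilter` bean and its own `<filter>`/`<filter-mapping>` entries are redundant, since `<sec:http-basic/>` already adds a `BasicAuthenticationFilter` to the chain. The check that the authorization step now runs: with `bob:bob` the DEBUG log should contain a line from the security interceptor of the form "Secure object: FilterInvocation: URL: /advert/protected; Attributes: [ROLE_ADMIN]", and the response should be the 403 produced by the configured access-denied handler rather than a 200.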

  • #2
    Can you show your "defaultAccessDeniedHandler" code?



    • #3
      Originally posted by rohan123:
      can you show your "defaultAccessDeniedHandler" code?
      Hi rohan, thanks for replying! Here is my code:

      Code:
      import java.io.IOException;
      
      import javax.servlet.ServletException;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      
      import org.springframework.beans.factory.annotation.Autowired;
      import org.springframework.security.access.AccessDeniedException;
      import org.springframework.security.web.access.AccessDeniedHandler;
      import org.springframework.stereotype.Component;
      
      @Component(AccessDeniedHandlerImpl.BEAN_ID)
      public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
      
          public static final String BEAN_ID = "defaultAccessDeniedHandler";
      
          @Autowired
          private ExceptionConverter exceptionConverter;
      
          /**
           * Translates the AccessDeniedException into an HTTP status and message via the ExceptionConverter.
           *
           * @see org.springframework.security.web.access.AccessDeniedHandler#handle(javax.servlet.http.HttpServletRequest,
           *      javax.servlet.http.HttpServletResponse, org.springframework.security.access.AccessDeniedException)
           */
          @Override
          public void handle(final HttpServletRequest request, final HttpServletResponse response,
                  final AccessDeniedException accessDeniedException) throws IOException, ServletException {
              response.sendError(exceptionConverter.resolveHttpStatus(accessDeniedException),
                  exceptionConverter.resolveMesage(request, accessDeniedException));
          }
      
      }
      And the relevant ExceptionConverter part:
      Code:
          /**
           * Maps a throwable to the HTTP status code that should be sent to the client.
           *
           * @param th the throwable to map; null means no error
           * @return the HTTP status code
           */
          public int resolveHttpStatus(final Throwable th) {
              if (th == null)
                  return HttpServletResponse.SC_OK;
              // th.printStackTrace();
              if (th instanceof NotFoundException)
                  return HttpServletResponse.SC_NOT_FOUND;
              if (th instanceof AuthenticationException)
                  return HttpServletResponse.SC_UNAUTHORIZED;
              if (th instanceof AccessDeniedException)
                  return HttpServletResponse.SC_FORBIDDEN;
              if (th instanceof IllegalArgumentException || th instanceof ValidationException
                  || th instanceof BusinessException)
                  return HttpServletResponse.SC_BAD_REQUEST;
              if (th instanceof IllegalStateException)
                  return HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
              if (th instanceof WebApplicationException && ((WebApplicationException) th).getResponse() != null)
                  return ((WebApplicationException) th).getResponse().getStatus();
              return HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
          }
      If you'd rather navigate the complete source code, you can browse it on GitHub: https://github.com/lgueye/jbehave-poc.
      You can run the code with:
      Code:
      mvn clean install -Pembedded

      Regards,

      Louis.
      Last edited by [email protected]; Dec 12th, 2011, 01:01 PM.



      • #4
        Change your component scan path to jbehave, your handler is in web so



        • #5
          Originally posted by rohan123:
          Change your component scan path to jbehave, your handler is in web so
          My handler is in web and I scan web. The factory finds it; otherwise it would fail creating a context at runtime, and it doesn't.
          It just doesn't invoke the code where it should check bob's authorities. It returns an HTTP 200 status. To it, everything is fine.
