Announcement Announcement Module
Collapse
No announcement yet.
403 error even though user is authenticated Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • 403 error even though user is authenticated

    When using a jdbc-user-service i am getting a 403 error after logging in with good credentials. Yet when attempting to log in with bad credentials i am shown my loginfailed page (which is what we want).

    i tested the http block in my security-context by using the generic user-service and it worked fine.

    Please help me understand what is wrong and how to fix it. Also please explain what clues brought you to your conclusion.

    i am including my code.
    sql (authority table) :
    Code:
    -- ----------------------------
    -- Table structure for `authorities`
    -- ----------------------------
    DROP TABLE IF EXISTS `authorities`;
    CREATE TABLE `authorities` (
      `client_email_address` varchar(60) NOT NULL,
      `authority` varchar(50) NOT NULL
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
    customer table
    Code:
    SET FOREIGN_KEY_CHECKS=0;
    
    -- ----------------------------
    -- Table structure for `customer`
    -- ----------------------------
    DROP TABLE IF EXISTS `customer`;
    CREATE TABLE `customer` (
      `client_id` int(7) unsigned NOT NULL AUTO_INCREMENT,
      `client_name_first` varchar(40) NOT NULL,
      `client_name_last` varchar(40) NOT NULL,
      `client_name_middle_initial` char(1) DEFAULT NULL,
      `client_phone_home` varchar(14) DEFAULT NULL,
      `client_phone_cell` varchar(14) DEFAULT NULL,
      `client_addr_shipping_line_one` varchar(80) NOT NULL,
      `client_addr_shipping_line_two` varchar(80) DEFAULT NULL,
      `client_addr_shipping_city` varchar(30) NOT NULL,
      `client_addr_shipping_state` char(2) NOT NULL,
      `client_addr_shipping_zip` char(5) NOT NULL,
      `client_addr_shipping_country_code` char(2) NOT NULL DEFAULT 'US',
      `client_addr_billing_line_one` varchar(80) NOT NULL,
      `client_addr_billing_line_two` varchar(80) DEFAULT NULL,
      `client_addr_billing_city` varchar(30) NOT NULL,
      `client_addr_billing_state` char(2) NOT NULL,
      `client_addr_billing_zip` char(5) NOT NULL,
      `client_addr_billing_country_code` char(2) NOT NULL DEFAULT 'US',
      `client_status_code` smallint(1) unsigned NOT NULL DEFAULT '0',
      `client_date_created` date NOT NULL,
      `client_email_address` varchar(60) NOT NULL,
      `client_password` varchar(16) NOT NULL,
      `enabled` tinyint(1) NOT NULL,
      PRIMARY KEY (`client_id`,`client_email_address`),
      UNIQUE KEY `idx_clientEmail` (`client_email_address`) USING BTREE
    ) ENGINE=InnoDB AUTO_INCREMENT=9 DEFAULT CHARSET=latin1;
    my security context is
    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans" 
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans
    	http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    	http://www.springframework.org/schema/security
    	http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
        <http auto-config="true">
                <intercept-url pattern="/members/*" access="ROLE_ADMIN" />
                <form-login login-page="/login.xhtml" authentication-failure-url="/loginfailed.xhtml" />
        </http>
        
        <authentication-manager>
            <authentication-provider>
                <jdbc-user-service data-source-ref="mysqlDataSource" 
    		   users-by-username-query="
    		      select client_email_address, client_password, enabled  
    		      from customer where client_email_address=?"  
    		   authorities-by-username-query="
    		      select au.authority, c.client_email_address
                          from customer c, authorities au 
    		      where au.client_email_address = c.client_email_address and c.client_email_address  =?"             
                />            
            </authentication-provider>
        </authentication-manager>
    
    
    <!-- ================ OLD WAY ================================================== 
        <authentication-manager>
                <authentication-provider>
                        <user-service>
                                <user name="rexryan" password="jets" authorities="ROLE_ADMIN" />
                                <user name="djeter" password="17684514" authorities="ROLE_ADMIN" />
                        </user-service>
                </authentication-provider>
        </authentication-manager>
    -->
    </beans:beans>
    my authentication bean
    Code:
    package security;
    
    import java.io.IOException;
    import javax.enterprise.context.RequestScoped;
    import javax.faces.context.ExternalContext;
    import javax.faces.context.FacesContext;
    import javax.inject.Named;
    import javax.servlet.RequestDispatcher;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    
    @Named
    @RequestScoped
    public class AuthenticationBean {
        
        public String doLogin() throws IOException, ServletException{
            ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
            RequestDispatcher dispatcher = ((ServletRequest) context.getRequest()).getRequestDispatcher("/j_spring_security_check");
            dispatcher.forward((ServletRequest) context.getRequest(), (ServletResponse) context.getResponse());
            FacesContext.getCurrentInstance().responseComplete();        
            return null;        
        }
    
        public String doLogout() {
            FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
            return "/logout.xhtml";
        }    
    }
    i will attach my shortened log file below...

  • #2
    here is my shortened log file (i hope i pulled the helpful info)
    Code:
    INFO: [31/03/12 04:04:43:043 EDT] DEBUG context.SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed
    INFO: [31/03/12 04:04:43:043 EDT] DEBUG intercept.FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /members/index.xhtml; Attributes: [ROLE_ADMIN]
    INFO: [31/03/12 04:04:43:043 EDT] DEBUG intercept.FilterSecurityInterceptor: Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@ffff6aba: Principal: org.springframework.security.core.userdetails.User@ac78c08f: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: [email protected]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: a5bf43173b732a74bdeac9279de2; Granted Authorities: [email protected]
    INFO: [31/03/12 04:04:43:043 EDT] DEBUG vote.AffirmativeBased: Voter: org.springframework.security.access.vote.RoleVoter@44392c06, returned: -1
    INFO: [31/03/12 04:04:43:043 EDT] DEBUG vote.AffirmativeBased: Voter: [email protected]e8, returned: 0
    INFO: [31/03/12 04:04:43:043 EDT] DEBUG access.ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
    org.springframework.security.access.AccessDeniedException: Access is denied
    	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
    	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:205)
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:114)
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
    	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:217)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:279)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    	at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
    	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
    	at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
    	at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
    	at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
    	at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849)
    	at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746)
    	at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045)
    	at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228)
    	at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
    	at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
    	at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
    	at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
    	at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
    	at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
    	at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
    	at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
    	at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
    	at java.lang.Thread.run(Thread.java:662)
    INFO: [31/03/12 04:04:43:043 EDT] DEBUG context.SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed

    Comment

    Working...
    X