@PreAuthorize() is not working when I am using customAuthenticationManager

  • #1

    Please bear with me, I am new to Spring. Following is the issue along with the code snippets.

    I am using customAuthenticationManager and setting my controller method with the @PreAuthorize("hasRole('ROLE_USER')") tag, but when I try to access the controller it is directly accessible even though I have no valid role. Following is the code snippet.

    spring-security.xml
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:security="http://www.springframework.org/schema/security"
        xmlns:p="http://www.springframework.org/schema/p"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.0.xsd">

        <security:global-method-security pre-post-annotations="enabled">
            <security:expression-handler ref="expressionHandler" />
        </security:global-method-security>

        <bean id="expressionHandler"
            class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
            <property name="roleHierarchy" ref="roleHierarchy" />
        </bean>

        <security:http auto-config="false" use-expressions="true" access-denied-page="/access-denied.html"
            entry-point-ref="authenticationEntryPoint">
            <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
        </security:http>

        <bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
            p:authenticationManager-ref="customAuthenticationManager"
            p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
            p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" />

        <bean id="customAuthenticationManager" class="com.CustomAuthenticationManager" />

        <bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
            p:defaultFailureUrl="/app/user/role" />

        <bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
            p:defaultTargetUrl="/app/user/role" />

        <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
            p:loginFormUrl="/index.html" />

        <bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
            <property name="hierarchy">
                <value>
                    ROLE_ADMIN
                    ROLE_USER > ROLE_VISITOR
                </value>
            </property>
        </bean>

        <security:authentication-manager />
    </beans>
    web.xml
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>

        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                /WEB-INF/spring-security.xml
                /WEB-INF/mvc-dispatcher-servlet.xml
            </param-value>
        </context-param>

        <servlet>
            <servlet-name>mvc-dispatcher</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <load-on-startup>1</load-on-startup>
        </servlet>

        <servlet-mapping>
            <servlet-name>mvc-dispatcher</servlet-name>
            <url-pattern>/app/*</url-pattern>
        </servlet-mapping>

        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
    </web-app>
    controller.java
    Code:
    package com.controller;

    import org.springframework.security.access.prepost.PreAuthorize;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.bind.annotation.ResponseBody;

    @Controller
    @RequestMapping("/user")
    public class UserController {
        @RequestMapping(value = "/role", method = RequestMethod.GET)
        @PreAuthorize("hasRole('ROLE_USER')")
        public @ResponseBody String getUserRoleData() {
            // Prints the current Authentication (principal and granted authorities)
            System.out.println("My Authorities: " + SecurityContextHolder.getContext().getAuthentication());
            return "{'key':'Test'}";
        }
    }
    It will be a great help if you can help me identify the issue.
    Thanks in advance.

  • #2
    Attaching the Logs
    Debug Logs
    Code:
    2012-05-26 03:10:29,668 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#getFilters(195) - Converted URL to lowercase, from: '/app/user/role'; to: '/app/user/role'
    2012-05-26 03:10:29,668 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#getFilters(202) - Candidate is: '/app/user/role'; pattern is /**; matched=true
    2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(375) - /app/user/role at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.context.HttpSessionSecurityContextRepository#readSecurityContextFromSession(130) - No HttpSession currently exists
    2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.context.HttpSessionSecurityContextRepository#loadContext(88) - No SecurityContext was available from the HttpSession: null. A new one will be created.
    2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(375) - /app/user/role at position 2 of 8 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(375) - /app/user/role at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(375) - /app/user/role at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(375) - /app/user/role at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.authentication.AnonymousAuthenticationFilter#doFilter(67) - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
    2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(375) - /app/user/role at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
    2012-05-26 03:10:29,670 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(375) - /app/user/role at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    2012-05-26 03:10:29,670 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(375) - /app/user/role at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    2012-05-26 03:10:29,670 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource#lookupAttributes(173) - Converted URL to lowercase, from: '/app/user/role'; to: '/app/user/role'
    2012-05-26 03:10:29,670 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.access.intercept.FilterSecurityInterceptor#beforeInvocation(182) - Public object - authentication not attempted
    2012-05-26 03:10:29,670 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(362) - /app/user/role reached end of additional filter chain; proceeding with original chain
    2012-05-26 03:10:29,670 +0530 [] DEBUG [qtp970799122-37] org.springframework.web.servlet.DispatcherServlet#doService(693) - DispatcherServlet with name 'mvc-dispatcher' processing GET request for [testapp/app/user/role]
    2012-05-26 03:10:29,670 +0530 [] DEBUG [qtp970799122-37] org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping#getHandlerInternal(221) - Mapping [/user/role] to HandlerExecutionChain with handler [com.controller.UserController@5bfd9b49] and 2 interceptors
    2012-05-26 03:10:29,671 +0530 [] DEBUG [qtp970799122-37] org.springframework.web.servlet.DispatcherServlet#doDispatch(769) - Last-Modified value for [testapp/app/user/role] is: -1
    2012-05-26 03:10:29,671 +0530 [] DEBUG [qtp970799122-37] org.springframework.web.bind.annotation.support.HandlerMethodInvoker#invokeHandlerMethod(173) - Invoking request handler method: public java.lang.String com.controller.UserController.getUserRoleData()
    2012-05-26 03:10:29,672 +0530 [] DEBUG [qtp970799122-37] org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter#writeWithMessageConverters(981) - Written [/home.html] as "text/html" using [org.springframework.http.converter.StringHttpMessageConverter@1653033e]
    2012-05-26 03:10:29,672 +0530 [] DEBUG [qtp970799122-37] org.springframework.web.servlet.DispatcherServlet#doDispatch(824) - Null ModelAndView returned to DispatcherServlet with name 'mvc-dispatcher': assuming HandlerAdapter completed request handling
    2012-05-26 03:10:29,672 +0530 [] DEBUG [qtp970799122-37] org.springframework.web.servlet.DispatcherServlet#processRequest(674) - Successfully completed request
    2012-05-26 03:10:29,672 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.access.ExceptionTranslationFilter#doFilter(100) - Chain processed normally
    2012-05-26 03:10:29,672 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.context.HttpSessionSecurityContextRepository#saveContext(338) - SecurityContext is empty or anonymous - context will not be stored in HttpSession. 
    2012-05-26 03:10:29,673 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.context.SecurityContextPersistenceFilter#doFilter(89) - SecurityContextHolder now cleared, as request processing completed



    • #3
      Got the solution... this might help someone who is facing similar issues.

      In spring_security.xml, add the mvc annotation before the global annotation:

      Code:
      <!-- requires xmlns:mvc="http://www.springframework.org/schema/mvc" and its schemaLocation on the <beans> element -->
      <mvc:annotation-driven />
      <!-- before we set the global annotation -->
      <security:global-method-security pre-post-annotations="enabled">
          <security:expression-handler ref="expressionHandler" />
      </security:global-method-security>
      and remove the mvc annotation from mvc-dispatcher-servlet.xml.

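      Why the original layout lets the request through, and what an enforced @PreAuthorize looks like, as an added example that is not code from this thread: a JUnit 4 test written for this page. In Spring Security 3.x, <security:global-method-security> registers a bean post-processor that proxies annotated beans of the application context it is declared in; beans created in a child context (the DispatcherServlet's mvc-dispatcher-servlet.xml) are not post-processed by it, so their @PreAuthorize annotations are never enforced. The test builds both layouts from constructed inline XML and checks whether the controller was proxied and whether an anonymous caller is rejected. Assumptions: Spring Security 3.x and cglib on the classpath (UserController has no interface, so a class-based proxy is needed), and the UserController from post #1 in package com.controller, which is the package the log in #2 shows.

```java
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;

import org.junit.After;
import org.junit.Test;
import org.springframework.aop.support.AopUtils;
import org.springframework.context.support.GenericXmlApplicationContext;
import org.springframework.core.io.ByteArrayResource;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

import com.controller.UserController; // controller from post #1; package assumed from the log

/**
 * Added example (not from the thread): method security only proxies beans of
 * the context it is declared in, and a proxied controller really rejects
 * callers without ROLE_USER. Assumes Spring Security 3.x and cglib on the classpath.
 */
public class MethodSecurityContextTest {

    // Constructed inline configuration using the same namespaces as the thread's spring-security.xml.
    private static final String HEAD =
          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<beans xmlns=\"http://www.springframework.org/schema/beans\"\n"
        + "    xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n"
        + "    xmlns:security=\"http://www.springframework.org/schema/security\"\n"
        + "    xsi:schemaLocation=\"http://www.springframework.org/schema/beans\n"
        + "        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd\n"
        + "        http://www.springframework.org/schema/security\n"
        + "        http://www.springframework.org/schema/security/spring-security-3.0.xsd\">\n";

    // <global-method-security> plus the minimal <authentication-manager> the interceptor needs.
    private static final String METHOD_SECURITY =
          "  <security:global-method-security pre-post-annotations=\"enabled\"/>\n"
        + "  <security:authentication-manager>\n"
        + "    <security:authentication-provider>\n"
        + "      <security:user-service>\n"
        + "        <security:user name=\"dummy\" password=\"dummy\" authorities=\"ROLE_USER\"/>\n"
        + "      </security:user-service>\n"
        + "    </security:authentication-provider>\n"
        + "  </security:authentication-manager>\n";

    private static final String CONTROLLER =
          "  <bean id=\"userController\" class=\"com.controller.UserController\"/>\n";

    private static final String TAIL = "</beans>\n";

    // Builds a context from inline XML, optionally as a child of 'parent' (like root vs. servlet context).
    private static GenericXmlApplicationContext context(GenericXmlApplicationContext parent, String body) {
        GenericXmlApplicationContext ctx = new GenericXmlApplicationContext();
        if (parent != null) {
            ctx.setParent(parent);
        }
        ctx.load(new ByteArrayResource((HEAD + body + TAIL).getBytes()));
        ctx.refresh();
        return ctx;
    }

    // The thread's starting layout: method security in the root context, controller in the child.
    @Test
    public void controllerInChildContextIsNotProxiedByParentMethodSecurity() {
        GenericXmlApplicationContext root = context(null, METHOD_SECURITY);
        GenericXmlApplicationContext servlet = context(root, CONTROLLER);
        // The auto-proxy creator is a post-processor of the root bean factory; the child's beans never pass through it.
        assertFalse(AopUtils.isAopProxy(servlet.getBean(UserController.class)));
        servlet.close();
        root.close();
    }

    // Controller and <global-method-security> in the same context: the annotation is enforced.
    @Test
    public void sameContextEnforcesPreAuthorize() {
        GenericXmlApplicationContext servlet = context(null, METHOD_SECURITY + CONTROLLER);
        UserController controller = servlet.getBean(UserController.class);
        assertTrue(AopUtils.isAopProxy(controller));

        // A caller holding ROLE_USER passes hasRole('ROLE_USER').
        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER")));
        controller.getUserRoleData();

        // The anonymous token the log in #2 shows (ROLE_ANONYMOUS only) must be rejected.
        SecurityContextHolder.getContext().setAuthentication(new AnonymousAuthenticationToken(
                "key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")));
        try {
            controller.getUserRoleData();
            fail("expected AccessDeniedException for an anonymous caller");
        } catch (AccessDeniedException expected) {
            // authorization enforced
        }
        servlet.close();
    }

    @After
    public void clearSecurityContext() {
        SecurityContextHolder.clearContext();
    }
}
```

      The log in #2 also shows "Public object - authentication not attempted" from FilterSecurityInterceptor: the <security:http> element in post #1 declares no <intercept-url> rules, so the URL layer accepted the anonymous request and the method annotation was the only control on /app/user/role. Declaring URL rules as well gives a second, independent check that does not depend on which context the controller bean ends up in.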


      • #4
        Thanks Satish.

        This is really, really tricky. I have done the same and it worked.
        Amazingly, I didn't believe it earlier, but it's true!


        Originally posted by satish.bellapu
        Got the solution... this might help someone who is facing similar issues.

        In spring_security.xml, add the mvc annotation before the global annotation:

        Code:
        <!-- requires xmlns:mvc="http://www.springframework.org/schema/mvc" and its schemaLocation on the <beans> element -->
        <mvc:annotation-driven />
        <!-- before we set the global annotation -->
        <security:global-method-security pre-post-annotations="enabled">
            <security:expression-handler ref="expressionHandler" />
        </security:global-method-security>
        and remove the mvc annotation from mvc-dispatcher-servlet.xml.
