Announcement Announcement Module
Collapse
No announcement yet.
Authorization without authentication part 2 Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Authorization without authentication part 2

    Hello everyone,

    In my previous post I asked for authorization without authentication in spring security, I'm still working on that, I tried to understand the way to use it because in my particular case I'm using an external service for authentication. So, I need to solve the authorization process.

    I did a proof of concept in order to implement this according to my understanding, this was after reading the documentation involved. The point is that this is not working as expected, let me share this example with you:

    Security settings
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:security="http://www.springframework.org/schema/security"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans
              http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
              http://www.springframework.org/schema/security
              http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
    	<security:http use-expressions="true" entry-point-ref="http403ForbiddenEntryPoint">
    		<security:anonymous enabled="false" />
    		<security:intercept-url pattern="index.jsp" access="permitAll" />
    		<security:intercept-url pattern="home.html" access="hasRole('ROLE_ADMIN')" />
    		<security:intercept-url pattern="excel.html" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
    		<security:intercept-url pattern="denied.jsp" access="permitAll" />
    		<security:custom-filter position="PRE_AUTH_FILTER" ref="meivFilter" />
    	</security:http>
    
    	<bean id="http403ForbiddenEntryPoint"
    		class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
    
    	<bean id="meivFilter"
    		class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    		<property name="principalRequestHeader" value="Host" />
    		<property name="authenticationManager" ref="authenticationManager" />
    	</bean>
    
    	<bean id="preauthAuthProvider"
    	class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    		<property name="preAuthenticatedUserDetailsService">
    			<bean id="userDetailsServiceWrapper"
    				class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
    				<property name="userDetailsService" ref="userDetailsService" />
    			</bean>
    		</property>
    	</bean>
    
    	<security:authentication-manager alias="authenticationManager">
    		<security:authentication-provider
    			ref="preauthAuthProvider" />
    	</security:authentication-manager>
    
    	<bean id="userDetailsService" class="com.gm.gpsc.meiv.security.UserServiceImpl" />
    
    </beans>
    In order to test it, as you can see, I use in RequestHeaderAuthenticationFilter as principalRequestHeader attribute, Host header value which is present as default header value. Just for testing. Because in the future I would read a value from the header.

    This is the userDetailService I did in ordet to get user roles.
    Code:
    public class UserServiceImpl implements UserDetailsService {
    	
    	private boolean accountNonExpired = true;
    	private boolean accountNonLocked = true;
    	private boolean credentialsNonExpired = true;
    	private boolean enabled = true;
    	
    	@Override
    	public UserDetails loadUserByUsername(String userId)
    			throws UsernameNotFoundException {
    		 GrantedAuthority[] grantedAuthority = new GrantedAuthority[1];  
    		 grantedAuthority[0] = new GrantedAuthorityImpl("ROLE_USER");
    		 Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(); 
    		 authorities.add(grantedAuthority[0]);
    	    
    	    return new User(userId, "x",enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);   		
    	}
    
    }
    When I run this example the settings are loaded successfully, then when I try to reach the first pattern, home.html, I can reach that page which is wrong, because according to my rule I have ROLE_USER and as you can see above I need ROLE_ADMIN.

    For the second pattern I could get access too but in that case it makes sense because ROLE_USER is include as rule.

    For the first situation I change home.html for /home.html and I got 403 Access denied. But If I use the same pattern for the second option excel, it means /excel.html, I get the same error (403).

    I don't understand what's going on here, maybe someone can explain me where I'm wrong.

    I'd appreciate your help because I am so confused with this and tired of reading the documentation without getting anywhere.

    Thanks in advance,

    Luis.

  • #2
    Gets your UserDetailsService ever called?

    Comment


    • #3
      Hello,

      Thanks for replying, Finally I get it works but I have a doubt. I realized something else, this is regarding principalRequestHeader attribute, in RequestHeaderAuthenticationFilter class, when we define it in order to get a value from the header. The point is, when I deploy my application, when the context is loading, this is looking for that attribute (principalRequestHeader) and I get org.springframework.security.web.authentication.pr eauth.PreAuthenticatedCredenti​alsNotFoundExceptio n: USER_ID header not found in request. Why it is reading the header in that moment? Why do I get this error? I mean, the authentication is not performed yet, how should it work? According to my understanding this should be verified when a request is sent by the external authentication service after login.

      Any clue about it will be appreciated.

      Regards,

      Luis.

      Comment


      • #4
        The stacktrace of the exception must give you a hint, which component triggers the request.
        Use a debugger,

        Comment

        Working...
        X