
  • Problem with ROLES

    Hi,

    I have a webapp that uses Spring Security (3.1), and I have 3 different roles (ROLE_ADMIN, ROLE_CONS, ROLE_S_CEN)

    When I log in with a user who has the role ROLE_ADMIN, everything works as expected, but when I log in with another user who has the ROLE_CONS role, it doesn't work...

    Here's my security-context.xml

    Code:
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:security="http://www.springframework.org/schema/security"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                               http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

        <!--
            Spring Security 3.1 context for container (J2EE) pre-authentication: the
            servlet container authenticates the user, its roles are mapped to
            GrantedAuthorities, and the URL rules in <security:http> decide access.
        -->

        <!-- Method-level security: enables @PreAuthorize / @PostAuthorize on beans. -->
        <security:global-method-security pre-post-annotations="enabled"/>

        <!--
            Web security. intercept-url rules are evaluated top-down and the first
            matching pattern wins, so the permitAll entries must stay ahead of the
            role-restricted ones.
            NOTE(review): this element declares no
            <security:custom-filter position="PRE_AUTH_FILTER" ref="j2eePreAuthFilter"/>;
            the pre-auth filter is only listed in the separate filterChainProxy bean
            below. Which of the two chains web.xml delegates to decides whether
            pre-authentication and these URL rules both run; verify against web.xml.
        -->
        <security:http auto-config="false"
                       use-expressions="true"
                       entry-point-ref="http403EntryPoint"
                       access-denied-page="/autenticacion/accesodenegado">
            <!-- Public pages -->
            <security:intercept-url pattern="/" access="permitAll"/>
            <security:intercept-url pattern="/403.jsp" access="permitAll"/>
            <!-- Allow non-secure access to static resources -->
            <security:intercept-url pattern="/resources/**" access="permitAll"/>
            <security:intercept-url pattern="/autenticacion/**" access="permitAll"/>
            <!-- Role-dependent URLs -->
            <security:intercept-url pattern="/gestion/facturas/**" access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN','ROLE_CONS')"/>
            <security:intercept-url pattern="/gestion/tarifas/**" access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN','ROLE_CONS')"/>
            <security:intercept-url pattern="/gestion/envios/**" access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN')"/>
            <security:intercept-url pattern="/gestion/perfiles/**" access="hasRole('ROLE_ADMIN')"/>
            <security:intercept-url pattern="/gestion/usuarios/**" access="hasRole('ROLE_ADMIN')"/>
            <security:intercept-url pattern="/consulta/**" access="hasAnyRole('ROLE_CONS','ROLE_ADMIN','ROLE_S_CEN')"/>
            <security:intercept-url pattern="/importacion/**" access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN')"/>
            <!-- Page the logout redirects to -->
            <security:logout logout-success-url="/"/>
        </security:http>

        <!-- Unauthenticated requests to a protected URL get a 403 rather than a redirect
             to a login page. -->
        <bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

        <!--
            Standalone chain that runs only the pre-auth filter on every path.
            NOTE(review): it contains no other filter, so if web.xml delegates to this
            bean rather than to the namespace chain (springSecurityFilterChain) the
            intercept-url rules above are never applied; confirm which bean is wired.
        -->
        <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
            <security:filter-chain-map path-type="ant">
                <security:filter-chain pattern="/**" filters="j2eePreAuthFilter"/>
            </security:filter-chain-map>
        </bean>

        <!-- Single provider: accepts the container-authenticated principal and builds the
             UserDetails from the authorities carried in the authentication details. -->
        <security:authentication-manager alias="authenticationManager">
            <security:authentication-provider ref="preAuthenticatedAuthenticationProvider"/>
        </security:authentication-manager>

        <bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
            <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
        </bean>

        <bean id="preAuthenticatedUserDetailsService" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>

        <!-- Project-specific pre-authentication filter. A request whose pre-authentication
             fails is rejected rather than passed further down the chain. -->
        <bean id="j2eePreAuthFilter" class="es.myapp.security.MyAppUserJ2eePreAuthenticatedProcessingFilter">
            <property name="authenticationManager" ref="authenticationManager"/>
            <property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
            <property name="continueFilterChainOnUnsuccessfulAuthentication" value="false"/>
        </bean>

        <!-- Builds the authentication details from the container roles: the retriever
             selects which role names are candidates, the mapper turns them into authorities. -->
        <bean id="authenticationDetailsSource" class="org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource">
            <property name="mappableRolesRetriever" ref="j2eeMappableRolesRetriever"/>
            <property name="userRoles2GrantedAuthoritiesMapper" ref="j2eeUserRoles2GrantedAuthoritiesMapper"/>
        </bean>

        <!-- NOTE(review): this retriever takes the candidate role names from the
             <security-role> entries of web.xml; a container role not declared there is
             never mapped. Confirm ROLE_CONS is listed there next to ROLE_ADMIN. -->
        <bean id="j2eeMappableRolesRetriever" class="org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever"/>

        <!-- NOTE(review): this mapper prepends attributePrefix to every mapped role name
             that does not already start with it (the library default is "ROLE_"). With
             "test", a container role ROLE_CONS becomes authority testROLE_CONS, which no
             hasRole/hasAnyRole expression above matches; confirm this value is intended. -->
        <bean id="j2eeUserRoles2GrantedAuthoritiesMapper" class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
            <property name="attributePrefix" value="test"/>
        </bean>

    </beans>
    And my menu.jsp

    Code:
    <%@ taglib uri="http://www.springframework.org/tags" prefix="s"%>
    <%@ taglib uri="/WEB-INF/security.tld"  prefix="sec"%>
    <%-- Navigation menu. <sec:authorize> only decides which links are rendered; the
         intercept-url rules in security-context.xml remain the enforcement point, so
         the two should agree on which roles may reach each URL. --%>
    <div class="inner">	
    	<sec:authorize access="isAuthenticated()">
    		<ul id="menu">
    			<li>
    				<%-- NOTE(review): id="padre" is reused on the second top-level entry
    				     below; duplicate ids are invalid HTML and make a #padre selector
    				     ambiguous. Consider a class instead. --%>
    				<a href="#"><span id="padre" class="abierto"><s:message code="menu.conexion.capri"/></span></a>
    				<div class="sub_menu">
    					<ul>
    						<sec:authorize access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN')">
    							<li>
    					  			<a href="<s:url value="/importacion/datos"/>"><span><s:message code="menu.importacion.importarDatos"/></span></a>
    					  		</li>
    				  		</sec:authorize>
    				  		<sec:authorize access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN')">
    					  		<li>
    					  			<a href="<s:url value="/gestion/envios"/>"><span><s:message code="menu.gestion.envios"/></span></a>
    					  		</li>
    				  		</sec:authorize>
    				  		<sec:authorize access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN','ROLE_CONS')">
    					  		<li>
    					  			<a href="<s:url value="/consulta/envios"/>"><span><s:message code="menu.consulta.envios"/></span></a>
    					  		</li>
    				  		</sec:authorize>
    				  		<%-- NOTE(review): security-context.xml grants /gestion/facturas/** to
    				  		     ROLE_CONS as well, but this link is hidden from ROLE_CONS. One of the
    				  		     two is out of date; if ROLE_CONS is meant to use facturas, the
    				  		     expression here should match the one in the config. --%>
    				  		<sec:authorize access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN')">			  		
    					  		<li>
    						  		    <a href="<s:url value="/gestion/facturas"/>"><span><s:message code="menu.gestion.facturas"/></span></a>
    					  		</li>
    				  		</sec:authorize>
    				  		<sec:authorize access="hasAnyRole('ROLE_ADMIN','ROLE_S_CEN','ROLE_CONS')">			  		
    					  		<li>
    					  			<a href="<s:url value="/gestion/tarifas"/>"><span><s:message code="menu.gestion.tarifas"/></span></a>
    					  		</li>
    				  		</sec:authorize>
    				  					  		
    				  		<%-- NOTE(review): this link is not wrapped in <sec:authorize>, yet
    				  		     /gestion/envios/** is restricted to ROLE_ADMIN/ROLE_S_CEN in
    				  		     security-context.xml, so a ROLE_CONS user sees a link that leads to
    				  		     the access-denied page. Confirm whether it should be gated like the
    				  		     /gestion/envios entry above. --%>
    					  		<li>
    					  			<a href="<s:url value="/gestion/envios/verpaginarecibir"/>"><span><s:message code="menu.recibir.envios"/></span></a>
    					  		</li>
    				  			  		
    					</ul>
    				</div>
    			</li>
    			<sec:authorize access="hasRole('ROLE_ADMIN')">
    				<li>
    					<a href="#"><span id="padre" class="abierto"><s:message code="menu.usuarios"/></span></a>
    					<div class="sub_menu">
    						<ul>	  		
    					  		<%-- The two inner hasRole('ROLE_ADMIN') checks repeat the enclosing
    					  		     one and are redundant; harmless, but they can be dropped. --%>
    					  		<sec:authorize access="hasRole('ROLE_ADMIN')">			  		
    						  		<li>
    						  			<a href="<s:url value="/gestion/usuarios"/>"><span><s:message code="menu.gestion.usuarios"/></span></a>
    						  		</li>
    					  		</sec:authorize>
    					  		<sec:authorize access="hasRole('ROLE_ADMIN')">				  		
    						  		<li>
    						  			<a href="<s:url value="/gestion/perfiles"/>"><span><s:message code="menu.gestion.perfiles"/></span></a>
    						  		</li>			  		
    					  		</sec:authorize>	
    				  		</ul>
    				  	</div>					  		
    				</li>		
    			</sec:authorize>
    		</ul>	
    	</sec:authorize>
    </div>
    When I log in with the user that has the ROLE_CONS role, I'm only allowed to see the pages and URLs with no security, but not those which ROLE_CONS is allowed to see...

    I have already checked that the user is properly authenticated and has ROLE_CONS as an authority...

    Any ideas?