Announcement Announcement Module
Collapse
No announcement yet.
Annotation PreAuthorize is not working properly. Tutorial spring security + jsf Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Annotation PreAuthorize is not working properly. Tutorial spring security + jsf

    Hi,

    I modified spring security tutorial for use java server faces and xhtml pages.
    I have the next problem:

    class: bigbank.BankService
    problem: @PreAuthorize(...) is not working propertly. When you login with any role and enter on listAccounts.xhtml page, clic on any operation, always obtain 403 Error.
    url netbeans project on DropBox to dowload: https://dl.dropbox.com/u/80642164/Tu...g-security.zip

    Code:
    public interface BankService {
    
        public Account readAccount(Long id);
    
        public Account[] findAccounts();
    
        @PreAuthorize(
                "hasRole('ROLE_SUPERVISOR') or " +
                "hasRole('ROLE_TELLER') and (#account.balance + #amount >= -#account.overdraft)" )
        public Account post(Account account, double amount);
    }
    console output:

    Code:
    [...]
    Advertencia: #{postAccounts2.post}: org.springframework.security.access.AccessDeniedException: Access is denied
    javax.faces.FacesException: #{postAccounts2.post}: org.springframework.security.access.AccessDeniedException: Access is denied
    	at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:118)
    	at org.springframework.faces.webflow.FlowActionListener.processAction(FlowActionListener.java:71)
    	at org.springframework.faces.model.SelectionTrackingActionListener.processAction(SelectionTrackingActionListener.java:55)
    	at javax.faces.component.UICommand.broadcast(UICommand.java:315)
    	at javax.faces.component.UIData.broadcast(UIData.java:1093)
    [...]
    Información: 13:18:53.466 [http-thread-pool-8080(3)] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
    org.springframework.security.access.AccessDeniedException: Access is denied
    	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) ~[spring-security-core-3.1.3.RELEASE.jar:3.1.3.RELEASE]
    [...]
    Other files:

    /WEB-INF/applicationContext-security.xml
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans:beans xmlns="http://www.springframework.org/schema/security"
                 xmlns:beans="http://www.springframework.org/schema/beans"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
        <debug />
        <global-method-security pre-post-annotations="enabled" />
    
        <http pattern="/resources/**" security="none"/>
        <http pattern="/loggedout.xhtml" security="none"/>
        <http pattern="/timeout.xhtml" security="none"/>
    
        <http use-expressions="true">
            <intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')"/>
            <intercept-url pattern="/secure/**" access="isAuthenticated()" />
            <!--
               Allow all other requests. In a real application you should
               adopt a whitelisting approach where access is not allowed by default
            -->
            <intercept-url pattern="/**" access="permitAll" />
            <form-login />
            <logout logout-success-url="/loggedout.xhtml" delete-cookies="JSESSIONID"/>
            <remember-me />
            <!--
                Uncomment to enable X509 client authentication support
                    <x509 />
            -->
            <!-- Uncomment to limit the number of sessions a user can have -->
            <session-management invalid-session-url="/timeout.xhtml">
                <!--<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />-->
            </session-management>
    
        </http>
    
        <!--
        Usernames/Passwords are
            rod/koala
            dianne/emu
            scott/wombat
            peter/opal
        -->
        <beans:bean id="encoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"/>
    
        <authentication-manager>
            <authentication-provider>
                <password-encoder ref="encoder"/>
                <user-service>
                    <user name="rod" password="4efe081594ce25ee4efd9f7067f7f678a347bccf2de201f3adf2a3eb544850b465b4e51cdc3fcdde" authorities="supervisor, user, teller" />
                    <user name="dianne" password="957ea522524a41cbfb649a3e293d56268f840fd5b661b499b07858bc020d6d223f912e3ab303b00f" authorities="user,teller" />
                    <user name="scott" password="fb1f9e48058d30dc21c35ab4cf895e2a80f2f03fac549b51be637196dfb6b2b7276a89c65e38b7a1" authorities="user" />
                    <user name="peter" password="e175750688deee19d7179d444bfaf92129f4eea8b4503d83eb8f92a7dd9cda5fbae73638c913e420" authorities="user" />
                </user-service>
            </authentication-provider>
        </authentication-manager>
    
    </beans:beans>
    /WEB-INF/applicationContext-business.xml

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:security="http://www.springframework.org/schema/security"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
        <bean id="bankDao" class="bigbank.BankDaoStub"/>
    
        <bean id="seedData" class="bigbank.SeedData">
            <property name="bankDao" ref="bankDao"/>
        </bean>
    
        <bean id="bankService" class="bigbank.BankServiceImpl">
            <constructor-arg ref="bankDao"/>
             <!--This will add a security interceptor to the bean-->
    <!--        <security:intercept-methods>
                <security:protect method="bigbank.BankService.*" access="IS_AUTHENTICATED_REMEMBERED" />
                <security:protect method="bigbank.BankService.post" access="ROLE_TELLER" />
                <security:protect method="bigbank.BankService.findAccounts" access="IS_AUTHENTICATED_ANONYMOUSLY, IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED"/>
            </security:intercept-methods>  -->
        </bean>
    
    </beans>
    /WEB-INF/web.xml
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    
        <display-name>Spring Security Tutorial Application</display-name>
    
        <context-param>
            <param-name>javax.faces.FACELETS_LIBRARIES</param-name>
            <param-value>/WEB-INF/springsecurity.taglib.xml</param-value>
        </context-param>
        
        <!--
        - Location of the XML file that defines the root application context
        - Applied by ContextLoaderListener.
        -->
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                /WEB-INF/applicationContext-business.xml
                /WEB-INF/bank-servlet.xml
                /WEB-INF/applicationContext-security.xml
                <!--/WEB-INF/faces-config.xml-->
            </param-value>
        </context-param>
    
        <context-param>
            <param-name>webAppRootKey</param-name>
            <param-value>tutorial.root</param-value>
        </context-param>
    
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
    
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    
        <!--
          - Loads the root application context of this web app at startup.
        -->
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
    
        <!--
        - Publishes events for session creation and destruction through the application
        - context. Optional unless concurrent session control is being used.
        -->
        <listener>
            <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
        </listener>
    
        <!--
        - Provides core MVC application controller. See bank-servlet.xml.
        -->
    <!--    <servlet>
            <servlet-name>bank</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <load-on-startup>1</load-on-startup>
        </servlet>
    
        <servlet-mapping>
            <servlet-name>bank</servlet-name>
            <url-pattern>/*</url-pattern>
            <url-pattern>*.xhtml</url-pattern>
        </servlet-mapping>-->
    
    
        <context-param>
            <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
            <param-value>.xhtml</param-value>
        </context-param>
    
        <servlet>
            <servlet-name>Faces Servlet</servlet-name>
            <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
            <servlet-name>Faces Servlet</servlet-name>
            <url-pattern>*.xhtml</url-pattern>
        </servlet-mapping>
        <welcome-file-list>
            <welcome-file>index.xhtml</welcome-file>
        </welcome-file-list>
    </web-app>

  • #2
    Solved: role case sensitive and with the exact word

    Solution:

    hasRole ('ROLE_SUPERVISOR') takes the role case sensitive and with the exact word.

    Replace:
    supervisor => ROLE_SUPERVISOR
    teller => ROLE_TELLER
    user => ROLE_USER

    Code:
    <authentication-manager>
            <authentication-provider>
                <password-encoder ref="encoder"/>
                <user-service>
                    <user name="rod" password="4efe081594ce25ee4efd9f7067f7f678a347bccf2de201f3adf2a3eb544850b465b4e51cdc3fcdde" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
                    <user name="dianne" password="957ea522524a41cbfb649a3e293d56268f840fd5b661b499b07858bc020d6d223f912e3ab303b00f" authorities="ROLE_USER,ROLE_TELLER" />
                    <user name="scott" password="fb1f9e48058d30dc21c35ab4cf895e2a80f2f03fac549b51be637196dfb6b2b7276a89c65e38b7a1" authorities="ROLE_USER" />
                    <user name="peter" password="e175750688deee19d7179d444bfaf92129f4eea8b4503d83eb8f92a7dd9cda5fbae73638c913e420" authorities="ROLE_USER" />
                </user-service>
            </authentication-provider>
        </authentication-manager>
    Solved:
    https://dl.dropbox.com/u/80642164/Tu..._corregido.zip

    Comment

    Working...
    X