
  • Access denied Exception

    I develop a web application similar to the sample Tutorial WAR and it works fine, but when I access the admin page it results in an Access Denied Exception.
    I am using PreAuthentication, which goes through fine, and the User class is able to add the Role.
    Here is the code snippet from applicationContext-acegi-security.xml:
    Code:
    <http auto-config="false"
          lowercase-comparisons="false"
          access-decision-manager-ref="accessDecisionManager"
          access-denied-page="/error.jsp"
          entry-point-ref="authenticationEntryPoint"
          session-fixation-protection="none">
        <intercept-url pattern="/admin/**" access="ROLE_NAMS_ADMIN"/>
    </http>
    Using the Eclipse debugger I verified the role is added to the User class, which implements UserDetails. But the debugger never went to the getAuthority() method of the WssoGrantedAuthority class, i.e.
    Code:
    public class User extends NamsUser implements UserDetails, Serializable {
        public static final class WssoGrantedAuthority implements GrantedAuthority {
            // role and logger are assumed to be declared in parts of the class not shown in the post
            public String getAuthority() {
                logger.debug("In  getAuthority method role=" + role);
                return role;
            }
        }
    }
    Also it never went to the getAuthorities() method of the User class. Not sure why the debugger doesn't go through these methods.

    Here is the exception stack trace, which treats it as Anonymous User even after successful authentication.
    Code:
    [DEBUG,DefaultFilterInvocationDefinitionSource,AJPRequestHandler-RMICallHandler-7] Candidate is: '/admin/index.jsp'; pattern is /admin/**; matched=true
    [DEBUG,DefaultFilterInvocationDefinitionSource,AJPRequestHandler-RMICallHandler-7] Candidate is: '/admin/index.jsp'; pattern is /admin/**; matched=true
    [DEBUG,AbstractSecurityInterceptor,AJPRequestHandler-RMICallHandler-7] Secure object: FilterInvocation: URL: /admin/index.jsp; ConfigAttributes: [ROLE_NAMS_ADMIN]
    [DEBUG,AbstractSecurityInterceptor,AJPRequestHandler-RMICallHandler-7] Secure object: FilterInvocation: URL: /admin/index.jsp; ConfigAttributes: [ROLE_NAMS_ADMIN]
    [DEBUG,AbstractSecurityInterceptor,AJPRequestHandler-RMICallHandler-7] Previously Authenticated: org.springframework.security.providers.anonymous.AnonymousAuthenticationToken@6faa8e27: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: com.boeing.nmt.nams.security.User@ffffffff [hashCode='0' ]; Granted Authorities: ROLE_ANONYMOUS
    [DEBUG,AbstractSecurityInterceptor,AJPRequestHandler-RMICallHandler-7] Previously Authenticated: org.springframework.security.providers.anonymous.AnonymousAuthenticationToken@6faa8e27: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: com.boeing.nmt.nams.security.User@ffffffff [hashCode='0' ]; Granted Authorities: ROLE_ANONYMOUS
    [DEBUG,ExceptionTranslationFilter,AJPRequestHandler-RMICallHandler-7] Access is denied (user is anonymous); redirecting to authentication entry point
    org.springframework.security.AccessDeniedException: Access is denied
            at org.springframework.security.vote.AffirmativeBased.decide(AffirmativeBased.java:68)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:585)
            at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
            at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
            at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
            at $Proxy5.decide(Unknown Source)
            at org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:262)
            at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
            at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
            at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
            at org.springframework.security.ui.ExceptionTranslationFilter.doFilterHttp(ExceptionTranslationFilter.java:101)
            at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
            at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
            at org.springframework.security.providers.anonymous.AnonymousProcessingFilter.doFilterHttp(AnonymousProcessingFilter.java:105)
            at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
            at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
            at org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter.doFilterHttp(SecurityContextHolderAwareRequestFilter.java:91)
            at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
            at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
            at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
            at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
            at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
            at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:174)
            at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:183)
            at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)
            at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:15)
            at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
            at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
            at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:620)
            at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:369)
            at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:865)
            at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:447)
            at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:302)
            at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:190)

  • #2
    Why do you think preauthentication is working - there doesn't appear to be a preauthentication filter in the stack.

    If you are posting log excerpts please add a larger section of the debug log file (as an attachment) not just the part with the exception (this exception is in fact a debug message and doesn't explain anything other than that the user is not authenticated - see the FAQ). With the contextual information for the whole request sequence, it is relatively easy to establish what's happening. With just snippets of information, it becomes guesswork.
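
The check described in reply #2, as an added example that is not part of the original thread: it reads the Spring Security filter chain off the stack trace and reports whether a pre-authentication filter is on it. The sample frames are excerpted from the trace in the first post; the assumption is that a pre-authentication filter would appear under a class name containing "PreAuth", as the stock `AbstractPreAuthenticatedProcessingFilter` does.

```python
import re

# Frames excerpted from the stack trace in the first post (innermost call first).
SAMPLE_TRACE = """\
at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
at org.springframework.security.ui.ExceptionTranslationFilter.doFilterHttp(ExceptionTranslationFilter.java:101)
at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
at org.springframework.security.providers.anonymous.AnonymousProcessingFilter.doFilterHttp(AnonymousProcessingFilter.java:105)
at org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter.doFilterHttp(SecurityContextHolderAwareRequestFilter.java:91)
at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:174)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)
at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
"""

FRAME = re.compile(r"at\s+([\w.$]+)\.(\w+)\(")
# Base class and chain wrapper that show up between every pair of real filters.
PLUMBING = {"SpringSecurityFilter", "FilterChainProxy$VirtualFilterChain"}


def security_filters(trace):
    """Return the filters run inside FilterChainProxy, in request order."""
    found = []
    for line in trace.splitlines():
        m = FRAME.search(line)
        if not m or m.group(2) not in ("doFilter", "doFilterHttp"):
            continue
        name = m.group(1).rsplit(".", 1)[-1]
        if name == "FilterChainProxy":
            break  # frames below this one belong to the container, not the chain
        if name not in PLUMBING and name not in found:
            found.append(name)
    return found[::-1]  # the trace lists the innermost call first


def has_preauth_filter(filters, marker="PreAuth"):
    """True if any filter in the chain looks like a pre-authentication filter."""
    return any(marker in name for name in filters)


if __name__ == "__main__":
    chain = security_filters(SAMPLE_TRACE)
    print(" -> ".join(chain))
    print("pre-auth filter in chain:", has_preauth_filter(chain))
```
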
