  • Access Denied - Spring Security

    I went through similar links in this forum, but the only difference between my application and theirs is my applicationContext-security.xml. Please find my applicationContext-security.xml below:

    <?xml version="1.0" encoding="UTF-8"?>
    <!-- Root element restored for completeness; the Spring Security 2.0 namespace is assumed from the thread's date and syntax. -->
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-2.0.xsd">

        <global-method-security secured-annotations="enabled">
        </global-method-security>

        <http auto-config="true">
            <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
            <intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
            <intercept-url pattern="/*.action" access="ROLE_USER" />

            <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <!--
            Uncomment to enable X509 client authentication support
            <x509 />
            -->
            <!-- Uncomment to limit the number of sessions a user can have
            <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
            -->
        </http>

        <!--
        <authentication-provider>
            <password-encoder hash="md5"/>
            <user-service>
                <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
                <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
                <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
                <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
        -->

        <authentication-provider user-service-ref="userService" />
        <jdbc-user-service id="userService" data-source-ref="dataSource"
            users-by-username-query="SELECT username, password,is_active FROM THGINV_ASN_USER where username=?"
            authorities-by-username-query="SELECT username, password,is_active FROM THGINV_ASN_USER where username=?" />
    </beans:beans>

    It will be great if you could please help me out.

    Thanks in advance
    Sachin.

  • #2
    How is is_active stored in the database? Spring Security needs it as a boolean, true or false. If it is something other than 0 or 1 in the database table, Spring Security will deny the user access. You could alternatively implement your own custom DAO and plug it in in place of the default JdbcDaoImpl implementation. In your custom DAO, you could read is_active as a String and, before you construct the UserDetails object, convert the string to a boolean as indicated below.

    Additionally, your authorities-by-username-query does not look right to me. What Spring Security needs is the role, like ROLE_USER or ROLE_TELLER as mentioned in your bean definition above. I am not sure whether the is_active property translates to the roles defined earlier.


    See the default JdbcDaoImpl.


    // Excerpt: inner class of JdbcDaoImpl (Spring Security 2.0). The "HOLDER"
    // authority is a placeholder that JdbcDaoImpl replaces with the results of
    // the authorities-by-username query.
    /**
     * Query object to look up a user.
     */
    private class UsersByUsernameMapping extends MappingSqlQuery {
        protected UsersByUsernameMapping(DataSource ds) {
            super(ds, usersByUsernameQuery);
            declareParameter(new SqlParameter(Types.VARCHAR));
            compile();
        }

        protected Object mapRow(ResultSet rs, int rownum) throws SQLException {
            String username = rs.getString(1);   // column 1 of users-by-username-query
            String password = rs.getString(2);   // column 2
            boolean enabled = rs.getBoolean(3);  // column 3: is_active, read as a JDBC boolean
            UserDetails user = new User(username, password, enabled, true, true, true,
                    new GrantedAuthority[] {new GrantedAuthorityImpl("HOLDER")});

            return user;
        }
    }
    Last edited by vbose; Jun 26th, 2008, 10:14 AM.



    • #3
      Access - Denied Spring Security

      Hi there,
      I appreciate your vital reply. As per your reply, I want to let you know that is_active stores a boolean in the database, i.e., 0/1. Do you still suggest I override the DaoImpl? My work is completely stopped at the final stage. It will be great if you could please help me to solve this problem.

      Thanks
      Sachin



      • #4
        Please see the default query implementation of JdbcDaoImpl to get the authorities for Spring security authorization.

        // Excerpt from JdbcDaoImpl (Spring Security 2.0): the default authorities query
        // and the mapper that turns each row's second column into a GrantedAuthority.
        public static final String DEF_AUTHORITIES_BY_USERNAME_QUERY =
            "SELECT username,authority " +
            "FROM authorities " +
            "WHERE username = ?";

        /**
         * Query object to look up a user's authorities.
         */
        private class AuthoritiesByUsernameMapping extends MappingSqlQuery {
            protected AuthoritiesByUsernameMapping(DataSource ds) {
                super(ds, authoritiesByUsernameQuery);
                declareParameter(new SqlParameter(Types.VARCHAR));
                compile();
            }

            protected Object mapRow(ResultSet rs, int rownum) throws SQLException {
                // column 2 of the authorities query, prefixed with rolePrefix (empty by default)
                String roleName = rolePrefix + rs.getString(2);
                GrantedAuthorityImpl authority = new GrantedAuthorityImpl(roleName);

                return authority;
            }
        }


        I hope the above code fragments will give insight into what is happening above with respect to roles. Do you have any other table that stores user roles? In the above query, the authority property is nothing but the roles defined for the user. In your case, it could be ROLE_USER, ROLE_TELLER etc.

        The rolePrefix in the code could be anything. Since you are using ROLE_ for ROLE_USER, ROLE_TELLER etc., the rolePrefix has to be ROLE_.
        Last edited by vbose; Jun 26th, 2008, 11:14 AM.



        • #5
          Access - Denied Spring Security

          Hi,
          I have user types in the same table (like Super,Admin,Client,Vendor). I have made the slight change in my applicationContext-security.xml:

          <authentication-provider user-service-ref="userService" />
          <jdbc-user-service id="userService" data-source-ref="dataSource"
          users-by-username-query="SELECT username, password,is_active FROM THGINV_ASN_USER where username=?"
          authorities-by-username-query="SELECT username, user_type,is_active FROM THGINV_ASN_USER where username=?"/>

          When I update the user_type from "Super" to "ROLE_USER" it works perfectly fine. Now can you please let me know how to make it work when the user_type is Super, Admin, Client or Vendor? I tried to use rolePrefix "ROLE_" and even that is not working.

          Thanks in advance
          Sachin



          • #6
            <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
            <intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
            <intercept-url pattern="/*.action" access="ROLE_USER" />

            Make sure you configure the role names as stored in the database in the above URL patterns.

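The replies in #2, #4, #5 and #6 all come down to one point: the default JdbcDaoImpl turns column 2 of the authorities query into a GrantedAuthority, and the RoleVoter behind access="ROLE_..." only ever matches authorities that begin with ROLE_. A table that stores Super/Admin/Client/Vendor in user_type therefore needs a mapping step somewhere. The following custom UserDetailsService is an added example written for this thread, not code from the original posts or from Spring Security itself. It assumes the Spring Security 2.0 API of that era (org.springframework.security.userdetails.*), the THGINV_ASN_USER table with the columns named in the thread, and a user_type-to-role mapping (Super to ROLE_SUPERVISOR, Client to ROLE_USER and so on) that is invented for illustration; the class and query names are likewise hypothetical.

```java
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.sql.DataSource;

import org.springframework.dao.DataAccessException;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.userdetails.User;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;

/**
 * Custom UserDetailsService (added example) that replaces <jdbc-user-service>.
 * It reads username, password, is_active and user_type in a single query and
 * maps the application's user types onto ROLE_-prefixed authorities, which is
 * what the default RoleVoter behind access="ROLE_..." requires.
 */
public class AsnUserDetailsService implements UserDetailsService {

    // Table and column names are the ones from the thread; the query itself is assumed.
    private static final String USER_QUERY =
        "SELECT username, password, is_active, user_type "
        + "FROM THGINV_ASN_USER WHERE username = ?";

    // user_type -> role. An explicit allow-list: an unknown or misspelled type grants
    // nothing, so a stray value in the table fails closed instead of becoming a role.
    // The mapping is an assumption; only ROLE_USER and ROLE_SUPERVISOR appear in the thread.
    private static final Map TYPE_TO_ROLE = new HashMap();
    static {
        TYPE_TO_ROLE.put("SUPER", "ROLE_SUPERVISOR");
        TYPE_TO_ROLE.put("ADMIN", "ROLE_ADMIN");
        TYPE_TO_ROLE.put("CLIENT", "ROLE_USER");
        TYPE_TO_ROLE.put("VENDOR", "ROLE_VENDOR");
    }

    private final JdbcTemplate jdbcTemplate;

    public AsnUserDetailsService(DataSource dataSource) {
        this.jdbcTemplate = new JdbcTemplate(dataSource);
    }

    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        List users = jdbcTemplate.query(USER_QUERY, new Object[] { username }, new RowMapper() {
            public Object mapRow(ResultSet rs, int rowNum) throws SQLException {
                boolean enabled = toBoolean(rs.getObject(3));          // is_active
                GrantedAuthority[] authorities = authoritiesFor(rs.getString(4)); // user_type
                // enabled=false makes DaoAuthenticationProvider reject the login (DisabledException)
                return new User(rs.getString(1), rs.getString(2), enabled,
                        true, true, true, authorities);
            }
        });
        if (users.isEmpty()) {
            throw new UsernameNotFoundException("User " + username + " not found");
        }
        User user = (User) users.get(0);
        // Same behaviour as the default JdbcDaoImpl: a user with no authorities cannot log in.
        if (user.getAuthorities().length == 0) {
            throw new UsernameNotFoundException("User " + username + " has no GrantedAuthority");
        }
        return user;
    }

    // is_active may arrive as BIT/BOOLEAN, as a NUMBER (0/1) or as a CHAR ('1', 'Y', 'true')
    // depending on the column type and JDBC driver, so normalise it instead of relying on
    // ResultSet.getBoolean alone. NULL is treated as inactive.
    static boolean toBoolean(Object value) {
        if (value == null) return false;
        if (value instanceof Boolean) return ((Boolean) value).booleanValue();
        if (value instanceof Number) return ((Number) value).intValue() == 1;
        String s = value.toString().trim();
        return s.equals("1") || s.equalsIgnoreCase("true") || s.equalsIgnoreCase("Y");
    }

    // Maps user_type to ROLE_ authorities. Every mapped type also receives ROLE_USER so
    // that the thread's rule for /*.action (access="ROLE_USER") admits all active users;
    // drop that line if supervisors should not share the ordinary user role.
    static GrantedAuthority[] authoritiesFor(String userType) {
        String role = userType == null ? null
                : (String) TYPE_TO_ROLE.get(userType.trim().toUpperCase());
        if (role == null) return new GrantedAuthority[0];
        List auths = new ArrayList();
        auths.add(new GrantedAuthorityImpl(role));
        if (!"ROLE_USER".equals(role)) auths.add(new GrantedAuthorityImpl("ROLE_USER"));
        return (GrantedAuthority[]) auths.toArray(new GrantedAuthority[auths.size()]);
    }
}
```

To wire it in, remove the <jdbc-user-service> element, declare the class as an ordinary bean with the data source as constructor argument (for example <beans:bean id="userService" class="AsnUserDetailsService"><beans:constructor-arg ref="dataSource"/></beans:bean>), and keep <authentication-provider user-service-ref="userService"/> as it is. If a Java class is not wanted, the same mapping can be pushed into the authorities query of <jdbc-user-service> instead, for instance SELECT username, CONCAT('ROLE_', UPPER(user_type)) FROM THGINV_ASN_USER WHERE username = ? (string concatenation syntax varies by database), and the intercept-url rules then have to name exactly those computed roles. Either way, access="super" in an intercept-url (as tried in #7) cannot work: the default AffirmativeBased decision manager only carries a RoleVoter (attributes starting with ROLE_) and an AuthenticatedVoter (IS_AUTHENTICATED_*), and the filter security interceptor validates every configured attribute against those voters when the context starts, which is the startup exception reported there.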


            • #7
              Access - Denied Spring Security

              Hello,
              Thanks again for your reply. Please find the url-pattern which is similar to the same url-pattern replied by you:

              <http auto-config="true">
              <intercept-url pattern="/secure/extreme/**"
              access="ROLE_SUPERVISOR"/>
              <intercept-url pattern="/secure/**"
              access="IS_AUTHENTICATED_REMEMBERED" />
              <intercept-url pattern="/*.action" access="ROLE_USER"/>

              </http>
              - which didn't work.
              And as per your suggestion I replaced the roles in url-pattern as per the database:

              <http auto-config="true">
              <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
              <intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
              <intercept-url pattern="/*.action" access="ROLE_USER"/>
              <intercept-url pattern="/*.action" access="super"/>

              </http>
              - In this case also I got an exception while starting up the server.
              Kindly let me know your further suggestions to solve this issue.

              Thanks a lot
              Sachin.
