
  • manual authentication with annotations ("Access is denied ")

    Hello everyone,
    I need some advice. I already checked many samples and tried to understand the problem, but all of the samples use filters and I'm not sure if I need them.


    In my case I don't have a web app and don't do a web login; that's why I try to create the SecurityContextHolder by hand. I get my user details from the OpenESB bus, that's where I check the passwords and so on; this is not necessary anymore in Spring.

    First I create the security context for the local thread:

    Code:
    authResult = new PreAuthenticatedAuthenticationToken(userDetails, "", userDetails.getAuthorities());
    SecurityContextHolder.getContext().setAuthentication(authResult);

    I think this is working fine because I see the grantedAuthorities later in the log (see below).

    After I initialized the SecurityContextHolder I wire my EJB bean to the Spring bean. I think maybe the problem is here in

    my applicationContext.xml

    Code:
    <bean id="_authenticationManager"
          class="org.springframework.security.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="preAuthenticatedAuthenticationProvider"/>
            </list>
        </property>
    </bean>

    <bean id="preAuthenticatedAuthenticationProvider"
          class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService"
                  ref="preAuthenticatedUserDetailsService" />
    </bean>

    <bean id="preAuthenticatedUserDetailsService"
          class="org.springframework.security.providers.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService" />

    <security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
    The problem is that when I use annotations in my Spring code

    Code:
    @Secured("admin")
    public void print2(){
        .....
    }
    I get an "Access denied" error

    Code:
    Caused by: org.springframework.security.AccessDeniedException: Access is denied
            at org.springframework.security.vote.AbstractAccessDecisionManager.checkAllowIfAllAbstainDecisions(AbstractAccessDecisionManager.java:58)
            at org.springframework.security.vote.AffirmativeBased.decide(AffirmativeBased.java:73)
            at org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:262)
            at org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:63)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
            at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
            at $Proxy90.print2(Unknown Source)
            at com.tmp.bosch.dev.evaluation.serverbean.ServerBeanEndPoint.getPrincipal(ServerBeanEndPoint.java:55)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at com.sun.enterprise.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1067)
            at com.sun.enterprise.security.SecurityUtil.invoke(SecurityUtil.java:176)
            at com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:4005)
            at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:483)
            at com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:205)
            at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:3978)
            at com.sun.ejb.containers.WebServiceInvocationHandler.invoke(WebServiceInvocationHandler.java:189)
            ... 34 more
    RuntimeException thrown from the JAX-WS. No <detail> found.

    The point is the GrantedAuthority looks fine. I checked them and "admin" is available there.
    Code:
    GrantedAuthority[] g = SecurityContextHolder.getContext().getAuthentication().getAuthorities();
    The security log also looks fine, but there is no deny or permit, but I see the granted authorities.

    security.log
    Code:
    2008-12-16 14:59:44,749 INFO  [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: Validated configuration attributes
    2008-12-16 14:59:44,764 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.method.AbstractFallbackMethodDefinitionSource: Adding security method [CacheKey[com.tmp.bosch.dev.evaluation.serverbean.SpringbeanImpl; public void com.tmp.bosch.dev.evaluation.serverbean.SpringbeanImpl.print1()]] with attribute [[admin]]
    2008-12-16 14:59:44,811 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.method.AbstractFallbackMethodDefinitionSource: Adding security method [CacheKey[com.tmp.bosch.dev.evaluation.serverbean.SpringbeanImpl; public abstract void com.tmp.bosch.dev.evaluation.serverbean.Springbean.print1()]] with attribute [[admin]]
    2008-12-16 14:59:44,811 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: Secure object: ReflectiveMethodInvocation: public abstract void com.tmp.bosch.dev.evaluation.serverbean.Springbean.print1(); target is of class [com.tmp.bosch.dev.evaluation.serverbean.SpringbeanImpl]; ConfigAttributes: [admin]
    2008-12-16 14:59:44,811 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: Previously Authenticated: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@fa79fc8b: Principal: org.springframework.security.userdetails.User@0: Username: philipp; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: admin; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: admin
    2008-12-16 14:59:44,811 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: Authorization successful
    2008-12-16 14:59:44,811 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: RunAsManager did not change Authentication object
    2008-12-16 14:59:44,811 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.method.AbstractFallbackMethodDefinitionSource: Adding security method [CacheKey[com.tmp.bosch.dev.evaluation.serverbean.SpringbeanImpl; public abstract void com.tmp.bosch.dev.evaluation.serverbean.Springbean.print2()]] with attribute [[admin]]
    2008-12-16 14:59:44,811 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: Secure object: ReflectiveMethodInvocation: public abstract void com.tmp.bosch.dev.evaluation.serverbean.Springbean.print2(); target is of class [com.tmp.bosch.dev.evaluation.serverbean.SpringbeanImpl]; ConfigAttributes: [admin]
    2008-12-16 14:59:44,811 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: Previously Authenticated: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@fa79fc8b: Principal: org.springframework.security.userdetails.User@0: Username: philipp; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: admin; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: admin

    Does anyone have any advice for me?


    Thanks in advance

    Philipp

  • #2
    First off, don't use names like "_authenticationManager" (i.e. beginning with an underscore) for your beans as these are used internally by the namespace. Follow the approach explained in the namespace chapter on how to use the AuthenticationManager and custom AuthenticationProvider beans.

    The key to the problem is probably in the error:

    Code:
    Caused by: org.springframework.security.AccessDeniedException: Access is denied
            at org.springframework.security.vote.AbstractAccessDecisionManager.checkAllowIfAllAbstainDecisions(AbstractAccessDecisionManager.java:58)
    Meaning that none of the default voters (the RoleVoter is the class that matters here) in the AccessDecisionManager voted. RoleVoter by default looks for the prefix "ROLE_" on the attributes for the secured method. So it is ignoring "admin". Therefore access is being denied because the default is to deny access if all voters abstain. You should either add the "ROLE_" prefix to your roles or configure your own AccessDecisionManager with a RoleVoter configured with an empty prefix. You can set this on the global-method-security namespace element.

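The second option from reply #2 (a custom AccessDecisionManager whose RoleVoter has an empty prefix, referenced from global-method-security), shown as an added example that is not part of the original thread. The bean ids `unprefixedRoleVoter` and `methodAccessDecisionManager` are hypothetical, and the example assumes only `@Secured` annotations are in use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the poster's configuration. Bean ids are hypothetical. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <!-- With an empty prefix the RoleVoter no longer abstains on "admin":
         it votes on every attribute and compares it to the granted authorities.
         Because it treats every attribute as a role name, do not mix it with
         attributes that are meant for other voters. -->
    <bean id="unprefixedRoleVoter" class="org.springframework.security.vote.RoleVoter">
        <property name="rolePrefix" value=""/>
    </bean>

    <!-- AffirmativeBased is the manager that appears in the stack trace.
         allowIfAllAbstainDecisions stays false (the default), so a call on
         which no voter votes is still denied rather than silently allowed. -->
    <bean id="methodAccessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions" value="false"/>
        <property name="decisionVoters">
            <list>
                <ref bean="unprefixedRoleVoter"/>
            </list>
        </property>
    </bean>

    <!-- Method security now uses the manager above instead of the default one. -->
    <security:global-method-security secured-annotations="enabled"
                                     access-decision-manager-ref="methodAccessDecisionManager"/>
</beans>
```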


    • #3
      Hey Luke,
      You are right.
      Thanks for your assistance!

      I renamed my GrantedAuthorities from "admin" to "ROLE_ADMIN" and changed my annotation to @RolesAllowed("ROLE_ADMIN")

      I also changed my applicationContext.xml config

      Code:
      <?xml version="1.0" encoding="UTF-8"?>
      <beans xmlns="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:aop="http://www.springframework.org/schema/aop"
             xmlns:context="http://www.springframework.org/schema/context"
             xmlns:flow="http://www.springframework.org/schema/webflow-config"
             xmlns:jms="http://www.springframework.org/schema/jms"
             xmlns:jee="http://www.springframework.org/schema/jee"
             xmlns:lang="http://www.springframework.org/schema/lang"
             xmlns:osgi="http://www.springframework.org/schema/osgi"
             xmlns:tx="http://www.springframework.org/schema/tx"
             xmlns:util="http://www.springframework.org/schema/util"
             xmlns:p="http://www.springframework.org/schema/p"
             xmlns:security="http://www.springframework.org/schema/security"
      
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
             http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.5.xsd
             http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd
             http://www.springframework.org/schema/webflow-config http://www.springframework.org/schema/webflow-config/spring-webflow-config-1.0.xsd
             http://www.springframework.org/schema/jms http://www.springframework.org/schema/jms/spring-jms-2.5.xsd
             http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-2.5.xsd
             http://www.springframework.org/schema/lang http://www.springframework.org/schema/lang/spring-lang-2.5.xsd
             http://www.springframework.org/schema/osgi http://www.springframework.org/schema/osgi/spring-osgi.xsd
             http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.5.xsd
             http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.5.xsd
             http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
          
          <bean id="preAuthenticatedAuthenticationProvider"
                class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
              <security:custom-authentication-provider />
              <property name="preAuthenticatedUserDetailsService"
                        ref="preAuthenticatedUserDetailsService" />
          </bean>

          <bean id="preAuthenticatedUserDetailsService"
                class="org.springframework.security.providers.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService" />

          <security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>

          <bean id="springbean" class="com.tmp.bosch.dev.evaluation.serverbean.SAMPLEBEAN_CHANGEIT"></bean>

      </beans>

      And now it's working fine. - "It's easy when you know that there is a name convention" -

      Thanks again !

      best regards

      Philipp
