  • Access denied even though Role has the required permission


    First of all thank you for all those lines of code that you share as open source.. I just wish you had them documented better so that we can get them to work as expected with less frustration and time wasted! I did read the reference manual and chapters from Spring Pro and Spring Recipes by the way, and I actually ignored that @Secured and <protect-pointcut> just wasted 4 hours of my time without working at all.. at least I learned something about AOP.. that it is very difficult to debug and you'd better stay away from it. Well, that was the thanking and ranting that I needed to get out of my system. Now to the point.

    I've got the access decision maker to work and it can deny or allow access using its role voter when the method is protected only by access="ROLE_BLAH"; the problem arises when the method is protected by access="ROLE_BLAHER,ACL_BLAH". The decision is always to deny access even though I can see in the DB that there is an ACE with the permission ACE_BLAH for the ROLE_BLAHER on the Object that I am accessing (with hard-coded id=1 for testing, so I can't be mistaken, and I see this 1 in the field OBJECT_ID). I suspect that the problem is related to the fact that I give the access to a GrantedAuthoritySid, especially since when I place a breakpoint in the method getAuthorities of my UserDetails implementing class it is never encountered.

    So: are there any more special tricks that I need to know about for making ACL work using ROLEs as SIDs? Or do you have any other suggestions about where the problem could be?

    I wish that I get any reply soon because I've exceeded the time of the task at hand by 300% and it was all due to my decision to use Spring Security ACL.. I can't blame you because after all you are kind enough to share all of this as Open Source.

    I use Spring Security 2.0.8 on Apache Tomcat 6.0 and IceFaces 1.8 as presentation MVC framework. My DB is MySQL 6.

  • #2
    Anybody?? PLEASE!!


    • #3
      Access denied even though Role has the required permission


      Can you please give some more information from your applicationcontext-security.xml regarding how you are using rolevoter and how you are preventing access?



      • #4

        First of all thank you nishish for your attention and reply.. could you please ask Ben Alex and Luke Taylor what is the trick in this function of JdbcAclService:

         public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, List<Sid> sids) throws NotFoundException {
             // ... (the lines that populate 'result' are not shown in the post)
             for (int i = 0; i < objects.size(); i++) {
                 if (!result.containsKey(objects.get(i))) {
                     throw new NotFoundException("Unable to find ACL information for object identity '"
                         + objects.get(i).toString() + "'");
                 }
             }
             return result;
         }
        because I've traced down to it and I saw that even though the result contains the ACL required as returned from the DB it throws the exception. This is the second time this function gives me a hard time and I don't even know why it stopped throwing the NotFoundException the first time (it was doing so while I was creating the ACL as explained in the post:

        I could send you the long XML file and all the Java files but I'm telling you that the problem is here.. I actually spent some time checking how equals and hashCode of ObjectIdentityImpl work and I was surprised that the hashCode returned was different for the object in the result and the object in the array sent as a parameter to the function.. which explains why containsKey returns false.. but why is the hashCode different?


        • #5
          If you look at the implementation of equals and hashCode for ObjectIdentityImpl, they assume that the java type and identifier are both equal for the objects under test. Have you verified this?
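
The check suggested in post #5, as an added example that is not part of the thread and is not Spring Security's own code: `DemoObjectIdentity` is a hypothetical stand-in whose equals/hashCode cover a type name and an identifier, and `com.example.Report` and the sample ids are constructed. It shows how a map lookup like the `containsKey` call in post #4 misses when the requested key differs from the stored one only in the identifier's Java class or in the type name.

```java
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

public class ObjectIdentityKeyDemo {

    // Hypothetical stand-in: identity = (type name, identifier), as post #5 describes.
    static final class DemoObjectIdentity {
        private final String type;
        private final Serializable identifier;

        DemoObjectIdentity(String type, Serializable identifier) {
            this.type = type;
            this.identifier = identifier;
        }

        @Override
        public boolean equals(Object o) {
            if (!(o instanceof DemoObjectIdentity)) return false;
            DemoObjectIdentity other = (DemoObjectIdentity) o;
            // Long.equals(Integer) and Long.equals(String) are false even for the value 1.
            return type.equals(other.type) && identifier.equals(other.identifier);
        }

        @Override
        public int hashCode() {
            return Objects.hash(type, identifier);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the key a lookup might build from a numeric DB column (Long).
        Map<DemoObjectIdentity, String> result = new HashMap<>();
        result.put(new DemoObjectIdentity("com.example.Report", Long.valueOf(1)), "acl-for-report-1");

        DemoObjectIdentity[] requested = {
            new DemoObjectIdentity("com.example.Report", Long.valueOf(1)),        // matches
            new DemoObjectIdentity("com.example.Report", Integer.valueOf(1)),     // id boxed as Integer
            new DemoObjectIdentity("com.example.Report", "1"),                    // id passed as String
            new DemoObjectIdentity("com.example.Report$$Proxy", Long.valueOf(1))  // different type name
        };
        for (DemoObjectIdentity oid : requested) {
            System.out.println(oid.type + " / " + oid.identifier.getClass().getSimpleName()
                + " " + oid.identifier + " -> containsKey=" + result.containsKey(oid));
        }
    }
}
```

Only the first lookup returns true; logging the identifier's class and the type of both the requested and the returned identity is a quick way to check which of the two fields differs.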