Announcement Announcement Module
Collapse
No announcement yet.
UserDetails.getAuthorities never executed Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • UserDetails.getAuthorities never executed

    I'm trying to implement spring security 3.1.0.M1 and I'm unable to get my application to set the Authentication.getPrincipal to my custom UserDetails implementation. It always returns a principal of "guest" when I try to get the logged in user. See getLoggedInUser method below.

    In Users.java (UserDetails impl) the getAuthorities method never gets called and maybe that's why the user_role doesn't get assigned.

    to Maybe I've misconfigured something...I've attached an outline of my implementation hoping someone can spot my error. Thanks for the assistance!

    security context file:
    Code:
    <global-method-security secured-annotations="enabled">
    </global-method-security>
    <http security="none" pattern="/services/rest-api/1.0/**" />
    <http security="none" pattern="/preregistered/**" />
    <http access-denied-page="/auth/denied.html">
        <intercept-url
            pattern="/**/*.xhtml"
            access="ROLE_NONE_GETS_ACCESS" />
        <intercept-url
            pattern="/auth/**"
            access="ROLE_ANONYMOUS,ROLE_USER" />
        <intercept-url
            pattern="/auth/*"
            access="ROLE_ANONYMOUS" />
         <intercept-url
            pattern="/**"
            access="ROLE_USER" />
        <form-login
            login-processing-url="/j_spring_security_check.html"
            login-page="/auth/login.html"
            default-target-url="/registered/home.html"
            authentication-failure-url="/auth/login.html?_dc=45" />
        <logout logout-url="/auth/logout.html"
                logout-success-url="/" />
        <anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
        <remember-me user-service-ref="userManager" key="valid key here"/>
    </http>
    <!-- Configure the authentication provider -->
    <authentication-manager>
        <authentication-provider user-service-ref="userManager">
                <password-encoder ref="passwordEncoder" />
        </authentication-provider>
    </authentication-manager>
    UserDetails Implementation (Users.java):
    Code:
    public class Users implements Serializable, UserDetails {
    //user db fields here....
        public Collection<GrantedAuthority> getAuthorities() {
         List<GrantedAuthority> auth = new ArrayList<GrantedAuthority>();
            auth.add(new GrantedAuthorityImpl("ROLE_USER"));
            return auth;
    }
    user-service-ref="userManager" (UserManagerImpl.java):
    Code:
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        Users user = null;
        try {
            user = userDAO.findByUsername(username);
        } catch (DataAccessException ex) {
            throw new UsernameNotFoundException("Invalid login", ex);
        }
        if (user == null) {
            throw new UsernameNotFoundException("User not found.");
        }
        return user;
    }

  • #2
    Can you describe your workflow to reproduce this (what URLs do you request and what happens)? Did you request a protected page and were you asked to login? Did UserManagerImpl.loadUserByUsername get invoked? Any url that matches ROLE_ANONYMOUS will not require login and until you login the Authentication will be an AnonymousAuthenticationToken. Once you have authenticated the result of UserManagerImpl.loadUserByUsername should be used for determining the users roles.

    Comment


    • #3
      Thanks for the reply rwinch. Here is the flow.

      1. enter userId/pwd on login.html
      2. then I redirect to /j_spring_security_check.html (JSF dispatch)
      3. then UserManagerImpl.loadUserByUsername gets execute and does a DB select based on user and populates Users.java.
      4. then I check the SecurityContextHolder.getContext().getAuthenticati on() and check to see if the Authentication.getPrincipal returns an instance of Users Object and if it does then I redirect the user to the home page (/home.html). Currently, the user's Authentication.getPrincipal returns a String of "guest" and since its not an instance of my Users.java, the user stays on the login.html

      Comment


      • #4
        more follow-up, it looks like I'm getting a BadCredentialsException. The credentials entered by the user match exactly whats in the database and I don't see the Spring code that compares the j_password value against that of the users.getPassword from the db, any ideas on how to troubleshoot this?

        Comment


        • #5
          This is resolved...the encoding scheme wasn't matching the decoding of the password from the database.

          Comment

          Working...
          X