Authorization fails when using GBAC in spring security 3.0

  • Authorization fails when using GBAC in spring security 3.0

    I am working with CAS integration with my web application with the Spring Security 3.0 framework. I created a secured page which will be accessed only if the user has the ROLE_SUPERVISOR role.

    When using "usersByUsernameQuery" value="select username,password,enabled from users where username=?", everything worked perfectly.

    When using "groupAuthoritiesByUsernameQuery", I am able to retrieve the groups of the logged-in user. For example, it says the GRANTED Authorities are Administrators,Supervisors, which come from the group_permission table. But when I try to access the secured page, it shows ACCESS DENIED. It seems like the actual roles/permissions which I assigned to the groups (e.g. ROLE_SUPERVISOR to Supervisors) are not reflected or validated properly.

    Am I missing anything? Please help me out.

  • #2
    I found the answer myself, I am supposed to override this method in my custom jdbcImplentation class

    protected List<GrantedAuthority> loadGroupAuthorities(String username) {
        return getJdbcTemplate().query(groupAuthoritiesByUsernameQuery, new String[] {username}, new RowMapper<GrantedAuthority>() {
            public GrantedAuthority mapRow(ResultSet rs, int rowNum) throws SQLException {
                // Use the permission (role) name, not the group name, as the granted authority
                String roleName = rs.getString("permissionname");
                GrantedAuthorityImpl authority = new GrantedAuthorityImpl(roleName);
                return authority;
            }
        });
    }


    • #3
      Glad to hear you solved it! A good way to debug / diagnose this is to enable logging of the Spring Security components so that you can see what roles the user has been assigned upon login.


      • #4
        Thanks pmularien,

        I saw the details of the Granted Authorities by using request.getUserPrincipal(); it showed me the group names instead of role names in the GRANTED AUTHORITY property. I came across this link

        This helped me.
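The mismatch described in this thread, as an added example that is not part of the original posts: it runs Spring Security's RoleVoter against an Authentication whose authorities are group names and against one whose authorities are role names. The class name, the user name "alice" and the ROLE_ADMIN value are constructed for illustration.

```java
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

/** Added example (hypothetical helper class): shows why group names as authorities lead to ACCESS DENIED. */
public class GroupAuthorityCheck {

    /** True only if RoleVoter grants access, i.e. some authority equals the required role exactly. */
    public static boolean roleVoterGrants(Authentication auth, String requiredRole) {
        List<ConfigAttribute> attributes = SecurityConfig.createList(requiredRole);
        // RoleVoter ignores the secured object, so null is sufficient here.
        return new RoleVoter().vote(auth, null, attributes) == AccessDecisionVoter.ACCESS_GRANTED;
    }

    /** Renders the authorities the way a debug log line would, for comparison with the access rule. */
    public static String describe(Authentication auth) {
        StringBuilder sb = new StringBuilder(auth.getName()).append(" ->");
        for (GrantedAuthority a : auth.getAuthorities()) {
            sb.append(' ').append(a.getAuthority());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the row mapper returned the group name column.
        Authentication fromGroupNames = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("Administrators", "Supervisors"));
        // Constructed sample: the row mapper returned the permission (role) column.
        Authentication fromRoleNames = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_ADMIN", "ROLE_SUPERVISOR"));

        for (Authentication auth : new Authentication[] {fromGroupNames, fromRoleNames}) {
            System.out.println(describe(auth) + " | ROLE_SUPERVISOR granted: "
                    + roleVoterGrants(auth, "ROLE_SUPERVISOR"));
        }
    }
}
```

In a running application the same check can be applied to SecurityContextHolder.getContext().getAuthentication() after login.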


        • #5
          Integrating groups

          I am currently reading the Spring Security 3 book, and while it has been good so far I am having a little bit of trouble integrating a MySQL database and using groups. I disabled "enableAuthorities", enabled groups, and created the tables that are needed; however, I cannot log into some parts of my page as an admin, even though I belong to that group. It seems "Authorities" are being used over groups. Any ideas or leads would be really appreciated.