LDAP SwitchUserFilter: Access denied due to single ROLE_PREVIOUS_ADMINISTRATOR

**nestoru** · Nov 1st, 2011, 03:50 PM

Hello,

I have a spring project which uses LDAP for authentication and authorization. We want to provide impersonation capability to simulate another user which allows for easier testing. Instead of providing my own custom filter I wanted to use Spring provided SwitchUserFilter so I went ahead and configured as below (showing just the new lines I have added to my current project)

PHP Code:


<beans:bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">

      <beans:constructor-arg><beans:ref bean="ldapUserSearch"/></beans:constructor-arg>

      <beans:property name="userDetailsMapper" ref="customUserDetailsContextMapper" />

    </beans:bean>





    <beans:bean id="ldapUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">

        <beans:constructor-arg type="String"><beans:value>ou=people,o=nestorurquiza</beans:value></beans:constructor-arg>

        <beans:constructor-arg type="String"><beans:value>mail={0}</beans:value></beans:constructor-arg>

        <beans:constructor-arg><beans:ref bean="ldapContextSource"/></beans:constructor-arg>

    </beans:bean>



    <beans:bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">

            <beans:property name="userDetailsService" ref="ldapUserDetailsService" />

            <beans:property name="switchUserUrl" value="/admin/switchUser" />

            <beans:property name="exitUserUrl" value="/admin/switchUserExit" />

            <beans:property name="targetUrl" value="/login" />

    </beans:bean>



    <custom-filter  after="FILTER_SECURITY_INTERCEPTOR" ref="switchUserProcessingFilter" />





    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />





    <beans:bean id="ldapContextSource" class="org.springframework.ldap.core.support.LdapContextSource">



        <beans:property name="url" value="${ldap.url}" />

        <beans:property name="userDn" value="${ldap.userDn}" />

        <beans:property name="password" value="${ldap.password}" />

    </beans:bean>



    <beans:bean id="ldapAuthProvider"

            class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">

      <beans:constructor-arg>

        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">

          <beans:constructor-arg ref="ldapContextSource"/>

          <beans:property name="userDnPatterns">

            <beans:list><beans:value>mail={0},ou=people,o=nestorurquiza</beans:value></beans:list>

          </beans:property>

        </beans:bean>

      </beans:constructor-arg>

      <beans:constructor-arg>

        <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">

          <beans:constructor-arg ref="ldapContextSource"/>

          <beans:constructor-arg value="ou=groups,o=nestorurquiza"/>

        </beans:bean>

      </beans:constructor-arg>

    </beans:bean>



    <beans:bean id="ldapContextSource" class="org.springframework.ldap.core.support.LdapContextSource">



        <beans:property name="url" value="${ldap.url}" />

        <beans:property name="userDn" value="${ldap.userDn}" />

        <beans:property name="password" value="${ldap.password}" />

    </beans:bean>

I then login as an admin and go to /admin/switchUser?j_username=nurquiza@nestorurquiza.com URL. From log traces it is clear the user is switched however the roles are not apparently update as the only one showing up is ROLE_PREVIOUS_ADMINISTRATOR resulting in "access denied" error. Any ideas why?

2011-11-01 11:21:37,714 DEBUG [org.springframework.security.access.hierarchicalro les.RoleHierarchyImpl] - 127.0.0.1 CA1F20B7B07AB5F50630B3C176C342FD getReachableGrantedAuthorities() - From the roles [ROLE_PREVIOUS_ADMINISTRATOR] one can reach [ROLE_PREVIOUS_ADMINISTRATOR] in zero or more steps.
2011-11-01 11:21:37,715 DEBUG [org.springframework.security.access.vote.Affirmati veBased] - 127.0.0.1 CA1F20B7B07AB5F50630B3C176C342FD Voter: org.springframework.security.web.access.expression .WebExpressionVoter@6744b491, returned: -1
2011-11-01 11:21:37,715 DEBUG [org.springframework.security.web.access.DefaultWeb InvocationPrivilegeEvaluator] - 127.0.0.1 CA1F20B7B07AB5F50630B3C176C342FD FilterInvocation: URL: /admin/home denied for org.springframework.security.authentication.Userna mePasswordAuthenticationToken@90033f5d: Principal: com.nestorurquiza.security.LdapUserDetails@798f7df ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.We bAuthenticationDetails@fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: CA1F20B7B07AB5F50630B3C176C342FD; Granted Authorities: ROLE_PREVIOUS_ADMINISTRATOR
org.springframework.security.access.AccessDeniedEx ception: Access is denied

Thanks,
-Nestor

**nestoru** · Nov 4th, 2011, 09:35 AM

I solved this. The reason for failure was that we are using uniquemember instead of the default member attribute. So that property had to be set. Here are the bits working for me. Hopefully will help others:

PHP Code:


<beans:bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
  <beans:constructor-arg><beans:ref bean="ldapUserSearch"/></beans:constructor-arg>
  <beans:constructor-arg><beans:ref bean="ldapAuthoritiesPopulator"/></beans:constructor-arg>
  <beans:property name="userDetailsMapper" ref="customUserDetailsContextMapper" />
</beans:bean>

<beans:bean id="ldapUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg type="String"><beans:value>ou=people,o=nestorurquiza</beans:value></beans:constructor-arg>
    <beans:constructor-arg type="String"><beans:value>mail={0}</beans:value></beans:constructor-arg>
    <beans:constructor-arg><beans:ref bean="ldapContextSource"/></beans:constructor-arg>
</beans:bean>

<beans:bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
        <beans:property name="userDetailsService" ref="ldapUserDetailsService" />
        <beans:property name="switchUserUrl" value="/admin/switchUser" />
        <beans:property name="exitUserUrl" value="/admin/switchUserExit" />
        <beans:property name="targetUrl" value="/login" />
    </beans:bean>

    <beans:bean id="ldapAuthProvider"
            class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
      <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
          <beans:constructor-arg ref="ldapContextSource"/>
          <beans:property name="userDnPatterns">
            <beans:list><beans:value>mail={0},ou=people,o=nestorurquiza</beans:value></beans:list>
          </beans:property>
        </beans:bean>
      </beans:constructor-arg>
      <beans:constructor-arg ref="ldapAuthoritiesPopulator"/>
    </beans:bean>

    <beans:bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
          <beans:constructor-arg ref="ldapContextSource"/>
          <beans:constructor-arg value="ou=groups,o=nestorurquiza"/>
          <beans:property name="groupSearchFilter" value="uniquemember={0}" />
    </beans:bean>

<custom-filter  after="FILTER_SECURITY_INTERCEPTOR" ref="switchUserProcessingFilter" />

Thread: LDAP SwitchUserFilter: Access denied due to single ROLE_PREVIOUS_ADMINISTRATOR

Thread Tools

Display

LDAP SwitchUserFilter: Access denied due to single ROLE_PREVIOUS_ADMINISTRATOR

Posting Permissions