Hi all,

I'm facing a weird behaviour.

My application checks identity but doesn't check role. Ever had an example like that?

Here is my config:

web.xml
Code:
	<filter>
		<filter-name>authenticationFilter</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>
	<servlet>
		<servlet-name>jerseyspring</servlet-name>
		<servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
		<init-param>
			<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
			<param-value>true</param-value>
		</init-param>
		<load-on-startup>1</load-on-startup>
	</servlet>
	<servlet-mapping>
		<servlet-name>jerseyspring</servlet-name>
		<url-pattern>/*</url-pattern>
	</servlet-mapping>
	<filter-mapping>
		<filter-name>authenticationFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
servlet.xml
Code:
    <bean id="authenticationFilter"
          class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
          <property name="authenticationManager" ref="authenticationManager"/>
          <property name="authenticationEntryPoint" ref="defaultEntryPoint"/>
    </bean>

    <sec:http entry-point-ref="defaultEntryPoint" auto-config="true" realm="diveintojee.org">
		<sec:http-basic/>
		<sec:intercept-url pattern="/**/protected" access="ROLE_ADMIN" />
		<sec:access-denied-handler ref="defaultAccessDeniedHandler" />
    </sec:http>

	<sec:authentication-manager alias="authenticationManager">
		<sec:authentication-provider>
			<sec:user-service>
				<sec:user name="bob" password="bob" authorities="ROLE_USER" />
				<sec:user name="visitor" password="visitor" authorities="ROLE_USER,ROLE_ADMIN" />
			</sec:user-service>
		</sec:authentication-provider>
	</sec:authentication-manager>
protected resource
Code:
	@GET
	@Path("/protected")
	@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
	public Response returnProtectedResource() throws Throwable {

		final Advert criteria = new Advert();

		// very important phone number !!!!!
		criteria.setPhoneNumber("0033606060606");

		final List<Advert> results = this.facade.findAdvertsByCriteria(criteria);

		final GenericEntity<List<Advert>> entity = new GenericEntity<List<Advert>>(results) {
		};

		if (CollectionUtils.isEmpty(results)) AdvertController.LOGGER.info("No results found");

		return Response.ok(entity).build();

	}
When I send a GET request to URI /advert/protected with basic auth "bob:anything", I get an HTTP 401 (which is correct).
When I send a GET request to URI /advert/protected with basic auth "bob:bob", I get an HTTP 200 (which is totally wrong, as bob doesn't have the ROLE_ADMIN authority).

Last, the logs :
Code:
DEBUG 1275884857@qtp-814397217-0 org.springframework.security.web.authentication.www.BasicAuthenticationFilter - Basic Authentication Authorization header found for user 'bob'
DEBUG 1275884857@qtp-814397217-0 org.springframework.security.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
DEBUG 1275884857@qtp-814397217-0 org.springframework.security.web.authentication.www.BasicAuthenticationFilter - Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@441d974e: Principal: org.springframework.security.core.userdetails.User@17db5: Username: bob; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_USER
INFO 1275884857@qtp-814397217-0 org.diveintojee.poc.web.AdvertController - No results found
Any help would be much appreciated, because I'm really stuck; I can't figure out where my mistake is.

Thx,

Louis GUEYE
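Added example (not the poster's config): a corrected web.xml and servlet.xml pair for the setup above. The web.xml in the post maps a DelegatingFilterProxy whose filter-name is `authenticationFilter`, so it delegates to the bare `BasicAuthenticationFilter` bean. That filter only authenticates; the `<sec:intercept-url access="ROLE_ADMIN">` rule is enforced by the `FilterSecurityInterceptor` inside the filter chain bean that `<sec:http>` creates, which is named `springSecurityFilterChain` and is never registered in the posted web.xml. This is also why the debug log shows `BasicAuthenticationFilter` and `ProviderManager` entries but nothing from `FilterSecurityInterceptor`. The example registers that chain instead and drops the standalone filter bean, since `<sec:http-basic/>` already adds a `BasicAuthenticationFilter` to the chain. The `contextConfigLocation` path `/WEB-INF/servlet.xml` and the `ContextLoaderListener` declaration are assumptions; the `defaultEntryPoint` and `defaultAccessDeniedHandler` beans are referenced exactly as in the post and are assumed to be defined elsewhere in the same context.

```xml
<!-- ===== web.xml (added example) ===== -->

<!-- Assumption: servlet.xml is loaded into the ROOT web application context.
     DelegatingFilterProxy looks the target bean up in the root context,
     so the chain must live there, not only in a DispatcherServlet context. -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/servlet.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- The filter-name MUST be springSecurityFilterChain: that is the bean name
     <sec:http> registers, and it carries the FilterSecurityInterceptor that
     evaluates <sec:intercept-url>. Delegating to "authenticationFilter" as in
     the original post only runs authentication and skips authorization. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Jersey servlet unchanged from the post. -->
<servlet>
    <servlet-name>jerseyspring</servlet-name>
    <servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
    <init-param>
        <param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>jerseyspring</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>

<!-- ===== servlet.xml (added example) ===== -->

<!-- No standalone BasicAuthenticationFilter bean: <sec:http-basic/> below
     already inserts one into springSecurityFilterChain, wired to the
     authentication manager and to entry-point-ref. -->
<sec:http entry-point-ref="defaultEntryPoint" auto-config="true" realm="diveintojee.org">
    <sec:http-basic/>
    <!-- Ant-style pattern: matches /advert/protected. Only this path is
         restricted; every other URL is left open, as in the post. -->
    <sec:intercept-url pattern="/**/protected" access="ROLE_ADMIN"/>
    <!-- Invoked when an authenticated user lacks ROLE_ADMIN (403 by default). -->
    <sec:access-denied-handler ref="defaultAccessDeniedHandler"/>
</sec:http>

<!-- Test users as in the post (plaintext passwords, suitable for a PoC only). -->
<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider>
        <sec:user-service>
            <sec:user name="bob" password="bob" authorities="ROLE_USER"/>
            <sec:user name="visitor" password="visitor" authorities="ROLE_USER,ROLE_ADMIN"/>
        </sec:user-service>
    </sec:authentication-provider>
</sec:authentication-manager>
```

To check the fix: a GET on /advert/protected with "bob:anything" should still return 401 (entry point), "bob:bob" should now go to `defaultAccessDeniedHandler` (403 with the default handler) instead of 200, and "visitor:visitor" should return 200. At DEBUG level the log should now also contain `FilterSecurityInterceptor` entries evaluating the request, which are absent from the log in the post because the chain was never in the request path.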