
Thread: roles checking never triggered

  1. #1

    Roles checking never triggered

    Hi all,

    I'm facing a weird behaviour.

    My application checks identity but doesn't check role. Ever had an example like that?

    Here is my config.

    web.xml
    Code:
    	<filter>
    		<filter-name>authenticationFilter</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    	</filter>
    	<servlet>
    		<servlet-name>jerseyspring</servlet-name>
    		<servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
    		<init-param>
    			<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
    			<param-value>true</param-value>
    		</init-param>
    		<load-on-startup>1</load-on-startup>
    	</servlet>
    	<servlet-mapping>
    		<servlet-name>jerseyspring</servlet-name>
    		<url-pattern>/*</url-pattern>
    	</servlet-mapping>
    	<filter-mapping>
    		<filter-name>authenticationFilter</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    servlet.xml
    Code:
        <bean id="authenticationFilter"
              class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
              <property name="authenticationManager" ref="authenticationManager"/>
              <property name="authenticationEntryPoint" ref="defaultEntryPoint"/>
        </bean>
    
        <sec:http entry-point-ref="defaultEntryPoint" auto-config="true" realm="diveintojee.org">
    		<sec:http-basic/>
    		<sec:intercept-url pattern="/**/protected" access="ROLE_ADMIN" />
    		<sec:access-denied-handler ref="defaultAccessDeniedHandler" />
        </sec:http>
    
    	<sec:authentication-manager alias="authenticationManager">
    		<sec:authentication-provider>
    			<sec:user-service>
    				<sec:user name="bob" password="bob" authorities="ROLE_USER" />
    				<sec:user name="visitor" password="visitor" authorities="ROLE_USER,ROLE_ADMIN" />
    			</sec:user-service>
    		</sec:authentication-provider>
    	</sec:authentication-manager>
    protected resource
    Code:
    	@GET
    	@Path("/protected")
    	@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
    	public Response returnProtectedResource() throws Throwable {
    
    		final Advert criteria = new Advert();
    
    		// very important phone number !!!!!
    		criteria.setPhoneNumber("0033606060606");
    
    		final List<Advert> results = this.facade.findAdvertsByCriteria(criteria);
    
    		final GenericEntity<List<Advert>> entity = new GenericEntity<List<Advert>>(results) {
    		};
    
    		if (CollectionUtils.isEmpty(results)) AdvertController.LOGGER.info("No results found");
    
    		return Response.ok(entity).build();
    
    	}
    When I send a GET request at uri /advert/protected with basic auth "bob:anything" I get a http 401 (which is correct).
    When I send a GET request at uri /advert/protected with basic auth "bob:bob" I get a http 200 (which is totally wrong as bob doesn't have ROLE_ADMIN authority).

    Last, the logs :
    Code:
    DEBUG 1275884857@qtp-814397217-0 org.springframework.security.web.authentication.www.BasicAuthenticationFilter - Basic Authentication Authorization header found for user 'bob'
    DEBUG 1275884857@qtp-814397217-0 org.springframework.security.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
    DEBUG 1275884857@qtp-814397217-0 org.springframework.security.web.authentication.www.BasicAuthenticationFilter - Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@441d974e: Principal: org.springframework.security.core.userdetails.User@17db5: Username: bob; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_USER
    INFO 1275884857@qtp-814397217-0 org.diveintojee.poc.web.AdvertController - No results found
    Any help would be much appreciated because I'm really stuck; I can't figure out where my mistake is.

    Thx,

    Louis GUEYE
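An added configuration example, not from the thread or the linked jbehave-poc project, showing the wiring a defender would check first: DelegatingFilterProxy delegates to the Spring bean that shares its filter-name, so the web.xml above hands every request to the standalone BasicAuthenticationFilter bean, which only authenticates, while the chain that sec:http registers under the bean name springSecurityFilterChain (the one containing FilterSecurityInterceptor, which enforces intercept-url rules) is never invoked by the container. Pointing the proxy at that bean puts both authentication and the ROLE_ADMIN check into the request path; the catch-all rule at the end is an assumption that the rest of the API is meant for any authenticated user.

```xml
<!-- web.xml: delegate to the whole Spring Security filter chain,
     not to a single hand-declared filter bean -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- servlet.xml: <sec:http-basic/> already places a BasicAuthenticationFilter
     inside the chain, so the separate authenticationFilter bean is not needed.
     Rules are evaluated in order, so the specific pattern comes first. -->
<sec:http entry-point-ref="defaultEntryPoint" realm="diveintojee.org">
    <sec:http-basic/>
    <sec:intercept-url pattern="/**/protected" access="ROLE_ADMIN"/>
    <!-- assumed catch-all: everything else still requires an authenticated user -->
    <sec:intercept-url pattern="/**" access="ROLE_USER"/>
    <sec:access-denied-handler ref="defaultAccessDeniedHandler"/>
</sec:http>
```

With the chain wired in, a bob:bob request to /advert/protected should be refused by FilterSecurityInterceptor and reach AccessDeniedHandlerImpl, whose resolveHttpStatus maps AccessDeniedException to 403; a DEBUG line from FilterSecurityInterceptor for that URL is the quickest confirmation that authorization is now running.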

  2. #2
    Join Date: Dec 2008 | Location: India | Posts: 295


    Can you show your "defaultAccessDeniedHandler" code?
    Enjoy
    Rohan Chauhan
    ------------------------------------------------------------------------------
    SpringSource Certified Spring 3.0 Professional


  3. #3


    Quote Originally Posted by rohan123:
    Can you show your "defaultAccessDeniedHandler" code?

    Hi Rohan, thanks for replying! Here is my code:

    Code:
    import java.io.IOException;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.access.AccessDeniedException;
    import org.springframework.security.web.access.AccessDeniedHandler;
    import org.springframework.stereotype.Component;

    // ExceptionConverter is the project's own class; its package is not shown in the post,
    // so no import is added for it here.
    @Component(AccessDeniedHandlerImpl.BEAN_ID)
    public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
    
        public static final String BEAN_ID = "defaultAccessDeniedHandler";
    
        @Autowired
        private ExceptionConverter exceptionConverter;
    
        /**
         * Maps the AccessDeniedException to an HTTP status and message via the ExceptionConverter.
         *
         * @see org.springframework.security.web.access.AccessDeniedHandler#handle(javax.servlet.http.HttpServletRequest,
         *      javax.servlet.http.HttpServletResponse, org.springframework.security.access.AccessDeniedException)
         */
        @Override
        public void handle(final HttpServletRequest request, final HttpServletResponse response,
                final AccessDeniedException accessDeniedException) throws IOException, ServletException {
            response.sendError(exceptionConverter.resolveHttpStatus(accessDeniedException),
                exceptionConverter.resolveMesage(request, accessDeniedException));
        }
    
    }
    And the relevant ExceptionConverter part:
    Code:
        /**
         * Maps an exception to the HTTP status code that should be sent to the client.
         *
         * @param th the exception to map; may be null
         * @return the HTTP status code for the exception
         */
        public int resolveHttpStatus(final Throwable th) {
            if (th == null)
                return HttpServletResponse.SC_OK;
            // th.printStackTrace();
            if (th instanceof NotFoundException)
                return HttpServletResponse.SC_NOT_FOUND;
            if (th instanceof AuthenticationException)
                return HttpServletResponse.SC_UNAUTHORIZED;
            if (th instanceof AccessDeniedException)
                return HttpServletResponse.SC_FORBIDDEN;
            if (th instanceof IllegalArgumentException || th instanceof ValidationException
                || th instanceof BusinessException)
                return HttpServletResponse.SC_BAD_REQUEST;
            if (th instanceof IllegalStateException)
                return HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
            if (th instanceof WebApplicationException && ((WebApplicationException) th).getResponse() != null)
                return ((WebApplicationException) th).getResponse().getStatus();
            return HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
        }
    Also, if you'd rather navigate through the complete source code, you can browse it on GitHub: https://github.com/lgueye/jbehave-poc.
    You can run the code with
    Code:
    mvn clean install -Pembedded

    Regards,

    Louis.
    Last edited by louis.gueye@gmail.com; Dec 12th, 2011 at 01:01 PM.

  4. #4
    Join Date: Dec 2008 | Location: India | Posts: 295


    Change your component scan path to jbehave, your handler is in web so
    Enjoy
    Rohan Chauhan
    ------------------------------------------------------------------------------
    SpringSource Certified Spring 3.0 Professional


  5. #5


    Quote Originally Posted by rohan123:
    Change your component scan path to jbehave, your handler is in web so

    My handler is in web and I scan web. The factory finds it; otherwise it would fail creating a context at runtime, and it doesn't.
    It just doesn't invoke the code where it should check for bob's authorities. It returns an HTTP 200 status. To him everything is fine.

  6. #6


    Well, I gave up.
    Resource protection did not work. Maybe it's the Spring/Jersey association.
    I enabled method protection with jsr250-annotations. That worked and I could handle my AccessDeniedException.
