RoleVoter prefix is not working

[sachin_yadav]

Hi All,

I have build a custome login/logout security handler and integrated in spring security 3.0. All is working good except 1 issue. I am trying to put ROLE_ prefix before every role i fetch from DB, but somehow it is not being done. By spring security configuration xml is -

Code:

	<global-method-security secured-annotations="enabled" access-decision-manager-ref="accessDecisionManager"/>
	
	<authentication-manager alias="authenticationManager">
	<authentication-provider>
	<password-encoder hash="plaintext"/>	
	<jdbc-user-service data-source-ref="dataSource"
	users-by-username-query = "select user_id,user_password,status as enabled from user_master where user_email_id = ?" 
	authorities-by-username-query="SELECT user.user_id, role.role_type 
									FROM user_master USER, role_master role, user_role ur 
									WHERE user.user_id = ur.user_id
									AND role.role_id = ur.role_id
									AND user.user_id=?"/>		
	</authentication-provider>
	</authentication-manager>
	
    <beans:bean id="authenticationProcessingFilter" class="XXX.XXX.XXX.XXXAuthenticationProcessingFilter">
		<beans:property name="authenticationManager" ref="authenticationManager" />
		<beans:property name="authenticationFailureHandler" ref="failureHandler"/>
 		<beans:property name="authenticationSuccessHandler" ref="successHandler"/>
	</beans:bean>
	
	<beans:bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
	 	<beans:property name="defaultTargetUrl" value="/index.jsp"/>
	</beans:bean>
	<beans:bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
	 	<beans:property name="defaultFailureUrl" value="/login.jsp?login_error=true"/>
	</beans:bean>
	
	<http auto-config="false" access-decision-manager-ref="accessDecisionManager" 
	entry-point-ref="authenticationProcessingFilterEntryPoint">
	<custom-filter position="FORM_LOGIN_FILTER" ref="authenticationProcessingFilter" />
	<custom-filter position="LOGOUT_FILTER" ref="customLogoutFilter"/>
	<access-denied-handler error-page="/login.jsp"/> 
	<intercept-url pattern="/XXX/**" access="ROLE_USER"/>
	<intercept-url pattern="/XXX/*" access="ROLE_RESTAURENT"/>
	<intercept-url pattern="/XXX/*" access="ROLE_ADMIN"/>
	</http>
     <beans:bean id="customLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
		<beans:constructor-arg value="/login.jsp"></beans:constructor-arg>
		<beans:constructor-arg>
			<beans:list>
				<beans:bean class="XXX.XXX.XXX.XXX.XXXSecurityLogoutHandler" />
				<beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
			</beans:list>
		</beans:constructor-arg>
		<beans:property name="filterProcessesUrl" value="/j_spring_security_logout" />		
	</beans:bean> 
	
     <beans:bean id="authenticationProcessingFilterEntryPoint"
		class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
		<beans:property name="loginFormUrl" value="/login.jsp" />
		<beans:property name="forceHttps" value="false" />
	</beans:bean>
		
     <beans:bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
         <beans:property name="jndiName" value="/jdbc/XXX"/>
         <beans:property name="resourceRef" value="true"/>
    </beans:bean>
	
    <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
		<beans:property name="decisionVoters">
			<beans:list><beans:ref bean="roleVoter" /> </beans:list>
  		</beans:property>
  	</beans:bean>  	 
	<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
 	<beans:property name="rolePrefix">	<beans:value>ROLE_</beans:value> </beans:property>
  </beans:bean>
</beans:beans>

Also no security context is being set presently in HTTP session. Here is my log file

Code:

19:28:39,157 DEBUG DataSourceUtils:332 - Returning JDBC Connection to DataSource
19:28:39,157 DEBUG DaoAuthenticationProvider:69 - Authentication failed: password does not match stored value
19:28:39,157 DEBUG XmlWebApplicationContext:301 - Publishing event in Root WebApplicationContext: org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.authentication.UsernamePasswordAuthenticationToken@7ddcc040: Principal: a@a.com; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: 9F480C623F97F5B3EFA37D5B70331ACF; Not granted any authorities]
19:28:39,172 DEBUG XXXAuthenticationProcessingFilter:318 - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
19:28:39,172 DEBUG XXXAuthenticationProcessingFilter:319 - Updated SecurityContextHolder to contain null Authentication
19:28:39,172 DEBUG XXXAuthenticationProcessingFilter:320 - Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1c8b884
19:28:39,172 DEBUG SimpleUrlAuthenticationFailureHandler:67 - Redirecting to /login.jsp?login_error=true
19:28:39,172 DEBUG DefaultRedirectStrategy:36 - Redirecting to '/XXX/login.jsp?login_error=true'
19:28:39,172 DEBUG HttpSessionSecurityContextRepository:338 - SecurityContext is empty or anonymous - context will not be stored in HttpSession. 
19:28:39,172 DEBUG SecurityContextPersistenceFilter:89 - SecurityContextHolder now cleared, as request processing completed
19:28:39,188 DEBUG FilterChainProxy:194 - Converted URL to lowercase, from: '/login.jsp'; to: '/login.jsp'
19:28:39,188 DEBUG FilterChainProxy:201 - Candidate is: '/login.jsp'; pattern is /**; matched=true
19:28:39,188 DEBUG FilterChainProxy:376 - /login.jsp?login_error=true at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
19:28:39,188 DEBUG HttpSessionSecurityContextRepository:142 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
19:28:39,188 DEBUG HttpSessionSecurityContextRepository:88 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@1c958af. A new one will be created.
19:28:39,188 DEBUG FilterChainProxy:376 - /login.jsp?login_error=true at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
19:28:39,188 DEBUG FilterChainProxy:376 - /login.jsp?login_error=true at position 3 of 9 in additional filter chain; firing Filter: 'XXXAuthenticationProcessingFilter'
19:28:39,188 DEBUG FilterChainProxy:376 - /login.jsp?login_error=true at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
19:28:39,188 DEBUG FilterChainProxy:376 - /login.jsp?login_error=true at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
19:28:39,203 DEBUG FilterChainProxy:376 - /login.jsp?login_error=true at position 6 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
19:28:39,203 DEBUG AnonymousAuthenticationFilter:67 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90572420: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: 9F480C623F97F5B3EFA37D5B70331ACF; Granted Authorities: ROLE_ANONYMOUS'
19:28:39,203 DEBUG FilterChainProxy:376 - /login.jsp?login_error=true at position 7 of 9 in additional filter chain; firing Filter: 'SessionManagementFilter'
19:28:39,203 DEBUG FilterChainProxy:376 - /login.jsp?login_error=true at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
19:28:39,203 DEBUG FilterChainProxy:376 - /login.jsp?login_error=true at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
19:28:39,203 DEBUG DefaultFilterInvocationSecurityMetadataSource:173 - Converted URL to lowercase, from: '/login.jsp'; to: '/login.jsp'
19:28:39,203 DEBUG DefaultFilterInvocationSecurityMetadataSource:200 - Candidate is: '/login.jsp'; pattern is /order/**; matched=false
19:28:39,203 DEBUG DefaultFilterInvocationSecurityMetadataSource:200 - Candidate is: '/login.jsp'; pattern is /restaurent/*; matched=false
19:28:39,219 DEBUG DefaultFilterInvocationSecurityMetadataSource:200 - Candidate is: '/login.jsp'; pattern is /admin/*; matched=false
19:28:39,219 DEBUG FilterSecurityInterceptor:183 - Public object - authentication not attempted
19:28:39,219 DEBUG XmlWebApplicationContext:301 - Publishing event in Root WebApplicationContext: org.springframework.security.access.event.PublicInvocationEvent[source=FilterInvocation: URL: /login.jsp?login_error=true]
19:28:39,219 DEBUG FilterChainProxy:363 - /login.jsp?login_error=true reached end of additional filter chain; proceeding with original chain
19:28:39,219 DEBUG ExceptionTranslationFilter:100 - Chain processed normally
19:28:39,219 DEBUG HttpSessionSecurityContextRepository:338 - SecurityContext is empty or anonymous - context will not be stored in HttpSession. 
19:28:39,219 DEBUG SecurityContextPersistenceFilter:89 - SecurityContextHolder now cleared, as request processing completed

[bluefoot]

The rolePrefix property just tells the RoleVoter that the authorities will come with that prefix.
Try to change your query to add ROLE_ to the returned authority:

Code:

SELECT user.user_id, 'ROLE_' || role.role_type as role_type
   FROM user_master USER, role_master role, user_role ur 
 WHERE user.user_id = ur.user_id
      AND role.role_id = ur.role_id
      AND user.user_id=?

please notice that the concatenation syntax may vary on different DBMS.

[Luke Taylor]

The log shows a failed authentication

Authentication failed: password does not match stored value

followed by the re-rendering of the login page.

[sachin_yadav]

ya just noticed my bad. This is working fine now, thanks for all your support.