-
Mar 16th, 2011, 03:49 AM
#1
Authorization fails when using GBAC in spring security 3.0
I am working on CAS integration for my web application with the Spring Security 3.0 framework. I created a secured page which will be accessed only if the user has the ROLE_SUPERVISOR role.
When using "usersByUsernameQuery" value="select username,password,enabled from users where username=?", everything worked perfectly.
When using "groupAuthoritiesByUsernameQuery", I am able to retrieve the groups of the logged-in user. For example, it says the GRANTED Authorities are Administrators,Supervisors, which comes from the group_permission table. But when I try to access the secured page, it shows ACCESS DENIED. It seems like the actual roles/permissions which I assigned to the groups (e.g. ROLE_SUPERVISOR to Supervisors) are not reflected or validated properly.
Am I missing anything? Please help me out.
-
Mar 16th, 2011, 04:52 AM
#2
I found the answer myself. I am supposed to override this method in my custom jdbcImplementation class:
    // Override in the custom JDBC user-details class.
    @SuppressWarnings("unchecked")
    protected List<GrantedAuthority> loadGroupAuthorities(String username) {
        return getJdbcTemplate().query(groupAuthoritiesByUsernameQuery, new String[] {username}, new RowMapper() {
            @SuppressWarnings("deprecation")
            public Object mapRow(ResultSet rs, int rowNum) throws SQLException {
                // Use the permission (role) name column as the granted authority.
                String roleName = rs.getString("permissionname");
                GrantedAuthorityImpl authority = new GrantedAuthorityImpl(roleName);
                return authority;
            }
        });
    }
-
Mar 16th, 2011, 05:35 AM
#3
Glad to hear you solved it! A good way to debug / diagnose this is to enable logging of the Spring Security components so that you can see what roles the user has been assigned upon login.
Peter Mularien | Blog
Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
SCJP 5, Oracle DBA
Any postings are my own opinion, and should not be attributed to my employer or clients.
-
Mar 16th, 2011, 05:41 AM
#4
Thanks pmularien,
I saw the details of the granted authorities by using request.getUserPrincipal(). It showed me the group names instead of role names in the GRANTED AUTHORITY property. I came across this link:
https://src.springframework.org/svn/...bcDaoImpl.java
This helped me.
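Added example, not part of any post in this thread: it assumes the stock JdbcDaoImpl.loadGroupAuthorities, which builds each authority from the third column of the groupAuthoritiesByUsernameQuery result by position. The tables are a simplified form of the Spring Security reference group schema, and the rows (user alice, ROLE_ADMIN) are constructed.

```sql
-- Constructed sample data on a simplified form of the Spring Security
-- reference group schema (groups / group_authorities / group_members).
-- GROUPS is a reserved word in MySQL 8.0+ and must be quoted there.
CREATE TABLE groups (
  id         BIGINT PRIMARY KEY,
  group_name VARCHAR(50) NOT NULL
);
CREATE TABLE group_authorities (
  group_id  BIGINT NOT NULL REFERENCES groups(id),
  authority VARCHAR(50) NOT NULL
);
CREATE TABLE group_members (
  id       BIGINT PRIMARY KEY,
  username VARCHAR(50) NOT NULL,
  group_id BIGINT NOT NULL REFERENCES groups(id)
);

INSERT INTO groups VALUES (1, 'Administrators'), (2, 'Supervisors');
INSERT INTO group_authorities VALUES (1, 'ROLE_ADMIN'), (2, 'ROLE_SUPERVISOR');
INSERT INTO group_members VALUES (1, 'alice', 1), (2, 'alice', 2);

-- Problem shape: the third column is group_name, so a mapper that reads
-- column 3 by position turns group names into granted authorities and an
-- access rule written against ROLE_SUPERVISOR never matches.
SELECT g.id, ga.authority, g.group_name
FROM groups g
JOIN group_members gm ON gm.group_id = g.id
JOIN group_authorities ga ON ga.group_id = g.id
WHERE gm.username = 'alice';

-- Expected shape: (group id, group name, authority), with the authority
-- in the third column. In the bean definition the literal 'alice' is
-- replaced by the ? placeholder.
SELECT g.id, g.group_name, ga.authority
FROM groups g
JOIN group_members gm ON gm.group_id = g.id
JOIN group_authorities ga ON ga.group_id = g.id
WHERE gm.username = 'alice';
```

Running the configured query by hand for one user and checking which value lands in the third column separates a query-shape problem from an access-rule problem.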
-
Feb 5th, 2012, 09:44 PM
#5
Integrating groups
I am currently reading the Spring Security 3 book, and while it has been good so far, I am having a little bit of trouble integrating a MySQL database and using groups. I disabled "enableAuthorities", enabled groups, and created the tables that are needed; however, I cannot log into some parts of my page as an admin, even though I belong to that group. It seems "Authorities" are being used over groups. Any ideas or leads would be really appreciated.
Thanks!