@PreAuthorize() is not working when i am using customAuthenticationManager

[satish.bellapu]

Please bare with me i am new to spring... following is the issue along with the code snippet.

I am using customAuthenticationManager and setting my controller object with @PreAuthorize("hasRole('ROLE_USER')") tag, but when i try to access the controller its directly able to access even i have no valid role. Following is the code snippet.

spring-security.xml

Code:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:security="http://www.springframework.org/schema/security"
	xmlns:p="http://www.springframework.org/schema/p" 
	xsi:schemaLocation="http://www.springframework.org/schema/beans 
	   		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
			http://www.springframework.org/schema/security 
			http://www.springframework.org/schema/security/spring-security-3.0.xsd">
	
        <security:global-method-security pre-post-annotations="enabled">
		<security:expression-handler ref="expressionHandler" />
	</security:global-method-security>
        <bean id="expressionHandler"
	class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
		<property name = "roleHierarchy" ref="roleHierarchy"/>
	</bean>
	<security:http auto-config="false" use-expressions="true" access-denied-page="/access-denied.html"
			entry-point-ref="authenticationEntryPoint" >
		<security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
	</security:http>
 	<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
  		p:authenticationManager-ref="customAuthenticationManager"
  		p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
  		p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" />
	<bean id="customAuthenticationManager" class="com.CustomAuthenticationManager" />
 	<bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
 		p:defaultFailureUrl="/app/user/role" />
 		
 	<bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
 		p:defaultTargetUrl="/app/user/role" />
 	<bean id="authenticationEntryPoint"  class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
	 	p:loginFormUrl="/index.html"/>
        <bean id="roleHierarchy"  class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
	    <property name="hierarchy">
	        <value>
	            ROLE_ADMIN 
	            ROLE_USER > ROLE_VISITOR
	        </value>
	    </property>
	</bean>
	<security:authentication-manager/>
</beans>

web.xml

Code:

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
	<filter>
	        <filter-name>springSecurityFilterChain</filter-name>
	        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>
	
	<filter-mapping>
	        <filter-name>springSecurityFilterChain</filter-name>
	        <url-pattern>/*</url-pattern>
	</filter-mapping>
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>
		/WEB-INF/spring-security.xml
		/WEB-INF/mvc-dispatcher-servlet.xml
		</param-value>
	</context-param>	
	<servlet>
		<servlet-name>mvc-dispatcher</servlet-name>
		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
		<load-on-startup>1</load-on-startup>
	</servlet>	
	<servlet-mapping>
		<servlet-name>mvc-dispatcher</servlet-name>
		<url-pattern>/app/*</url-pattern>
	</servlet-mapping>
	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>	
</web-app>

controller.java

Code:

@Controller
@RequestMapping("/user")
public class UserController {
    @RequestMapping(value = "/role", method = RequestMethod.GET)
    @PreAuthorize("hasRole('ROLE_USER')")
    public @ResponseBody String getUserRoleData() {
         System.out.println("My Authorities: "+ SecurityContextHolder.getContext().getAuthentication());
        return "{'key':'Test'}";
    }
}

It will be a gr8 help from your side if you can help me identifying the issue,
Thanks in advance,

[satish.bellapu]

Attaching the Logs
Debug Logs

Code:

2012-05-26 03:10:29,668 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#getFilters(195) - Converted URL to lowercase, from: '/app/user/role'; to: '/app/user/role'
2012-05-26 03:10:29,668 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#getFilters(202) - Candidate is: '/app/user/role'; pattern is /**; matched=true
2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(375) - /app/user/role at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.context.HttpSessionSecurityContextRepository#readSecurityContextFromSession(130) - No HttpSession currently exists
2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.context.HttpSessionSecurityContextRepository#loadContext(88) - No SecurityContext was available from the HttpSession: null. A new one will be created.
2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(375) - /app/user/role at position 2 of 8 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(375) - /app/user/role at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(375) - /app/user/role at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(375) - /app/user/role at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.authentication.AnonymousAuthenticationFilter#doFilter(67) - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2012-05-26 03:10:29,669 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(375) - /app/user/role at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
2012-05-26 03:10:29,670 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(375) - /app/user/role at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2012-05-26 03:10:29,670 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(375) - /app/user/role at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2012-05-26 03:10:29,670 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource#lookupAttributes(173) - Converted URL to lowercase, from: '/app/user/role'; to: '/app/user/role'
2012-05-26 03:10:29,670 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.access.intercept.FilterSecurityInterceptor#beforeInvocation(182) - Public object - authentication not attempted
2012-05-26 03:10:29,670 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.FilterChainProxy#doFilter(362) - /app/user/role reached end of additional filter chain; proceeding with original chain
2012-05-26 03:10:29,670 +0530 [] DEBUG [qtp970799122-37] org.springframework.web.servlet.DispatcherServlet#doService(693) - DispatcherServlet with name 'mvc-dispatcher' processing GET request for [testapp/app/user/role]
2012-05-26 03:10:29,670 +0530 [] DEBUG [qtp970799122-37] org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping#getHandlerInternal(221) - Mapping [/user/role] to HandlerExecutionChain with handler [com.controller.UserController@5bfd9b49] and 2 interceptors
2012-05-26 03:10:29,671 +0530 [] DEBUG [qtp970799122-37] org.springframework.web.servlet.DispatcherServlet#doDispatch(769) - Last-Modified value for [testapp/app/user/role] is: -1
2012-05-26 03:10:29,671 +0530 [] DEBUG [qtp970799122-37] org.springframework.web.bind.annotation.support.HandlerMethodInvoker#invokeHandlerMethod(173) - Invoking request handler method: public java.lang.String com.controller.UserController.getUserRoleData()
2012-05-26 03:10:29,672 +0530 [] DEBUG [qtp970799122-37] org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter#writeWithMessageConverters(981) - Written [/home.html] as "text/html" using [org.springframework.http.converter.StringHttpMessageConverter@1653033e]
2012-05-26 03:10:29,672 +0530 [] DEBUG [qtp970799122-37] org.springframework.web.servlet.DispatcherServlet#doDispatch(824) - Null ModelAndView returned to DispatcherServlet with name 'mvc-dispatcher': assuming HandlerAdapter completed request handling
2012-05-26 03:10:29,672 +0530 [] DEBUG [qtp970799122-37] org.springframework.web.servlet.DispatcherServlet#processRequest(674) - Successfully completed request
2012-05-26 03:10:29,672 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.access.ExceptionTranslationFilter#doFilter(100) - Chain processed normally
2012-05-26 03:10:29,672 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.context.HttpSessionSecurityContextRepository#saveContext(338) - SecurityContext is empty or anonymous - context will not be stored in HttpSession. 
2012-05-26 03:10:29,673 +0530 [] DEBUG [qtp970799122-37] org.springframework.security.web.context.SecurityContextPersistenceFilter#doFilter(89) - SecurityContextHolder now cleared, as request processing completed

[satish.bellapu]

Got the solution,....... this might help someone who are facing the similar issues....

In spring_security.xml add the mvc annotation before global annotation,

Code:

<mvc:annotation-driven />
 /*Before we set global annotation*/
        <security:global-method-security pre-post-annotations="enabled">
		<security:expression-handler ref="expressionHandler" />
	</security:global-method-security>

and remove mvc annotation from mvc-dispatcher-servlet.xml

[ashutoshgawande]

This is just really really tricky, I have done same and it worked.
Amazingly I didn't believe earlier but it's true!!.

Got the solution,....... this might help someone who are facing the similar issues....

In spring_security.xml add the mvc annotation before global annotation,

Code:

<mvc:annotation-driven />
 /*Before we set global annotation*/
        <security:global-method-security pre-post-annotations="enabled">
		<security:expression-handler ref="expressionHandler" />
	</security:global-method-security>

and remove mvc annotation from mvc-dispatcher-servlet.xml