Annotation PreAuthorize is not working properly. Tutorial spring security + jsf
Hi,
I modified spring security tutorial for use java server faces and xhtml pages.
I have the next problem:
class: bigbank.BankService
problem: @PreAuthorize(...) is not working propertly. When you login with any role and enter on listAccounts.xhtml page, clic on any operation, always obtain 403 Error.
url netbeans project on DropBox to dowload: https://dl.dropbox.com/u/80642164/Tu...g-security.zip
console output:Code:public interface BankService { public Account readAccount(Long id); public Account[] findAccounts(); @PreAuthorize( "hasRole('ROLE_SUPERVISOR') or " + "hasRole('ROLE_TELLER') and (#account.balance + #amount >= -#account.overdraft)" ) public Account post(Account account, double amount); }
Other files:Code:[...] Advertencia: #{postAccounts2.post}: org.springframework.security.access.AccessDeniedException: Access is denied javax.faces.FacesException: #{postAccounts2.post}: org.springframework.security.access.AccessDeniedException: Access is denied at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:118) at org.springframework.faces.webflow.FlowActionListener.processAction(FlowActionListener.java:71) at org.springframework.faces.model.SelectionTrackingActionListener.processAction(SelectionTrackingActionListener.java:55) at javax.faces.component.UICommand.broadcast(UICommand.java:315) at javax.faces.component.UIData.broadcast(UIData.java:1093) [...] Información: 13:18:53.466 [http-thread-pool-8080(3)] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler org.springframework.security.access.AccessDeniedException: Access is denied at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) ~[spring-security-core-3.1.3.RELEASE.jar:3.1.3.RELEASE] [...]
/WEB-INF/applicationContext-security.xml
/WEB-INF/applicationContext-business.xmlCode:<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <debug /> <global-method-security pre-post-annotations="enabled" /> <http pattern="/resources/**" security="none"/> <http pattern="/loggedout.xhtml" security="none"/> <http pattern="/timeout.xhtml" security="none"/> <http use-expressions="true"> <intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')"/> <intercept-url pattern="/secure/**" access="isAuthenticated()" /> <!-- Allow all other requests. In a real application you should adopt a whitelisting approach where access is not allowed by default --> <intercept-url pattern="/**" access="permitAll" /> <form-login /> <logout logout-success-url="/loggedout.xhtml" delete-cookies="JSESSIONID"/> <remember-me /> <!-- Uncomment to enable X509 client authentication support <x509 /> --> <!-- Uncomment to limit the number of sessions a user can have --> <session-management invalid-session-url="/timeout.xhtml"> <!--<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />--> </session-management> </http> <!-- Usernames/Passwords are rod/koala dianne/emu scott/wombat peter/opal --> <beans:bean id="encoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"/> <authentication-manager> <authentication-provider> <password-encoder ref="encoder"/> <user-service> <user name="rod" password="4efe081594ce25ee4efd9f7067f7f678a347bccf2de201f3adf2a3eb544850b465b4e51cdc3fcdde" authorities="supervisor, user, teller" /> <user name="dianne" password="957ea522524a41cbfb649a3e293d56268f840fd5b661b499b07858bc020d6d223f912e3ab303b00f" authorities="user,teller" /> <user name="scott" password="fb1f9e48058d30dc21c35ab4cf895e2a80f2f03fac549b51be637196dfb6b2b7276a89c65e38b7a1" authorities="user" /> <user name="peter" password="e175750688deee19d7179d444bfaf92129f4eea8b4503d83eb8f92a7dd9cda5fbae73638c913e420" authorities="user" /> </user-service> </authentication-provider> </authentication-manager> </beans:beans>
/WEB-INF/web.xmlCode:<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <bean id="bankDao" class="bigbank.BankDaoStub"/> <bean id="seedData" class="bigbank.SeedData"> <property name="bankDao" ref="bankDao"/> </bean> <bean id="bankService" class="bigbank.BankServiceImpl"> <constructor-arg ref="bankDao"/> <!--This will add a security interceptor to the bean--> <!-- <security:intercept-methods> <security:protect method="bigbank.BankService.*" access="IS_AUTHENTICATED_REMEMBERED" /> <security:protect method="bigbank.BankService.post" access="ROLE_TELLER" /> <security:protect method="bigbank.BankService.findAccounts" access="IS_AUTHENTICATED_ANONYMOUSLY, IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED"/> </security:intercept-methods> --> </bean> </beans>
Code:<?xml version="1.0" encoding="UTF-8"?> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <display-name>Spring Security Tutorial Application</display-name> <context-param> <param-name>javax.faces.FACELETS_LIBRARIES</param-name> <param-value>/WEB-INF/springsecurity.taglib.xml</param-value> </context-param> <!-- - Location of the XML file that defines the root application context - Applied by ContextLoaderListener. --> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/applicationContext-business.xml /WEB-INF/bank-servlet.xml /WEB-INF/applicationContext-security.xml <!--/WEB-INF/faces-config.xml--> </param-value> </context-param> <context-param> <param-name>webAppRootKey</param-name> <param-value>tutorial.root</param-value> </context-param> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- - Loads the root application context of this web app at startup. --> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <!-- - Publishes events for session creation and destruction through the application - context. Optional unless concurrent session control is being used. --> <listener> <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class> </listener> <!-- - Provides core MVC application controller. See bank-servlet.xml. --> <!-- <servlet> <servlet-name>bank</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>bank</servlet-name> <url-pattern>/*</url-pattern> <url-pattern>*.xhtml</url-pattern> </servlet-mapping>--> <context-param> <param-name>javax.faces.DEFAULT_SUFFIX</param-name> <param-value>.xhtml</param-value> </context-param> <servlet> <servlet-name>Faces Servlet</servlet-name> <servlet-class>javax.faces.webapp.FacesServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>Faces Servlet</servlet-name> <url-pattern>*.xhtml</url-pattern> </servlet-mapping> <welcome-file-list> <welcome-file>index.xhtml</welcome-file> </welcome-file-list> </web-app>
Reply With Quote