
Thread: JdbcDaoImpl : Default GrantedAuthority Issue

  1. #1

    Default JdbcDaoImpl : Default GrantedAuthority Issue

    Dear Ben Alex,

    We were just extending the org.acegisecurity.userdetails.jdbc.JdbcDaoImpl
    when we came to a point that may also be interesting for you to take into consideration in the next releases.

    There are a couple of lines in the method "loadUserByUsername" which are worth more in-depth thought:

    Code:
            if (dbAuths.size() == 0) {
                throw new UsernameNotFoundException("User has no GrantedAuthority");
            }
    In our usage, we came to the conclusion that if a user is defined in the database, it can be deduced that the user certainly has the role "ROLE_USER".

    This led us to change the code as follows. We commented out those lines and instead used the method which had been defined before as "addCustomAuthorities":

    Code:
    		addCustomAuthorities(user.getUsername(), dbAuths);
    
    //		if (dbAuths.size() == 0) {
    //			throw new UsernameNotFoundException("User has no GrantedAuthority");
    //		}
    And finally we changed the code for the method "addCustomAuthorities" as follows:

    Code:
    	/** Every user loaded from the database gets at least ROLE_USER, in addition to whatever the authorities table granted. */
    	protected void addCustomAuthorities(String username, List authorities) {
    		authorities.add(new GrantedAuthorityImpl("ROLE_USER"));
    	}
    This would make it so that each defined user has at least the role "ROLE_USER", and there is no need to throw the exception for not having any "GrantedAuthority"; actually, it should not be thrown.

    We hope we can contribute more in future.

    I hope this was an idea which you agree with too.

    Regards,
    Behrooz Nobakht
    Seyyed Jamal Pishvayi

  2. #2
    Join Date: Aug 2004 | Location: Sydney, Australia | Posts: 2,768

    Default

    Please feel free to add this suggestion to JIRA, and I'll add it to CVS.
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security

  3. #3

    Default

    Quote Originally Posted by behrooz
    There are a couple of lines in the method "loadUserByUsername" which are worth more in-depth thought:

    Code:
            if (dbAuths.size() == 0) {
                throw new UsernameNotFoundException("User has no GrantedAuthority");
            }
    In our usage, we came to the conclusion that if a user is defined in the database, it can be deduced that the user certainly has the role "ROLE_USER".

    This led us to change the code as follows. We commented out those lines and instead used the method which had been defined before as "addCustomAuthorities":

    Code:
    		addCustomAuthorities(user.getUsername(), dbAuths);
    
    //		if (dbAuths.size() == 0) {
    //			throw new UsernameNotFoundException("User has no GrantedAuthority");
    //		}

    I just ran into a similar issue in that I didn't want authentication to fail just because the user had no granted authorities in the DB. In our systems, we have an entire universe of users, each of which uses a variety of apps/projects. What I needed to do was allow the user to get logged in and then register the user for the specific app/project by adding a role for him. I accomplished this by using an AuthenticationSuccessEvent listener which added the role (to the DB) if the user didn't have it, and then forced reauthentication to get the role actually in the Authentication object.

    In short, the automatic addition of the ROLE_USER authority suggested above doesn't work for my case, but it was critical to allow the user to get logged in even if he had no authorities granted.

  4. #4
    Join Date: May 2005 | Location: California, US | Posts: 735

    Default

    I may have overlooked something but it seems to me that Acegi needs some way that allows you to provide a "default" role/authority when a user authenticates, regardless of the authentication method used.

  5. #5
    Join Date: Aug 2004 | Posts: 2,715

    Default

    This seems to be quite useful for some cases. However, adding such functionality to the JdbcDao seems to be the wrong place (what about other providers?).
    How about making the ProviderManager configurable to assign specifiable "default role(s)" when a user exists but has no assigned authorities?
    The default should be to assign no roles, thus being backward compatible.

    Regards,
    Andreas
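One way to implement the configurable, backward-compatible default discussed in this reply and in the first post, as an added example that is neither Acegi's own code nor code posted in this thread. It assumes the Acegi-era JdbcDaoImpl API shown above, where addCustomAuthorities(String, List) receives the GrantedAuthority objects loaded from the database; the subclass name and the defaultRoles bean property are hypothetical.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.userdetails.jdbc.JdbcDaoImpl;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * Hypothetical subclass of JdbcDaoImpl (not part of Acegi) that grants a
 * configurable set of default roles only to users who exist in the users
 * table but have no rows in the authorities table. With no roles configured
 * it behaves exactly like the parent class, so existing deployments keep
 * their current behaviour.
 */
public class DefaultRoleJdbcDaoImpl extends JdbcDaoImpl {

    private static final Log logger = LogFactory.getLog(DefaultRoleJdbcDaoImpl.class);

    /** Role names to grant when the database granted nothing; empty by default. */
    private List defaultRoles = new ArrayList();

    /** Bean property, e.g. <property name="defaultRoles"><list><value>ROLE_USER</value></list></property>. */
    public void setDefaultRoles(List roles) {
        this.defaultRoles = (roles == null) ? new ArrayList() : roles;
    }

    protected void addCustomAuthorities(String username, List authorities) {
        // Never touch users who already have explicit grants: the default is a
        // floor for role-less users, not an extra role handed to everybody.
        if (!authorities.isEmpty() || defaultRoles.isEmpty()) {
            return;
        }
        for (Iterator it = defaultRoles.iterator(); it.hasNext();) {
            String role = (String) it.next();
            authorities.add(new GrantedAuthorityImpl(role));
        }
        // Leave an audit trail of which accounts rely on the fallback rather
        // than on a row in the authorities table.
        logger.info("User '" + username + "' had no authorities in the database; granted defaults " + defaultRoles);
    }
}
```

Because loadUserByUsername calls addCustomAuthorities before the empty-list check quoted in the first post, a user who receives defaults passes that check, while with no defaults configured the original UsernameNotFoundException is still thrown.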

  6. #6
    Join Date: May 2005 | Location: California, US | Posts: 735

    Default

    I hope I didn't imply that it should be added to the JdbcDao; that's not what I meant. I just meant that in the general case it would be nice to have that ability. I added it to my Acegi code for our CAS-alike authentication system. Let's see if I can remember how I did it ... I think in my UserDetailsService I call an AuthoritiesLoader, and then I wrote an AuthoritiesLoader that returns a default. So I can configure it and its usage via the XML config file. If I remember correctly, my UserDetailsService takes a List of AuthoritiesLoaders, and all are cycled through.
    Last edited by lumpynose; May 5th, 2006 at 12:52 PM.

  7. #7
    Join Date: Oct 2004 | Posts: 207

    Default

    This is fixed already, actually.
    I entered a Jira on this back on 26 April and fixed it shortly afterwards.
    http://opensource.atlassian.com/proj...browse/SEC-253

  8. #8
    Join Date: Dec 2004 | Posts: 10

    Default

    Another way would be to not throw the UsernameNotFoundException("User has no GrantedAuthority") if the user has no roles, and to use AuthenticatedVoter together with RoleVoter and an AffirmativeBased AccessDecisionManager.
