Thread: manual authentication with annotations ("Access is denied ")

  1. #1
    Join Date
    Nov 2008
    Posts
    5

    Hello everyone,
    I need some advice. I have already checked many samples and tried to understand the problem, but all of the samples use filters and I'm not sure if I need them.

    In my case I don't have a web app and don't do a web login; that's why I try to create the SecurityContextHolder by hand. I get my user details from the OpenESB bus, that's where I check the passwords and so on; this is not necessary anymore in Spring.

    First I create the security context for the local thread:

    Code:
    authResult = new PreAuthenticatedAuthenticationToken(userDetails, "", userDetails.getAuthorities());
    SecurityContextHolder.getContext().setAuthentication(authResult);

    I think this is working fine because I see the granted authorities later in the log (see below).

    After I initialized the SecurityContextHolder, I wire my EJB bean to the Spring bean. I think maybe the problem is here in my applicationContext.xml:

    Code:
    <bean id="_authenticationManager"
          class="org.springframework.security.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="preAuthenticatedAuthenticationProvider"/>
            </list>
        </property>
    </bean>

    <bean id="preAuthenticatedAuthenticationProvider"
          class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService"
                  ref="preAuthenticatedUserDetailsService"/>
    </bean>

    <bean id="preAuthenticatedUserDetailsService"
          class="org.springframework.security.providers.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>

    <security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>

    The problem is that when I use annotations in my Spring code

    Code:
    @Secured("admin")
    public void print2() {
        .....
    }

    I get an "Access denied" error:

    Code:
    Caused by: org.springframework.security.AccessDeniedException: Access is denied
            at org.springframework.security.vote.AbstractAccessDecisionManager.checkAllowIfAllAbstainDecisions(AbstractAccessDecisionManager.java:58)
            at org.springframework.security.vote.AffirmativeBased.decide(AffirmativeBased.java:73)
            at org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:262)
            at org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:63)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
            at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
            at $Proxy90.print2(Unknown Source)
            at com.tmp.bosch.dev.evaluation.serverbean.ServerBeanEndPoint.getPrincipal(ServerBeanEndPoint.java:55)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at com.sun.enterprise.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1067)
            at com.sun.enterprise.security.SecurityUtil.invoke(SecurityUtil.java:176)
            at com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:4005)
            at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:483)
            at com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:205)
            at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:3978)
            at com.sun.ejb.containers.WebServiceInvocationHandler.invoke(WebServiceInvocationHandler.java:189)
            ... 34 more
    RuntimeException thrown from the JAX-WS. No <detail> found.

    The point is that the GrantedAuthority looks fine. I checked them and "admin" is available there.

    Code:
    GrantedAuthority[] g = SecurityContextHolder.getContext().getAuthentication().getAuthorities();

    The security log also looks fine; there is no deny or permit, but I see the granted authorities.

    security.log
    Code:
    2008-12-16 14:59:44,749 INFO  [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: Validated configuration attributes
    2008-12-16 14:59:44,764 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.method.AbstractFallbackMethodDefinitionSource: Adding security method [CacheKey[com.tmp.bosch.dev.evaluation.serverbean.SpringbeanImpl; public void com.tmp.bosch.dev.evaluation.serverbean.SpringbeanImpl.print1()]] with attribute [[admin]]
    2008-12-16 14:59:44,811 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.method.AbstractFallbackMethodDefinitionSource: Adding security method [CacheKey[com.tmp.bosch.dev.evaluation.serverbean.SpringbeanImpl; public abstract void com.tmp.bosch.dev.evaluation.serverbean.Springbean.print1()]] with attribute [[admin]]
    2008-12-16 14:59:44,811 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: Secure object: ReflectiveMethodInvocation: public abstract void com.tmp.bosch.dev.evaluation.serverbean.Springbean.print1(); target is of class [com.tmp.bosch.dev.evaluation.serverbean.SpringbeanImpl]; ConfigAttributes: [admin]
    2008-12-16 14:59:44,811 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: Previously Authenticated: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@fa79fc8b: Principal: org.springframework.security.userdetails.User@0: Username: philipp; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: admin; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: admin
    2008-12-16 14:59:44,811 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: Authorization successful
    2008-12-16 14:59:44,811 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: RunAsManager did not change Authentication object
    2008-12-16 14:59:44,811 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.method.AbstractFallbackMethodDefinitionSource: Adding security method [CacheKey[com.tmp.bosch.dev.evaluation.serverbean.SpringbeanImpl; public abstract void com.tmp.bosch.dev.evaluation.serverbean.Springbean.print2()]] with attribute [[admin]]
    2008-12-16 14:59:44,811 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: Secure object: ReflectiveMethodInvocation: public abstract void com.tmp.bosch.dev.evaluation.serverbean.Springbean.print2(); target is of class [com.tmp.bosch.dev.evaluation.serverbean.SpringbeanImpl]; ConfigAttributes: [admin]
    2008-12-16 14:59:44,811 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: Previously Authenticated: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@fa79fc8b: Principal: org.springframework.security.userdetails.User@0: Username: philipp; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: admin; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: admin

    Does anyone have any advice for me?


    thanks in advance

    Philipp

  2. #2
    Luke Taylor (Senior Member; Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    First off, don't use names like "_authenticationManager" (i.e. beginning with an underscore) for your beans as these are used internally by the namespace. Follow the approach explained in the namespace chapter on how to use the AuthenticationManager and custom AuthenticationProvider beans.

    The key to the problem is probably in the error:

    Code:
    Caused by: org.springframework.security.AccessDeniedException: Access is denied
            at org.springframework.security.vote.AbstractAccessDecisionManager.checkAllowIfAllAbstainDecisions(AbstractAccessDecisionManager.java:58)

    Meaning that none of the default voters (the RoleVoter is the class that matters here) in the AccessDecisionManager voted. RoleVoter by default looks for the prefix "ROLE_" on the attributes for the secured method. So it is ignoring "admin". Therefore access is being denied because the default is to deny access if all voters abstain. You should either add the "ROLE_" prefix to your roles or configure your own AccessDecisionManager with a RoleVoter configured with an empty prefix. You can set this on the global-method-security namespace element.
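
Added example, not part of the thread and not the project's own configuration: the second option described in the reply above (keeping the authority name "admin" and giving RoleVoter an empty prefix), written against the Spring Security 2.0.x class names that appear in the stack trace. The bean ids `roleVoter` and `methodAccessDecisionManager` are assumed names.

```xml
<!-- Added example. Bean ids "roleVoter" and "methodAccessDecisionManager"
     are assumed names; class names are those of Spring Security 2.0.x. -->

<bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
    <!-- Default prefix is "ROLE_", so the voter abstains on "admin".
         With an empty prefix it evaluates "admin" against the caller's
         granted authorities instead of abstaining. -->
    <property name="rolePrefix" value=""/>
</bean>

<bean id="methodAccessDecisionManager"
      class="org.springframework.security.vote.AffirmativeBased">
    <!-- Keep the fail-closed default: if every voter abstains, access is
         denied. Setting this to true would make the original error go away
         by granting access to any attribute no voter understands. -->
    <property name="allowIfAllAbstainDecisions" value="false"/>
    <property name="decisionVoters">
        <list>
            <ref bean="roleVoter"/>
        </list>
    </property>
</bean>

<!-- Point method security at the custom AccessDecisionManager. -->
<security:global-method-security secured-annotations="enabled"
        access-decision-manager-ref="methodAccessDecisionManager"/>
```

Supplying your own AccessDecisionManager replaces the voters the namespace would otherwise register, so any other voter the application relies on has to be listed in `decisionVoters` as well. With an empty prefix, RoleVoter treats every configuration attribute as a role name.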

  3. #3
    Join Date
    Nov 2008
    Posts
    5

    Hey Luke,
    You are right.
    Thanks for your assistance!

    I renamed my GrantedAuthorities from "admin" to "ROLE_ADMIN" and changed my annotation to @RolesAllowed("ROLE_ADMIN").

    I also changed my applicationContext.xml config:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:aop="http://www.springframework.org/schema/aop"
           xmlns:context="http://www.springframework.org/schema/context"
           xmlns:flow="http://www.springframework.org/schema/webflow-config"
           xmlns:jms="http://www.springframework.org/schema/jms"
           xmlns:jee="http://www.springframework.org/schema/jee"
           xmlns:lang="http://www.springframework.org/schema/lang"
           xmlns:osgi="http://www.springframework.org/schema/osgi"
           xmlns:tx="http://www.springframework.org/schema/tx"
           xmlns:util="http://www.springframework.org/schema/util"
           xmlns:p="http://www.springframework.org/schema/p"
           xmlns:security="http://www.springframework.org/schema/security"
    
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.5.xsd
           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd
           http://www.springframework.org/schema/webflow-config http://www.springframework.org/schema/webflow-config/spring-webflow-config-1.0.xsd
           http://www.springframework.org/schema/jms http://www.springframework.org/schema/jms/spring-jms-2.5.xsd
           http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-2.5.xsd
           http://www.springframework.org/schema/lang http://www.springframework.org/schema/lang/spring-lang-2.5.xsd
           http://www.springframework.org/schema/osgi http://www.springframework.org/schema/osgi/spring-osgi.xsd
           http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.5.xsd
           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.5.xsd
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
        
        <bean id="preAuthenticatedAuthenticationProvider"
              class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
            <security:custom-authentication-provider />
            <property name="preAuthenticatedUserDetailsService"
                      ref="preAuthenticatedUserDetailsService" />
        </bean>

        <bean id="preAuthenticatedUserDetailsService"
              class="org.springframework.security.providers.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService" />

        <security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>

        <bean id="springbean" class="com.tmp.bosch.dev.evaluation.serverbean.SAMPLEBEAN_CHANGEIT"></bean>

    </beans>

    And now it's working fine. It's easy when you know that there is a naming convention.

    Thanks again !

    best regards

    Philipp
