
Thread: security:authorize tags not working

  1. #11
    Join Date
    May 2009
    Location
    Philadelphia
    Posts
    23

    Default

    I turned on security logging and this is what I see for one request of the home page:

    Code:
    Converted URL to lowercase, from: '/'; to: '/'
    Candidate is: '/'; pattern is /**; matched=true
    / at position 1 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@1e44e3e9'
    HttpSession returned null object for SPRING_SECURITY_CONTEXT
    No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@115e01c2. A new one will be created.
    / at position 2 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@29fd28da'
    / at position 3 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@2b8515bf'
    / at position 4 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.www.BasicAuthenticationFilter@2e56c4eb'
    Authorization header: null
    / at position 5 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@429a3811'
    / at position 6 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1ad70640'
    / at position 7 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter@447f1499'
    Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90576bf4: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 577455A205EE55571E2E8DFC25CB5BB7; Granted Authorities: ROLE_ANONYMOUS'
    / at position 8 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionManagementFilter@73216bf0'
    / at position 9 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.access.ExceptionTranslationFilter@1735949d'
    / at position 10 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor@3eafdb52'
    Converted URL to lowercase, from: '/'; to: '/'
    Candidate is: '/'; pattern is /admin/**; matched=false
    Candidate is: '/'; pattern is /researcher/**; matched=false
    Candidate is: '/'; pattern is /interest/**; matched=false
    Candidate is: '/'; pattern is /member/**; matched=false
    Candidate is: '/'; pattern is /resources/**; matched=false
    Candidate is: '/'; pattern is /static/**; matched=false
    Candidate is: '/'; pattern is /**; matched=true
    Secure object: FilterInvocation: URL: /; Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]
    Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@90576bf4: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 577455A205EE55571E2E8DFC25CB5BB7; Granted Authorities: ROLE_ANONYMOUS
    Voter: org.springframework.security.access.vote.RoleVoter@167d912, returned: 0
    Voter: org.springframework.security.access.vote.AuthenticatedVoter@48dc2d76, returned: 1
    Authorization successful
    RunAsManager did not change Authentication object
    / reached end of additional filter chain; proceeding with original chain
    DispatcherServlet with name 'FacultyResources2' determining Last-Modified value for [/csri/app/index]
    Mapping [/index] to handler 'org.springframework.web.servlet.mvc.UrlFilenameViewController@32c57076'
    Last-Modified value for [/csri/app/index] is: -1
    DispatcherServlet with name 'FacultyResources2' processing GET request for [/csri/app/index]
    Returning view name 'index' for lookup path [/index]
    Rendering view [org.springframework.web.servlet.view.tiles2.TilesView: name 'index'; URL [index]] in DispatcherServlet with name 'FacultyResources2'
    Successfully completed request
    Chain processed normally
    SecurityContextHolder now cleared, as request processing completed
    The stuff that is inside a <security:authorize ifAllGranted="ROLE_ADMIN"> is still visible to a non-authenticated person.

  2. #12
    Join Date
    May 2009
    Location
    Philadelphia
    Posts
    23

    Default

    Strangely,

    If I change my security tag to <security:authorize ifNotGranted="ROLE_ANONYMOUS">

    then the stuff gets hidden...

  3. #13
    Join Date
    May 2009
    Location
    Philadelphia
    Posts
    23

    Default

    Now I am baffled. It is just working now... I didn't change anything except to try ifNotGranted and then change it back to ifAllGranted.

  4. #14
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Default

    Glad you got it working.
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security

  5. #15
    Join Date
    Nov 2009
    Posts
    28

    Default

    This is exactly the issue I was having. If you figure out the exact fix, let me know. I will tinker with my project some more and hopefully it will start working for me too.

  6. #16
    Join Date
    Dec 2009
    Posts
    11

    Default Problem solved, sort of

    Just tried again. I saw this problem when deploying the app to SpringSource dm Server 2.0 from SpringSource Tool Suite. However, when I ran the app from the command line with "mvn tomcat:run", security ran successfully this time.

    However, after logging in, logging off, and logging in again, the app shows me a blank screen (in both IE and Firefox). I have to refresh the page to get the app to show, but this could be related to Roo RC3, not security.

  7. #17
    Join Date
    Dec 2009
    Posts
    11

    Default Rc4

    Quote Originally Posted by bliu72
    Just tried again. I saw this problem when deploying the app to SpringSource dm Server 2.0 from SpringSource Tool Suite. However, when I ran the app from the command line with "mvn tomcat:run", security ran successfully this time.

    However, after logging in, logging off, and logging in again, the app shows me a blank screen (in both IE and Firefox). I have to refresh the page to get the app to show, but this could be related to Roo RC3, not security.


    -- When will Roo RC4 be released?

  8. #18
    Join Date
    Nov 2009
    Posts
    28

    Default

    I think I figured out my problem. I was including the security tag library in my layouts/default.jspx page, assuming it would take effect on my views/index.jspx page. It didn't.

    So I added it to my views/index.jspx page and it worked. Below is what my index.jspx page looks like:

    Code:
    <div
        xmlns:spring="http://www.springframework.org/tags"
        xmlns:security="http://www.springframework.org/security/tags"
    >
        <script type="text/javascript">dojo.require("dijit.TitlePane")</script>
        <div style="width: 100%" id="_title">
            <spring:message var="title" code="welcome.titlepane" />
            <script type="text/javascript">Spring.addDecoration(new Spring.ElementDecoration({elementId : '_title', widgetType : 'dijit.TitlePane', widgetAttrs : {title: '${title}'}})); </script>
            <h3><spring:message code="welcome.h3" /></h3>
            <p><spring:message code="welcome.text" /></p>

            <security:authorize ifAllGranted="ROLE_ADMIN">
                <hr />
                This is secure!<br />
                <hr />
            </security:authorize>

        </div>
    </div>
    It seems to be working consistently for me now.

  9. #19
    Join Date
    Mar 2008
    Location
    Sydney, AU
    Posts
    974

    Default

    Yes, the namespace needs to be declared in every file where you wish to use it. I am surprised it did not complain about the unknown security namespace before...

    Anyway, thanks for making this clear for the benefit of all!

    Cheers,
    Stefan
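
The rule from posts #18 and #19 can be checked mechanically before deployment. The following is an added example, not code from any poster in this thread: it flags `authorize` and `authentication` tags whose prefix is not bound to the Spring Security tag library in the same file. The function names and the sample view are constructed for illustration.

```python
import re

SECURITY_NS = "http://www.springframework.org/security/tags"

# Opening tags named like the security tags used in this thread, under any prefix.
TAG_USE = re.compile(r"<\s*([A-Za-z_][\w.-]*):(authorize|authentication)\b")
XMLNS = re.compile(r"""xmlns:([A-Za-z_][\w.-]*)\s*=\s*["']([^"']+)["']""")
TAGLIB = re.compile(r"<%@\s*taglib\b([^%]*)%>")
ATTR = re.compile(r"""(\w+)\s*=\s*["']([^"']+)["']""")


def bound_prefixes(text):
    """Prefixes this file itself binds to the Spring Security tag library."""
    bound = {p for p, uri in XMLNS.findall(text) if uri == SECURITY_NS}
    for directive in TAGLIB.findall(text):       # classic .jsp / .jspf syntax
        attrs = dict(ATTR.findall(directive))
        if attrs.get("uri") == SECURITY_NS and "prefix" in attrs:
            bound.add(attrs["prefix"])
    return bound


def unbound_security_tags(text, inherited=()):
    """Return [(line, tag)] for security tags whose prefix is not bound.

    `inherited` holds prefixes from a file that is textually included, such
    as an <include-prelude>; a Tiles layout does not count (post #18).
    """
    bound = bound_prefixes(text) | set(inherited)
    findings = []
    for m in TAG_USE.finditer(text):
        prefix, name = m.groups()
        if prefix not in bound:
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, f"{prefix}:{name}"))
    return findings


# Constructed sample: a view that relies on the layout for the namespace.
BROKEN_VIEW = """<div xmlns:spring="http://www.springframework.org/tags">
<h3><spring:message code="welcome.h3" /></h3>
<security:authorize ifAllGranted="ROLE_ADMIN">
This is secure!<br />
</security:authorize>
</div>
"""
# Same view with the namespace declared in the file itself.
FIXED_VIEW = BROKEN_VIEW.replace("<div ", f'<div xmlns:security="{SECURITY_NS}" ', 1)

if __name__ == "__main__":
    print(unbound_security_tags(BROKEN_VIEW))
    print(unbound_security_tags(FIXED_VIEW))
```

Run over every view in a build step, a non-empty result means role-restricted markup may be rendered to all visitors.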

  10. #20

    Default security:authorize tags not working with UrlRewriteFilter

    Hi,

    My web app was working with Spring and Spring Security 3.0.0. I have added UrlRewriteFilter and the Spring Security tags are not working anymore. If I remove UrlRewriteFilter, it works again.

    My web.xml contains the following jsp-config:

    Code:
    	
    <jsp-config>
        <jsp-property-group>
            <url-pattern>*.jsp</url-pattern>
            <scripting-invalid>true</scripting-invalid>
            <include-prelude>/WEB-INF/views/includes/prelude.jspf</include-prelude>
        </jsp-property-group>
    </jsp-config>
    and prelude.jspf has the following content:
    Code:
    <%@ taglib prefix="tiles" uri="http://tiles.apache.org/tags-tiles"%>
    <%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
    <%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
    <%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
    <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core_rt" %>
    <%@ taglib prefix="fmt" uri="http://java.sun.com/jstl/fmt_rt" %>
    <%@ taglib prefix="mytag" tagdir="/WEB-INF/tags" %>
    No matter where I put the security tag library, it doesn't work, and whenever I remove UrlRewriteFilter everything works ...

    UrlRewriteFilter
    Code:
    	
    <filter>
        <filter-name>UrlRewriteFilter</filter-name>
        <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>UrlRewriteFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    Here are the spring security tags:

    Code:
    <security:authorize access="hasAnyRole('ROLE_USER','ROLE_PARTNER', 'ROLE_ADMIN')">
        <a href="${pageContext.request.contextPath}/micro/accountSetting">Account &amp; Settings</a> |
        <span style="text-align: right;"> Welcome
            <security:authentication property="name" /> |
            <a href="${pageContext.request.contextPath}/logout.jsp">Sign Out</a></span>
    </security:authorize>

    <security:authorize access="!hasAnyRole('ROLE_USER','ROLE_PARTNER', 'ROLE_ADMIN')">
        <span> Hello, Guest!</span> | <a id="signinNode2" href="${pageContext.request.contextPath}/micro/signin" onclick="">Sign in</a>
    </security:authorize>


    Please help, thanks in advance.
    Last edited by asheikh; Jan 13th, 2010 at 01:41 PM.
