0

I am pretty new to Spring Boot and I have been having issues using role-based basic authentication on some of my methods. I have written a custom UserDetailsService which works fine without roles.

    @Override
    public UserDetails loadUserByUsername(String arg0)
            throws UsernameNotFoundException {
        // arg0 is concatenated straight into the query filter; a parameterised lookup is the safer form.
        Developer d = DeveloperFactory.loadDeveloperByQuery(" Email = '" + arg0 + "'", null);
        if (d == null) throw new UsernameNotFoundException("User with email " + arg0 + " doesn't exist in our database");

        String username = d.getEmail();
        String password = d.getPassword();
        boolean enabled = d.getActive();
        boolean accountNonExpired = enabled;
        boolean credentialsNonExpired = enabled;
        boolean accountNonLocked = enabled;

        // Each Role name becomes a GrantedAuthority exactly as stored (no "ROLE_" prefix is added here).
        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (Role role : d.roles) {
            authorities.add(new SimpleGrantedAuthority(role.getName()));
        }
        UserDetails u = new User(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
        return u;
    }

Once I add a role with the @Secured annotation to my controller methods like

    @Secured({"USER"})
    @RequestMapping(value = "/admin", method = RequestMethod.GET)
    public Developer[] getByQuery(@RequestParam(value = "email", required = false) String email) {
        if (email == null) {
            Developer[] admins = DeveloperFactory.listDeveloperByQuery(" IsAdmin = TRUE", null);
            return admins;
        } else {
            // The request parameter is concatenated into the query filter; a parameterised lookup is the safer form.
            Developer admin = DeveloperFactory.loadDeveloperByQuery("Email = '" + email + "'", null);
            if (admin == null) throw new AdminNotFound();
            return new Developer[]{admin};
        }
    }

I start to get the forbidden error. I confirmed the users have the requested roles in the database, but it still won't work. My SecurityConfigurer looks like this.

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(new UserDetailsServiceImpl());
        }

        @Override
        public UserDetailsService userDetailsServiceBean() {
            return new UserDetailsServiceImpl();
        }
    }

and my application class like this.

    @Configuration
    @ComponentScan
    @EnableAutoConfiguration
    @EnableGlobalMethodSecurity(securedEnabled = true)
    public class Application extends SpringBootServletInitializer {

        public static void main(final String[] args) {
            SpringApplication.run(Application.class, args);
        }
    }

Can someone please tell me why my user roles are not being applied on the /admin GET endpoint?

Here are my logs.

2014-06-06 03:16:04.453 DEBUG 9364 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter     : Calling Authentication entry point.
2014-06-06 03:16:04.454 DEBUG 9364 --- [nio-8080-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint     : Pre-authenticated entry point called. Rejecting access
2014-06-06 03:16:04.454 DEBUG 9364 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2014-06-06 03:23:04.886 DEBUG 9364 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /admin at position 1 of 9 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2014-06-06 03:23:04.886 DEBUG 9364 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /admin at position 2 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-06-06 03:23:04.886 DEBUG 9364 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /admin at position 3 of 9 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2014-06-06 03:23:04.887 DEBUG 9364 --- [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@68fe414e
2014-06-06 03:23:04.887 DEBUG 9364 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /admin at position 4 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
2014-06-06 03:23:04.887 DEBUG 9364 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/admin'; against '/logout'
2014-06-06 03:23:04.887 DEBUG 9364 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /admin at position 5 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2014-06-06 03:23:04.887 DEBUG 9364 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /admin at position 6 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2014-06-06 03:23:04.888 DEBUG 9364 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /admin at position 7 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2014-06-06 03:23:04.888 DEBUG 9364 --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter  : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2014-06-06 03:23:04.889 DEBUG 9364 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /admin at position 8 of 9 in additional filter chain; firing Filter: 'SessionManagementFilter'
2014-06-06 03:23:04.889 DEBUG 9364 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /admin at position 9 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2014-06-06 03:23:04.889 DEBUG 9364 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /admin reached end of additional filter chain; proceeding with original chain
2014-06-06 03:23:04.894 DEBUG 9364 --- [nio-8080-exec-3] o.s.s.a.i.a.MethodSecurityInterceptor    : Secure object: ReflectiveMethodInvocation: public com.withinet.cloud.domain.Developer[] com.withinet.cloud.service.AdminController.getByQuery(java.lang.String); target is of class [com.withinet.cloud.service.AdminController]; Attributes: [ROLE_WEB]
2014-06-06 03:23:04.894 DEBUG 9364 --- [nio-8080-exec-3] o.s.s.a.i.a.MethodSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2014-06-06 03:23:04.894 DEBUG 9364 --- [nio-8080-exec-3] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.access.vote.RoleVoter@7bcf60f2, returned: -1
2014-06-06 03:23:04.894 DEBUG 9364 --- [nio-8080-exec-3] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.access.vote.AuthenticatedVoter@6be5ef5e, returned: 0
2014-06-06 03:23:04.896 DEBUG 9364 --- [nio-8080-exec-3] o.s.s.w.a.ExceptionTranslationFilter     : Access is denied (user is anonymous); redirecting to authentication entry point

org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
    at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:60)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:644)
    at com.withinet.cloud.service.AdminController$$EnhancerBySpringCGLIB$$7633a4cc.getByQuery(<generated>)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:215)
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:749)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:689)
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:83)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:938)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:870)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:961)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:852)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:837)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:108)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:57)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:108)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:108)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:683)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1721)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1679)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

2014-06-06 03:23:04.897 DEBUG 9364 --- [nio-8080-exec-3] o.s.s.w.a.ExceptionTranslationFilter     : Calling Authentication entry point.
2014-06-06 03:23:04.897 DEBUG 9364 --- [nio-8080-exec-3] o.s.s.w.a.Http403ForbiddenEntryPoint     : Pre-authenticated entry point called. Rejecting access
2014-06-06 03:23:04.897 DEBUG 9364 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

1 Answer

4

You normally need "ROLE_" prefix in @Secured (if you want to use the role voter), i.e. @Secured("ROLE_USER").
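Why the prefix matters, as an added example that is not part of this answer or of Spring Security itself: a plain-Java model of RoleVoter and AffirmativeBased with their default settings (the AuthenticatedVoter seen in the logs is left out because it abstains on role attributes). RoleVoter ignores any attribute that lacks the prefix, so with @Secured({"USER"}) every voter abstains and the default AffirmativeBased turns an all-abstain into a denial, even when the user holds a "USER" authority; the third case mirrors the posted logs, where an anonymous token is checked against ROLE_WEB.

```java
import java.util.List;
import java.util.Set;

// Added example, not the asker's code: a stripped-down model of how Spring Security's
// RoleVoter and AffirmativeBased (default allowIfAllAbstainDecisions=false) decide a
// @Secured call. No Spring classes are used, so this runs with plain Java.
public class RolePrefixDemo {
    static final String ROLE_PREFIX = "ROLE_";
    static final int ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;

    // RoleVoter only "supports" attributes that start with ROLE_. For any other
    // attribute it stays abstained: it never votes -1 on "USER" because it never looks at it.
    static int roleVoterVote(Set<String> grantedAuthorities, List<String> configAttributes) {
        int result = ACCESS_ABSTAIN;
        for (String attribute : configAttributes) {
            if (!attribute.startsWith(ROLE_PREFIX)) {
                continue;                       // unsupported attribute: stay abstained
            }
            result = ACCESS_DENIED;             // supported, so now it is grant-or-deny
            if (grantedAuthorities.contains(attribute)) {
                return ACCESS_GRANTED;
            }
        }
        return result;
    }

    // AffirmativeBased: one grant wins, any deny loses, and when every voter abstains
    // access is also denied (the default). With only the RoleVoter modelled, that means
    // an attribute without the prefix can never be granted.
    static boolean affirmativeBasedDecide(Set<String> grantedAuthorities, List<String> configAttributes) {
        int vote = roleVoterVote(grantedAuthorities, configAttributes);
        if (vote == ACCESS_GRANTED) return true;
        return false;                           // denied, or all abstained -> AccessDeniedException
    }

    public static void main(String[] args) {
        // The question's setup: role name "USER" stored as-is and @Secured({"USER"}).
        Set<String> unprefixed = Set.of("USER");
        // The answer's fix: the authority and the attribute both carry ROLE_.
        Set<String> prefixed = Set.of("ROLE_USER");
        // What the posted logs show: an anonymous token checked against ROLE_WEB.
        Set<String> anonymous = Set.of("ROLE_ANONYMOUS");

        System.out.println("USER vs @Secured(USER):           " + affirmativeBasedDecide(unprefixed, List.of("USER")));
        System.out.println("ROLE_USER vs @Secured(ROLE_USER): " + affirmativeBasedDecide(prefixed, List.of("ROLE_USER")));
        System.out.println("anonymous vs @Secured(ROLE_WEB):  " + affirmativeBasedDecide(anonymous, List.of("ROLE_WEB")));
    }
}
```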


11 Comments

Hi Dave, an update. My POST, DELETE, and PUT methods aren't working with the roles, except GET. Is there a difference between GET and the other methods in this context, or am I just missing something? I have annotated them with the same role as mentioned.
Look at the debug logs. You probably have CSRF enabled (or something) and your client isn't including the token.
Thanks for your quick reply. It still doesn't work after disabling csrf like this. @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable(); }
That's why I suggested looking at the logs. DEBUG logs will tell you what the 403 is about (or there might even be a WWW-Authenticate header).
I started the app with the --debug argument but I don't see the requests being debugged in the console. Basically nothing changes after startup.
