Forum:

Spring

Problem with <security:intercept-url pattern=...>

Ranch Hand

Posts: 64

posted 11 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Dear Sirs et Madames,
AM trying to set up Spring Security for my application. To start with, I only want 2 types of user, and Admin who will have acces to everything, and a Data Clerk, who has limited access (access to pages specifically given through the security intercept url patterns). The following code excerpt shows how I have done this:

<security:http auto-config="true">
        <security:intercept-url pattern="/login.faces" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:intercept-url pattern="/resources/css/main.css" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:intercept-url pattern="/logout.faces" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:intercept-url pattern="/openFacesResources/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:intercept-url pattern="/primefaces_resource/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:form-login login-page="/login.faces" login-processing-url="/loginProcess" default-target-url="/demowelcome.faces" authentication-failure-url="/login.faces?login_error=1" />
        <security:intercept-url pattern="/**" access="ROLE_ADMIN" />
        <security:intercept-url pattern="/individual/**" access="ROLE_USER" />
        <security:intercept-url pattern="/baseline-proto/**" access="ROLE_USER" />
        <security:intercept-url pattern="/birt/**" access="ROLE_USER" />
        <security:intercept-url pattern="/demrates/**" access="ROLE_USER" />
        <security:intercept-url pattern="/external-inmigration/**" access="ROLE_USER" />
        <security:intercept-url pattern="/fieldworker/**" access="ROLE_USER" />
        <security:intercept-url pattern="/individualmerge/**" access="ROLE_USER" />
        <security:intercept-url pattern="/location/**" access="ROLE_USER" />
        <security:intercept-url pattern="/location-hierarchy/**" access="ROLE_USER" />
        <security:intercept-url pattern="/membership/**" access="ROLE_USER" />
        <security:intercept-url pattern="/outmigration/**" access="ROLE_USER" />
        <security:intercept-url pattern="/pregnancy-outcome/**" access="ROLE_USER" />
        <security:intercept-url pattern="/pregnancy-observation/**" access="ROLE_USER" />
        <security:intercept-url pattern="/relationship/**" access="ROLE_USER" />
        <security:intercept-url pattern="/residency/**" access="ROLE_USER" />
        <security:intercept-url pattern="/socialgroup/**" access="ROLE_USER" />
        <security:intercept-url pattern="/update/**" access="ROLE_USER" />
        <security:intercept-url pattern="/demowelcome.faces" access="ROLE_USER" />

<security:logout logout-url="/logoutProcess" logout-success-url="/logout.faces" />
    </security:http>

However for some reason when I log in as ROLE_USER I [i]always[i] get the http error:403 Access is Denied. Am i doing something wrong?

Thanks in advance, and let me know if this is not enough information.

You are what you know

Mark Spritzler

ranger

Posts: 17346

I like...

posted 11 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

And ROLE_USER is how it is stored in your back end datasource for security, meaning your UserDetailService sets the GrantedAuthories as ROLE_USER. With ROLE_ as part of the role string, and all Caps?

Mark

Perfect World Programming, LLC - iOS Apps
How to Ask Questions the Smart Way FAQ

Phoenix Kilimba

Ranch Hand

Posts: 64

posted 11 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Mark Spritzler wrote:And ROLE_USER is how it is stored in your back end datasource for security, meaning your UserDetailService sets the GrantedAuthories as ROLE_USER. With ROLE_ as part of the role string, and all Caps?

Mark

Hello Mark,
It is inherited code so am not completely sure what you may be asking, but am posting details of my UserDetailService class, in the hope it helps. Let me know if it doesn't and you need more info

@Transactional
public class UserDetailsService implements
		org.springframework.security.core.userdetails.UserDetailsService {

UserDao userDao;

public org.openhds.model.User createAdminUser() {
		org.openhds.model.User user = new org.openhds.model.User("admin", "test");
		for (String r : new String[] { "ROLE_ADMIN", "ROLE_USER" }) {
			org.openhds.model.Role newRole = new org.openhds.model.Role(r);
			user.getRoles().add(newRole);
			newRole.getMembers().add(user);
		}
		userDao.create(user);
		return user;
	}

public User convertUser(org.openhds.model.User user) {
		GrantedAuthority[] convertedRoles = convertRoles(user.getRoles());
		User convertedUser = new User(user.getUsername(), user.getPassword(),
				true, true, true, true, convertedRoles);
		return convertedUser;
	}

public GrantedAuthority[] convertRoles(Set<org.openhds.model.Role> roles) {
		if (roles == null || roles.size() == 0)
			return new GrantedAuthority[] {};
		GrantedAuthority[] convertedRoles = new GrantedAuthority[roles.size()];
		Iterator<org.openhds.model.Role> roleIter = roles.iterator();
		for (int i = 0; i < roles.size(); i++)
			convertedRoles[i] = new GrantedAuthorityImpl(roleIter.next()
					.getName());
		return convertedRoles;
	}

public UserDetails loadUserByUsername(String username)
			throws UsernameNotFoundException, DataAccessException {

List<org.openhds.model.User> users = userDao.findByUsername(username);
		org.openhds.model.User user;

// Create default admin user if one doesn't exist
		if (users.isEmpty())
			if ("admin".equals(username))
				user = createAdminUser();
			else
				throw new UsernameNotFoundException("user " + username
						+ " was not found");
		else
			user = users.get(0);

return convertUser(user);
	}

public void setUserDao(UserDao userDao) {
		this.userDao = userDao;
	}

public UserDao getUserDao() {
		return userDao;
	}

}

Thanks again

You are what you know

A day job? In an office? My worst nightmare! Comfort me tiny ad!

free, earth-friendly heat - a kickstarter for putting coin in your pocket while saving the earth

https://coderanch.com/t/751654/free-earth-friendly-heat-kickstarter