Reputation: 42893
@Secured throws AccessDeniedException although roles are correct
After solving all authentication related problems in my first Spring web application I'm now stuck with authorization.
Configuration using @Secured annotations is pretty straight-forward so I don't think I made a mistake here. Additionally I'm using an Active Directory using the LDAP authentication provider and assign roles by AD groups, so isn't a problem either.
So here's a brief summary of my problem:
- Unsecured actions work
- Actions using
@Secured("IS_AUTHENTICATED_FULLY")work - Actions using something like
@Secured("GROUP_*")don't work
When calling a secured action a org.springframework.security.AccessDeniedException is thrown. Here's an excerpt from the logs:
DEBUG: org.springframework.security.intercept.AbstractSecurityInterceptor - Secure object: ReflectiveMethodInvocation: public org.springframework.web.servlet.ModelAndView de.dillinger.resources.controllers.HostsController.index(); target is of class [de.dillinger.resources.controllers.HostsController]; ConfigAttributes: [GROUP_IT]
DEBUG: org.springframework.security.intercept.AbstractSecurityInterceptor - Previously Authenticated: org.springframework.security.providers.UsernamePasswordAuthenticationToken@2a5333d9: Principal: org.springframework.security.userdetails.ldap.Person@1422384: Username: di32001; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: GROUP_ITS, GROUP_ITS-IT, GROUP_INTERNET, GROUP_SYSTEMGRUPPE, GROUP_IT; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 773943FFB14E512872BB6CE25F46C00A; Granted Authorities: GROUP_ITS, GROUP_ITS-IT, GROUP_INTERNET, GROUP_SYSTEMGRUPPE, GROUP_IT
As you can see the action requires the GROUP_IT role and my user object has this privilege. I really don't know what's causing this problem.
Upvotes: 0
Views: 1151
Answers (1)
Reputation: 7480
Are you using org.springframework.security.access.vote.UnanimousBased role voter? Try changing it to org.springframework.security.access.vote.AffirmativeBased.
This kind of problems are related to role voter configuration.
Edit 1(example added):
<security:global-method-security
secured-annotations="enabled"
access-decision-manager-ref="accessDecisionManager"
/>
<bean
id="accessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
<property name="allowIfAllAbstainDecisions" value="false" />
<property name="decisionVoters">
<list>
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter" />
</list>
</property>
</bean>
Upvotes: 2
Related Questions
- Spring security authorization not working though the roles provided correctly
- Spring Security roles issue
- Spring security 4 : Access denied on providing roles
- Spring security hasRole() giving Error 403 - Access is denied
- Spring Security access denied roles or what else?
- Spring security @secure not working with role hierarchy
- Spring Security @RolesAllowed Works but @Secured gives me AccessDeniedException in Spring 3.2 with Spring Security 3.1
- Spring security works with access="ROLE_USER" but not with EL
- @secured with granted authorities throws access denied exception
- AccessDeniedException; Spring Security