Spring Security JAAS Authentication Authorization Issue

Question

In Spring Security am using DefaultJaasAuthenticationProvider Configuration for login authentication with linux username/password. JpamLoginModule is used for authentication. I am successfull with authentication but i had problem in authoriztion(ROLE_USER,ROLE_ADMIN), am getting HTTP Status 403 - Access is denied Error.

Following Configuration i used in spring-security.xml

<security:authentication-manager>
    <security:authentication-provider ref="jaasAuthProvider" />
</security:authentication-manager>

<bean id="jaasAuthProvider"  class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider">
    <property name="configuration">
        <bean class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration">
            <constructor-arg>
                <map>
                    <entry key="SPRINGSECURITY">
                        <array>
                            <bean class="javax.security.auth.login.AppConfigurationEntry">
                                <constructor-arg value="net.sf.jpam.jaas.JpamLoginModule" />
                                <constructor-arg>
                                    <util:constant  static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" />
                                </constructor-arg>
                                <constructor-arg>
                                    <map></map>
                                </constructor-arg>
                            </bean>
                        </array>
                    </entry>
                </map>
            </constructor-arg>
        </bean>
    </property>
    <property name="authorityGranters">
        <list>
            <bean class="it.webapps.pam.RoleGranter" />
        </list>
    </property>
</bean> 
    <bean id="userDetailsService" class="it.webapps.pam.UserDetailsServiceImpl">  
</bean> 

RoleGranter.java code

public class RoleGranter implements AuthorityGranter {

public RoleGranter() {
    System.out.print("=== Creating My Authority Granter ===");
 }

@Override
public Set<String> grant(Principal principal) {

        return Collections.singleton("ROLE_ADMIN");
}

}

suggestion would be very helpful

Answer 1

Based on: http://jpam.sourceforge.net/xref/net/sf/jpam/jaas/JpamLoginModule.html and https://github.com/spring-projects/spring-security/blob/master/core/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java

Looks like you need to extend JpamLoginModule to change commit's behaviour. There needs to be principals assigned into the subject in your extended JpamLoginModule. Then AbstractJaasAuthenticationProvider (DefaultJaasAuthenticationProvider) will loop through these principals and send them to your authorityGranters (RoleGranter).

<authentication-manager>
    <authentication-provider ref="jaasAuthProvider" />
</authentication-manager>

<beans:bean id="userService" class="blah.UserDetailsServiceImpl" />  

<beans:bean id="jaasAuthProvider"  class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider">
    <beans:property name="configuration">
        <beans:bean class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration">
            <beans:constructor-arg>
                <beans:map>
                    <beans:entry key="SPRINGSECURITY">
                        <beans:array>
                            <beans:bean class="javax.security.auth.login.AppConfigurationEntry">
                                <beans:constructor-arg value="blah.RoleGrantingJpamLoginModule" />
                                <beans:constructor-arg>
                                    <util:constant  static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" />
                                </beans:constructor-arg>
                                <beans:constructor-arg>
                                    <beans:map></beans:map>
                                </beans:constructor-arg>
                            </beans:bean>
                        </beans:array>
                    </beans:entry>
                </beans:map>
            </beans:constructor-arg>
        </beans:bean>
    </beans:property>
    <beans:property name="authorityGranters">
        <beans:list>
            <beans:bean class="blah.RoleGranter" />
        </beans:list>
    </beans:property>
</beans:bean> 

package blah;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;

import net.sf.jpam.jaas.JpamLoginModule;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;

public class RoleGrantingJpamLoginModule extends JpamLoginModule {
    private Subject subject;

    @Override
    public void initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map sharedState, java.util.Map options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        this.subject = subject;
    }

    @Override
    public boolean commit() throws LoginException {
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(null, null);
        subject.getPrincipals().add(token);
        return super.commit();
    }
}


package blah;

import static java.util.Arrays.asList;

import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class UserDetailsServiceImpl implements UserDetailsService {

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        return new User(username, "password", asList(new SimpleGrantedAuthority("ROLE_ADMIN")));
    }

}

Answer 2

Try to return "ADMIN" instead of "ROLE_ADMIN". Spring add "ROLE" automatically.