Reputation: 10675
The following is the configuration in my security-config file:
    <security:http use-expressions="true">
        <security:intercept-url pattern="/adminarea"
            access="hasRole('admin')" />
        <security:intercept-url pattern="/logincheck"
            access="permitAll" />
        <security:intercept-url pattern="/newaccount"
            access="permitAll" />
        <security:intercept-url pattern="/createnewaccount"
            access="permitAll" />
        <security:intercept-url pattern="/home"
            access="isAuthenticated()" />
        <security:intercept-url pattern="/static/**"
            access="permitAll" />
        <security:intercept-url pattern="/" access="permitAll" />
        <security:intercept-url pattern="/**" access="denyAll" />
        <security:form-login login-page="/"
            authentication-failure-url="/?error=true" default-target-url="/home" />
    </security:http>
I am using the Spring default login, which is working fine. But when I try to access /adminarea I get an "HTTP Status 403 - Access is denied" error. Any help?
Edited: AuthenticationManager
    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service
                data-source-ref="dataSource" />
        </security:authentication-provider>
    </security:authentication-manager>
Code on the JSP:

    <sec:authentication property="principal"/>
    <sec:authorize access="hasRole('admin')">
        <a href="${pageContext.request.contextPath}/adminarea">Admin Area</a>
    </sec:authorize>

The first tag outputs the following:

    org.springframework.security.core.userdetails.User@6d8e08d5: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: admin

The second tag outputs nothing.
Upvotes: 0
Views: 1219
Reputation: 10675
I fixed the problem by setting the role in the DB as ROLE_XXX, or in my case ROLE_ADMIN, and then using the following code:

Security configuration:

    <security:intercept-url pattern="/adminarea"
        access="hasRole('ROLE_ADMIN')" />

JSP:

    <sec:authorize access="hasRole('ROLE_ADMIN')">
        <a href="${pageContext.request.contextPath}/adminarea">Admin Area</a>
    </sec:authorize>

From my experimenting to get it to work, I guess roles defined need to be in CAPITALS and should be prefixed with ROLE_.

Hope it helps anybody running into this problem.
Upvotes: 0
Reputation: 21883
I assume you have created the following tables:

    create table users(
        username varchar_ignorecase(50) not null primary key,
        password varchar_ignorecase(50) not null,
        enabled boolean not null);

    create table authorities (
        username varchar_ignorecase(50) not null,
        authority varchar_ignorecase(50) not null,
        constraint fk_authorities_users foreign key(username) references users(username));

    create unique index ix_auth_username on authorities (username,authority);

These are required by the above authentication manager configuration in your application context XML. And you have inserted the role admin into the authorities table.
Upvotes: 0
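As an added example (not part of any post above): the role name in the access expression has to match the authority string stored for the user, so existing rows in the `authorities` table shown above need the same `ROLE_ADMIN` form that the second post's configuration uses. The SQL below audits and migrates those rows; it assumes an HSQLDB/H2-style dialect (the `varchar_ignorecase` type on this page, `||` concatenation) and that every authority row is meant to be a role.

```sql
-- Added example, not from the original posts. Run inside one transaction
-- and review the output of step 1 before executing steps 2 and 3.

-- 1. Audit: authorities without the ROLE_ prefix. A rule such as
--    hasRole('ROLE_ADMIN') will not match any of these rows.
--    '!' is used as the LIKE escape so that '_' is taken literally.
SELECT username, authority
FROM authorities
WHERE authority NOT LIKE 'ROLE!_%' ESCAPE '!'
ORDER BY username, authority;

-- 2. Edge case: a user may already hold both 'admin' and 'ROLE_ADMIN'.
--    Renaming 'admin' would then violate the unique index
--    ix_auth_username (username, authority), so drop the redundant
--    un-prefixed row first.
DELETE FROM authorities
WHERE authority NOT LIKE 'ROLE!_%' ESCAPE '!'
  AND EXISTS (
        SELECT 1
        FROM authorities p
        WHERE p.username  = authorities.username
          AND p.authority = 'ROLE_' || UPPER(authorities.authority));

-- 3. Migrate the remaining rows: 'admin' becomes 'ROLE_ADMIN', which is
--    the exact string used in the intercept-url and sec:authorize rules.
UPDATE authorities
SET authority = 'ROLE_' || UPPER(authority)
WHERE authority NOT LIKE 'ROLE!_%' ESCAPE '!';

-- 4. Verify: this count must be 0 before committing.
SELECT COUNT(*) AS unprefixed_remaining
FROM authorities
WHERE authority NOT LIKE 'ROLE!_%' ESCAPE '!';

-- 5. Review who ends up with the admin role; the migration must not
--    widen access, only rename what was already granted.
SELECT username
FROM authorities
WHERE authority = 'ROLE_ADMIN'
ORDER BY username;
```

Users must log in again after the migration, because the authorities of an existing session were loaded before the rows changed.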