Freaky Thommi

Reputation: 746

Spring Security is giving 403 in spite of right credentials

Hi, I am getting access denied from Spring. Can somebody please help me with this?


I am using Spring 4.3

My controller

@RestController
@RequestMapping (value = "/api/secured/resource/school")
@Secured ({ ApplicationConstants.Role.SYSTEM_ADMIN, ApplicationConstants.Role.SCHOOL_ADMIN })
public class SchoolController
{

    @Autowired
    private SchoolService schoolService;

    @PostMapping (consumes = "application/json")
    @Secured ({ ApplicationConstants.Role.SYSTEM_ADMIN })
    public @ResponseBody ResponsePayload createSchool (HttpServletRequest request, @RequestBody School school)
            throws ServiceException
    {
        // method body omitted in the post
    }
}

    // nested in ApplicationConstants
    interface Role
    {

        String SYSTEM_ADMIN = "SYSTEM_ADMIN";

        String SCHOOL_ADMIN = "SCHOOL_ADMIN";
    }

As you can see in the log below, the user has two authorities, SYSTEM_USER and SYSTEM_ADMIN, but it is still giving me Access Denied.

Spring configuration

    <http pattern="/static/**" security="none" />
    <http use-expressions="true">
        <intercept-url pattern="/app/**" access="isAuthenticated()" />
        <form-login login-page="/loginPage"
            authentication-success-handler-ref="mySuccessHandler"
            authentication-failure-handler-ref="myFailureHandler" />
        <logout logout-success-url="/loginPage" />
        <custom-filter ref="loginFilter" after="FIRST" />
        <csrf disabled="true" />
    </http>

2016-07-15 16:03:12,525 DEBUG MethodSecurityInterceptor:348 - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@7670236f: Principal: SystemUser [userId=1, name=Administrator, [email protected], mobilePhone=9999999999, status=ACTIVE]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1h5x6yxtd1m0y1ogs4h5vfo1yl; Granted Authorities: SYSTEM_USER, SYSTEM_ADMIN
2016-07-15 16:03:12,525 DEBUG AffirmativeBased:66 - Voter: org.springframework.security.access.vote.RoleVoter@55951fcd, returned: 0
2016-07-15 16:03:12,527 DEBUG AffirmativeBased:66 - Voter: org.springframework.security.access.vote.AuthenticatedVoter@46ab4efc, returned: 0
2016-07-15 16:03:12,529 DEBUG ExceptionHandlerExceptionResolver:133 - Resolving exception from handler [public com.tepachi.web.response.ResponsePayload com.tepachi.web.controller.SchoolController.createSchool(javax.servlet.http.HttpServletRequest,com.tepachi.db.entities.user.School) throws com.tepachi.exception.ServiceException]: org.springframework.security.access.AccessDeniedException: Access is denied

Upvotes: 1

Views: 692

Answers (1)

Freaky Thommi

Reputation: 746

The problem was that Spring 4 onwards prepends ROLE_ to the granted authority.

hasRole([role]) : Returns true if the current principal has the specified role. By default if the supplied role does not start with 'ROLE_' it will be added. This can be customized by modifying the defaultRolePrefix on DefaultWebSecurityExpressionHandler.

More information can be found here: Spring Doc

Upvotes: 1
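Added example (not code from the question or the answer) that reproduces the decision in the log above and shows the fix. The hasRole() auto-prefix quoted in the answer applies to expression-based checks (@PreAuthorize, access="hasRole(...)"); @Secured hands its attribute strings to RoleVoter unchanged, and RoleVoter only votes on attributes that start with its prefix ("ROLE_" by default), abstaining (returned: 0) on "SYSTEM_ADMIN" exactly as the log shows. With both voters abstaining, AffirmativeBased denies. So the attribute and the granted authority both need the prefix. The class name RolePrefixExample, the helpers toAuthorities and vote, and the stand-in controller are assumptions for illustration; it assumes spring-security-core and spring-web 4.x on the classpath.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical example class, not part of the original project.
public class RolePrefixExample {

    /** Role names as the application stores them, plus the prefixed forms @Secured needs. */
    public interface Role {
        String SYSTEM_ADMIN = "SYSTEM_ADMIN";
        String SCHOOL_ADMIN = "SCHOOL_ADMIN";
        // @Secured passes these strings to RoleVoter unchanged; RoleVoter.supports()
        // is only true for attributes starting with its rolePrefix ("ROLE_").
        String ROLE_SYSTEM_ADMIN = "ROLE_" + SYSTEM_ADMIN;
        String ROLE_SCHOOL_ADMIN = "ROLE_" + SCHOOL_ADMIN;
    }

    /** Map stored role names to GrantedAuthority objects carrying the ROLE_ prefix. */
    public static List<GrantedAuthority> toAuthorities(List<String> storedRoles) {
        return storedRoles.stream()
                .map(r -> r.startsWith("ROLE_") ? r : "ROLE_" + r)
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
    }

    /** Stand-in controller: attribute and authority now share the prefix. */
    @RestController
    @RequestMapping("/api/secured/resource/school")
    @Secured({ Role.ROLE_SYSTEM_ADMIN, Role.ROLE_SCHOOL_ADMIN })
    public static class SchoolController {
        @PostMapping(consumes = "application/json")
        @Secured({ Role.ROLE_SYSTEM_ADMIN })
        public String createSchool() {
            return "created";
        }
    }

    /** Run RoleVoter directly, the way AffirmativeBased does for an @Secured method. */
    public static int vote(Authentication auth, String attribute) {
        List<ConfigAttribute> attrs = SecurityConfig.createList(attribute);
        return new RoleVoter().vote(auth, new Object(), attrs);
    }

    public static void main(String[] args) {
        // Constructed input mirroring the question's log: unprefixed authorities.
        Authentication unprefixed = new UsernamePasswordAuthenticationToken(
                "admin", "n/a", AuthorityUtils.createAuthorityList("SYSTEM_USER", "SYSTEM_ADMIN"));
        // Unprefixed attribute: RoleVoter does not support it and abstains (the "returned: 0" line).
        System.out.println("SYSTEM_ADMIN vs SYSTEM_ADMIN: " + vote(unprefixed, Role.SYSTEM_ADMIN));
        // Prefixing only the attribute is not enough: the voter now votes, but no authority matches.
        System.out.println("ROLE_SYSTEM_ADMIN vs SYSTEM_ADMIN: " + vote(unprefixed, Role.ROLE_SYSTEM_ADMIN));

        // Fix: grant prefixed authorities and secure with prefixed attributes.
        Authentication prefixed = new UsernamePasswordAuthenticationToken(
                "admin", "n/a", toAuthorities(Arrays.asList("SYSTEM_USER", "SYSTEM_ADMIN")));
        System.out.println("ROLE_SYSTEM_ADMIN vs ROLE_SYSTEM_ADMIN: " + vote(prefixed, Role.ROLE_SYSTEM_ADMIN));
    }
}
```

The same prefix rule applies wherever authorities are created, typically the UserDetailsService or the custom loginFilter in the question's configuration, so the mapping in toAuthorities belongs there rather than in each controller. RoleVoter's constants are ACCESS_GRANTED (1), ACCESS_ABSTAIN (0) and ACCESS_DENIED (-1); the first call above abstains, the second denies, the third grants.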
