Стив Гейтс
Reputation: 73
Spring Security don't change role
I wrote a project where the admin can change the role of the user (from user to admin level). I kind of wrote the code correctly, but it does not change the role. You can see the code. The login changes, but the user's role remains the same as it was before.
EditUser.JSP
<body>
<center>
<h1>User Edit form</h1>
<form:form method="POST" action="${pageContext.request.contextPath}/admin/editUser">
<table>
<input type="hidden" value="${user.id}" name="id"/>
<tr>
<td><label path="Login">Login</label></td>
<td bgcolor="#000000"><input type="text" name="login" value="${user.login}"/></td>
</tr>
<tr>
<td><label path="Password">Password</label></td>
<td bgcolor="#000000"><input name="password" value="${user.password}"/></td>
</tr>
<tr>
<td>
<select name="role">
<option value="${user.role}" selected>ROLE_ADMIN</option>
<option value="${user.role}">ROLE_USER</option>
</td>
</select>
</tr>
<tr>
<td><input class="btn btn-primary" type="submit" value="Save"/></td>
</tr>
</table>
</form:form>
</center>
UserServiceImpl.JAVA
@Service
@Transactional
public class UserServiceImpl implements UserService {
@Autowired
private UserRepository repository;
@Autowired
public UserServiceImpl(UserRepository repository) {
super();
this.repository = repository;
}
@Override
public List<User> getAll() {
return (List<User>) repository.findAll();
}
@Override
public Optional<User> findUser(Long id) {
return repository.findById(id);
}
@Override
public User saveUser(User user) {
return repository.save(user);
}
@Override
public User updateUser(User user) {
User targetUser = repository.findById(user.getId()).get();
if (user.getLogin() != null) {
targetUser.setLogin(user.getLogin());
}
if (user.getRole() != null) {
targetUser.setRole(user.getRole());
}
if (user.getPassword() != null) {
targetUser.setPassword(user.getPassword());
}
return repository.save(targetUser);
}
}
User.JAVA
@Entity
@Table(name = "users")
public class User implements Serializable, UserDetails {
@Id
@GeneratedValue
private Long id;
private String login;
private String password;
private String role;
public Long getId() {
return id;
}
public void setId(Long id) {
this.id = id;
}
public void setId(long id) {
this.id = id;
}
public String getLogin() {
return login;
}
public void setLogin(String login) {
this.login = login;
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return Collections.singleton(new SchoolAuthority(role));
}
@Override
public String getPassword() {
return password;
}
@Override
public String getUsername() {
return login;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
public void setPassword(String password) {
this.password = password;
}
public String getRole() {
return role;
}
public void setRole(String role) {
this.role = role;
}
class SchoolAuthority implements GrantedAuthority {
String role;
public SchoolAuthority(String role) {
this.role = role;
}
@Override
public String getAuthority() {
return role;
}
}
@Override
public String toString() {
return "User{" +
"id=" + id +
", login='" + login + '\'' +
", password='" + password + '\'' +
", role='" + role + '\'' +
'}';
}
}
AdminController.JAVA
@Controller
@RequestMapping("/admin")
public class AdminController {
@Autowired
private StudentService studentService;
@Autowired
private UserService userService;
@GetMapping("/allStudentsAdmin")
public ModelAndView allStudentsForUser() {
ModelAndView mv = new ModelAndView();
List<Student> studentList = studentService.getAllStudents();
mv.addObject("studentList", studentList);
mv.setViewName("allStudentsAdmin");
return mv;
}
@GetMapping(value = "/deleteStudent/{id}")
public ModelAndView deleteUserById(@PathVariable Long id) {
studentService.deleteStudentById(id);
ModelAndView mv = new ModelAndView("redirect:/admin/allStudentsAdmin");
return mv;
}
@GetMapping(value = "/editStudent/{id}")
public ModelAndView displayEditUserForm(@PathVariable Long id) {
ModelAndView mv = new ModelAndView("adminEditStudent");
Student student = studentService.getStudentById(id);
mv.addObject("headerMessage", "Редактирование студента");
mv.addObject("student", student);
return mv;
}
@PostMapping(value = "/editStudent")
public String saveEditedUser(
@RequestParam("id") Long id,
@RequestParam("name") String name,
@RequestParam("surname") String surname,
@RequestParam("avatar") MultipartFile file) {
try {
studentService.updateStudent(name, surname, file, studentService.getStudentById(id));
} catch (FileSystemException ex) {
ex.printStackTrace();
} catch (IOException e) {
return "redirect:/errors";
}
return "redirect:/admin/allStudentsAdmin";
}
@GetMapping(value = "/addStudentAdmin")
public ModelAndView displayNewUserForm() {
ModelAndView mv = new ModelAndView("addStudentAdmin");
mv.addObject("headerMessage", "Add Student Details");
mv.addObject("student", new Student());
return mv;
}
@PostMapping(value = "/addStudentAdmin")
public String saveNewStudent(@RequestParam("name") @NonNull String name,
@RequestParam("surname") @NonNull String surname,
@RequestParam("avatar") MultipartFile file)
throws IOException {
Student student = new Student();
student.setSurname(surname);
student.setName(name);
if (file != null && !file.isEmpty()) {
student.setAvatar(studentService.saveAvatarImage(file).getName());
}
studentService.saveStudent(student);
return "redirect:/admin/allStudentsAdmin";
}
@GetMapping(value = "/addUser")
public ModelAndView displayAddUserForm() {
ModelAndView mv = new ModelAndView("addUser");
mv.addObject("user", new User());
return mv;
}
@PostMapping(value = "/addUser", consumes = "multipart/form-data")
public String saveNewUser(@ModelAttribute User user) {
userService.saveUser(user);
return "redirect:/admin/allUsers";
}
@GetMapping("/allUsers")
public ModelAndView allUsers(@ModelAttribute User user) {
ModelAndView mv = new ModelAndView("allUsers");
List<User> users = userService.getAll();
mv.addObject("users", users);
return mv;
}
@GetMapping("/editUser/{id}")
public ModelAndView editUser(@PathVariable Long id) {
Optional<User> user = userService.findUser(id);
if (user.isPresent()) {
ModelAndView mv = new ModelAndView("editUser");
mv.addObject("user", user.get());
return mv;
}
return new ModelAndView("redirect:/admin/allUsers");
}
@PostMapping("/editUser")
public String saveEditedUser(@ModelAttribute User user) {
userService.updateUser(user);
return "redirect:/admin/allUsers";
}
}
Upvotes: 0
Views: 104
Answers (1)
Jaume Morón i Tarrasa
Reputation: 689
Your jsp code contains an error in the code below:
<select name="role">
<option value="${user.role}" selected>ROLE_ADMIN</option>
<option value="${user.role}">ROLE_USER</option>
The parameter role always have the same value ${user.role}. If you choose ROLE_ADMIN or ROLE_USER, the value of current user role (${user.role}) always be sent to controller.
Upvotes: 1
Related Questions
- Spring security added prefix "ROLE_" to all roles name?
- Spring Security Role Hierarchy not working using Java Config
- Spring Security roles issue
- Spring security doesn't match a given role
- How to fix role in Spring Security?
- Spring security Role cannot be converted to granted authority
- Spring security roles and permissions
- Spring security @secure not working with role hierarchy
- One of my roles is not working in Spring Security 3.1
- Spring security roles