user468587

Reputation: 5031

Spring security roles

I have user roles tables in my database, which contains roles like 'ROLE_ADMIN' and 'ROLE_USER', and in applicationContext-security.xml, I defined the filterSecurityInterceptor as:

  <s:filter-chain-map path-type="ant">
    <s:filter-chain pattern="/rpc/adminService"
      filters="
          authenticationProcessingFilter,
          filterSecurityInterceptor"/>

    <s:filter-chain pattern="/rpc/**"
      filters="
          concurrentSessionFilter,
          httpSessionContextIntegrationFilter,
          authenticationProcessingFilter,
          rememberMeProcessingFilter,
          anonymousProcessingFilter,
          exceptionTranslationFilter,
          filterSecurityInterceptor" />

    <s:filter-chain pattern="/j_spring_security*"
      filters="
          concurrentSessionFilter,
          httpSessionContextIntegrationFilter,
          logoutFilter,
          authenticationProcessingFilter,
          rememberMeProcessingFilter,
          anonymousProcessingFilter" />

    <s:filter-chain pattern="/**" filters="none" />
  </s:filter-chain-map>

  <bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="objectDefinitionSource">
      <s:filter-invocation-definition-source>
        <s:intercept-url pattern="/rpc/userService" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <s:intercept-url pattern="/rpc/adminService**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <s:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
      </s:filter-invocation-definition-source>
    </property>
  </bean>

  <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    <property name="sessionController" ref="concurrentSessionController" />
    <property name="providers">
      <list>
        <ref bean="rememberMeAuthenticationProvider" />
        <ref bean="daoAuthenticationProvider" />
      </list>
    </property>
  </bean>

 <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="accountRepository" />
    <property name="passwordEncoder" ref="passwordEncoder" />
  </bean>

However, when I tried to access some resource as an admin user, it was rejected with the complaint:

An Authentication object was not found in the SecurityContext

How can I convert a role that is defined in the database to a role that is recognized by the SecurityContext?

Upvotes: 0

Views: 1861

Answers (2)

Shaun the Sheep

Reputation: 22762

You have no HttpSessionContextIntegrationFilter in your filter chain for /rpc/adminService. You haven't said what the request URL is when you're seeing the problem, but if you access that exact URL there will be no security context provided for the request.

Spring Security filter chains should always have this filter included.

I would also beware of your

<s:filter-chain pattern="/**" filters="none" />

since anything that is not matched by the previous patterns will not have a security context.

Upvotes: 2

mino.me

Reputation: 305

You have this in your configuration, right?

<authentication-manager>
    <authentication-provider user-service-ref="accountRepository">
        <password-encoder ref="passwordEncoder"/>
    </authentication-provider>
</authentication-manager>

Have you looked into this: spring-security-3-database-authentication-with-hibernate

I am using this for simple testing:

<authentication-manager alias="authenticationManager">
    <authentication-provider>
        <jdbc-user-service data-source-ref="dataSource"
            users-by-username-query=
                "SELECT username, password, CASE Status WHEN 1 THEN 'true' ELSE 'false' END as enabled
                    FROM User
                    WHERE username = ?"
            authorities-by-username-query=
                "SELECT username, CASE role WHEN 1 THEN 'ROLE_USER' WHEN 2 THEN 'ROLE_ADMIN' ELSE 'ROLE_GUEST' END as authorities
                    FROM User
                    WHERE username = ?" />
    </authentication-provider>
</authentication-manager>

Upvotes: 0
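Putting the two answers together, as an added example that is not code from the question or from either poster: the admin chain with the session-integration and exception-translation filters restored, and intercept-url entries that actually demand the ROLE_ADMIN authority the database supplies. Bean ids are the question's own; the filterChainProxy bean id and the path-type attribute are assumptions about the surrounding Spring Security 2.0 wiring.

```xml
<!-- Constructed example, not the question's or either answer's configuration.
     Bean ids match the question's applicationContext-security.xml; the
     filterChainProxy id and path-type attribute are assumed 2.0 wiring. -->
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
  <s:filter-chain-map path-type="ant">
    <!-- First matching pattern wins, so this chain (not /rpc/**) handles the admin
         endpoint. httpSessionContextIntegrationFilter must run first: it restores
         the SecurityContext from the HttpSession, which is exactly what was absent
         when "An Authentication object was not found in the SecurityContext" was
         thrown. exceptionTranslationFilter turns AccessDeniedException into a 403
         or a redirect to the login page instead of a raw exception. -->
    <s:filter-chain pattern="/rpc/adminService**"
      filters="
          httpSessionContextIntegrationFilter,
          authenticationProcessingFilter,
          exceptionTranslationFilter,
          filterSecurityInterceptor" />

    <!-- /rpc/**, /j_spring_security* and /** chains continue as in the question. -->
  </s:filter-chain-map>
</bean>

<bean id="filterSecurityInterceptor"
      class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager" />
  <property name="accessDecisionManager" ref="accessDecisionManager" />
  <property name="objectDefinitionSource">
    <s:filter-invocation-definition-source>
      <!-- Most specific pattern first. The default RoleVoter votes on any attribute
           beginning with "ROLE_", so values stored as 'ROLE_ADMIN' / 'ROLE_USER' in
           the roles table need no conversion: accountRepository only has to return
           them as GrantedAuthority objects on the UserDetails it loads.
           IS_AUTHENTICATED_ANONYMOUSLY is handled by AuthenticatedVoter and admits
           any request that carries an Authentication, anonymous included, so the
           original config never actually restricted the admin endpoint. -->
      <s:intercept-url pattern="/rpc/adminService**" access="ROLE_ADMIN" />
      <s:intercept-url pattern="/rpc/userService"    access="ROLE_USER,ROLE_ADMIN" />
      <s:intercept-url pattern="/**"                 access="IS_AUTHENTICATED_ANONYMOUSLY" />
    </s:filter-invocation-definition-source>
  </property>
</bean>
```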
