hasRole() not working error Http Status 403 - Access is denied

0
votes

Following is configuration in my security-config file:

<security:http use-expressions="true">
    <security:intercept-url pattern="/adminarea"
        access="hasRole('admin')" />
    <security:intercept-url pattern="/logincheck"
        access="permitAll" />
    <security:intercept-url pattern="/newaccount"
        access="permitAll" />
    <security:intercept-url pattern="/createnewaccount"
        access="permitAll" />
    <security:intercept-url pattern="/home"
        access="isAuthenticated()" />
    <security:intercept-url pattern="/static/**"
        access="permitAll" />
    <security:intercept-url pattern="/" access="permitAll" />
    <security:intercept-url pattern="/**" access="denyAll" />
    <security:form-login login-page="/"
        authentication-failure-url="/?error=true" default-target-url="/home" />
</security:http>

I am using spring default login which is working fine. But when I try to aceess /adminarea I get an Http Status 403 - Access is denied error. Any help.

Edited: AuthenticationManager

<security:authentication-manager>
    <security:authentication-provider>
        <security:jdbc-user-service
            data-source-ref="dataSource" />
    </security:authentication-provider>
</security:authentication-manager>

code on JSP: 

<sec:authentication property="principal"/>
<sec:authorize access="hasRole('admin')">
    <a href="${pageContext.request.contextPath}/adminarea">Admin Area</a>
</sec:authorize>

first tag outputs following

rg.springframework.security.core.userdetails.User@6d8e08d5: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: admin

second tag outputs nothing.

2
javaspring-security
my guess is <security:intercept-url pattern="/**" access="denyAll" /> this code is causing error.Amit singh
@Amitsingh i tried removing it...but still same errorMeena Chaudhary
Please show your Authentication Manager and UserDetailsServiceshazin
@shazin I updated the post. I am using spring default authentication, do I have to implement UserDetailsService ?Meena Chaudhary
whats your spring security version? If its < 4.x you can try hasRole('ROLE_admin') or hasAuthority('ROLE_admin') or capitalize ROLE_ADMINAnudeep Gade

2 Answers

0
votes

I assume you have created the following tables 

  create table users(
      username varchar_ignorecase(50) not null primary key,
      password varchar_ignorecase(50) not null,
      enabled boolean not null);

  create table authorities (
      username varchar_ignorecase(50) not null,
      authority varchar_ignorecase(50) not null,
      constraint fk_authorities_users foreign key(username) references users(username));
      create unique index ix_auth_username on authorities (username,authority);

Which are required by above authentication manager configuration in your application context xml.

And you have inserted role admin into authorities table.

0
votes

I fixed the problem by setting role in DB as ROLE_XXX or in my case ROLE_ADMIN. And then using the following code:

security configuration:

<security:intercept-url pattern="/adminarea"
        access="hasRole('ROLE_ADMIN')" />

JSP:

<sec:authorize access="hasRole('ROLE_ADMIN')">
    <a href="${pageContext.request.contextPath}/adminarea">Admin Area</a>
</sec:authorize>

From my experimenting to get it work. I guess roles defined need to be in CAPITAL and should be prefixed with ROLE_.

Hope it helps anybody running into this problem.