2
votes

I am trying to view a specific page that only the admin can view but I am getting an error every time I make the request. It appears to be with the hasRole() in my security-context file.

The error just says "HTTP Status 403 - Access is denied" when I make the request to see the admin JSP page.

security-context.xml:

<security:http use-expressions="true">
    <!-- intercept-url rules are evaluated in document order; the first pattern that matches the request wins -->
    <!-- hasAnyRole('admin') is compared against the authority strings loaded from the authorities table -->
    <security:intercept-url pattern="/admin" access="hasAnyRole('admin')" />
    <security:form-login login-page="/login"
        authentication-failure-url="/login?error=true" />
    <!-- was "/loogedout", a typo that no rule below permits; "/loggedout" is permitAll -->
    <security:logout logout-success-url="/loggedout" />
    <security:intercept-url pattern="/createoffer" access="isAuthenticated()" />
    <security:intercept-url pattern="/docreate" access="isAuthenticated()" />
    <security:intercept-url pattern="/offercreated" access="isAuthenticated()" />
    <security:intercept-url pattern="/" access="permitAll" />
    <security:intercept-url pattern="/loggedout" access="permitAll" />
    <security:intercept-url pattern="/newaccount" access="permitAll" />
    <security:intercept-url pattern="/createaccount" access="permitAll" />
    <security:intercept-url pattern="/accountcreated" access="permitAll" />
    <security:intercept-url pattern="/static/**" access="permitAll" />
    <security:intercept-url pattern="/login" access="permitAll" />
    <security:intercept-url pattern="/offers" access="permitAll" />
    <!-- catch-all: any request not matched by a rule above is denied -->
    <security:intercept-url pattern="/**" access="denyAll" />
</security:http>

My two tables in my database are a user(username, email, enabled, password) and authorities(username, authority).

Could anyone suggest what my error is or how to fix it?

2
Can you post the detailed error message? Without it I can't help you much. - OPK
@JasonZ Apologies, I have edited the post with the error. - Simon Terry
Are you logging in as admin? - OPK
@JasonZ Yeah, logged in as admin, and I'm allowed to do all the other tasks. - Simon Terry
What is the URL you are trying to access? Is it /admin? - OPK

2 Answers

0
votes

Please confirm that when you log in as admin, you really have the admin role. Please see the output of the following code, getCurrentUser().getAuthorities(), in any of the flows that is permitted to all. This will simply list all the roles your logged-in user has.

import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

// UserInfo is assumed to be the application's own principal class (the UserDetails
// implementation returned by its UserDetailsService); substitute your own type.
public UserInfo getCurrentUser() {
    UserInfo userInfo = null;
    SecurityContext securityContext = SecurityContextHolder.getContext();
    if (securityContext != null && securityContext.getAuthentication() != null) {
        Object principal = securityContext.getAuthentication().getPrincipal();
        // For unauthenticated requests the principal is the String "anonymousUser",
        // so check the type before casting.
        if (principal instanceof UserInfo) {
            userInfo = (UserInfo) principal;
        }
    }
    return userInfo;
}
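As an added example, not code from the question, the answer, or Spring Security itself, the following stand-alone Java program models the two things the answer asks you to check: how hasRole()/hasAnyRole() compares the role named in the expression against the GrantedAuthority strings loaded from the authorities table (an exact, case-sensitive string comparison; Spring Security 4.x additionally prepends ROLE_ when the expression's role lacks it, 3.x compares the literal string), and how the intercept-url rules are matched in document order with the first match winning. The RoleCheckDemo class, the Rule helper, the simplified Ant matcher, the authority rows and the URLs are all constructed here and are not taken from the asker's application.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

// Added example: models Spring Security's hasAnyRole() matching and the first-match
// evaluation of <intercept-url> rules. Not Spring Security code; all data is constructed.
public class RoleCheckDemo {

    // Mirrors the logic of hasRole()/hasAnyRole(): a requested role matches only if, after
    // prefixing, it equals a granted authority string exactly (case-sensitive).
    // rolePrefix "ROLE_" models Spring Security 4.x; "" models the 3.x literal comparison.
    static boolean hasAnyRole(Set<String> granted, String rolePrefix, String... roles) {
        for (String role : roles) {
            String wanted = role.startsWith(rolePrefix) ? role : rolePrefix + role;
            if (granted.contains(wanted)) {
                return true;
            }
        }
        return false;
    }

    // One <intercept-url pattern=".." access=".."/> rule with a deliberately simplified
    // Ant matcher: "/x/**" matches /x and anything below it, every other pattern is exact.
    static final class Rule {
        final String pattern;
        final String access;

        Rule(String pattern, String access) {
            this.pattern = pattern;
            this.access = access;
        }

        boolean matches(String path) {
            if (pattern.endsWith("/**")) {
                String base = pattern.substring(0, pattern.length() - 3);
                return path.equals(base) || path.startsWith(base + "/");
            }
            return pattern.equals(path);
        }
    }

    // Walks the rule chain in document order and applies the first matching rule,
    // mirroring the first-match semantics of <intercept-url>. Returns the HTTP status.
    static int decide(List<Rule> rules, String path, boolean authenticated,
                      Set<String> granted, String rolePrefix) {
        for (Rule rule : rules) {
            if (!rule.matches(path)) {
                continue;
            }
            String access = rule.access;
            if (access.equals("permitAll")) {
                return 200;
            }
            if (access.equals("denyAll")) {
                return 403;
            }
            if (access.equals("isAuthenticated()")) {
                return authenticated ? 200 : 403;
            }
            if (access.startsWith("hasRole(") || access.startsWith("hasAnyRole(")) {
                // Extract the quoted names from e.g. hasAnyRole('admin', 'ROLE_ADMIN').
                String inner = access.substring(access.indexOf('(') + 1, access.lastIndexOf(')'));
                String[] roles = inner.replace("'", "").replace(" ", "").split(",");
                return authenticated && hasAnyRole(granted, rolePrefix, roles) ? 200 : 403;
            }
            throw new IllegalArgumentException("unsupported access expression: " + access);
        }
        return 403; // nothing matched, so nothing granted access
    }

    public static void main(String[] args) {
        // Constructed rows for the authorities(username, authority) table of the "admin" user.
        Set<String> adminAuthorities = new TreeSet<>(Arrays.asList("ROLE_ADMIN", "ROLE_USER"));

        // Abridged rule chain in the same order as the question's security-context.xml.
        List<Rule> rules = new ArrayList<>();
        rules.add(new Rule("/admin", "hasAnyRole('admin')"));
        rules.add(new Rule("/createoffer", "isAuthenticated()"));
        rules.add(new Rule("/static/**", "permitAll"));
        rules.add(new Rule("/login", "permitAll"));
        rules.add(new Rule("/**", "denyAll"));

        // With ROLE_ADMIN stored, the literal 'admin' (3.x behaviour) never matches: 403.
        System.out.println("/admin, literal match:   " + decide(rules, "/admin", true, adminAuthorities, ""));
        // With the 4.x prefix it compares 'ROLE_admin' to 'ROLE_ADMIN': still 403, case matters.
        System.out.println("/admin, ROLE_ prefix:    " + decide(rules, "/admin", true, adminAuthorities, "ROLE_"));
        // isAuthenticated() pages keep working, which is why the rest of the site looks fine.
        System.out.println("/createoffer as admin:   " + decide(rules, "/createoffer", true, adminAuthorities, ""));
        // Naming the stored authority string exactly in the expression grants access.
        List<Rule> fixed = new ArrayList<>(rules);
        fixed.set(0, new Rule("/admin", "hasAnyRole('ROLE_ADMIN')"));
        System.out.println("/admin, names agree:     " + decide(fixed, "/admin", true, adminAuthorities, ""));
        // Any URL not listed above falls through to the trailing /** denyAll rule.
        System.out.println("/unlisted as admin:      " + decide(rules, "/unlisted", true, adminAuthorities, ""));
    }
}
```

Run it with `java RoleCheckDemo.java` (Java 11 or later) or compile with javac first. The point to take from it is that the value printed by getCurrentUser().getAuthorities() must agree, character for character, with the role named inside hasAnyRole(); if the table holds ROLE_ADMIN, either store admin instead or write hasAnyRole('ROLE_ADMIN'), whichever matches the rest of the application's conventions.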