I am trying to implement custom authentication using Spring Security in my application by implementing AuthenticationProvider. The authentication is successful and the user also has the specified role, but I am still always getting the access denied page. Below is my code. I am new to Spring Security. Please help. Thanks in advance.
Spring-security.xml
    <form-login login-page="/login" login-processing-url="/j_spring_security_check"
        default-target-url="/welcome" authentication-failure-url="/login?error" />
    <access-denied-handler error-page="/403" />
    <logout logout-success-url="/login?logout" />
    <csrf disabled="true"/>
</http>
<authentication-manager id="dao-auth" erase-credentials="false">
    <authentication-provider ref="customAuthenticationProvider">
    </authentication-provider>
</authentication-manager>
<b:bean id="customAuthenticationProvider" class="com.xom.custom.dataservice.impl.CustomAuthenticationProvider"></b:bean>
CustomAuthenticationProvider
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    String name = authentication.getName();
    String password = authentication.getCredentials().toString();
    final User rasUser;
    try {
        // Verify the credentials and load the user's privileges.
        rasUser = checkPrivileges(name, password);
    } catch (NoRASUserLoginException exception) {
        throw new ServiceException(0, "exception while retrieving user data " + exception);
    } catch (SQLException exception) {
        throw new ServiceException(0, "exception while retrieving user privilages " + name + exception);
    }
    // userValue = (UserDetails) rasUser;
    if (rasUser == null)
        throw new UsernameNotFoundException(name + " not found");
    List<SimpleGrantedAuthority> auths = new java.util.ArrayList<SimpleGrantedAuthority>();
    // Grant an authority only for the RReportAdmin privilege, named "ROLES_" + privilege.
    for (String privilege : rasUser.getPermissions()) {
        if (privilege != null && privilege.equalsIgnoreCase("RReportAdmin")) {
            auths.add(new SimpleGrantedAuthority("ROLES_".concat(privilege)));
        }
    }
    // Drop duplicate authorities before building the authenticated token.
    auths = auths.stream().distinct().collect(Collectors.toList());
    authentication = new UsernamePasswordAuthenticationToken(name, password, auths);
    return authentication;
}
Login.jsp
<html>
<head>
    <title>Login</title>
</head>
<body onload='document.loginForm.username.focus();'>
    <h1>Spring Security Custom Login Form (XML)</h1>
    <div id="login-box">
        <h3>Login with Username and Password</h3>
        <form name='loginForm'
            action="<c:url value='/j_spring_security_check' />" method='POST'>
            <table>
                <tr>
                    <td>User:</td>
                    <td><input type='text' name='username'></td>
                </tr>
                <tr>
                    <td>Password:</td>
                    <td><input type='password' name='password' /></td>
                </tr>
                <tr>
                    <td colspan='2'><input name="submit" type="submit"
                        value="submit" /></td>
                </tr>
            </table>
        </form>
    </div>
</body>
</html>
logs
2017-11-07 03:47:42,212 DEBUG o.s.s.w.u.m.AntPathRequestMatcher [http-nio-8080-exec-15] Checking match of request : '/admin'; against '/admin'
2017-11-07 03:47:42,214 DEBUG o.s.s.a.i.AbstractSecurityInterceptor [http-nio-8080-exec-15] Secure object: FilterInvocation: URL: /admin; Attributes:[hasRole('ROLES_RReportAdmin')]
2017-11-07 03:47:42,214 DEBUG o.s.s.a.i.AbstractSecurityInterceptor [http-nio-8080-exec-15] Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@e68aaf8b: Principal: rparwee; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1c07a: RemoteIpAddress: 127.0.0.1; SessionId: EE3501D56ED257409E40A4F8D5F6F794; Granted Authorities: ROLES_RReportAdmin
2017-11-07 03:47:42,216 DEBUG o.s.s.a.v.AffirmativeBased [http-nio-8080-exec-15] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6102b9a6, returned: -1
2017-11-07 03:47:42,219 TRACE o.s.c.s.AbstractApplicationContext [http-nio-8080-exec-15] Publishing event in WebApplicationContext for namespace 'mvc-dispatcher-servlet': org.springframework.security.access.event.AuthorizationFailureEvent[source=FilterInvocation: URL: /admin]
2017-11-07 03:47:42,219 DEBUG o.s.s.w.a.ExceptionTranslationFilter [http-nio-8080-exec-15] Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-4.2.3.RELEASE.jar:4.2.3.RELEASE]
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-4.2.3.RELEASE.jar:4.2.3.RELEASE]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
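
Added example, not part of the original post: the log above shows the rule `hasRole('ROLES_RReportAdmin')` voting -1 against the granted authority `ROLES_RReportAdmin`. The program below evaluates that pair through Spring Security's own `SecurityExpressionRoot`, whose `hasRole()` prepends the default `ROLE_` prefix unless the argument already starts with it. It assumes spring-security-core 4.x on the classpath; the class `RolePrefixCheck`, the helpers `rootFor` and `report`, and the `demo-user` principal are illustrative names.

```java
import java.util.Collections;

import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Illustrative class, not from the post. Needs spring-security-core 4.x on the classpath.
public class RolePrefixCheck {

    // Builds the expression root that access rules are evaluated against,
    // for an authenticated user holding exactly one authority.
    static SecurityExpressionRoot rootFor(String authority) {
        Authentication auth = new UsernamePasswordAuthenticationToken(
                "demo-user", "n/a", // constructed sample principal and credentials
                Collections.singletonList(new SimpleGrantedAuthority(authority)));
        return new SecurityExpressionRoot(auth) { };
    }

    static void report(String authority, String expression, boolean granted) {
        System.out.printf("authority=%-20s %-36s -> %s%n",
                authority, expression, granted ? "granted" : "denied");
    }

    public static void main(String[] args) {
        // The combination from the log: authority and rule both say "ROLES_RReportAdmin".
        String posted = "ROLES_RReportAdmin";
        SecurityExpressionRoot asPosted = rootFor(posted);
        // "ROLES_..." does not start with "ROLE_", so hasRole() looks for "ROLE_" + argument.
        report(posted, "hasRole('ROLES_RReportAdmin')", asPosted.hasRole(posted));
        // hasAuthority() compares the authority string as-is, with no prefix handling.
        report(posted, "hasAuthority('ROLES_RReportAdmin')", asPosted.hasAuthority(posted));

        // Conventional naming: the provider grants "ROLE_RReportAdmin".
        String conventional = "ROLE_RReportAdmin";
        SecurityExpressionRoot fixed = rootFor(conventional);
        report(conventional, "hasRole('RReportAdmin')", fixed.hasRole("RReportAdmin"));
        report(conventional, "hasRole('ROLE_RReportAdmin')", fixed.hasRole(conventional));
    }
}
```

Two consistent configurations follow from this: grant `ROLE_RReportAdmin` in the provider and write `hasRole('RReportAdmin')` in the rule, or keep the `ROLES_` authority and match it with `hasAuthority('ROLES_RReportAdmin')`.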