The Java – @ secured function obtains the access denied permission of the authorized user
I have implemented spring security into my rest API according to many threads At first I was stuck in the @ secured comment and was ignored. Now I've solved it. I'm trapped in getting access denied
It feels like my question sounds very similar: @ secured with granted authorities throws access denied exception – but I'm still denied access
Here are my settings:
Spring security XML file
<authentication-manager> <authentication-provider user-service-ref="userDetailsService"> <password-encoder ref="passwordEncoder" /> </authentication-provider> </authentication-manager> <beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.PlaintextPasswordEncoder"/> <user-service id="userDetailsService"> <user name="john" password="john1" authorities="ROLE_USER,ROLE_ADMIN" /> <user name="jane" password="jane1" authorities="ROLE_USER" /> <user name="apiuser" password="apiuser" authorities="PERMISSION_TEST" /> </user-service>
controller:
@Controller @RequestMapping("/secure") public class SecureController { private static final Logger logger = Logger.getLogger(SecureController.class); @Secured("PERMISSION_TEST") @RequestMapping(value = "/makeRequest",method = RequestMethod.GET) @ResponseBody public SimpleDTO executeSecureCall() { logger.debug("[executeSecureCall] Received request to a secure method"); SimpleDTO dto = new SimpleDTO(); dto.setStringVariable("You are authorized!"); return dto; } }
Now – no correct
<security:global-method-security secured-annotations="enabled"/>
My request passed (because the @ secured comment was ignored) When I put it in and use "apiuser" / "apiuser" to access it, I always refuse to access it. Debugging log:
11:42:43,899 [http-apr-8080-exec-4] DEBUG MethodSecurityInterceptor - PrevIoUsly Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@cc12af5d: Principal: org.springframework.security.core.userdetails.User@d059c8e5: Username: apiuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: PERMISSION_TEST; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: PERMISSION_TEST 11:42:43,899 [http-apr-8080-exec-4] DEBUG AffirmativeBased - Voter: org.springframework.security.access.Vote.RoleVoter@2a9a42ef,returned: 0 11:42:43,900 [http-apr-8080-exec-4] DEBUG AffirmativeBased - Voter: org.springframework.security.access.Vote.AuthenticatedVoter@75a06ec2,returned: 0 11:42:43,902 [http-apr-8080-exec-4] DEBUG AnnotationMethodHandlerExceptionResolver - Resolving exception from handler [com.test.webapp.spring.controller.SecureController@342d150f]: org.springframework.security.access.AccessDeniedException: Access is denied 11:42:43,905 [http-apr-8080-exec-4] DEBUG ResponseStatusExceptionResolver - Resolving exception from handler [com.test.webapp.spring.controller.SecureController@342d150f]: org.springframework.security.access.AccessDeniedException: Access is denied 11:42:43,906 [http-apr-8080-exec-4] DEBUG DefaultHandlerExceptionResolver - Resolving exception from handler [com.test.webapp.spring.controller.SecureController@342d150f]: org.springframework.security.access.AccessDeniedException: Access is denied 11:42:43,909 [http-apr-8080-exec-4] DEBUG DispatcherServlet - Could not complete request org.springframework.security.access.AccessDeniedException: Access is denied
reflection?
Thank you in advance!
Solution
I remember that the @ secured annotation only applies to roles by default_ Role name starting with
You can switch to @ preauthorize ("hasauthority ('permission_test ')") (use pre post annotations = "enabled") or rename your role