Exception using @RolesAllowed in SpringBoot application

I have a main SpringBoot application. using Spring Initializer, embedded Tomcat, Thymeleaf templating engine, and package as JAR executable.

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
...
}

companyService is injected (not null). Removing @RolesAllowed works fine:

@Autowired
CompanyService companyService;

in my appConfig:

@Configuration
@EnableGlobalMethodSecurity(jsr250Enabled=true, securedEnabled=true, prePostEnabled=true)

I have a controller method described as

    @ModelAttribute("companies")
    @RolesAllowed({"ROLE_ADMIN"})
    public Iterable<Company> companies() {
        return companyService.findAll();
    }

When I try to communicate with the controller, I have an application exception with no information:

<div th:utext="'Failed URL: ' +  ${url}"    th:remove="tag">${url}</div>
<div th:utext="'Exception: ' + ${message}"  th:remove="tag">${message}</div>
<div th:utext="'Exception: ' + ${trace}"    th:remove="tag">${trace}</div>

<!--
    Failed URL: null
    Exception: No message available
    Exception: null
-->

Before contacting the controller, I check the user roles:

System.out.println("Authorities -> " +
    SecurityContextHolder.getContext().getAuthentication().getAuthorities());

and this is the result:

Authorities -> [Authority [authority=ROLE_BASIC], Authority [authority=ROLE_ADMIN]]

the same result using:

    @ModelAttribute("companies")
    @Secured("ADMIN")
    public Iterable<Company> companies() {
        return companyService.findAll();
    }

or @Secured("ROLE_ADMIN")

in debug:

42410 [http-nio-8080-exec-7] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@65eab2b2, returned: 1
42410 [http-nio-8080-exec-7] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Authorization successful
42410 [http-nio-8080-exec-7] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - RunAsManager did not change Authentication object
42410 [http-nio-8080-exec-7] DEBUG o.s.security.web.FilterChainProxy - /company/list reached end of additional filter chain; proceeding with original chain
42411 [http-nio-8080-exec-7] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
42411 [http-nio-8080-exec-7] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
42411 [http-nio-8080-exec-7] DEBUG o.a.c.c.C.[Tomcat].[localhost] - Processing ErrorPage[errorCode=0, location=/error

  • Company () is called when removing @Secured and debugging AffirmativeBased

    I got:

    switch (result) {case AccessDecisionVoter.ACCESS_GRANTED: return; logger.debug ("Authorization successful");

2 answers


Do not use either @Secured or @RolesAllowed; using these annotations is no longer recommended. Use @PreAuthorize("hasAuthority('ROLE_ADMIN')") instead.

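As an added example (not code from the question or from either answer), the following shows the @PreAuthorize form recommended above applied to a service method, together with a Spring Security test that checks both the granted and the denied case. It assumes the question's appConfig already carries @EnableGlobalMethodSecurity(prePostEnabled=true), that an @SpringBootApplication class exists in the same package for @SpringBootTest to find, and that the spring-boot-starter-test and spring-security-test dependencies are on the test classpath; the class names CompanyReadService and CompanyReadServiceTest and the sample data are constructed for this example. hasAuthority('ROLE_ADMIN') compares the complete granted-authority string, which is exactly what the question's printout shows (ROLE_BASIC, ROLE_ADMIN); @WithMockUser(authorities = ...) likewise stores the strings as given, without adding a ROLE_ prefix.

```java
import static org.junit.Assert.assertEquals;

import java.util.Arrays;
import java.util.List;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Service;
import org.springframework.test.context.junit4.SpringRunner;

// Hypothetical service standing in for the question's CompanyService.
// Method security is enforced by the proxy that @EnableGlobalMethodSecurity
// (assumed to be present in appConfig with prePostEnabled=true) wraps around it.
@Service
class CompanyReadService {

    // hasAuthority compares the full granted-authority string, so the stored
    // authority must be exactly "ROLE_ADMIN" (as in the question's output).
    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    public List<String> findAll() {
        return Arrays.asList("ACME", "Globex"); // constructed sample data
    }
}

// Test that exercises the secured method with two different principals.
@RunWith(SpringRunner.class)
@SpringBootTest
public class CompanyReadServiceTest {

    @Autowired
    CompanyReadService service;

    // Same authorities the question printed: the call must succeed.
    @Test
    @WithMockUser(authorities = {"ROLE_BASIC", "ROLE_ADMIN"})
    public void adminCanList() {
        assertEquals(2, service.findAll().size());
    }

    // Without ROLE_ADMIN the method-security interceptor must deny the call
    // before the method body runs.
    @Test(expected = AccessDeniedException.class)
    @WithMockUser(authorities = "ROLE_BASIC")
    public void basicUserIsDenied() {
        service.findAll();
    }
}
```

Running the second test with a non-admin principal is the quickest way to confirm that method security is actually being applied to the bean: if no AccessDeniedException is thrown, the annotation is not being enforced (for example because the method is invoked on the bean itself rather than through its proxy), which is a different failure from the one the question's error page shows.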


Is companies() called when the @Secured annotation is removed? If so, try to debug it: org.springframework.security.access.vote.AffirmativeBased will most likely be called first when you validate your URL, after which it gets called when you call the companies() method that is protected by the @Secured annotation, and for some reason the second validation fails.



see also: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#authz-pre-invocation
