java - Spring security returns HTTP 403 after successful authentication -
this question has answer here:
i'm using spring 4.3.10.release , spring-security 4.2.3.release
when try open /admin after successful authentication 403, have required authorities, @ tomcat log.
my security configuration:
@configuration @enablewebsecurity public class websecurityconfig extends websecurityconfigureradapter { private datasource datasource; @override protected void configure(httpsecurity http) throws exception { http.authorizerequests() .antmatchers("/resources/**").permitall() .antmatchers("/admin/**").hasrole("admin") .anyrequest().authenticated().and() .formlogin().loginpage("/login").failureurl("/login?error").permitall().and() .logout().logouturl("/logout").logoutsuccessurl("/login?logout") .invalidatehttpsession(true) .logoutrequestmatcher(new antpathrequestmatcher("/logout", "get")).and() .csrf().and() .exceptionhandling().accessdeniedpage("/403"); } @autowired public void configureglobal(authenticationmanagerbuilder auth) throws exception { auth.jdbcauthentication() .datasource(datasource) .passwordencoder(passwordencoder()) .usersbyusernamequery("select username, password, enabled app_user username = ?") .authoritiesbyusernamequery("select username, role app_user_role username = ?"); } @bean public passwordencoder passwordencoder() { return new bcryptpasswordencoder(); } @autowired public void setdatasource(datasource datasource) { this.datasource = datasource; }
my tomcat's log:
2017-07-28 14:18:15 debug antpathrequestmatcher:157 - checking match of request : '/admin'; against '/resources/**' 2017-07-28 14:18:15 debug antpathrequestmatcher:157 - checking match of request : '/admin'; against '/admin/**' 2017-07-28 14:18:15 debug filtersecurityinterceptor:219 - secure object: filterinvocation: url: /admin; attributes: [hasrole('role_admin')] 2017-07-28 14:18:15 debug filtersecurityinterceptor:348 - authenticated: org.springframework.security.authentication.usernamepasswordauthenticationtoken@f9ea146f: principal: org.springframework.security.core.userdetails.user@586034f: username: admin; password: [protected]; enabled: true; accountnonexpired: true; credentialsnonexpired: true; accountnonlocked: true; granted authorities: admin,user; credentials: [protected]; authenticated: true; details: org.springframework.security.web.authentication.webauthenticationdetails@0: remoteipaddress: 0:0:0:0:0:0:0:1; sessionid: 9f780dc552aed23804184d55f3f9bf0d; granted authorities: admin, user 2017-07-28 14:18:15 debug affirmativebased:66 - voter: org.springframework.security.web.access.expression.webexpressionvoter@6e6a7061, returned: -1 2017-07-28 14:18:15 debug exceptiontranslationfilter:185 - access denied (user not anonymous); delegating accessdeniedhandler org.springframework.security.access.accessdeniedexception: access denied @ org.springframework.security.access.vote.affirmativebased.decide(affirmativebased.java:84) @ org.springframework.security.access.intercept.abstractsecurityinterceptor.beforeinvocation(abstractsecurityinterceptor.java:233) @ org.springframework.security.web.access.intercept.filtersecurityinterceptor.invoke(filtersecurityinterceptor.java:124) @ org.springframework.security.web.access.intercept.filtersecurityinterceptor.dofilter(filtersecurityinterceptor.java:91)
solved! key prefix "role_"
@autowired public void configureglobal(authenticationmanagerbuilder auth) throws exception { auth.jdbcauthentication() .datasource(datasource) .roleprefix("role_") .passwordencoder(passwordencoder()) .usersbyusernamequery("select username, password, enabled app_user username = ?") .authoritiesbyusernamequery("select username, role app_user_role username = ?"); }
Comments
Post a Comment