Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Access denied exception while trying to access the login page in spring security

Tags:

java

spring

access-denied

spring-security

spring-java-config

I am using java based spring security. I have created the custom access decision voter impl.

But when I run the application, I can not open the login page as it says, access is denied.

This happened after I added the custom access decision voter impl. I guess the issue is because of the following code in custom AccessDecisionVoter. 

if(authentication instanceof AnonymousAuthenticationToken)
            return ACCESS_DENIED;

But i need this so that permissions are not checked for not logged in users.

And it goes in infinite loop, login page, access decision voter, access denied, login page and so on.

Below is the spring security configuration code.

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private AffirmativeBased accessDecisionManager;

    @Bean
    @Autowired
    public AffirmativeBased accessDecisionManager(AccessDecisionVoterImpl accessDecisionVoter) {
        List<AccessDecisionVoter<?>> accessDecisionVoters = new ArrayList<AccessDecisionVoter<?>>();
        accessDecisionVoters.add(accessDecisionVoter);
        AffirmativeBased accessDecisionManager = new AffirmativeBased(accessDecisionVoters);
        return accessDecisionManager;
    }

    @Override
    @Autowired
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder(){
        PasswordEncoder passwordEncoder = new PasswordEncoder();
        passwordEncoder.setStringDigester(stringDigester());
        return passwordEncoder;
    }

    @Bean
    public PooledStringDigester stringDigester() {
        PooledStringDigester psd = new PooledStringDigester();

        psd.setPoolSize(2);
        psd.setAlgorithm("SHA-256");
        psd.setIterations(1000);
        psd.setSaltSizeBytes(16);
        psd.setSaltGenerator(randomSaltGenerator());

        return psd;
    }

    @Bean
    public RandomSaltGenerator randomSaltGenerator() {
        RandomSaltGenerator randomSaltGenerator = new RandomSaltGenerator();
        return randomSaltGenerator;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring()
                .antMatchers("/static/**")
                .antMatchers("/i18n/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
        .and()
            .formLogin()
            .loginPage("/login")
            .loginProcessingUrl("/checkLogin")
            .defaultSuccessUrl("/home")
            .failureUrl("/login?login_error=1")
            .usernameParameter("username")
            .passwordParameter("password")
            .permitAll()
        .and()
            .logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login?isLoggedOut=1")
            .deleteCookies("JSESSIONID")
            .invalidateHttpSession(true)
            .permitAll()
        .and()
            .authorizeRequests()
            .antMatchers("/login**").permitAll()
            .antMatchers("/error**").permitAll()
            .antMatchers("/checkLogin**").permitAll()
            .anyRequest()
            .authenticated()
            .accessDecisionManager(accessDecisionManager)
        .and()
            .exceptionHandling()
            .accessDeniedPage("/accessDenied")
        .and()
            .headers()
            .frameOptions()
            .disable()
        .and()
            .sessionManagement()
            .invalidSessionUrl("/login")
            .maximumSessions(1);
    }

}

and my custom voter impl

@Component
public class AccessDecisionVoterImpl implements AccessDecisionVoter {

    @Autowired
    private ModuleService moduleService;

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    @Override
    public boolean supports(Class clazz) {
        return true;
    }

    @Override
    public int vote(Authentication authentication, Object object, Collection collection) {
// i have given this so that if user is not logged in then should not check permission at all 
        if(authentication instanceof AnonymousAuthenticationToken)
            return ACCESS_DENIED;

             HttpServletRequest request = ((FilterInvocation) object).getHttpRequest();
    String requestedOperation = request.getParameter("operation");

    if (requestedOperation != null && !requestedOperation.isEmpty()){
        String [] requestURISplit = request.getRequestURI().split("/");
        String requestedModuleName = requestURISplit[2];

        if(SecurityUtils.hasPermission(requestedModuleName, requestedOperation)){
           return ACCESS_GRANTED;
        }
    } else {
        return ACCESS_GRANTED;
    }

    return ACCESS_DENIED;

Also, when I remove following lines from my voter, if the user is not logged in and tries to access the secured pages, it goes ahead. It should have redirected to the login page instead.

if(authentication instanceof AnonymousAuthenticationToken)
                return ACCESS_DENIED;

This is the first time I am trying to use the spring boot. Hence, i am not sure of all the configuration issues.

Is there anything wrong with the order of the antMatchers?

Please help.

like image 585
ashishjmeshram Avatar asked Mar 10 '16 06:03

ashishjmeshram

People also ask

How do you handle security exceptions in Spring?

Spring security exceptions can be directly handled by adding custom filters and constructing the response body. To handle these exceptions at a global level via @ExceptionHandler and @ControllerAdvice, we need a custom implementation of AuthenticationEntryPoint.

How does Spring boot handle Access Denied exception?

Since this is an exception handling, we are using the Spring security . excepTionHandling() method and telling that we like to handle the access denied use case by passing custom access denied handler to the accessDeniedHandler() method ( . exceptionHandling(). accessDeniedHandler(accessDeniedHandler() ).

Can Spring Security log failed logon events?

A user can login failed 3 times maximum. His account will be locked on the last failed attempt. The user account is locked during 24 hours. That means after this duration the user account will be unlocked (upon the next login attempt).

2 Answers

Your AccessDecisionVoter needs to either

  • abstain from voting (AccessDecisionVoter.ACCESS_ABSTAIN): if the voter is unable to make a decision (eg. user unauthorized, unable to obtain module from request context etc.)
  • grant access (AccessDecisionVoter.ACCESS_GRANTED): if the module can be identified and the user is authorized
  • deny access (AccessDecisionVoter.ACCESS_DENIED): if the module can be identified and the user is not authorized

With your AccessDecisionManager configuration, you basically cancel out the url-based access restrictions such as:

http.authorizeRequests()
    .antMatchers("/css/**", "/img/**", "/js/**", "/font/**").permitAll()
    .antMatchers("/login**").permitAll()
    .antMatchers("/error**").permitAll()
    .antMatchers("/checkLogin**").permitAll()
    .anyRequest()
        .authenticated()

By default spring uses the WebExpressionVoter for that purpose. However, the AffirmativeBased AccessDecisionManager grants access if at least one AccessDecisionVoter grants access to a resource (this is probably not what you want). For your requirements a ConsensusBased AccessDecisionManager including the WebExpressionVoter would be the best match.

@Bean
public AccessDecisionManager accessDecisionManager() {
    List<AccessDecisionVoter<? extends Object>> decisionVoters = new ArrayList<>();
    decisionVoters.add(new WebExpressionVoter());
    decisionVoters.add(new ModuleAccessDecisionVoter());
    ConsensusBased consensusBased = new ConsensusBased(decisionVoters);

    // deny access if voters equally voted to allow and deny access
    consensusBased.setAllowIfEqualGrantedDeniedDecisions(false);
    return consensusBased;
}

Your AccessDecisionVoter implementation:

static class ModuleAccessDecisionVoter implements AccessDecisionVoter<FilterInvocation> {

    public int vote(Authentication authentication, FilterInvocation object, Collection<ConfigAttribute> attributes) {
        if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
            return ACCESS_ABSTAIN;
        }

        // determine module and grant or deny access
        // if module cannot be determined abstain from voting
        String module = determineModule(object);
        if (module != null) {
            return isAccessGranted(module, authentication) ? ACCESS_GRANTED : ACCESS_DENIED
        }

        return ACCESS_ABSTAIN;
    }
}

Anonymous access should lead to the following results:

  • /login: WebExpressionVoter: +1, ModuleVoter: 0 -> 1 = ACCESS_GRANTED
  • /foo-module: WebExpressionVoter: -1, ModuleVoter: -1 -> -2 = ACCESS_DENIED

Given a User that is allowed to view the Foo module should produce the following results:

  • /foo-module: WebExpressionVoter: +1, ModuleVoter: +1 -> 2 = ACCESS_GRANTED
  • /bar-module: WebExpressionVoter: +1 (because user is authenticated), ModuleVoter: -1 -> 0 = ACCESS_DENIED (because of ConsensusBased.setAllowIfEqualGrantedDeniedDecisions(false))
like image 88
fateddy Avatar answered Sep 26 '22 00:09

fateddy

If I read this correctly, you are trying to solve the problem where your user is being logged in anonymously by returning ACCESS_DENIED for anonymous authentication. That's no good. Remove that custom code and instead do this in security config:

anyRequest().hasRole("USER")

Then, ensure that when user is logged in, they have the required role.

An alternative would be to disable anonymous login so you won't need roles (for long term this would not be recommended).

http.anonymous().disable()
like image 25
Teemu Ilmonen Avatar answered Sep 23 '22 00:09

Teemu Ilmonen
Sign in to Comment

Related questions

Java Compile error when return Generic Class type
List.fill(int)(method()) equivalent in Java?
java spring repositories - findBy() method using set of IDs/values
javax.json strange behavior
Using Enum to hold object constants
Set last modified timestamp of a file using jimfs in Java
Debugging in Eclipse GWT
How to iterate over MultiKeyMap?
JAX-WS Maven Plugin Not Working with JDK 8
How can you find the latest version of a maven artifact from Java using aether?
Hibernate: Delete all children with one query
In Java 8, does Executors.newWorkStealingPool() also provide a task queue?
How can I find the JSON key of a field (jackson)?
How do you use the Google DataProc Java Client to submit spark jobs using jar files and classes in associated GS bucket?
Why can't notifyAll() be used in a Thread instance?
What is the Time Complexity of Set operation of a BitSet in java?
Cannot Deploy Spring Boot Application to Azure
Java streams: throwing exception from stream depending upon value in stream
Must implement default interface method?
SAML Request Attributes In AuthnRequest

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!