I have a basic Spring Boot app, created with Spring Initializr, using embedded Tomcat and the Thymeleaf template engine, and packaged as an executable JAR file.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
...
}
companyService is injected and not null:
@Autowired
CompanyService companyService;
Removing @RolesAllowed works fine.
In my applicationConfig:
@Configuration
@EnableGlobalMethodSecurity(jsr250Enabled=true, securedEnabled=true, prePostEnabled=true)
I have a method of a controller annotated like this:
@ModelAttribute("companies")
@RolesAllowed({"ROLE_ADMIN"})
public Iterable<Company> companies() {
    return companyService.findAll();
}
When I try to reach the controller I have an application exception with no information:
<div th:utext="'Failed URL: ' + ${url}" th:remove="tag">${url}</div>
<div th:utext="'Exception: ' + ${message}" th:remove="tag">${message}</div>
<div th:utext="'Exception: ' + ${trace}" th:remove="tag">${trace}</div>
<!--
Failed URL: null
Exception: No message available
Exception: null
-->
Before reaching the controller I check the roles of the user:
System.out.println("Authorities -> " +
    SecurityContextHolder.getContext().getAuthentication().getAuthorities());
and this is the result:
Authorities -> [Authority [authority=ROLE_BASIC], Authority [authority=ROLE_ADMIN]]
Same result using:
@ModelAttribute("companies")
@Secured("ADMIN")
public Iterable<Company> companies() {
    return companyService.findAll();
}
or @Secured("ROLE_ADMIN").
In the debug log:
42410 [http-nio-8080-exec-7] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@65eab2b2, returned: 1
42410 [http-nio-8080-exec-7] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Authorization successful
42410 [http-nio-8080-exec-7] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - RunAsManager did not change Authentication object
42410 [http-nio-8080-exec-7] DEBUG o.s.security.web.FilterChainProxy - /company/list reached end of additional filter chain; proceeding with original chain
42411 [http-nio-8080-exec-7] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
42411 [http-nio-8080-exec-7] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
42411 [http-nio-8080-exec-7] DEBUG o.a.c.c.C.[Tomcat].[localhost] - Processing ErrorPage[errorCode=0, location=/error
companies() is invoked when you remove @Secured, and when debugging AffirmativeBased I got:
switch (result) {
case AccessDecisionVoter.ACCESS_GRANTED:
    return;
logger.debug("Authorization successful");
Do not use either @Secured or @RolesAllowed; use of these annotations is no longer recommended. Instead use @PreAuthorize("hasAuthority('ROLE_ADMIN')").
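An added example (not code from the question or the answer) of how to pin down the behaviour the answer describes: a MockMvc test that asserts the authorization outcome of the @PreAuthorize("hasAuthority('ROLE_ADMIN')") guard for each role from the question's authority list. It assumes the question's companies() model attribute method has been re-annotated as the answer suggests, that /company/list (the URL in the debug log) is served by that controller, and that spring-boot-starter-test and spring-security-test are on the test classpath.

```java
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Added example; CompanyListAccessTest is a hypothetical test class name.
// Loads the full application context (SecurityConfig, method security, Thymeleaf)
// and drives it through MockMvc with the Spring Security filter chain attached.
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class CompanyListAccessTest {

    @Autowired
    private MockMvc mvc;

    // @WithMockUser(roles = "ADMIN") grants the authority ROLE_ADMIN, which is
    // exactly what hasAuthority('ROLE_ADMIN') checks, so the page must render.
    @Test
    @WithMockUser(roles = "ADMIN")
    public void adminCanReachCompanyList() throws Exception {
        mvc.perform(get("/company/list")).andExpect(status().isOk());
    }

    // A user holding only ROLE_BASIC (the other authority in the question's
    // output) is denied inside companies(); ExceptionTranslationFilter turns
    // the AccessDeniedException of an authenticated user into HTTP 403.
    @Test
    @WithMockUser(roles = "BASIC")
    public void basicUserIsForbidden() throws Exception {
        mvc.perform(get("/company/list")).andExpect(status().isForbidden());
    }
}
```

If the second test yields a 500 or a generic error page instead of 403, the method-security proxy is not being applied to the controller, which is worth checking before blaming the annotation type.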