
Access denied to page when using hasPermission from Spring Security

In my project, the methods from my controller have this structure:

@Controller
@RequestMapping(value="privado")
public class PrivadoController {

    @RequestMapping(value="admin")
    @PreAuthorize("hasPermission(#usuario, 'admin_main')")
    public ModelAndView admin() {
        ModelAndView mav = new ModelAndView();
        mav.setViewName("privado/admin");
        return mav;
    }

    @RequestMapping(value="customer")
    @PreAuthorize("hasPermission(#usuario, 'customer_main')")
    public ModelAndView customer() {
        ModelAndView mav = new ModelAndView();
        mav.setViewName("privado/customer");
        return mav;
    }

}

The method hasPermission is implemented in this CustomPermissionEvaluator class:

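import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

@Component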
public class CustomPermissionEvaluator implements PermissionEvaluator {

    public CustomPermissionEvaluator() {
    }

    @Override
    public boolean hasPermission(Authentication arg0, Object arg1, Object arg2) {
        System.out.println("CustomPermissionEvaluator.hasPermission");
        if (arg0 == null || !arg0.isAuthenticated())
            return false;
        else
            return arg0.getAuthorities().contains(arg1);
    }

    @Override
    public boolean hasPermission(Authentication arg0, Serializable arg1, String arg2, Object arg3) {
        throw new RuntimeException("Id-based permission evaluation not currently supported.");
    }

}

My problem is that, despite entering the right login credentials and having the proper roles and permissions for the user saved in the database, I am facing a default access denied page (and I have a custom page for this error in my project).

Can anyone see what I am doing wrong here?

P.S.: The complete code for the security layer of my application can be found here:

https://github.com/klebermo/webapp2/tree/master/src/com/spring/webapp/lojavirtual/config/security

After a more careful analysis of the code, I finally managed to solve this problem. It turns out I was using the wrong argument in the method's body. The final code for my CustomPermissionEvaluator is:

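import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;

@Component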
public class CustomPermissionEvaluator implements PermissionEvaluator {

    public CustomPermissionEvaluator() {
    }

    public boolean hasPermission(Authentication arg0, Object arg1) {
        System.out.println("CustomPermissionEvaluator.hasPermission");
        System.out.println("arg0 = "+arg0);
        System.out.println("arg1 = "+arg1);

        if (arg0 == null || !arg0.isAuthenticated()) {
            System.out.println("false");
            return false;
        }
        else {
            System.out.println("true");
            for(GrantedAuthority authority: arg0.getAuthorities()) {
                if(authority.getAuthority().equals(arg1))
                    return true;
            }
            return false;
        }
    }

    @Override
    public boolean hasPermission(Authentication arg0, Object arg1, Object arg2) {
        System.out.println("CustomPermissionEvaluator.hasPermission");
        System.out.println("arg0 = "+arg0);
        System.out.println("arg1 = "+arg1);
        System.out.println("arg2 = "+arg2);

        if (arg0 == null || !arg0.isAuthenticated()) {
            System.out.println("false");
            return false;
        }
        else {
            System.out.println("true");
            for(GrantedAuthority authority: arg0.getAuthorities()) {
                if(authority.getAuthority().equals(arg2))
                    return true;
            }
            return false;
        }
    }

    @Override
    public boolean hasPermission(Authentication arg0, Serializable arg1, String arg2, Object arg3) {
        throw new RuntimeException("Id-based permission evaluation not currently supported.");
    }

}
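
The difference between the two versions, as an added example that is not part of the original post: in `hasPermission(auth, target, permission)` the second argument is the target object and the third is the permission, so the original `contains(arg1)` check could never match an authority name. It assumes spring-security-core on the classpath; the class `PermissionCheckDemo`, the methods `containsCheck` and `nameCheck`, and the user `demo-user` are hypothetical names constructed for illustration.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

public class PermissionCheckDemo {

    // Check from the question: looks for the target object (arg1) inside a
    // collection whose elements are GrantedAuthority instances.
    static boolean containsCheck(Authentication auth, Object target) {
        return auth != null && auth.isAuthenticated()
                && auth.getAuthorities().contains(target);
    }

    // Check from the answer: compares each authority's name with the permission (arg2).
    static boolean nameCheck(Authentication auth, Object permission) {
        if (auth == null || !auth.isAuthenticated() || !(permission instanceof String)) {
            return false; // fail closed on missing or unexpected input
        }
        for (GrantedAuthority authority : auth.getAuthorities()) {
            if (permission.equals(authority.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample user; the three-argument constructor marks the token authenticated.
        Authentication auth = new UsernamePasswordAuthenticationToken(
                "demo-user", "n/a", AuthorityUtils.createAuthorityList("admin_main"));

        // admin() declares no parameter named usuario, so #usuario resolves to null
        // and the evaluator receives null as the target object.
        System.out.println("contains(target=null):      " + containsCheck(auth, null));
        // Even the right string does not equal a GrantedAuthority object.
        System.out.println("contains(\"admin_main\"):     " + containsCheck(auth, "admin_main"));
        // Comparing authority names against the permission argument.
        System.out.println("nameCheck(\"admin_main\"):    " + nameCheck(auth, "admin_main"));
        System.out.println("nameCheck(\"customer_main\"): " + nameCheck(auth, "customer_main"));
    }
}
```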
