I am using java based spring security. I have created the custom access decision voter impl.
But when I run the application, I can not open the login page as it says, access is denied.
This happened after I added the custom access decision voter impl. I guess the issue is because of the following code in custom AccessDecisionVoter.
if(authentication instanceof AnonymousAuthenticationToken)
return ACCESS_DENIED;
But i need this so that permissions are not checked for not logged in users.
And it goes in infinite loop, login page, access decision voter, access denied, login page and so on.
Below is the spring security configuration code.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private AffirmativeBased accessDecisionManager;
@Bean
@Autowired
public AffirmativeBased accessDecisionManager(AccessDecisionVoterImpl accessDecisionVoter) {
List<AccessDecisionVoter<?>> accessDecisionVoters = new ArrayList<AccessDecisionVoter<?>>();
accessDecisionVoters.add(accessDecisionVoter);
AffirmativeBased accessDecisionManager = new AffirmativeBased(accessDecisionVoters);
return accessDecisionManager;
}
@Override
@Autowired
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder(){
PasswordEncoder passwordEncoder = new PasswordEncoder();
passwordEncoder.setStringDigester(stringDigester());
return passwordEncoder;
}
@Bean
public PooledStringDigester stringDigester() {
PooledStringDigester psd = new PooledStringDigester();
psd.setPoolSize(2);
psd.setAlgorithm("SHA-256");
psd.setIterations(1000);
psd.setSaltSizeBytes(16);
psd.setSaltGenerator(randomSaltGenerator());
return psd;
}
@Bean
public RandomSaltGenerator randomSaltGenerator() {
RandomSaltGenerator randomSaltGenerator = new RandomSaltGenerator();
return randomSaltGenerator;
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/static/**")
.antMatchers("/i18n/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/checkLogin")
.defaultSuccessUrl("/home")
.failureUrl("/login?login_error=1")
.usernameParameter("username")
.passwordParameter("password")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/login?isLoggedOut=1")
.deleteCookies("JSESSIONID")
.invalidateHttpSession(true)
.permitAll()
.and()
.authorizeRequests()
.antMatchers("/login**").permitAll()
.antMatchers("/error**").permitAll()
.antMatchers("/checkLogin**").permitAll()
.anyRequest()
.authenticated()
.accessDecisionManager(accessDecisionManager)
.and()
.exceptionHandling()
.accessDeniedPage("/accessDenied")
.and()
.headers()
.frameOptions()
.disable()
.and()
.sessionManagement()
.invalidSessionUrl("/login")
.maximumSessions(1);
}
}
and my custom voter impl
@Component
public class AccessDecisionVoterImpl implements AccessDecisionVoter {
@Autowired
private ModuleService moduleService;
@Override
public boolean supports(ConfigAttribute attribute) {
return true;
}
@Override
public boolean supports(Class clazz) {
return true;
}
@Override
public int vote(Authentication authentication, Object object, Collection collection) {
// i have given this so that if user is not logged in then should not check permission at all
if(authentication instanceof AnonymousAuthenticationToken)
return ACCESS_DENIED;
HttpServletRequest request = ((FilterInvocation) object).getHttpRequest();
String requestedOperation = request.getParameter("operation");
if (requestedOperation != null && !requestedOperation.isEmpty()){
String [] requestURISplit = request.getRequestURI().split("/");
String requestedModuleName = requestURISplit[2];
if(SecurityUtils.hasPermission(requestedModuleName, requestedOperation)){
return ACCESS_GRANTED;
}
} else {
return ACCESS_GRANTED;
}
return ACCESS_DENIED;
Also, when I remove following lines from my voter, if the user is not logged in and tries to access the secured pages, it goes ahead. It should have redirected to the login page instead.
if(authentication instanceof AnonymousAuthenticationToken)
return ACCESS_DENIED;
This is the first time I am trying to use the spring boot. Hence, i am not sure of all the configuration issues.
Is there anything wrong with the order of the antMatchers?
Please help.
Your AccessDecisionVoter
needs to either
AccessDecisionVoter.ACCESS_ABSTAIN
): if the voter is unable to make a decision (eg. user unauthorized, unable to obtain module from request context etc.) AccessDecisionVoter.ACCESS_GRANTED
): if the module can be identified and the user is authorized AccessDecisionVoter.ACCESS_DENIED
): if the module can be identified and the user is not authorized With your AccessDecisionManager
configuration, you basically cancel out the url-based access restrictions such as:
http.authorizeRequests()
.antMatchers("/css/**", "/img/**", "/js/**", "/font/**").permitAll()
.antMatchers("/login**").permitAll()
.antMatchers("/error**").permitAll()
.antMatchers("/checkLogin**").permitAll()
.anyRequest()
.authenticated()
By default spring uses the WebExpressionVoter
for that purpose. However, the AffirmativeBased
AccessDecisionManager grants access if at least one AccessDecisionVoter grants access to a resource (this is probably not what you want). For your requirements a ConsensusBased
AccessDecisionManager including the WebExpressionVoter
would be the best match.
@Bean
public AccessDecisionManager accessDecisionManager() {
List<AccessDecisionVoter<? extends Object>> decisionVoters = new ArrayList<>();
decisionVoters.add(new WebExpressionVoter());
decisionVoters.add(new ModuleAccessDecisionVoter());
ConsensusBased consensusBased = new ConsensusBased(decisionVoters);
// deny access if voters equally voted to allow and deny access
consensusBased.setAllowIfEqualGrantedDeniedDecisions(false);
return consensusBased;
}
Your AccessDecisionVoter
implementation:
static class ModuleAccessDecisionVoter implements AccessDecisionVoter<FilterInvocation> {
public int vote(Authentication authentication, FilterInvocation object, Collection<ConfigAttribute> attributes) {
if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
return ACCESS_ABSTAIN;
}
// determine module and grant or deny access
// if module cannot be determined abstain from voting
String module = determineModule(object);
if (module != null) {
return isAccessGranted(module, authentication) ? ACCESS_GRANTED : ACCESS_DENIED
}
return ACCESS_ABSTAIN;
}
}
Anonymous access should lead to the following results:
/login
: WebExpressionVoter: +1
, ModuleVoter: 0
-> 1
= ACCESS_GRANTED
/foo-module
: WebExpressionVoter: -1
, ModuleVoter: -1
-> -2
= ACCESS_DENIED
Given a User that is allowed to view the Foo
module should produce the following results:
/foo-module
: WebExpressionVoter: +1
, ModuleVoter: +1
-> 2
= ACCESS_GRANTED
/bar-module
: WebExpressionVoter: +1
(because user is authenticated), ModuleVoter: -1
-> 0
= ACCESS_DENIED
(because of ConsensusBased.setAllowIfEqualGrantedDeniedDecisions(false)
) If I read this correctly, you are trying to solve the problem where your user is being logged in anonymously by returning ACCESS_DENIED for anonymous authentication. That's no good. Remove that custom code and instead do this in security config:
anyRequest().hasRole("USER")
Then, ensure that when user is logged in, they have the required role.
An alternative would be to disable anonymous login so you won't need roles (for long term this would not be recommended).
http.anonymous().disable()
The problem comes from your voter. Your voter should let anonymous access if the related "ConfigAttribute" is configured so. Below is what you should add (it may depends on your Spring Security version):
for (ConfigAttribute attribute : collection) {
if ("IS_AUTHENTICATED_ANONYMOUSLY".equals(attribute.getAttribute())) {
return ACCESS_GRANTED;
}
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.