
spring security always giving access denied page after successful login

I am using Spring Security for my CRUD application. Even after a successful login, Spring redirects to the access denied page.

This is my config file

<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled"/>
<security:http auto-config="true" use-expressions="true">
  <security:intercept-url pattern="/" access="permitAll"/>
  <security:intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')"/>

  <security:form-login  default-target-url="/employees" 
                        authentication-failure-url="/" always-use-default-target="true" 
                        authentication-success-handler-ref="UrlAuthenticationSuccessHandler"/>
</security:http>

<beans:bean id="UrlAuthenticationSuccessHandler" 
            class="com.sowmith.security.UrlAuthenticationSuccessHandler" /> 

<security:authentication-manager erase-credentials="false">
  <security:authentication-provider>
    <security:user-service>
      <security:user name="sowmith" password="reddy" authorities="hasRole('ROLE_ADMIN')"/>
    </security:user-service>
  </security:authentication-provider>
</security:authentication-manager>

controller class

@RequestMapping(value="/")
public String welcome(){
    return "welcome";
}


@RequestMapping(value = "/employees", method = RequestMethod.GET)
//@PreAuthorize("isAuthenticated()")
public String listEmployee(Model model) {
    model.addAttribute("employee", new Employee());
    model.addAttribute("listEmployee", employeeService.listEmployee());
    model.addAttribute("user", getPrincipal());
    return "employee";
}

AuthenticationSuccessHandler class

protected void handle(HttpServletRequest request, HttpServletResponse response,
                      Authentication authentication) throws IOException {

    String targetUrl = determineTargetUrl(authentication);
    if (response.isCommitted()) {
        log.debug("Response has already been committed. Unable to redirect to " + targetUrl);
        return;
    }
    redirectStrategy.sendRedirect(request, response, targetUrl);
}


protected String determineTargetUrl(Authentication authentication) {

    boolean permitAll = false;
    boolean isAdmin = false;
    // Compare each granted authority string against the expected role names
    Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
    for (GrantedAuthority grantedAuthority : authorities) {
        if (grantedAuthority.getAuthority().equals("permitAll")) {
            permitAll = true;
        } else if (grantedAuthority.getAuthority().equals("hasRole('ROLE_ADMIN')")) {
            isAdmin = true;
        }
    }
    if (permitAll) {
        return "/";
    } else if (isAdmin) {
        return "/employees";
    } else {
        throw new IllegalStateException();
    }
}

In the determineTargetUrl method, it is checking for the role and redirecting to the target URL, but it is not hitting the controller.

Specify an admin in the authentication-manager tag of your Spring Security XML file like this

<security:user name="sowmith" password="reddy" authorities="ROLE_ADMIN"/>

Then change the if condition that checks the role in your AuthenticationSuccessHandler class to

else if (grantedAuthority.getAuthority().equals("ROLE_ADMIN"))
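The root cause the answer points at is a mix-up between two different things: the `authorities` attribute of `<security:user>` holds the literal authority names granted to the principal (for example `ROLE_ADMIN`), whereas `hasRole('ROLE_ADMIN')` is a SpEL access expression that only belongs in an `access="..."` attribute. With the original configuration the user is granted an authority whose name is the string `hasRole('ROLE_ADMIN')`, so `hasRole('ROLE_ADMIN')` on `/**` never matches and every page after login is denied. Below is a complete success handler written as an added example for this page (it is not the question's or the answer's code) that compares against the plain role name; the package name `com.sowmith.security` is taken from the question's bean definition, the `javax.servlet` imports assume a Spring Security 3.x/4.x application as the XML namespace style suggests (Spring Security 6 uses `jakarta.servlet`), and the fallback redirect to `/` for non-admin users is my choice rather than something the question specifies.

```java
package com.sowmith.security; // package taken from the question's bean definition

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/**
 * Redirects a freshly authenticated user to a page chosen by role.
 * Granted authorities are plain strings such as "ROLE_ADMIN"; the SpEL form
 * hasRole('ROLE_ADMIN') is only ever evaluated inside intercept-url access rules
 * and never shows up in Authentication.getAuthorities().
 */
public class UrlAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    // Landing pages used by the question's controller; chosen here as constants
    static final String ADMIN_TARGET = "/employees";
    static final String DEFAULT_TARGET = "/";

    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication) throws IOException {
        String targetUrl = determineTargetUrl(authentication);
        if (response.isCommitted()) {
            // Nothing more can be sent on a committed response; just stop.
            return;
        }
        redirectStrategy.sendRedirect(request, response, targetUrl);
    }

    /** Picks the target URL from the roles actually granted to the principal. */
    protected String determineTargetUrl(Authentication authentication) {
        if (hasAuthority(authentication, "ROLE_ADMIN")) {
            return ADMIN_TARGET;
        }
        // Any other authenticated user is sent back to the public welcome page
        // (an assumption of this example; the question does not define this case).
        return DEFAULT_TARGET;
    }

    /** True when one of the granted authorities equals the given role name exactly. */
    static boolean hasAuthority(Authentication authentication, String role) {
        for (GrantedAuthority granted : authentication.getAuthorities()) {
            if (role.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

This handler is a drop-in for the bean declared as `UrlAuthenticationSuccessHandler` in the question's XML, provided the user entry reads `authorities="ROLE_ADMIN"` as the answer suggests. A quick check while debugging a denial like this one is to log `authentication.getAuthorities()` at the top of `determineTargetUrl`: if the printed authority is `hasRole('ROLE_ADMIN')` rather than `ROLE_ADMIN`, the configuration, not the handler, is what needs fixing.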
