Well, as it turns out, the compareTo method in my Role class (Role implements GrantedAuthority) was always returning 0. So each user had only one role (since they are stored in a Set).
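The collapse described in that answer, as an added example that is not the poster's code or Acegi's: it assumes the user's authorities are held in a TreeSet (a SortedSet deduplicates with compareTo, never with equals), replaces Acegi's GrantedAuthority with a minimal local interface, and uses hypothetical class and method names (BrokenRole, FixedRole, RoleSetDemo, authoritiesOf, hasAnyRole). The role names and the ConfigAttributes for /norm/index are taken from the thread's log line.

```java
import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;
import java.util.function.Function;

// Minimal stand-in for Acegi's GrantedAuthority so the sample runs without the library (assumption).
interface GrantedAuthority { String getAuthority(); }

// The shape described in the answer: compareTo always returns 0, so every role sorts as a duplicate.
final class BrokenRole implements GrantedAuthority, Comparable<BrokenRole> {
    private final String authority;
    BrokenRole(String authority) { this.authority = authority; }
    public String getAuthority() { return authority; }
    public int compareTo(BrokenRole other) { return 0; } // bug: all roles compare as equal
}
// Corrected role: order by authority name, with equals/hashCode kept consistent with compareTo.
final class FixedRole implements GrantedAuthority, Comparable<FixedRole> {
    private final String authority;
    FixedRole(String authority) { this.authority = Objects.requireNonNull(authority); }
    public String getAuthority() { return authority; }
    public int compareTo(FixedRole other) { return authority.compareTo(other.authority); }
    @Override public boolean equals(Object o) { return o instanceof FixedRole && authority.equals(((FixedRole) o).authority); }
    @Override public int hashCode() { return authority.hashCode(); }
}
public class RoleSetDemo {
    // Constructed sample: the roles loaded for one user, in insertion order.
    static final String[] LOADED = {"ROLE_OP_TECNICO", "ROLE_OP_FUNCIONAL", "ROLE_ADMIN", "ROLE_AN_PCN"};
    // ConfigAttributes the interceptor logged for /norm/index.
    static final String[] NORM_INDEX = {"ROLE_OP_FUNCIONAL", "ROLE_ADMIN"};
    // A TreeSet detects duplicates with compareTo, not equals; build one from the loaded role names.
    static <R extends Comparable<R>> Set<R> authoritiesOf(Function<String, R> role) {
        Set<R> set = new TreeSet<>();
        for (String r : LOADED) set.add(role.apply(r));
        return set;
    }
    // The decision the interceptor makes: grant if any config attribute is among the granted authorities.
    static boolean hasAnyRole(Set<? extends GrantedAuthority> granted, String... configAttributes) {
        for (GrantedAuthority g : granted)
            for (String required : configAttributes)
                if (g.getAuthority().equals(required)) return true;
        return false;
    }
    public static void main(String[] args) {
        Set<BrokenRole> broken = authoritiesOf(BrokenRole::new); // TreeSet keeps only the first role added
        Set<FixedRole> fixed = authoritiesOf(FixedRole::new);    // all four roles survive
        System.out.printf("broken: %d of %d roles, /norm/index allowed=%b%n", broken.size(), LOADED.length, hasAnyRole(broken, NORM_INDEX));
        System.out.printf("fixed:  %d of %d roles, /norm/index allowed=%b%n", fixed.size(), LOADED.length, hasAnyRole(fixed, NORM_INDEX));
    }
}
```

With the broken compareTo the set holds just ROLE_OP_TECNICO, which is exactly the single granted authority the log line shows, so the /norm/index check fails; with the corrected role all four survive and the same check passes.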
Hi everyone,
I'm having some strange behaviour in my application.
I've added a couple of fields to the User class (created by Acegi), so I can set an expired password, record the last N passwords, stuff like that. We have 9 roles, ROLE_ADMIN being the "superuser" that can access all the functionality.
After deploying the app, users started complaining that they can't use it. They are able to log in, but whenever they want to go somewhere, they get access denied, as if they didn't have the role.
This happens on every User, except for the administrator (who only has ROLE_ADMIN), including those with (ROLE_ADMIN + other roles).
I can't even think where to start.
I've checked and users are coming from the database with the roles attached.
Roles are checked in the SecurityConfig.groovy file. I'm afraid that the problem is elsewhere, since I have a tagged version of the project that actually works.
Here's my SecurityConfig.groovy:

    import com.mycompany.myapp.audit.Auditoria

    security {
        // see DefaultSecurityConfig.groovy for all settable/overridable properties
        active = true
        loginUserDomainClass = "com.mycompany.myapp.user.User"
        authorityDomainClass = "com.mycompany.myapp.user.Role"
        requestMapClass = "com.mycompany.myapp.user.Requestmap"
        useRequestMapDomainClass = false

        /** authenticationEntryPoint */
        loginFormUrl = '/login/auth'
        forceHttps = 'false'
        ajaxLoginFormUrl = '/login/authAjax'
        authenticationFailureUrl = '/login/authfail'
        afterLogoutUrl = '/login/auth'

        requestMapString = """\
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /=IS_AUTHENTICATED_REMEMBERED
    /login/auth=IS_AUTHENTICATED_ANONYMOUSLY
    /login/authajax=IS_AUTHENTICATED_ANONYMOUSLY
    /login/authfail=IS_AUTHENTICATED_ANONYMOUSLY
    /login/renew=IS_AUTHENTICATED_ANONYMOUSLY
    /js/**=IS_AUTHENTICATED_ANONYMOUSLY
    /css/**=IS_AUTHENTICATED_ANONYMOUSLY
    /images/**=IS_AUTHENTICATED_ANONYMOUSLY
    /plugins/**=IS_AUTHENTICATED_ANONYMOUSLY
    /scan/uploadfile=IS_AUTHENTICATED_ANONYMOUSLY
    /ticket/uploadfile=IS_AUTHENTICATED_ANONYMOUSLY
    /analisis/list =ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_OP_FUNCIONAL, ROLE_ADMIN
    /analisis/hazzards/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_OP_FUNCIONAL, ROLE_ADMIN
    /analisis/show/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_ADMIN
    /analisis/create/**=ROLE_SUP_TECNICO, ROLE_ADMIN
    /analisis/edit/**=ROLE_SUP_TECNICO,ROLE_ADMIN
    /hazzardsreport/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_OP_FUNCIONAL, ROLE_REPORTE_VULNERABILIDAD, ROLE_ADMIN
    /mistaken/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_ADMIN
    /hazzardtype/**=ROLE_SUP_TECNICO, ROLE_ADMIN
    /** MODULO NORMAS */
    /report/**=ROLE_OP_FUNCIONAL, ROLE_ADMIN
    /norm/**=ROLE_OP_FUNCIONAL, ROLE_ADMIN
    /** TICKETS */
    /ticket/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_ADMIN
    /alert/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_ADMIN
    /ticket/uploadfile=IS_AUTHENTICATED_ANONYMOUSLY
    /** RISKS */
    /project/**=ROLE_AN_RIESGOS, ROLE_ADMIN
    /riskreport/**=ROLE_AN_RIESGOS, ROLE_ADMIN, ROLE_REPORTE_RIESGO
    /** BUSINESS CONTINUITY*/
    /projectpcn/**=ROLE_AN_PCN, ROLE_ADMIN
    /businessuniteval/** = ROLE_AN_PCN, ROLE_ADMIN
    /subprocesseval/** = ROLE_AN_PCN, ROLE_ADMIN
    /failscenario/**=ROLE_AN_PCN, ROLE_ADMIN
    /strategy/**=ROLE_AN_PCN, ROLE_ADMIN
    /test/**=ROLE_AN_PCN, ROLE_ADMIN
    /reportepcn/**=ROLE_AN_PCN, ROLE_ADMIN, ROLE_REPORTE_PCN
    /process/**=ROLE_AN_PCN, ROLE_ADMIN
    /** ADMIN */
    /user/changeent=IS_AUTHENTICATED_REMEMBERED
    /user/finduser=IS_AUTHENTICATED_REMEMBERED
    /user/**=ROLE_ADMIN
    /role/**=ROLE_ADMIN
    /requestmap/**=ROLE_ADMIN
    /empresa/**=ROLE_ADMIN
    /asset/**=ROLE_ADMIN, ROLE_SUP_TECNICO, ROLE_OP_TECNICO
    /responsable/**=ROLE_ADMIN
    /preference/**=ROLE_ADMIN
    /businessunit/**=ROLE_ADMIN, ROLE_AN_PCN
    /**=IS_AUTHENTICATED_REMEMBERED
    """

        useSecurityEventListener = true
        onInteractiveAuthenticationSuccessEvent = { e, appCtx ->
            Auditoria.log(e.getSource().getPrincipal().getDomainClass(), "Usuario autenticado - " + e.getSource().getDetails().getRemoteAddress())
        }
    }
Hi, after updating my SecurityConfig.groovy, the error continues. However, I've retrieved this log line. I tried to access /norm/index with a user that has all 9 roles assigned to them.

    DEBUG 28/Dec/2010 00:12:57,110 [http-8080-3] Secure object: FilterInvocation: URL: /norm/index; ConfigAttributes: [ROLE_OP_FUNCIONAL,ROLE_ADMIN]
    org.springframework.security.intercept.AbstractSecurityInterceptor - Previously Authenticated: org.springframework.security.providers.UsernamePasswordAuthenticationToken@a00c7ad6: Principal: com.baufest.insside.security.UserLoginDetails@0:
    Username: someuser; Password:[PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_OP_TECNICO; Password: [PROTECTED]; Authenticated: true;
    Details: org.springframework.security.ui.WebAuthenticationDetails@0: Granted Authorities: ROLE_OP_TECNICO
    DEBUG 28/Dec/2010 00:12:57,110 [http-8080-3] org.springframework.security.ui.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler

From what I read here, it seems that my User is only getting 1 role, even though when I debug it, user.authorities has all 9 roles assigned to it.
Any thoughts will be appreciated. Thanks in advance.
EDIT --
From the documentation, the requestMapString should be of the form:

    requestMapString = '''CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /login/**=IS_AUTHENTICATED_ANONYMOUSLY
    /admin/**=ROLE_USER
    /book/test/**=IS_AUTHENTICATED_FULLY
    /book/**=ROLE_SUPERVISOR
    '''

A few notes:
1) You have extra newlines and comments in the request map string. The requestMapString is a multiline String (look at the '''one long string''' format), so the Acegi mechanisms are going to try and parse/use the comments.