I'm trying to set up database-backed user authentication with Spring Security 3, using the Spring-provided login form:
<%-- Spring Security 3 default form login: the filter mapped to /j_spring_security_check
     reads the j_username and j_password request parameters. The credentials are sent in
     clear text unless the page is served and posted over HTTPS. No CSRF token is included;
     on Spring Security 3.2+ with <csrf/> enabled add
     <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>. --%>
<form method="POST" action="<c:url value="/j_spring_security_check" />">
  <fieldset>
    <input type="text" name="j_username" placeholder="name" autofocus="autofocus" /><br/>
    <input type="password" name="j_password" placeholder="password" /><br/>
    <input type="submit" value="Login" />
  </fieldset>
</form>
According to the logs (written from my userService class, which implements Spring's UserDetailsService interface), this results in the user being fetched from the database and roles being assigned (I print UserDetails.toString() to the log to check).
When I request an application URL I am correctly sent to the login page. After logging in, however, I am redirected to my accessDenied page regardless of which URL I requested. Am I doing something wrong in my security configuration?
My security config follows:
(I removed the root element's schema/namespace declarations so I was allowed to post – they got picked up as URLs!)
<!-- Enables @PreAuthorize / @PostAuthorize (and @PreFilter / @PostFilter) on service methods. -->
<global-method-security pre-post-annotations="enabled"/>
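<!-- Spring Security 3 namespace configuration: form login backed by a database UserDetailsService.
     <intercept-url> rules are evaluated top to bottom and the first match wins, so the specific
     patterns must stay above the broad ones and the deny-by-default catch-all must stay last. -->
<http auto-config="true" create-session="ifRequired" use-expressions="true" access-denied-page="/accessDenied">
  <!-- NOTE(review): auto-config="true" also registers HTTP Basic authentication; drop it if only
       form login is wanted. access-denied-page is deprecated from 3.1 in favour of
       <access-denied-handler error-page="/accessDenied"/> - keep whichever your version supports. -->
  <logout invalidate-session="true" logout-success-url="/loggedOut" />
  <anonymous/>
  <form-login login-page="/login" authentication-failure-url="/login"/>
  <!-- NOTE(review): j_username / j_password travel in clear text unless HTTPS is enforced;
       in production add requires-channel="https" to the rules below (or terminate TLS in front). -->

  <intercept-url pattern="/reports/**" access="hasRole('ROLE_REPORTS')" />
  <intercept-url pattern="/" access="hasRole('ROLE_REPORTS')" />
  <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />

  <!-- REST data endpoints: reads for ROLE_REPORTS, writes for ROLE_ADMIN. Only GET, DELETE, POST and
       PUT are matched here; any other method (HEAD, OPTIONS, PATCH, TRACE) falls through to the
       catch-all at the bottom. -->
  <intercept-url pattern="/data/routes" method="GET" access="hasRole('ROLE_REPORTS')" />
  <intercept-url pattern="/data/routes" method="DELETE" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/data/routes" method="POST" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/data/routes" method="PUT" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/data/route/**" method="GET" access="hasRole('ROLE_REPORTS')" />
  <intercept-url pattern="/data/route/**" method="DELETE" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/data/route/**" method="POST" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/data/route/**" method="PUT" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/data/patrolsummaries" method="GET" access="hasRole('ROLE_REPORTS')" />
  <intercept-url pattern="/data/patrolsummaries" method="DELETE" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/data/patrolsummaries" method="POST" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/data/patrolsummaries" method="PUT" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/data/patrolsummary/**" method="GET" access="hasRole('ROLE_REPORTS')" />
  <intercept-url pattern="/data/patrolsummary/**" method="DELETE" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/data/patrolsummary/**" method="POST" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/data/patrolsummary/**" method="PUT" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/data/guards" method="GET" access="hasRole('ROLE_REPORTS')" />
  <intercept-url pattern="/data/guards" method="DELETE" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/data/guards" method="POST" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/data/guards" method="PUT" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/data/guard/**" method="GET" access="hasRole('ROLE_REPORTS')" />
  <intercept-url pattern="/data/guard/**" method="DELETE" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/data/guard/**" method="POST" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/data/guard/**" method="PUT" access="hasRole('ROLE_ADMIN')" />

  <!-- Static scripts: admin-only pages first, then report pages (this also covers
       /include/js/pages/all.js, which previously had its own identical rule), then the shared
       scripts. -->
  <intercept-url pattern="/include/js/pages/admin/**" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/include/js/pages/**" access="hasRole('ROLE_REPORTS')" />
  <!-- FIX: was hasRole('ROLE_ANONYMOUS'). That authority is granted only to the anonymous user, so
       every logged-in user was denied the shared scripts. permitAll admits anonymous and
       authenticated users alike. -->
  <intercept-url pattern="/include/js/**" access="permitAll" />

  <!-- filters="none" bypasses the entire security filter chain for these public resources (no
       SecurityContext, no session handling on those requests). From 3.1 the preferred form is a
       separate <http pattern="/public/**" security="none"/>. -->
  <intercept-url pattern="/public/**" filters="none"/>
  <intercept-url pattern="/login" filters="none"/>
  <intercept-url pattern="/loggedOut" filters="none"/>
  <intercept-url pattern="/include/css/**" filters="none"/>
  <intercept-url pattern="/include/img/**" filters="none"/>
  <intercept-url pattern="/include/**" access="hasRole('ROLE_REPORTS')" />

  <!-- FIX: deny by default. Without a catch-all, any URL not listed above (a new controller mapping,
       a non-GET/POST/PUT/DELETE method on /data/**) was served to everyone, anonymous users included.
       Tighten to denyAll if every reachable URL is meant to be listed explicitly. -->
  <intercept-url pattern="/**" access="isAuthenticated()" />
</http>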
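<beans:import resource="hibernate-context.xml" />

<!-- NOTE(review): if UserServiceImpl also carries a stereotype annotation (@Service/@Component),
     the component scan and the explicit bean definition below create two instances; keep one. -->
<context:component-scan base-package="uk.co.romar.guardian.services" />
<beans:bean id="userService" class="uk.co.romar.guardian.services.UserServiceImpl" />

<!-- ShaPasswordEncoder hashes with SHA-1 by default (strength 1) and adds no salt of its own.
     On Spring Security 3.1+ prefer org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
     (or <password-encoder hash="bcrypt"/>), which generates a random salt per password. -->
<beans:bean id="pwdEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />

<authentication-manager alias="authenticationManager">
  <authentication-provider user-service-ref="userService">
    <!-- FIX: pwdEncoder was declared but never referenced, so the provider compared the submitted
         password with the stored value in plain text. With the encoder wired in, the password column
         must hold SHA-1(password + salt) produced by this same encoder and salt (here the username),
         otherwise every login fails after this change. -->
    <password-encoder ref="pwdEncoder">
      <salt-source user-property="username"/>
    </password-encoder>
  </authentication-provider>
</authentication-manager>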
</beans:beans>
Thanks all for the input.
The problem was in my own code, where I copy the roles/authorities from the Hibernate entity onto the UserDetails object returned by my loadUserByUsername implementation.
Spring Security was behaving correctly: because of that mistake the UserDetails object carried the wrong authorities, so every hasRole() check failed and I was sent to the access-denied page.
The Spring configuration itself was not the cause of this symptom.