spring security roles issue

Hi

I would like some help with this code because is not working at it should be.
I want to work with two different users (admin and user)

This is my security xml

<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <http auto-config="true" use-expressions="true" access-denied-page="/jsp/static/deniedpage.jsp"> <intercept-url pattern="/login" access="permitAll" /> <intercept-url pattern="/jsp/static/**" access="isAuthenticated()" /> <intercept-url pattern="/jsp/users/**" access="hasRole('ROLE_USER')" /> <intercept-url pattern="/jsp/admin/**" access="hasRole('ROLE_ADMIN')" /> <logout invalidate-session="true" logout-success-url="/login" logout-url="/logout" /> <form-login login-page="/login" default-target-url="/index" authentication-failure-url="/login?error=true" /> </http> <authentication-manager alias="authenticationManager"> <authentication-provider> <jdbc-user-service data-source-ref="dataSource" users-by-username-query="select username,password, enabled from Users where USERNAME=?" authorities-by-username-query="select u.username, ur.authority from USERS u, USER_ROLES ur where u.user_id= ur.user_id and u.username=?" /> </authentication-provider> </authentication-manager> <global-method-security secured-annotations="enabled" /> </beans:beans>

and this is my controller

public class LoginController { private Users currentUser = null; @RequestMapping(value = "/index", method = RequestMethod.GET) public String accessUserPage(Model model) { model.addAttribute("message", "This page is publicly accessible. No authentication is required to view."); return "/users/menu"; } @RequestMapping("/admin/menuAdmin") public String accessSecuredPage(Model model) { model.addAttribute("message", "Only you are authenticated and authorized to view this page."); return "/admin/menuAdmin"; } @RequestMapping(value = "/login", method = RequestMethod.GET) public String login(ModelMap model) { return "login"; } @RequestMapping(value = "/loginfailed", method = RequestMethod.GET) public String loginerror(ModelMap model) { model.addAttribute("error", "true"); return "login"; } @RequestMapping(value = "/logout", method = RequestMethod.GET) public String logout(ModelMap model) { return "login"; } public Users getCurrentUser() { if (currentUser == null) { currentUser = new Users(); currentUser.setUsername(SecurityContextHolder.getContext() .getAuthentication().getName()); @SuppressWarnings("unchecked") List<GrantedAuthority> gaList = (List<GrantedAuthority>) SecurityContextHolder .getContext().getAuthentication().getAuthorities(); for (GrantedAuthority ga : gaList) { currentUser.getUserRoleses().add( new UserRoles(null, ga.getAuthority(), currentUser)); } } return currentUser; } }

I have two users in my database, one admin and one user
When i use my login form, the boths go to the same page and it shouldn't be like this because i have

<intercept-url pattern="/jsp/static/**" access="isAuthenticated()" />
<intercept-url pattern="/jsp/users/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/jsp/admin/**" access="hasRole('ROLE_ADMIN')" />

my web.xml is this one

<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0"> <display-name>GesTaxi</display-name> <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list> <context-param> <param-name>log4jConfigLocation</param-name> <param-value>classpath:log4j.xml</param-value> </context-param> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/spring-servlet.xml /WEB-INF/security-context.xml </param-value> </context-param> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <listener> <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class> </listener> <!-- Definicao de um filtro que ativa segurança Spring Security --> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <servlet> <servlet-name>spring</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>spring</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> </web-app>

What's wrong with this ?

Thanks for any help.

When i use my login form, the boths go to the same page and it shouldn't be like this because i have

<intercept-url pattern="/jsp/static/**" access="isAuthenticated()" />
<intercept-url pattern="/jsp/users/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/jsp/admin/**" access="hasRole('ROLE_ADMIN')" />

Where did you expect it to go? Nothing in your code specifies an initial landing page. Those intercept URL's are for defining the privileges required to view those URL's. If a user tries to access one of the admin pages for example Spring Security will prevent this and return a 403.

This line

<form-login login-page="/login" default-target-url="/index" authentication-failure-url="/login?error=true" />

says the that once logged in (regardless of role) send the user to /index.

Now you could create a custom AuthenticationSuccessHandler, but a solution less coupled with security would be to change that default target url to something and have a controller make the determination of where they go:

<form-login login-page="/login" default-target-url="/landing-page" authentication-failure-url="/login?error=true" />

@Controller public class LandingtController { @RequestMapping("/landing-page") public String redirecttAfterLogin(HttpServletRequest request) { if (request.isUserInRole("ROLE_ADMIN")) { return "redirect:/admin/admin-page"; } return "redirect:/user/user-page"; } }

You can do this because Spring Security will put the authenticated role onto the HttpServletRequest.

Hi Bill

Thank you for your answer and explanation too.
I just did what you mention but now i have a http 404 when i run the web apllication

WARN : org.springframework.web.servlet.PageNotFound - No mapping found for HTTP request with URI [/GesTaxi/login] in DispatcherServlet with name 'spring'

I didn't change anything unless what you mention.

<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <http auto-config="true" use-expressions="true" access-denied-page="/jsp/static/deniedpage.jsp"> <intercept-url pattern="/login" access="permitAll" /> <intercept-url pattern="/jsp/static/**" access="isAuthenticated()" /> <intercept-url pattern="/jsp/users/**" access="hasRole('ROLE_USER')" /> <intercept-url pattern="/jsp/admin/**" access="hasRole('ROLE_ADMIN')" /> <logout invalidate-session="true" logout-success-url="/login" logout-url="/logout"/> <form-login login-page="/login" default-target-url="/landing-page" authentication-failure-url="/login?error=true" /> </http> <authentication-manager> <authentication-provider> <jdbc-user-service data-source-ref="dataSource" users-by-username-query="select username,password, enabled from Users where USERNAME=?" authorities-by-username-query="select u.username, ur.authority from USERS u, USER_ROLES ur where u.user_id= ur.user_id and u.username=?" /> </authentication-provider> </authentication-manager> <global-method-security secured-annotations="enabled" /> </beans:beans>

Controller

@Controller public class LoginController { @RequestMapping("/landing-page") public String redirecttAfterLogin(HttpServletRequest request) { if (request.isUserInRole("ROLE_ADMIN")) { return "redirect:/admin/menuAdmin"; } return "redirect:/users/menu"; } }

My login page is under WEB-INF/jsp/login.jsp

My web.xml

<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0"> <display-name>GesTaxi</display-name> <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list> <context-param> <param-name>log4jConfigLocation</param-name> <param-value>classpath:log4j.xml</param-value> </context-param> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/spring-servlet.xml /WEB-INF/security-context.xml </param-value> </context-param> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <listener> <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class> </listener> <!-- Definicao de um filtro que ativa segurança Spring Security --> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <servlet> <servlet-name>spring</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>spring</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> </web-app>

What's wrong now?? What do i miss??

Thanks

I assume you have another config somewhere for you mvc stuff make sure you have a simple controller to map the login page to the view.

<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd"> <mvc:annotation-driven/> <mvc:view-controller path="/login" view-name="/login"/> <!-- Resolves view names to protected .jsp resources within the /WEB-INF directory --> <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"> <property name="prefix" value="/WEB-INF/jsp/"/> <property name="suffix" value=".jsp"/> </bean> </beans>

Hi Bill

Sorry to disturb you again, but still have the same message

Let me give you all my config files

spring-context
<context:annotation-config /> <context:component-scan base-package="gmc.gestaxi.*" /> <!-- To prevent browser's back button on displaying secured resource after logout --> <bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter"> <property name="cacheSeconds" value="0" /> </bean> <bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer" p:location="/WEB-INF/jdbc.properties" /> <bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource"> <property name="basename" value="classpath:messages" /> <property name="defaultEncoding" value="UTF-8" /> </bean> <bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor"> <property name="paramName" value="lang" /> </bean> <bean id="localeResolver" class="org.springframework.web.servlet.i18n.CookieLocaleResolver"> <property name="defaultLocale" value="pt" /> </bean> <bean id="handlerMapping" class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping"> <property name="interceptors"> <ref bean="localeChangeInterceptor" /> </property> </bean> <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close" p:driverClassName="${jdbc.driverClassName}" p:url="${jdbc.databaseurl}" p:username="${jdbc.username}" p:password="${jdbc.password}" /> <bean id="sessionFactory" class="org.springframework.orm.hibernate3.LocalSessionFactoryBean"> <property name="dataSource" ref="dataSource" /> <property name="configLocation"> <value>classpath:hibernate.cfg.xml</value> </property> <property name="configurationClass"> <value>org.hibernate.cfg.AnnotationConfiguration</value> </property> <property name="hibernateProperties"> <props> <prop key="hibernate.dialect">${jdbc.dialect}</prop> <prop key="hibernate.show_sql">true</prop> </props> </property> </bean> <bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver"> <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" /> <property name="prefix" value="/WEB-INF/jsp/" /> <property name="suffix" value=".jsp" /> </bean> <bean id="transactionManager" class="org.springframework.orm.hibernate3.HibernateTransactionManager"> <property name="sessionFactory" ref="sessionFactory" /> </bean> <mvc:annotation-driven /> [b]<mvc:view-controller path="/login" view-name="/login"/> [/b][color=red] [/color]//What you ask to put <tx:annotation-driven /> </beans>

my security
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <http auto-config="false" use-expressions="true" access-denied-page="/jsp/static/deniedpage.jsp"> <intercept-url pattern="/login" access="permitAll" /> <intercept-url pattern="/jsp/static/**" access="isAuthenticated()" /> <intercept-url pattern="/jsp/users/**" access="hasRole('ROLE_USER')" /> <intercept-url pattern="/jsp/admin/**" access="hasRole('ROLE_ADMIN')" /> <logout invalidate-session="true" logout-success-url="/login" logout-url="/logout"/> <form-login login-page="/login" default-target-url="/landing-page" authentication-failure-url="/login?error=true" /> </http> <authentication-manager> <authentication-provider> <jdbc-user-service data-source-ref="dataSource" users-by-username-query="select username,password, enabled from Users where USERNAME=?" authorities-by-username-query="select u.username, ur.authority from USERS u, USER_ROLES ur where u.user_id= ur.user_id and u.username=?" /> </authentication-provider> </authentication-manager> <global-method-security secured-annotations="enabled" /> </beans:beans>

My web.xml
<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0"> <display-name>GesTaxi</display-name> <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list> <context-param> <param-name>log4jConfigLocation</param-name> <param-value>classpath:log4j.xml</param-value> </context-param> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/spring-servlet.xml /WEB-INF/security-context.xml </param-value> </context-param> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <listener> <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class> </listener> <!-- Definicao de um filtro que ativa segurança Spring Security --> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <servlet> <servlet-name>spring</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>spring</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> </web-app>

And the image with all my folders


I'm sure is something really stupid from me but i can't figure out why..

Hi

I have a little info update, with this url: http://localhost:8085/GesTaxi/

i get

WARN : org.springframework.web.servlet.PageNotFound - No mapping found for HTTP request with URI [/GesTaxi/] in DispatcherServlet with name 'spring'

With this url
http://localhost:8085/GesTaxi/login

I have my login, but i put my credentials

i have for both admin and user)

WARN : org.springframework.web.servlet.PageNotFound - No mapping found for HTTP request with URI [/GesTaxi/jsp/admin/menuAdmin] in DispatcherServlet with name 'spring'
WARN : org.springframework.web.servlet.PageNotFound - No mapping found for HTTP request with URI [/GesTaxi/users/menu] in DispatcherServlet with name 'spring'


So my problems are:
Entry page must be trought
http://localhost:8085/GesTaxi/login

and the mappong of those files

Sorry Xil I got busy with some stuff there.

I have a couple suggestions for you.

First of all your Warning is telling you there are no mappings for that URL pattern. I am going to assume you have some classes annotated with @Controller that have mappings for this. You need to register those. Typically you would do this by adding a component scanner in your servlet xml

<context:component-scan base-package="org.example.controller"/>

You would change that base package to the package that has all of your controllers in it. This will allow Spring to pick up those classes and register them and their request mappings as Spring beans.


My next suggestion is use the latest Spring. Assuming you are doing that you should not use PropertyPlaceholderConfigurer but rather PropertySourcesPlaceholderConfigurer. You should also not use DefaultAnnotationHandlerMapping. This was replaced with the much more flexible RequestMappingHandlerMapping. You would register your interceptors in xml by using the mvc:interceptors tag
<mvc:interceptors> <bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor" /> </mvc:interceptors>


Similarly the AnnotationHandlerAdapter has been replaced with the RequestMappingHandlerAdapter. For now I would remove that as well.

Also note that the Spring is is moving to the component model. That means you can do this configuration in Java rather than XML. If you are more comfortable with XML right now that is fine but if you are just getting started it might behoove you to learn the component model first. In this case you would define your beans in a class with an @Configuration annotation.