@Secured throws AccessDeniedException although roles are correct

StackOverflow https://stackoverflow.com/questions/1443632

Question

After solving all authentication related problems in my first Spring web application I'm now stuck with authorization.

Configuration using @Secured annotations is pretty straight-forward so I don't think I made a mistake here. Additionally I'm using an Active Directory using the LDAP authentication provider and assign roles by AD groups, so isn't a problem either.

So here's a brief summary of my problem:

  • Unsecured actions work
  • Actions using @Secured("IS_AUTHENTICATED_FULLY") work
  • Actions using something like @Secured("GROUP_*") don't work

When calling a secured action a org.springframework.security.AccessDeniedException is thrown. Here's an excerpt from the logs:

DEBUG: org.springframework.security.intercept.AbstractSecurityInterceptor - Secure object: ReflectiveMethodInvocation: public org.springframework.web.servlet.ModelAndView de.dillinger.resources.controllers.HostsController.index(); target is of class [de.dillinger.resources.controllers.HostsController]; ConfigAttributes: [GROUP_IT]
DEBUG: org.springframework.security.intercept.AbstractSecurityInterceptor - Previously Authenticated: org.springframework.security.providers.UsernamePasswordAuthenticationToken@2a5333d9: Principal: org.springframework.security.userdetails.ldap.Person@1422384: Username: di32001; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: GROUP_ITS, GROUP_ITS-IT, GROUP_INTERNET, GROUP_SYSTEMGRUPPE, GROUP_IT; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 773943FFB14E512872BB6CE25F46C00A; Granted Authorities: GROUP_ITS, GROUP_ITS-IT, GROUP_INTERNET, GROUP_SYSTEMGRUPPE, GROUP_IT

As you can see the action requires the GROUP_IT role and my user object has this privilege. I really don't know what's causing this problem.

Was it helpful?

Solution

Are you using org.springframework.security.access.vote.UnanimousBased role voter? Try changing it to org.springframework.security.access.vote.AffirmativeBased.
This kind of problems are related to role voter configuration.

Edit 1(example added):

<security:global-method-security 
    secured-annotations="enabled"  
    access-decision-manager-ref="accessDecisionManager"
/>
<bean 
    id="accessDecisionManager" 
    class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions" value="false" />
    <property name="decisionVoters">
        <list>
            <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter" />
        </list>
    </property>
 </bean>
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top