P
P
P_Alexander2018-06-29 14:45:13
Java
P_Alexander, 2018-06-29 14:45:13

Spring security - forbidden how to solve?

After authorization of the user I receive forbidden why?
After authorization, the user is sent to the / home page for this page, two roles are specified ADMIN AND USER
In UserDetailsServiceImpl, I get the user with the USER role from the database, I know this for sure, so why do I grab access denied?
spin security file

<http security="none" pattern="/resources/**"/>

    <http auto-config="true"
          disable-url-rewriting="true"
          use-expressions="true">
        <intercept-url pattern="/" access="permitAll()"/>
        <intercept-url pattern="/main" access="permitAll()"/>
        <intercept-url pattern="/about" access="permitAll()"/>
        <intercept-url pattern="/registration" access="permitAll()"/>
        <intercept-url pattern="/authorization" access="permitAll()"/>
        <intercept-url pattern="/home" access="hasAnyRole('ADMIN', 'USER')"/>
        <intercept-url pattern="/admin" access="hasRole('ADMIN')"/>

        <form-login login-page="/authorization" login-processing-url="/authorization" default-target-url="/home"
                    authentication-failure-url="/registration"
                    username-parameter="username" password-parameter="password"/>
        <csrf/>

        <anonymous username="guest" granted-authority="ANONYMOUS"/>
        <access-denied-handler error-page="/accessDenied"/>
        <logout logout-success-url="/authorization?logout"/>
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userDetailsServiceImpl">
            <password-encoder ref="encoder"></password-encoder>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="userDetailsServiceImpl" class="com.service.security.UserDetailsServiceImpl"></beans:bean>

    <beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <beans:constructor-arg name="strength" value="11"/>
    </beans:bean>

Class UserDetailsServiceImpl
public class UserDetailsServiceImpl implements UserDetailsService {

    private static final Logger logger = LogManager.getLogger(UserDetailsServiceImpl.class);

    @Autowired
    private UserDAO userDAO;

    @Override
    @Transactional(readOnly = true)
    public UserDetails loadUserByUsername(String userLogin) throws UsernameNotFoundException {
        logger.debug("it is loadUserByUsername method " + userLogin);
        User user = userDAO.findByLogin(userLogin);

        logger.debug("it is password " + user.getPassword());

        Set<GrantedAuthority> grantedAuthorities = new HashSet<>();
        grantedAuthorities.add(new SimpleGrantedAuthority(user.getRole().getNameRole()));
        for(GrantedAuthority grantedAuthority : grantedAuthorities){
            logger.debug("grant user " + grantedAuthority);
        }

        return new org.springframework.security.core.userdetails.User(user.getLogin(),
                                                                    user.getPassword(),
                                                                    grantedAuthorities);
    }
}

controller
@RequestMapping(value = "/authorization" ,method = RequestMethod.GET)
    public String authorization(Model model, String error, String logout){
        if (error != null){
            model.addAttribute("error", "Your username and password is invalid.");
        }

        if (logout != null)
            model.addAttribute("message", "You have been logged out successfully.");
        logger.debug("authorization GET");
        return "authorization";
    }

authorization page
<div layout:fragment="content">

        <div th:if="${param.success}">
            <div class="alert alert-info">
                You've successfully registered to our awesome app!
            </div>
        </div>
        <div th:if="${param.logout}">
            <div class="alert alert-info">
                You have been logged out.
            </div>
        </div>
        <form name="f" th:action="@{/authorization}" method="post">
            <div th:if="${param.error}">
                <div class="alert alert-danger">
                    Invalid login or password.
                </div>
            </div>
            <!--th:classappend="${error != null}? 'has-error':''"-->
            <div class="row">
                <div class="col">
                    <span th:text="${masage}"></span>
                    <label for="username">Login</label>
                    <input type="text" name="username" id="username" class="form-control" placeholder="Login" autofocus="autofocus">
                </div>
                <div class="col">
                    <label for="password">Password</label>
                    <span th:text="${error}"></span>
                    <input type="password" name="password" id="password" class="form-control" placeholder="Password">
                    <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
                    <!--<p th:text="${_csrf.parameterName} + ${_csrf.token}"></p>-->
                    <!--<p th:text="${_csrf.token}"></p>-->
                </div>
            </div>
            <div>
                <div class="form-group">
                    <div class="row">
                        <div class="col-sm-6 col-sm-offset-3">
                            <input type="submit"
                                   name="login-submit"
                                   id="login-submit"
                                   class="form-control btn btn-info"
                                   value="Log In"/>
                        </div>
                    </div>
                </div>
                <span>Already registered?<a href="/" th:href="@{/authorization}">Forget your password or login?</a></span>
            </div>
        </form>
    </div>

Answer the question

In order to leave comments, you need to log in

1 answer(s)
P
P_Alexander, 2018-06-29
@P_Alexander

I'm a bitch from this spring just fucking, the documentation says, yes, I myself saw the implementation of the hasRole method THAT THE ROLE_ PREFIX IS ADDED BY DEFAULT, but in fact, fuck !!!!! I killed two days this one so far from hopelessness, I decided to add the ROLE_ prefix to the main role myself. and everything was decided. FUH!

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question