
I modified my security.xml this way:

<?xml version="1.0" encoding="UTF-8"?>
<bean:beans xmlns:bean="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http pattern="/resources/**" security="none"/>
    <http use-expressions="true" entry-point-ref="casEntryPoint">
        <intercept-url pattern="/"
                access="permitAll"/>
        <intercept-url pattern="/login/*"
                access="permitAll"/>
        <intercept-url pattern="/logout"
                access="permitAll"/>
        <intercept-url pattern="/errors/**"
                access="permitAll"/>
        <intercept-url pattern="/events/new"
                       access="hasRole('ROLE_PERMISSIONS_CREATE_EVENTS')"/>
        <intercept-url pattern="/admin/**"
                access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/**"
                access="hasRole('ROLE_USER')"/>
        <access-denied-handler error-page="/errors/403"/>

        <custom-filter ref="casFilter" position="CAS_FILTER"/>

        <logout logout-url="/logout"
                logout-success-url="/login/form?logout"/>
    </http>

    <global-method-security pre-post-annotations="enabled"/>


    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="casAuthProvider" />
    </authentication-manager>
</bean:beans>

When a user with the role ROLE_PERMISSIONS_CREATE_EVENTS tries to access /events/new,

Spring Security denies the access:

2013-11-06 12:33:32,850 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/events/form'; against '/resources/**'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@e4412558: Authentication: org.springframework.security.cas.authentication.CasAuthenticationToken@e4412558: Principal: org.springframework.security.core.userdetails.User@7796388a: Username: ifridman; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc: RemoteIpAddress: 192.168.108.195; SessionId: null; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS Assertion: org.jasig.cas.client.validation.AssertionImpl@c6ba147 Credentials (Service/Proxy Ticket): ST-23-SqDujXNnf1vNPEc9bRqO-cas'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 3 of 9 in additional filter chain; firing Filter: 'CasAuthenticationFilter'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - serviceTicketRequest = false
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - proxyReceptorConfigured = false
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - proxyReceptorRequest = false
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - proxyTicketRequest = false
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - requiresAuthentication = false
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 6 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.cas.authentication.CasAuthenticationToken@e4412558: Principal: org.springframework.security.core.userdetails.User@7796388a: Username: ifridman; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc: RemoteIpAddress: 192.168.108.195; SessionId: null; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS Assertion: org.jasig.cas.client.validation.AssertionImpl@c6ba147 Credentials (Service/Proxy Ticket): ST-23-SqDujXNnf1vNPEc9bRqO-cas'
2013-11-06 12:33:32,851 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 7 of 9 in additional filter chain; firing Filter: 'SessionManagementFilter'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.FilterChainProxy - /events/form at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/events/form'; against '/'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/events/form'; against '/login/*'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/events/form'; against '/logout'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/events/form'; against '/errors/**'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/events/form'; against '/events/new'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/events/form'; against '/admin/**'
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /events/form; Attributes: [hasRole('ROLE_USER')]
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.cas.authentication.CasAuthenticationToken@e4412558: Principal: org.springframework.security.core.userdetails.User@7796388a: Username: ifridman; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc: RemoteIpAddress: 192.168.108.195; SessionId: null; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS Assertion: org.jasig.cas.client.validation.AssertionImpl@c6ba147 Credentials (Service/Proxy Ticket): ST-23-SqDujXNnf1vNPEc9bRqO-cas
2013-11-06 12:33:32,852 [http-apr-8080-exec-7] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@33439c61, returned: -1
2013-11-06 12:33:32,853 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
...
2013-11-06 12:33:32,859 [http-apr-8080-exec-7] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2013-11-06 12:33:33,018 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/favicon.ico'; against '/resources/**'
2013-11-06 12:33:33,018 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2013-11-06 12:33:33,018 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@e4412558: Authentication: org.springframework.security.cas.authentication.CasAuthenticationToken@e4412558: Principal: org.springframework.security.core.userdetails.User@7796388a: Username: ifridman; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc: RemoteIpAddress: 192.168.108.195; SessionId: null; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS Assertion: org.jasig.cas.client.validation.AssertionImpl@c6ba147 Credentials (Service/Proxy Ticket): ST-23-SqDujXNnf1vNPEc9bRqO-cas'
2013-11-06 12:33:33,018 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
2013-11-06 12:33:33,018 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 3 of 9 in additional filter chain; firing Filter: 'CasAuthenticationFilter'
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - serviceTicketRequest = false
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - proxyReceptorConfigured = false
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - proxyReceptorRequest = false
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - proxyTicketRequest = false
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - requiresAuthentication = false
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 6 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.cas.authentication.CasAuthenticationToken@e4412558: Principal: org.springframework.security.core.userdetails.User@7796388a: Username: ifridman; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc: RemoteIpAddress: 192.168.108.195; SessionId: null; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS Assertion: org.jasig.cas.client.validation.AssertionImpl@c6ba147 Credentials (Service/Proxy Ticket): ST-23-SqDujXNnf1vNPEc9bRqO-cas'
2013-11-06 12:33:33,019 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 7 of 9 in additional filter chain; firing Filter: 'SessionManagementFilter'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /favicon.ico at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/favicon.ico'; against '/'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/favicon.ico'; against '/login/*'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/favicon.ico'; against '/logout'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/favicon.ico'; against '/errors/**'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/favicon.ico'; against '/events/new'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/favicon.ico'; against '/admin/**'
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /favicon.ico; Attributes: [hasRole('ROLE_USER')]
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.cas.authentication.CasAuthenticationToken@e4412558: Principal: org.springframework.security.core.userdetails.User@7796388a: Username: ifridman; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc: RemoteIpAddress: 192.168.108.195; SessionId: null; Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS Assertion: org.jasig.cas.client.validation.AssertionImpl@c6ba147 Credentials (Service/Proxy Ticket): ST-23-SqDujXNnf1vNPEc9bRqO-cas
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@33439c61, returned: -1
2013-11-06 12:33:33,021 [http-apr-8080-exec-8] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
...

Any idea? Thanks, ray.


1 Answer


The log shows that your user only has ROLE_PERMISSIONS_ALL_EVENTS:

... Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS Assertion: ...

As for the AccessDeniedException, it shows that you are requesting two URLs:

Secure object: FilterInvocation: URL: /events/form; Attributes: [hasRole('ROLE_USER')]
...
Secure object: FilterInvocation: URL: /favicon.ico; Attributes: [hasRole('ROLE_USER')]

So several things are wrong:

  • The user has the role ROLE_PERMISSIONS_ALL_EVENTS, not ROLE_PERMISSIONS_CREATE_EVENTS
  • The first URL is /events/form, not /events/new, which means the URL matched /** and requires ROLE_USER, which your user does not have
  • The second URL is /favicon.ico, which also matched /** and requires ROLE_USER, which your user does not have

answered 2013-11-06T14:32:18.647
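The point the answer makes is that Spring Security walks the `<intercept-url>` list top to bottom and enforces the first pattern that matches, so a request that does not hit `/events/new` exactly falls through to `/**` and is judged against `hasRole('ROLE_USER')`. The following Python model is an added example, not code from the question, the answer, or Spring Security itself: it replays the rule order from the `security.xml` above with an approximation of Spring's `AntPathMatcher` semantics, and it triages the denial by reading the `Granted Authorities` and `Secure object` fields out of trimmed copies of the DEBUG lines quoted in the question. The rule table is copied from the question; `ant_to_regex`, `decide`, `triage_denial` and the two log regexes are assumptions made for this illustration, and the sample log lines are constructed excerpts.

```python
import re

# Rules copied from the security.xml in the question, in declared order.
# Spring Security uses the FIRST <intercept-url> whose pattern matches,
# so the order of this list is what decides the outcome.
INTERCEPT_URLS = [
    ("/", "permitAll"),
    ("/login/*", "permitAll"),
    ("/logout", "permitAll"),
    ("/errors/**", "permitAll"),
    ("/events/new", "hasRole('ROLE_PERMISSIONS_CREATE_EVENTS')"),
    ("/admin/**", "hasRole('ROLE_ADMIN')"),
    ("/**", "hasRole('ROLE_USER')"),
]


def ant_to_regex(pattern):
    """Approximation (assumption) of AntPathMatcher: '**' spans any number of
    path segments, '*' and '?' stay inside one segment, and a trailing '/**'
    also matches the bare prefix (so '/errors/**' matches '/errors')."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out += "(/.*)?"
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def first_matching_rule(url):
    """Return (pattern, access) of the first intercept-url matching the URL."""
    for pattern, access in INTERCEPT_URLS:
        if ant_to_regex(pattern).match(url):
            return pattern, access
    return None


def decide(url, authorities):
    """Return (matched_pattern, granted) for the permitAll / hasRole('...')
    expressions used in the question, the way WebExpressionVoter would vote."""
    rule = first_matching_rule(url)
    if rule is None:
        return None, True  # no intercept-url matched, nothing is enforced
    pattern, access = rule
    if access == "permitAll":
        return pattern, True
    role = re.fullmatch(r"hasRole\('([^']+)'\)", access).group(1)
    return pattern, role in set(authorities)


# Field extractors for the two DEBUG line shapes quoted in the question
# (regexes are assumptions about the toString() format seen in that log).
AUTHORITIES_RE = re.compile(r"Granted Authorities: ([A-Z0-9_]+(?:, [A-Z0-9_]+)*);")
SECURE_OBJECT_RE = re.compile(
    r"Secure object: FilterInvocation: URL: (\S+); Attributes: \[(.*)\]")


def triage_denial(log_lines):
    """For every intercepted URL in the log, report which rule it fell under,
    what that rule demanded, and which authorities the principal really held."""
    authorities, findings = set(), []
    for line in log_lines:
        m = AUTHORITIES_RE.search(line)
        if m:
            authorities = set(m.group(1).split(", "))
        m = SECURE_OBJECT_RE.search(line)
        if m:
            url, attrs = m.group(1), m.group(2)
            pattern, granted = decide(url, authorities)
            findings.append({"url": url, "pattern": pattern, "required": attrs,
                             "held": sorted(authorities), "granted": granted})
    return findings


# Constructed excerpts: the question's DEBUG lines trimmed to the fields read above.
SAMPLE_LOG = [
    "DEBUG ...HttpSessionSecurityContextRepository - Obtained a valid SecurityContext "
    "from SPRING_SECURITY_CONTEXT: '... Username: ifridman; Password: [PROTECTED]; "
    "Granted Authorities: ROLE_PERMISSIONS_ALL_EVENTS; Credentials: [PROTECTED]; ...'",
    "DEBUG ...FilterSecurityInterceptor - Secure object: FilterInvocation: "
    "URL: /events/form; Attributes: [hasRole('ROLE_USER')]",
    "DEBUG ...FilterSecurityInterceptor - Secure object: FilterInvocation: "
    "URL: /favicon.ico; Attributes: [hasRole('ROLE_USER')]",
]

if __name__ == "__main__":
    for finding in triage_denial(SAMPLE_LOG):
        print(finding)
    print(decide("/events/new", {"ROLE_PERMISSIONS_CREATE_EVENTS"}))
```

Running it reproduces the answer's diagnosis: both `/events/form` and `/favicon.ico` fall through to `/**`, which demands `ROLE_USER`, while the principal only holds `ROLE_PERMISSIONS_ALL_EVENTS`; the same user would also be refused at `/events/new`, because that rule wants `ROLE_PERMISSIONS_CREATE_EVENTS`. The practical lesson is that a catch-all `/**` rule at the end is a sound default-deny, but every URL a role is meant to reach (form pages, static assets such as the favicon) needs its own rule above it, and the `Secure object` and `Granted Authorities` fields in the DEBUG log are the two facts to read first when a denial looks wrong.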