-1

I am not able to make Spring Security work. I tested my application with security:user-service and it works perfectly well. However when I replace the

<security:user-service>
    <security:user name="XX" password="XX" authorities="ROLE_EDITOR" />                
</security:user-service>

with

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider>
        <security:jdbc-user-service data-source-ref="dataSource" 
            users-by-username-query="SELECT name as username, password, 1 as enabled FROM cuser WHERE name=?;"
            authorities-by-username-query="SELECT u.name as username, r.name as authority FROM cuser u join cuserrole ur on ur.iduser=u.id join crole r on r.id=ur.idrole where u.name=?;" />
    </security:authentication-provider>
</security:authentication-manager>

I can no longer make it work. I keep getting a 403 response from the server. I ran the queries on my db and they return the expected values.

I am not able to make the logging work either, so I am finding it hard to debug what is really happening behind the scenes. I did read similar problems on SO:

How do I enable logging for Spring Security?

Debugging Spring configuration

I tried the solutions but the logging still doesn't work. If someone has any idea, your help would be appreciated.

user2745862

2 Answers

0

Can't believe it..

Spring requires the ROLE_ prefix for security to work. Because of this I was getting 403.

user2745862
0

Class RoleVoter has a setter for property rolePrefix

public class RoleVoter implements AccessDecisionVoter<Object> {
    // ~ Instance fields
    // ================================================================================================

    private String rolePrefix = "ROLE_";

    // ~ Methods
    // ========================================================================================================

    public String getRolePrefix() {
        return rolePrefix;
    }

    /**
     * Allows the default role prefix of <code>ROLE_</code> to be overridden. May be set
     * to an empty value, although this is usually not desirable.
     *
     * @param rolePrefix the new prefix
     */
    public void setRolePrefix(String rolePrefix) {
        this.rolePrefix = rolePrefix;
    }

    // ... remaining RoleVoter methods omitted from this excerpt
}

So you could just set this property in a RoleVoter, then set that voter into the AccessDecisionManager and configure it as the access-decision-manager-ref in the Spring Security http configuration.

jlumietu
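The following is an added example, not code from either poster or from the Spring project. It calls RoleVoter directly to show how the prefix decides the vote: with the default prefix, an authority stored without ROLE_ is denied when the rule names ROLE_EDITOR, and an unprefixed rule is ignored (abstain); with an empty prefix the unprefixed pair is granted. The class name RolePrefixDemo, the user "editor1" and the authority value "EDITOR" are constructed for illustration, and it assumes a Spring Security version that still ships RoleVoter on the classpath.

```java
import java.util.Collection;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class RolePrefixDemo {

    // Turn the voter's int result into a readable label.
    static String describe(int vote) {
        switch (vote) {
            case AccessDecisionVoter.ACCESS_GRANTED: return "GRANTED";
            case AccessDecisionVoter.ACCESS_DENIED:  return "DENIED";
            default:                                 return "ABSTAIN";
        }
    }

    // Ask the voter whether a user holding `authority` satisfies a rule requiring `required`.
    static int vote(RoleVoter voter, String authority, String required) {
        // Constructed sample user; `authority` stands in for what the
        // authorities-by-username-query returns in its authority column.
        Authentication user = new TestingAuthenticationToken("editor1", "n/a", authority);
        Collection<ConfigAttribute> rule = SecurityConfig.createList(required);
        return voter.vote(user, new Object(), rule);
    }

    static void report(String label, RoleVoter voter, String authority, String required) {
        System.out.printf("%-14s authority=%-12s required=%-12s -> %s%n",
                label, authority, required, describe(vote(voter, authority, required)));
    }

    public static void main(String[] args) {
        RoleVoter defaultVoter = new RoleVoter();   // rolePrefix is "ROLE_"
        RoleVoter noPrefixVoter = new RoleVoter();
        noPrefixVoter.setRolePrefix("");            // the override described in the answer

        // Database role name lacks the prefix, access rule uses it (the 403 case).
        report("default prefix", defaultVoter, "EDITOR", "ROLE_EDITOR");
        // Database role name carries the prefix.
        report("default prefix", defaultVoter, "ROLE_EDITOR", "ROLE_EDITOR");
        // Unprefixed rule: the default voter does not support the attribute at all.
        report("default prefix", defaultVoter, "EDITOR", "EDITOR");
        // Unprefixed rule with the prefix removed from the voter.
        report("empty prefix", noPrefixVoter, "EDITOR", "EDITOR");
    }
}
```

Note that an empty prefix makes this voter cast a vote on every attribute, including ones meant for other voters, which is why the Javadoc quoted above calls it "usually not desirable"; storing the role names with the ROLE_ prefix keeps the default behaviour.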