I was trying to create custom pages on my Broadleaf e-commerce admin side. I followed this tutorial. But when I try to access the page I get this strange error. Here's the code of my controller:

package com.community.admin.controller;

import org.broadleafcommerce.openadmin.web.controller.AdminAbstractController;
import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@Controller
@RequestMapping("/" + ThemeController.SECTION_KEY)
@Secured("PERMISSION_OTHER_DEFAULT")
public class ThemeController extends AdminAbstractController {

    protected static final String SECTION_KEY = "test";

    @RequestMapping(value = "", method = RequestMethod.GET)
    public String test(HttpServletRequest request, HttpServletResponse response, Model model) throws Exception {
        // This is expected by the modules/emptyContainer template, this is a custom template that gets included into the body
        model.addAttribute("customView", "views/test");

        // ensure navigation gets set up correctly
        setModelAttributes(model, SECTION_KEY);

        // gets the scaffolding set up to display the template from the customView attribute above
        return "modules/emptyContainer";
    }

}

Also, as there's no Web-INF folder as stated in the tutorial, I added my HTML file in the Resources > open_admin_styles > templates > views folder, where other HTML pages were present. Any help will be appreciated, thanks.

P.S.: I get the AccessDeniedException. I executed the following queries for permissions:

INSERT INTO `blc_admin_module` (`ADMIN_MODULE_ID`, `DISPLAY_ORDER`, `ICON`, `MODULE_KEY`, `NAME`) VALUES (1, 7, 'icon-barcode', 'MyCustomModule', 'My Custom Module');
INSERT INTO `blc_admin_section` (`ADMIN_SECTION_ID`, `DISPLAY_ORDER`, `NAME`, `SECTION_KEY`, `URL`, `ADMIN_MODULE_ID`) VALUES (1, 1000, 'My Custom Section', 'MyCustomSection', '/test', 1);
INSERT INTO `blc_admin_sec_perm_xref` (`ADMIN_SECTION_ID`, `ADMIN_PERMISSION_ID`) VALUES (1, -1);

EDIT

Removing the security annotation can solve the problem, regardless of the fact that I added all permissions in the DB as stated in the documentation.

Mustahsan

2 Answers

Spring Framework Security uses the "ROLE_" prefix, so you can't use @Secured("PERMISSION_OTHER_DEFAULT") because RoleVoter won't process it. You have to change all Broadleaf permission names and add the "ROLE_" prefix to make it work.

In this case you have to change "PERMISSION_OTHER_DEFAULT" in the database to "ROLE_PERMISSION_OTHER_DEFAULT" and use it in the controller as:

@Controller
@RequestMapping("/" + ThemeController.SECTION_KEY)
@Secured("ROLE_PERMISSION_OTHER_DEFAULT")
public class ThemeController extends AdminAbstractController {
   //something
}

Do the same with other permissions.

Here is some information: https://docs.spring.io/spring-security/site/docs/4.2.13.BUILD-SNAPSHOT/apidocs/org/springframework/security/access/vote/RoleVoter.html

Dragonthoughts
Hà Mã Tím
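
The prefix behaviour described in the answer above can be reproduced outside Broadleaf with Spring Security's own classes. This is an added example, not code from the question, the answers or Broadleaf: the class name `RoleVoterPrefixDemo`, the helper `decide` and the test users are constructed, and it assumes a decision manager (`AffirmativeBased`) whose only voter is a default `RoleVoter`, which may differ from the admin application's real configuration.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class RoleVoterPrefixDemo {

    // Hypothetical helper: returns the RoleVoter's raw vote and what a manager
    // containing only that voter decides for the given @Secured value.
    static String decide(Authentication user, String securedValue) {
        List<ConfigAttribute> attrs = SecurityConfig.createList(securedValue);
        RoleVoter voter = new RoleVoter(); // default role prefix is "ROLE_"
        int vote = voter.vote(user, new Object(), attrs);
        String voteName = vote == AccessDecisionVoter.ACCESS_GRANTED ? "GRANTED"
                : vote == AccessDecisionVoter.ACCESS_DENIED ? "DENIED" : "ABSTAIN";
        AffirmativeBased manager =
                new AffirmativeBased(Arrays.<AccessDecisionVoter<?>>asList(voter));
        try {
            manager.decide(user, new Object(), attrs);
            return voteName + " -> access allowed";
        } catch (AccessDeniedException e) {
            return voteName + " -> AccessDeniedException";
        }
    }

    public static void main(String[] args) {
        // Constructed users; authority names follow the question and the answer.
        Authentication unprefixed = new TestingAuthenticationToken(
                "admin", "n/a", "PERMISSION_OTHER_DEFAULT");
        Authentication prefixed = new TestingAuthenticationToken(
                "admin", "n/a", "ROLE_PERMISSION_OTHER_DEFAULT");

        // Case 1: the user holds the authority, the @Secured value has no prefix.
        System.out.println(decide(unprefixed, "PERMISSION_OTHER_DEFAULT"));
        // Case 2: authority and @Secured value both carry the prefix.
        System.out.println(decide(prefixed, "ROLE_PERMISSION_OTHER_DEFAULT"));
        // Case 3: only the controller was renamed, the stored authority was not.
        System.out.println(decide(unprefixed, "ROLE_PERMISSION_OTHER_DEFAULT"));
    }
}
```

Case 3 is the one to check after a partial rename: the annotation value and the permission name stored in the database must match exactly, prefix included.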

The above answer resolves the security issues. But I don't find the Web-INF folder or the Resources > open_admin_styles > templates > views folder in admin on version 6.1.5-GA.

Then I added the test.html file to the

admin > src > main > resources > community-demo-style.templates.admin

folder.

And also, in the MyController class, I give /test.html to model.addAttribute(), like model.addAttribute("customView", "/test.html");

It works fine for me.

John Conde