bug: unauthorized resources due to missing roles returns 405 instead of 403 #1
Enabling error tracing for spring-security....
With the correct role
2022-04-07 09:37:11.359 DEBUG 5989 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy : Securing POST /api/privado/actores/
2022-04-07 09:37:11.359 DEBUG 5989 --- [nio-8080-exec-6] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-04-07 09:37:11.459 DEBUG 5989 --- [nio-8080-exec-6] o.s.s.a.dao.DaoAuthenticationProvider : Authenticated user
2022-04-07 09:37:11.460 DEBUG 5989 --- [nio-8080-exec-6] o.s.s.w.a.www.BasicAuthenticationFilter : Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=admin, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_ADMIN, ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ADMIN, ROLE_USER]]
2022-04-07 09:37:11.460 DEBUG 5989 --- [nio-8080-exec-6] o.s.s.w.a.i.FilterSecurityInterceptor : Authorized filter invocation [POST /api/privado/actores/] with attributes [authenticated]
2022-04-07 09:37:11.460 DEBUG 5989 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy : Secured POST /api/privado/actores/
2022-04-07 09:37:11.492 DEBUG 5989 --- [nio-8080-exec-6] o.s.s.a.i.a.MethodSecurityInterceptor : Authorized ReflectiveMethodInvocation: public org.springframework.http.ResponseEntity es.seresco.cursojee.videoclub.view.controller.ActorController.createActor(es.seresco.cursojee.videoclub.view.dto.actor.RequestCrearActorDTO); target is of class [es.seresco.cursojee.videoclub.view.controller.ActorController] with attributes [ROLE_ADMIN]
2022-04-07 09:37:11.528 DEBUG 5989 --- [nio-8080-exec-6] e.s.c.v.b.service.impl.ActorServiceImpl : createActor(ActorDTO(nombre=Fulanito, primerApellido=Peliculero, segundoApellido=null, fechaNacimiento=Tue Aug 23 02:00:00 CEST 1983))
2022-04-07 09:37:11.554 DEBUG 5989 --- [nio-8080-exec-6] .s.c.v.b.r.i.InMemoryActorRepositoryImpl : initBackedReference(empty=false)
2022-04-07 09:37:11.609 DEBUG 5989 --- [nio-8080-exec-6] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
With the incorrect role
2022-04-07 09:36:49.225 DEBUG 5989 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy : Securing POST /api/privado/actores/
2022-04-07 09:36:49.225 DEBUG 5989 --- [nio-8080-exec-5] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-04-07 09:36:49.374 DEBUG 5989 --- [nio-8080-exec-5] o.s.s.a.dao.DaoAuthenticationProvider : Authenticated user
2022-04-07 09:36:49.375 DEBUG 5989 --- [nio-8080-exec-5] o.s.s.w.a.www.BasicAuthenticationFilter : Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=user, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_USER]]
2022-04-07 09:36:49.380 DEBUG 5989 --- [nio-8080-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor : Authorized filter invocation [POST /api/privado/actores/] with attributes [authenticated]
2022-04-07 09:36:49.380 DEBUG 5989 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy : Secured POST /api/privado/actores/
2022-04-07 09:36:49.600 DEBUG 5989 --- [nio-8080-exec-5] o.s.s.a.i.a.MethodSecurityInterceptor : Failed to authorize ReflectiveMethodInvocation: public org.springframework.http.ResponseEntity es.seresco.cursojee.videoclub.view.controller.ActorController.createActor(es.seresco.cursojee.videoclub.view.dto.actor.RequestCrearActorDTO); target is of class [es.seresco.cursojee.videoclub.view.controller.ActorController] with attributes [ROLE_ADMIN]
2022-04-07 09:36:49.604 DEBUG 5989 --- [nio-8080-exec-5] o.s.s.w.access.AccessDeniedHandlerImpl : Forwarding to /login?denied with status code 403
2022-04-07 09:36:49.611 WARN 5989 --- [nio-8080-exec-5] .w.s.m.s.DefaultHandlerExceptionResolver : Resolved [org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'POST' not supported]
2022-04-07 09:36:49.613 DEBUG 5989 --- [nio-8080-exec-5] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2022-04-07 09:36:49.615 DEBUG 5989 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy : Securing POST /error
2022-04-07 09:36:49.616 DEBUG 5989 --- [nio-8080-exec-5] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-04-07 09:36:49.616 DEBUG 5989 --- [nio-8080-exec-5] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2022-04-07 09:36:49.616 DEBUG 5989 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy : Secured POST /error
2022-04-07 09:36:49.657 DEBUG 5989 --- [nio-8080-exec-5] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
We can see that it occurs when trying to forward to
Looking at the configuration in
davorpa added a commit that referenced this issue Apr 7, 2022
Options:
An issue regarding Spring Security.
When correctly authenticated, with @Secured, @RolesAllowed, @PreAuthorized ... a 405 is returned as the status code, whereas if it is done with the antMapper from the configuration it gives a 403. It is as if the security filter processed the annotations before the mappers.
Does anyone have an idea why this might be, and how to fix it? I have already searched the internet and cannot find the right keywords.
It surely has to do with the order of the Spring Security filters, or some configuration of a configuration interface that is suggested when declaring the annotations, or a parameter where I have made a mistake.
It seems quite strange to me, because if I call with a user that has the role I put in @Secured or similar, it goes through without a problem.
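The trace in this issue shows AccessDeniedHandlerImpl forwarding the denied POST to /login?denied with status 403, after which Spring MVC rejects the forwarded POST and the client sees 405. The handler below is an added example, not code from this issue or from the project: it answers API and non-GET requests with a plain 403 and keeps the page forward only for browser GETs. The class name and the /api/ prefix rule are assumptions; /login?denied is taken from the log.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;

// Hypothetical class (added example). Wire it in the security configuration with:
//   http.exceptionHandling()
//       .accessDeniedHandler(new ApiAwareAccessDeniedHandler("/login?denied"));
public class ApiAwareAccessDeniedHandler implements AccessDeniedHandler {

    // Assumption: REST endpoints live under /api/, as in the logged request path.
    private static final String API_PREFIX = "/api/";

    // Stock handler: sets 403 and forwards the *original* request (method included)
    // to the error page. That forward is what turns a denied POST into a 405.
    private final AccessDeniedHandlerImpl pageHandler = new AccessDeniedHandlerImpl();

    public ApiAwareAccessDeniedHandler(String deniedPage) {
        pageHandler.setErrorPage(deniedPage);
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException denied) throws IOException, ServletException {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        boolean forwardable = "GET".equals(request.getMethod())
                || "HEAD".equals(request.getMethod());

        if (path.startsWith(API_PREFIX) || !forwardable) {
            // No forward: the client receives the authorization failure as 403.
            if (!response.isCommitted()) {
                response.sendError(HttpStatus.FORBIDDEN.value(),
                        HttpStatus.FORBIDDEN.getReasonPhrase());
            }
            return;
        }
        // Browser GET/HEAD: keep the original "denied" page behaviour.
        pageHandler.handle(request, response, denied);
    }
}
```

With this handler in place, the "incorrect role" request from the trace would no longer log a forward to /login?denied, so the HttpRequestMethodNotSupportedException line should disappear as well.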