
bug: unauthorized resources due to missing roles return 405 instead of 403 #1

Open
davorpa opened this issue Apr 7, 2022 · 2 comments
Assignees
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@davorpa
Owner

davorpa commented Apr 7, 2022

A question about Spring Security.

While correctly authenticated, using @Secured, @RolesAllowed, @PreAuthorized... a 405 is returned as the status code, whereas if the same thing is done with the antMapper entries from the configuration it gives a 403.

It is as if the security filter processed the annotations before the mappers.

Does anyone have an idea why this might be or how to fix it? I have already searched the internet and cannot find the right keywords.

It surely has to do with the order of the Spring Security filters, or with some configuration-interface setting that is suggested when declaring the annotations, or a parameter where I messed up.

It seems quite strange to me, because if I call with a user that has the role I put in @Secured or similar, it passes without any problem.

@davorpa davorpa added the bug Something isn't working label Apr 7, 2022
@davorpa davorpa self-assigned this Apr 7, 2022
@davorpa davorpa added the help wanted Extra attention is needed label Apr 7, 2022
@davorpa
Owner Author

davorpa commented Apr 7, 2022

Enabling error tracing for spring-security....

With the correct role

2022-04-07 09:37:11.359 DEBUG 5989 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : Securing POST /api/privado/actores/
2022-04-07 09:37:11.359 DEBUG 5989 --- [nio-8080-exec-6] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-04-07 09:37:11.459 DEBUG 5989 --- [nio-8080-exec-6] o.s.s.a.dao.DaoAuthenticationProvider    : Authenticated user
2022-04-07 09:37:11.460 DEBUG 5989 --- [nio-8080-exec-6] o.s.s.w.a.www.BasicAuthenticationFilter  : Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=admin, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_ADMIN, ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ADMIN, ROLE_USER]]
2022-04-07 09:37:11.460 DEBUG 5989 --- [nio-8080-exec-6] o.s.s.w.a.i.FilterSecurityInterceptor    : Authorized filter invocation [POST /api/privado/actores/] with attributes [authenticated]
2022-04-07 09:37:11.460 DEBUG 5989 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : Secured POST /api/privado/actores/
2022-04-07 09:37:11.492 DEBUG 5989 --- [nio-8080-exec-6] o.s.s.a.i.a.MethodSecurityInterceptor    : Authorized ReflectiveMethodInvocation: public org.springframework.http.ResponseEntity es.seresco.cursojee.videoclub.view.controller.ActorController.createActor(es.seresco.cursojee.videoclub.view.dto.actor.RequestCrearActorDTO); target is of class [es.seresco.cursojee.videoclub.view.controller.ActorController] with attributes [ROLE_ADMIN]
2022-04-07 09:37:11.528 DEBUG 5989 --- [nio-8080-exec-6] e.s.c.v.b.service.impl.ActorServiceImpl  : createActor(ActorDTO(nombre=Fulanito, primerApellido=Peliculero, segundoApellido=null, fechaNacimiento=Tue Aug 23 02:00:00 CEST 1983))
2022-04-07 09:37:11.554 DEBUG 5989 --- [nio-8080-exec-6] .s.c.v.b.r.i.InMemoryActorRepositoryImpl : initBackedReference(empty=false)
2022-04-07 09:37:11.609 DEBUG 5989 --- [nio-8080-exec-6] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request

With the incorrect role

2022-04-07 09:36:49.225 DEBUG 5989 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy        : Securing POST /api/privado/actores/
2022-04-07 09:36:49.225 DEBUG 5989 --- [nio-8080-exec-5] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-04-07 09:36:49.374 DEBUG 5989 --- [nio-8080-exec-5] o.s.s.a.dao.DaoAuthenticationProvider    : Authenticated user
2022-04-07 09:36:49.375 DEBUG 5989 --- [nio-8080-exec-5] o.s.s.w.a.www.BasicAuthenticationFilter  : Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=user, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_USER]]
2022-04-07 09:36:49.380 DEBUG 5989 --- [nio-8080-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor    : Authorized filter invocation [POST /api/privado/actores/] with attributes [authenticated]
2022-04-07 09:36:49.380 DEBUG 5989 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy        : Secured POST /api/privado/actores/
2022-04-07 09:36:49.600 DEBUG 5989 --- [nio-8080-exec-5] o.s.s.a.i.a.MethodSecurityInterceptor    : Failed to authorize ReflectiveMethodInvocation: public org.springframework.http.ResponseEntity es.seresco.cursojee.videoclub.view.controller.ActorController.createActor(es.seresco.cursojee.videoclub.view.dto.actor.RequestCrearActorDTO); target is of class [es.seresco.cursojee.videoclub.view.controller.ActorController] with attributes [ROLE_ADMIN]
2022-04-07 09:36:49.604 DEBUG 5989 --- [nio-8080-exec-5] o.s.s.w.access.AccessDeniedHandlerImpl   : Forwarding to /login?denied with status code 403
2022-04-07 09:36:49.611  WARN 5989 --- [nio-8080-exec-5] .w.s.m.s.DefaultHandlerExceptionResolver : Resolved [org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'POST' not supported]
2022-04-07 09:36:49.613 DEBUG 5989 --- [nio-8080-exec-5] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2022-04-07 09:36:49.615 DEBUG 5989 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy        : Securing POST /error
2022-04-07 09:36:49.616 DEBUG 5989 --- [nio-8080-exec-5] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-04-07 09:36:49.616 DEBUG 5989 --- [nio-8080-exec-5] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2022-04-07 09:36:49.616 DEBUG 5989 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy        : Secured POST /error
2022-04-07 09:36:49.657 DEBUG 5989 --- [nio-8080-exec-5] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request

We can see that it happens when trying to forward to login?denied via POST.

Looking at the configuration in WebMvcConfig.java, we see that its view controller only accepts GET, since POST is captured by the login page's authentication filter.

davorpa added a commit that referenced this issue Apr 7, 2022
@davorpa
Owner Author

davorpa commented Apr 7, 2022

Options:

  1. Disable the configuration for exceptionHandler.access-denied-page
  2. Refine the configuration so that login is a smart controller with GET and POST instead of a view mapping. This requires changing the config that handles credential validation: appz.security.http.form.login-processing-url
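As an added example of option 1 (not the project's own code), a Spring Security 5 configuration that drops the accessDeniedPage forward in favour of an AccessDeniedHandler which answers API requests with a direct 403, so the original POST is never forwarded to the GET-only /login view controller; the class names and the /api/** prefix are assumptions.

```java
// Added example, not the project's code; class names and path prefixes are assumed.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true, prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** API denials become a plain 403; HTML requests keep the denied page. */
    static class ApiAwareAccessDeniedHandler implements AccessDeniedHandler {
        private final RequestMatcher api = new AntPathRequestMatcher("/api/**");
        private final AccessDeniedHandlerImpl page = new AccessDeniedHandlerImpl();

        ApiAwareAccessDeniedHandler(String deniedPage) {
            page.setErrorPage(deniedPage);
        }

        @Override
        public void handle(HttpServletRequest req, HttpServletResponse res,
                           AccessDeniedException ex) throws IOException, ServletException {
            if (api.matches(req)) {
                // No forward: the original POST never reaches the GET-only view controller.
                res.sendError(HttpServletResponse.SC_FORBIDDEN, ex.getMessage());
            } else {
                page.handle(req, res, ex); // forwards to the denied page, as before
            }
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/api/privado/**").authenticated()
                .anyRequest().permitAll()
            .and().httpBasic()
            .and().exceptionHandling()
                // Before: .accessDeniedPage("/login?denied") forwarded the POST and produced 405.
                .accessDeniedHandler(new ApiAwareAccessDeniedHandler("/login?denied"));
    }
}
```

With this handler the MethodSecurityInterceptor denial seen in the trace above ends the request with a 403 instead of being re-dispatched as a POST to /login?denied.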
