"Access is denied (user is not anonymous)" with spring-security-oauth2
Solution 1
I have never used oauth plugin but from reading debug output I can say that RoleVoter
returned -1, which means access was denied by DecisionVoter
. I see that you granted only ROLE_USER
to principal which is trying to access url /api/user/
, which is secured by [ROLE_CLIENT, SCOPE_READ]
and that's the reason why access was denied.
Either grant ROLE_CLIENT and SCOPE_READ to principal or change <intercept-url pattern="/api/**" access="ROLE_CLIENT,SCOPE_READ" />
.
Solution 2
As Xaerxess said, you should change your intercept-url access property to ROLE_USER.
<intercept-url pattern="/api/**" access="ROLE_CLIENT,SCOPE_READ" />
to
<intercept-url pattern="/api/**" access="ROLE_USER,SCOPE_READ" />
The access property controls the role of the user (which the client acts on behalf of).
The documentation of the authorities (ROLE_CLIENT) property of tag <oauth:client>
states:
Authorities that are granted to the client (comma-separated). Distinct from the authorities granted to the user on behalf of whom the client is acting.
Also, according to user Dave Syer:
If you didn't change Tonr, it is not acting as a client, it is acting on behalf of a user (who will not have the required ROLE_CLIENT), so it is expected that you would get a 403. If you want to make an assertion about the request from tonr being from a client with a specific role (without changing the app) you can use an expression, e.g. "oauthClientHasRole('ROLE_CLIENT') and hasScope('trust')".
Source: http://forum.springsource.org/showthread.php?125468-confusing-between-ROLE_USER-ROLE_CLIENT
javierhe
Java/Scala developer. Also interested in MacOSX and iOS programming.
Updated on June 04, 2022Comments
-
javierhe almost 2 years
I'm new to Spring Security and Oauth, and I'm trying to set up a simple example protecting the access to resources in path "/api" with Oauth2. I'm using spring-security-oauth2-1.0.0.RC2. After some time dealing with configuration, I'm able to get tokens, but when I try to send requests to "/api" resources, I'm facing two questions:
Initially, I'm sending authorization header with "OAuth2" prefix, but spring-security-oauth2 seems to need headers with "Bearer" prefix in the tokens to find them. What's the difference between these tokens?
After Spring validated the token, I'm getting a security error: "ExceptionTranslationFilter - Access is denied (user is not anonymous)" and I'm stuck with this problem. Since I'm using InMemory token store, I have to login each time to authorize client, then I'm getting this error. Here is the spring configuration:
<http pattern="/api/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint" access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security"> <anonymous enabled="false" /> <intercept-url pattern="/api/**" access="ROLE_CLIENT,SCOPE_READ" /> <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> <access-denied-handler ref="oauthAccessDeniedHandler" /> </http> <http disable-url-rewriting="true" xmlns="http://www.springframework.org/schema/security"> <intercept-url pattern="/oauth/**" access="ROLE_USER" /> <!--intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /--> <form-login/> <logout logout-success-url="/index.jsp" logout-url="/logout" /> </http> <bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"> <property name="realmName" value="O2Server" /> </bean> <bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" /> <bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter"> <property name="authenticationManager" ref="clientAuthenticationManager" /> </bean> <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans"> <constructor-arg> <list> <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" /> <bean class="org.springframework.security.access.vote.RoleVoter" /> <bean class="org.springframework.security.access.vote.AuthenticatedVoter" /> </list> </constructor-arg> </bean> <authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security"> <authentication-provider user-service-ref="clientDetailsUserService" /> </authentication-manager> <authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security"> <authentication-provider> <user-service> <user name="test" password="test" authorities="ROLE_USER" /> </user-service> </authentication-provider> </authentication-manager> <bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService"> <constructor-arg ref="clientDetails" /> </bean> <bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" /> <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices"> <property name="tokenStore" ref="tokenStore" /> <property name="supportRefreshToken" value="true" /> <property name="clientDetailsService" ref="clientDetails"/> </bean> <bean id="userApprovalHandler" class="org.o2server.security.O2ServerUserApprovalHandler"> <property name="tokenServices" ref="tokenServices" /> </bean> <oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices" user-approval-handler-ref="userApprovalHandler"> <oauth:authorization-code /> <oauth:implicit /> <oauth:refresh-token /> <oauth:client-credentials /> <oauth:password /> </oauth:authorization-server> <oauth:resource-server id="resourceServerFilter" resource-id="O2Server" token-services-ref="tokenServices" /> <oauth:client-details-service id="clientDetails"> <oauth:client client-id="O2Client" resource-ids="O2Server" authorized-grant-types="authorization_code,refresh_token,implicit" authorities="ROLE_CLIENT" scope="read,write" secret="secret" /> </oauth:client-details-service> <oauth:web-expression-handler id="oauthWebExpressionHandler" />
This is the log from the server:
11:58:30.366 [DEBUG] FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /api/user/; Attributes: [ROLE_CLIENT, SCOPE_READ] 11:58:30.366 [DEBUG] FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@48a94464: Principal: org.springframework.security.core.userdetails.User@346448: Username: paul; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails@43794494; Granted Authorities: ROLE_USER 11:58:30.366 [DEBUG] UnanimousBased - Voter: org.springframework.security.oauth2.provider.vote.ScopeVoter@4e857327, returned: 0 11:58:30.366 [DEBUG] UnanimousBased - Voter: org.springframework.security.access.vote.RoleVoter@1b4b2db7, returned: -1 11:58:30.367 [DEBUG] ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler <org.springframework.security.access.AccessDeniedException: Access is denied>org.springframework.security.access.AccessDeniedException: Access is denied at org.springframework.security.access.vote.UnanimousBased.decide(UnanimousBased.java:90)
Please, could you give me some advice?
Thank you in advance.
-
javierhe over 11 yearsThank you Xaerxess, I guess you mean changing the rule to
access=ROLE_USER
, because now is with ROLE_CLIENT.I'm not sure, but I think that I only need a token to access an oauth resource, and the principal should get the ROLE_CLIENT, but since I'm a newbie I don't know how to achieve this, I should have missed some additional config. -
Xaerxess over 11 yearsSeems from code that whole magic should be in
ClientDetailsUserDetailsService
- can you debug and check ifclientDetailsService.loadClientByClientId(username)
returns correct authorities? I think that spring forums would be better place than SP for problem like this one. -
javierhe over 11 yearsThank you, with your additional comments I finally managed it, although I still have doubts between the two header types (OAuth2 or Bearer). Unfortunately, the project which I was using OAuth2 is on hold now, so I can't continue working on it for the moment