"Access is denied (user is not anonymous)" with spring-security-oauth2

spring-security oauth-2.0
14,145

Solution 1

I have never used oauth plugin but from reading debug output I can say that RoleVoter returned -1, which means access was denied by DecisionVoter. I see that you granted only ROLE_USER to principal which is trying to access url /api/user/, which is secured by [ROLE_CLIENT, SCOPE_READ] and that's the reason why access was denied.

Either grant ROLE_CLIENT and SCOPE_READ to principal or change <intercept-url pattern="/api/**" access="ROLE_CLIENT,SCOPE_READ" />.

Solution 2

As Xaerxess said, you should change your intercept-url access property to ROLE_USER.

<intercept-url pattern="/api/**" access="ROLE_CLIENT,SCOPE_READ" />

to

<intercept-url pattern="/api/**" access="ROLE_USER,SCOPE_READ" />

The access property controls the role of the user (which the client acts on behalf of).

The documentation of the authorities (ROLE_CLIENT) property of tag <oauth:client> states:

Authorities that are granted to the client (comma-separated). Distinct from the authorities granted to the user on behalf of whom the client is acting.

Also, according to user Dave Syer:

If you didn't change Tonr, it is not acting as a client, it is acting on behalf of a user (who will not have the required ROLE_CLIENT), so it is expected that you would get a 403. If you want to make an assertion about the request from tonr being from a client with a specific role (without changing the app) you can use an expression, e.g. "oauthClientHasRole('ROLE_CLIENT') and hasScope('trust')".

Source: http://forum.springsource.org/showthread.php?125468-confusing-between-ROLE_USER-ROLE_CLIENT

Share:
14,145
javierhe
Author by

javierhe

Java/Scala developer. Also interested in MacOSX and iOS programming.

Updated on June 04, 2022

Comments

  • javierhe
    javierhe almost 2 years

    I'm new to Spring Security and Oauth, and I'm trying to set up a simple example protecting the access to resources in path "/api" with Oauth2. I'm using spring-security-oauth2-1.0.0.RC2. After some time dealing with configuration, I'm able to get tokens, but when I try to send requests to "/api" resources, I'm facing two questions:

    • Initially, I'm sending authorization header with "OAuth2" prefix, but spring-security-oauth2 seems to need headers with "Bearer" prefix in the tokens to find them. What's the difference between these tokens?

    • After Spring validated the token, I'm getting a security error: "ExceptionTranslationFilter - Access is denied (user is not anonymous)" and I'm stuck with this problem. Since I'm using InMemory token store, I have to login each time to authorize client, then I'm getting this error. Here is the spring configuration:

    <http pattern="/api/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
    access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="false" />
    <intercept-url pattern="/api/**" access="ROLE_CLIENT,SCOPE_READ" />
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>

<http disable-url-rewriting="true" xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/oauth/**" access="ROLE_USER" />
    <!--intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /-->
    <form-login/>
    <logout logout-success-url="/index.jsp" logout-url="/logout" />
</http>

<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="O2Server" />
</bean>

<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

<bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
    <property name="authenticationManager" ref="clientAuthenticationManager" />
</bean>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
            <bean class="org.springframework.security.access.vote.RoleVoter" />
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
        </list>
    </constructor-arg>
</bean>

<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
    <authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>

<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
    <authentication-provider>
        <user-service>
            <user name="test" password="test" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

<bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <constructor-arg ref="clientDetails" />
</bean>

<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />

<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <property name="tokenStore" ref="tokenStore" />
    <property name="supportRefreshToken" value="true" />
    <property name="clientDetailsService" ref="clientDetails"/>
</bean>

<bean id="userApprovalHandler" class="org.o2server.security.O2ServerUserApprovalHandler">
    <property name="tokenServices" ref="tokenServices" />
</bean>

<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices" user-approval-handler-ref="userApprovalHandler">
    <oauth:authorization-code />
    <oauth:implicit />
    <oauth:refresh-token />
    <oauth:client-credentials />
    <oauth:password />
</oauth:authorization-server>

<oauth:resource-server id="resourceServerFilter" resource-id="O2Server" token-services-ref="tokenServices" />

<oauth:client-details-service id="clientDetails">
    <oauth:client client-id="O2Client" resource-ids="O2Server" authorized-grant-types="authorization_code,refresh_token,implicit"
        authorities="ROLE_CLIENT" scope="read,write" secret="secret" />
</oauth:client-details-service>

<oauth:web-expression-handler id="oauthWebExpressionHandler" />

    This is the log from the server:

    11:58:30.366 [DEBUG] FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /api/user/; Attributes: [ROLE_CLIENT, SCOPE_READ]
11:58:30.366 [DEBUG] FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@48a94464: Principal: org.springframework.security.core.userdetails.User@346448: Username: paul; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails@43794494; Granted Authorities: ROLE_USER
11:58:30.366 [DEBUG] UnanimousBased - Voter: org.springframework.security.oauth2.provider.vote.ScopeVoter@4e857327, returned: 0
11:58:30.366 [DEBUG] UnanimousBased - Voter: org.springframework.security.access.vote.RoleVoter@1b4b2db7, returned: -1
11:58:30.367 [DEBUG] ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler <org.springframework.security.access.AccessDeniedException: Access is denied>org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.UnanimousBased.decide(UnanimousBased.java:90)

    Please, could you give me some advice?

    Thank you in advance.

  • javierhe
    javierhe over 11 years
    Thank you Xaerxess, I guess you mean changing the rule to access=ROLE_USER, because now is with ROLE_CLIENT.I'm not sure, but I think that I only need a token to access an oauth resource, and the principal should get the ROLE_CLIENT, but since I'm a newbie I don't know how to achieve this, I should have missed some additional config.
  • Xaerxess
    Xaerxess over 11 years
    Seems from code that whole magic should be in ClientDetailsUserDetailsService - can you debug and check if clientDetailsService.loadClientByClientId(username) returns correct authorities? I think that spring forums would be better place than SP for problem like this one.
  • javierhe
    javierhe over 11 years
    Thank you, with your additional comments I finally managed it, although I still have doubts between the two header types (OAuth2 or Bearer). Unfortunately, the project which I was using OAuth2 is on hold now, so I can't continue working on it for the moment

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Spring OAuth2 - Can't get client token
How do you set a resource ID for a token?
OAuth2 - Status 401 on OPTIONS request while retrieving TOKEN
OAUTH2 spring Error creating bean with name 'springSecurityFilterChain'
Spring Boot OAuth2 - Could not obtain user details from token
Spring security oauth2 - getting custom data from OAuth2 principal
oAuth2 client with password grant in Spring Security
spring boot oauth2 with jdbc token store gives oauth_access_token relation doesn't exist
Spring security oauth 2 simple example
Spring Security OAuth - Full authentication is required to access this resource