
User exists, Authority does not -> Login

Hello,

I've got one question. Today I had an error in my database (the ids were not correct - unimportant) and I noticed a strange behaviour.

Here is the scenario:
For one user, a users entry (users_id, username, password, enabled) does exist, an authorities entry (id, users_id, authority) does not. (A salt value does exist too.)

This specific user tries to log in: As his username and password are correct, he is authenticated as "user with username x and correct password, enabled", but has the role_anonymous. Of course the pages then appear incorrect.
Normally the main page is structured like this:

Code:
<!-- parts always shown -->
....

<!-- not logged in -->
<sec:authorize ifAnyGranted="ROLE_ANONYMOUS" ifNotGranted="ROLE_USER,ROLE_ADMIN">
...
</sec:authorize>
<!-- Logged in: -->
<sec:authorize ifAnyGranted="ROLE_USER,ROLE_ADMIN" ifNotGranted="ROLE_ANONYMOUS">
...
</sec:authorize>

<!-- parts always shown -->
...
What happened now was that neither the part for "logged in" nor the part for "not logged in" was shown! I then requested a page where I get an output from the controller regarding the principal:

Code:
// this is the code
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
System.out.println("toString: " + auth.toString());
// getName() instead of getCredentials(): the label says username, and credentials must not be logged
System.out.println("Username: " + auth.getName());

// this is the output
toString: org..security.authentication.UsernamePasswordAuthenticationToken@758c14e9: Principal: project.business.logic.UserDetailsImpl@17e078b6; Credentials: [PROTECTED]; Authenticated: true; Details: org..security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 8BA5EF74C3675F5D93C779CC59F83A82; Granted Authorities: IS_AUTHENTICATED_ANONYMOUSLY
Username: test
Of course the pages which are secured for role_user can't be seen then, but the pages somehow look strange then (as seen above: neither the content for anonymous nor the content for users is shown).

So there must be a possibility to catch this exception if it appears.

This is my UserDetailsService

Code:
@Transactional(readOnly = true)
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    logger.info("loadUserByUsername(..): creating UserDetails Object for " + username);

    // loading users object and authorities object belonging to username
    Users u = projectDao.getUsersByUsername(username);
    if (u == null) {
        throw new UsernameNotFoundException("Username does not exist");
    }

    UsersAuthorities auth = projectDao.getUsersAuthoritiesByUsersId(u.getId());

    // in case the authority check does not work
    Collection<GrantedAuthority> ga = AuthorityUtils.createAuthorityList("IS_AUTHENTICATED_ANONYMOUSLY");

    if (auth == null) {
        //throw new AuthorityNotFoundException("Authority does not exist");
        if (u.getId() == 1) {
            logger.info("loadUserByUsername(..): user does exist, but authority does not: default user");
        } else {
            logger.warn("loadUserByUsername(..): user does exist, but authority does not");
            // when I use: return null
            // no login, a spring-specific error message is displayed on the login page
            // return null;
            // if I use this
            //throw new UsernameNotFoundException("blabla");
            // it shows: username/password incorrect
            // the page is then displayed correctly in both cases, no userdetails object is created
        }
    } else {
        // checks the authorization of the user
        if (auth.getAuthority().equals("ROLE_USER")) {
            ga = AuthorityUtils.createAuthorityList("ROLE_USER");
        } else if (auth.getAuthority().equals("ROLE_ADMIN")) {
            ga = AuthorityUtils.createAuthorityList("ROLE_ADMIN");
        }
    }

    // creates a new User object and returns it as UserDetails
    // this UserDetails Object is needed by Spring Security
    UserDetailsImpl userspringsec = new UserDetailsImpl(u.getUsername(), u.getPassword(), u.isEnabled(), true, true, true, ga, u.getId());
    return userspringsec;
}
I tested the blue part, error messages are displayed then on the login page, but I know that this is not the correct handling of this exception, so what would you advise me to do? How can I catch this error correctly? Thanks in advance! :-)

I'm not sure what exception you are referring to. You said it gets into the blue, which is not an exception. If I were you and the user did not have any roles I would throw an exception (this is the same as what the Spring Security provided JdbcDaoImpl does). If it is bad data, you should fail and provide a reason for the failure. If you always want the user to have a role you could add a default role. It really depends on what you want to do.
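Both options from that reply, side by side, as an added example for this thread (not code from the original post and not Spring Security's own JdbcDaoImpl). It reuses the thread's ProjectDao, Users and UsersAuthorities names, which are assumed to exist with the getters used in the post (getId, getUsername, getPassword, isEnabled, getAuthority); the ProjectDao interface below is a narrowed stand-in, and StrictUserDetailsService, KNOWN_ROLES and allowDefaultRole are names chosen here. The fail-closed branch does what JdbcDaoImpl does for a user with no authorities: it throws UsernameNotFoundException, which DaoAuthenticationProvider reports as a bad-credentials failure unless hideUserNotFoundExceptions is switched off. Nothing falls back to IS_AUTHENTICATED_ANONYMOUSLY for a fully authenticated principal, which is what made both <sec:authorize> branches above evaluate to false.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Assumed: the thread's own DAO, narrowed to the two calls the post uses.
// Users and UsersAuthorities are the thread's entity classes.
interface ProjectDao {
    Users getUsersByUsername(String username);
    UsersAuthorities getUsersAuthoritiesByUsersId(long usersId);
}

public class StrictUserDetailsService implements UserDetailsService {

    // Only these values are accepted from the authorities table; anything else is bad data.
    private static final Set<String> KNOWN_ROLES =
            new HashSet<String>(Arrays.asList("ROLE_USER", "ROLE_ADMIN"));

    private final ProjectDao projectDao;
    private final boolean allowDefaultRole; // false = fail closed, true = fall back to ROLE_USER

    public StrictUserDetailsService(ProjectDao projectDao, boolean allowDefaultRole) {
        this.projectDao = projectDao;
        this.allowDefaultRole = allowDefaultRole;
    }

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Users u = projectDao.getUsersByUsername(username);
        if (u == null) {
            throw new UsernameNotFoundException("Username does not exist");
        }

        UsersAuthorities auth = projectDao.getUsersAuthoritiesByUsersId(u.getId());
        List<GrantedAuthority> ga;

        if (auth == null) {
            if (!allowDefaultRole) {
                // Option 1 (what JdbcDaoImpl does): refuse the login and record why.
                throw new UsernameNotFoundException("User " + username + " has no granted authority");
            }
            // Option 2: every authenticated user gets at least ROLE_USER.
            ga = AuthorityUtils.createAuthorityList("ROLE_USER");
        } else if (KNOWN_ROLES.contains(auth.getAuthority())) {
            ga = AuthorityUtils.createAuthorityList(auth.getAuthority());
        } else {
            // A row exists but holds an unknown role name: also bad data, so fail closed
            // rather than silently handing out a weaker authority.
            throw new UsernameNotFoundException(
                    "User " + username + " has unknown authority " + auth.getAuthority());
        }

        // Spring Security's own User class; the 7-arg constructor matches the flags
        // the thread's UserDetailsImpl takes (enabled, non-expired, credentials non-expired, non-locked).
        return new User(u.getUsername(), u.getPassword(), u.isEnabled(), true, true, true, ga);
    }
}
```

Wire it as the UserDetailsService bean in place of the current one, passing the DAO and the chosen flag as constructor arguments. With allowDefaultRole set to false the user from the post simply cannot log in until the missing authorities row is fixed, and the exception message ends up in the authentication failure log rather than on the login page.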

thanks for your answer.

You are right, there is no exception (like an IOException or something else) - that was just my bad English ;-) I just meant how to deal with this behaviour.

I tried to throw an exception (I really mean "exception") when there is no authority, but since loadUserByUsername only throws UsernameNotFoundExceptions, I got an error.

But, anyway, I guess I will find a solution, because, like you said, there are some more options. thank you, I guess this topic can be closed now.

(If I don't get it solved, I will write again ;-))