org.springframework.security.access.AccessDeniedException: Access is denied
at grails.plugin.springsecurity.access.vote.AuthenticatedVetoableDecisionManager.decide(AuthenticatedVetoableDecisionManager.java:43)
at grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter.doFilter(GrailsAnonymousAuthenticationFilter.java:53)
at grails.plugin.springsecurity.web.authentication.RequestHolderAuthenticationFilter.doFilter(RequestHolderAuthenticationFilter.java:53)
at grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:62)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Getting this error while trying to view different pages on the website.
Whenever after logging in I try to visit one of the pages I get this error in the log window in IntelliJ Idea ultimate. I am using secured annotation.
2015-12-28 09:48:54,527 [http-bio-8080-exec-12] DEBUG intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /list.html; Attributes: [_DENY_]
2015-12-28 09:48:54,527 [http-bio-8080-exec-12] DEBUG intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#fec5dc2f: Principal: grails.plugin.springsecurity.userdetails.GrailsUser#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#2eb76: RemoteIpAddress: 127.0.0.1; SessionId: B3587266591A115997973363DF758EB8; Granted Authorities: ROLE_USER, ROLE_ADMIN
2015-12-28 09:48:54,527 [http-bio-8080-exec-12] DEBUG hierarchicalroles.RoleHierarchyImpl - getReachableGrantedAuthorities() - From the roles [ROLE_USER, ROLE_ADMIN] one can reach [ROLE_USER, ROLE_ADMIN] in zero or more steps.
2015-12-28 09:48:54,557 [http-bio-8080-exec-12] DEBUG access.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
Message: Access is denied
Line | Method
->> 43 | decide in grails.plugin.springsecurity.access.vote.AuthenticatedVetoableDecisionManager
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| 53 | doFilter in grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter
| 62 | doFilter in grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter
| 1142 | runWorker in java.util.concurrent.ThreadPoolExecutor
| 617 | run . . . in java.util.concurrent.ThreadPoolExecutor$Worker
^ 745 | run in java.lang.Thread
2015-12-28 09:48:54,559 [http-bio-8080-exec-12] DEBUG filter.UrlMappingsFilter - Executing URL mapping filter...
2015-12-28 09:48:54,649 [http-bio-8080-exec-12] DEBUG filter.UrlMappingsFilter - Matched URI [/login/denied] to URL mapping [/(*)/(*)?/(*)?(.(*))?], forwarding to [/grails/login/denied.dispatch] with response [class org.springframework.security.web.context.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper]
2015-12-28 09:48:54,649 [http-bio-8080-exec-12] DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed.
Can anyone please tell me what I can look at to check for the issue. I have tried to change the config.groovy files, URLmapping.groovy files.
Here is my config.groovy
grails.app.context='/'
// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.dtech.security.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.dtech.security.UserRole'
grails.plugin.springsecurity.authority.className = 'com.dtech.security.Role'
grails.plugin.springsecurity.failureHandler.defaultFailureUrl='/?login_error=1'
grails.plugin.springsecurity.auth.loginFormUrl='/' //send to index page for login
//redirect to Dynics home page on logout
grails.plugin.springsecurity.logout.afterLogoutUrl='http://www.google.com'
//grails.plugin.springsecurity.failureHandler.useForward=false
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
'/' : ['permitAll'],
'/index' : ['permitAll'],
'/index.gsp' : ['permitAll'],
'/assets/**' : ['permitAll'],
'/**/js/**' : ['permitAll'],
'/**/css/**' : ['permitAll'],
'/**/images/**' : ['permitAll'],
'/**/favicon.ico' : ['permitAll'],
//'/api/**' : ['permitAll'],
'/rmalog/**' : ['ROLE_ADMIN','ROLE_USER'],
'/api/rmalog/**' : ['ROLE_ADMIN','ROLE_USER'],
Here is my controller with the annotation
package com.dtech.controllers
import com.dtech.PagedRestfulController
import com.dtech.domain.Rmalog
import grails.plugin.springsecurity.annotation.Secured
import org.codehaus.groovy.grails.commons.GrailsApplication
#Secured(['ROLE_ADMIN','ROLE_USER'])
class RmalogController extends PagedRestfulController {
def exportService
GrailsApplication grailsApplication
RmalogController(){
super(Rmalog)
}
def export(){
if(params?.formatRequest && params.formatRequest != "html"){
if(!params.max) params.max = 15000 //set max for records export
response.contentType = grailsApplication.config.grails.mime.types[params.formatRequest]
response.setHeader("Content-disposition", "attachment; filename=rmalog.${params.extension}")
def exportData = loadPagedResults(params);
exportService.export(params.formatRequest,
response.outputStream, exportData, [:], [:])
}
}
}
Here is my viewSource for rmalog
<!DOCTYPE html>
<html>
<head>
<meta name="layout" content="angular"/>
<asset:javascript src="dynics-app/rmalog/module"/>
</head>
<body ng-app="dynicsApp.rmalog">
</body>
</html>
By default access is denied to all URLs unless there's a rule for the requested URL. Read the docs for more info.
Your error indicates that access to /list.html was denied, which makes sense because nothing in the staticRules map covers that URL, and you didn't mention any annotation in the controller that handles that URL.
Related
I'm using 5.3 version and I've configured CAS for delegating authentication to an external Oauth server. My cas.properties looks like:
cas.authn.pac4j.oauth2[0].clientName=oauth1
cas.authn.pac4j.oauth2[0].id=
cas.authn.pac4j.oauth2[0].secret=
cas.authn.pac4j.oauth2[0].authUrl=https://xxxxxxxxxxx/sso/oauth/controller/Server/action/authorize/
cas.authn.pac4j.oauth2[0].tokenUrl=https://xxxxxxxx/sso/oauth/controller/Server/action/token/
cas.authn.pac4j.oauth2[0].profileUrl=https://xxxxxxxx/sso/oauth/controller/Server/action/profile/?fields=username
cas.authn.pac4j.oauth2[0].principalAttributeId=username
In terms of service (JSON) this is the configuration:
{
#class: org.apereo.cas.services.RegexRegisteredService
serviceId: ID
name: name
theme: default
id: 1
description: name
logoutType: FRONT_CHANNEL
attributeReleasePolicy:
{
"#class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
}
logoutUrl: https://yyyyyy/logout
accessStrategy:
{
#class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
order: 0
enabled: true
ssoEnabled: true
delegatedAuthenticationPolicy:
{
"#class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy"
"allowedProviders" : [ "java.util.ArrayList", [ "oauth1" ] ]
}
requireAllAttributes: false
caseInsensitive: false
}
}
CAS is able to get properly the information from Oauth protocol but when it tries to get the Principal, the answer is always:`
2019-10-31 14:37:41,070 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationBuilder] - <Recording authentication handler result success under key [ClientAuthenticationHandler]>
2019-10-31 14:37:41,070 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [ClientAuthenticationHandler] successfully authenticated [ClientCredential(typedIdUsed=false, userProfile=#OAuth20Profile# | id: null | attributes: {access_token=8b2eaaa3c8d3d51233df5da4047889c8530a7df4, username=apotheke_alphega} | roles: [] | permissions: [] | isRemembered: false | clientName: oauth1 | linkedId: null |, credentials=#OAuth20Credentials# | code: 5f0d498cfc347b66de544d98ce309d5f1f200716 | accessToken: com.github.scribejava.core.model.OAuth2AccessToken#3b3a98c |, clientName=oauth1)]>
2019-10-31 14:37:41,074 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured single-row JDBC attribute repository for [jdbc:mysql://b2bde-uat-db02.mysql.database.azure.com/lr_b2b_core?useJDBCCompliantTimezoneShift=true&useLegacyDatetimeCode=false&serverTimezone=UTC&useSSL=true]>
2019-10-31 14:37:41,086 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[ClientAuthenticationHandler] is configured to use [ChainingPrincipalResolver(principalFactory=org.apereo.cas.authentication.principal.DefaultPrincipalFactory#1, chain=[EchoingPrincipalResolver(), PersonDirectoryPrincipalResolver(attributeRepository=org.apereo.services.persondir.support.CachingPersonAttributeDaoImpl#63f2c17b, principalFactory=org.apereo.cas.authentication.principal.DefaultPrincipalFactory#1, returnNullIfNoAttributes=true, principalNameTransformer=org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver$$Lambda$130/1783977388#2488625b, principalAttributeNames=username, useCurrentPrincipalId=true)])] but it does not support [ClientCredential(typedIdUsed=false, userProfile=#OAuth20Profile# | id: null | attributes: {access_token=8b2eaaa3c8d3d51233df5da40478df4, username=user} | roles: [] | permissions: [] | isRemembered: false | clientName: oauth1 | linkedId: null |, credentials=#OAuth20Credentials# | code: 5f0d498cfc347b66de544d98ce30916 | accessToken: com.github.scribejava.core.model.OAuth2AccessToken#3b3a98c |, clientName=oauth1)], which suggests a configuration problem.>
2019-10-31 14:37:41,087 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Principal resolution handled by [$Proxy401] produced a null principal. This is likely due to misconfiguration or missing attributes; CAS will attempt to use the principal produced by the authentication handler, if any.>
2019-10-31 14:37:41,087 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Principal resolution for authentication by [ClientAuthenticationHandler] produced a null principal.>
2019-10-31 14:37:41,087 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Final principal resolved for this authentication event is [null]>
Could you help me? I'm very block and I can't find any real example
Kind Regards
Below is my Pgtyp.groovy (domain class):
package marchmock2
class Pgtyp {
Date date_hour
String mv
String pagetype
Integer visits
Integer visits_ly
Integer visits_lw
String time_period
String platform
String device
String browser
static mapping = {
table "pgtyp"
version false
date_hour column: "date_hour"
mv column: "mv"
pagetype column: "pagetype"
visits column: "visits"
visits_ly column:"visits_ly"
visits_lw column:"visits_lw"
time_period column:"time_period"
platform column:"platform"
device column:"device"
browser column:"browser"
}
static constraints = {
}
}
This is how my controller looks like:
package marchmock2
import grails.converters.*
import groovy.sql.Sql
class PgtypController {
def ajaxGetMv = {
def pgtyp = Pgtyp.get(params.id)
render pgtyp as JSON
}
def index() {
}
}
And finally, this is my index.gsp:
<html>
<head>
<g:javascript src="jquery-1.10.2.min.js"/>
<g:javascript src="prototype.js"/>
</head>
<body>
<form>
<g:select from="['AFFILIATES', 'SEO', 'SEM','DISPLAYADS']" name="mv" onchange="${remoteFunction(
controller:'Pgtyp',
action:'ajaxGetMv',
params:'\'id=\' + escape(this.value)',
onSuccess: 'printpgtyp(data)')}"></g:select>
</form>
<g:javascript>
function printpgtyp(data) {
console.log(data)
}
</g:javascript>
</body>
</html>
When I run my app, I get a dropdown and on selecting any option from it I get an error saying:
POST http://localhost:8080/marchmock2/pgtyp/ajaxGetMv 500 (Internal Server Error)
What do I do with it? Is there any error in the way I'm writing it or have I misunderstood anything? Any help would be appreciated.
UPDATE
|
2014-07-04 16:37:23,149 [http-bio-8080-exec-10] ERROR [/marchmock2].[gsp] - Servlet.service() for servlet [gsp] in context with path [/marchmock2] threw exception
Message: It looks like you are missing some calls to the r:layoutResources tag. After rendering your page the following have not been rendered: [defer]
Line | Method
->> 1145 | runWorker in java.util.concurrent.ThreadPoolExecutor
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| 615 | run in java.util.concurrent.ThreadPoolExecutor$Worker
^ 744 | run . . . in java.lang.Thread
UPDATE2
Following an answer on stackoverflow, I changed to and the error mentioned in first UPDATE is gone. However, when I select 'SEO' from the dropdown, I get the following error
TypeMismatchException occurred when processing request: [POST] /marchmock2/pgtyp/ajaxGetMv - parameters:
id: SEO
Provided id of the wrong type for class marchmock2.Pgtyp. Expected: class java.lang.Long, got class java.lang.String. Stacktrace follows:
Message: Provided id of the wrong type for class marchmock2.Pgtyp. Expected: class java.lang.Long, got class java.lang.String
using the spring security core plugin I am trying to catch event so I am using
grails.plugin.springsecurity.useSecurityEventListener = true
grails.plugin.springsecurity.onInteractiveAuthenticationSuccessEvent = { e, appCtx ->
def request = org.codehaus.groovy.grails.plugins.springsecurity.SecurityRequestHolder.getRequest()
def session = request.getSession(false)
session.myvar=2
}
but it give me :
2014-06-08 21:49:05,333 [http-bio-8080-exec-6] ERROR [/ammc].[default] - Servlet.service() for servlet [default] in context with path [/ammc] threw exception
Message: No signature of method: groovy.util.ConfigObject.getRequest() is applicable for argument types: () values: []
Line | Method
->> 158 | doCall in Config$_run_closure5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| 95 | call in grails.plugin.springsecurity.SecurityEventListener
| 72 | onApplicationEvent in ''
| 49 | doFilter in grails.plugin.springsecurity.web.authentication.RequestHolderAuthenticationFilter
| 82 | doFilter . . . . . in grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter
| 1145 | runWorker in java.util.concurrent.ThreadPoolExecutor
| 615 | run . . . . . . . in java.util.concurrent.ThreadPoolExecutor$Worker
^ 745 | run in java.lang.Thread
notice that the line 158 in the config file is exactly the line
def request = org.codehaus.groovy.grails.plugins.springsecurity.SecurityRequestHolder.getRequest()
which is crazy because I am not invoking groovy.util.ConfigObject.getRequest() in this line
I already tried to clean and compile but nothing change.
and at the same time if I want to catch the failure login event, what event I must catch?
update
I am using grails 2.3.8 and spring-security-core:2.0-RC2
To answer the question
This may be late but...
I believe you mean
def request = grails.plugin.springsecurity.web.SecurityRequestHolder.getRequest()
(note the different package name)
This may not be of much help to #Bilel but it may be to anyone else who happens upon the question.
One a side note:
which is crazy because I am not invoking groovy.util.ConfigObject.getRequest() in this line
When you see weird things like groovy.util.ConfigObject I have come to notice that it usually means a variable in Config does not exist.
Also, on another note:
I don't know if doing it in Config.groovy is an absolute requirement but I believe this gets cleaner if you register a listener.
Here's what I would do:
import org.springframework.context.ApplicationListener
import org.springframework.security.authentication.event. InteractiveAuthenticationSuccessEvent
class MyLoginListener implements ApplicationListener<InteractiveAuthenticationSuccessEvent> {
void onApplicationEvent(InteractiveAuthenticationSuccessEvent event) {
def request = grails.plugin.springsecurity.web.SecurityRequestHolder.getRequest()
def session = request.getSession(false)
session.myvar=2
}
}
and then register it in resources.groovy
beans = {
myLoginListener(MyLoginListener)
}
You need the following line in Config.groovy, but you may already have it there anyway.
grails.plugin.springsecurity.useSecurityEventListener = true
I have a Grails application with spring-security-ldap plugin installed and configured with Active Directory specific options.
Grails version: 2.1.1.
spring-security-core plugin version: 2.0-RC2
spring-security-ldap plugin version: 2.0-RC2
Everything works fine: users log in to the application validating against the Active Directory and their groups are retrieved in order to control the access to the different pages.
My problem: "remember me" option doesn't work. I have configured the application in order to use "remember me" option and I have run the s2-create-persistent-token command. I have also activated the specific traces.
Everything works fine: the user successfully logs in to the application with the "remember me" option checked, the token is created and the cookie is sent to the client. The user closes the browser and then reopens it. At this point, the application successfully validates that the user in the cookie matches with the user in the persistent token.
Then I can see this in the log
userdetails.LdapUserDetailsManager - Loading user 'sAMAccountName' with DN 'cn=sAMAccountName,dc=company,dc=country'
rememberme.PersistentTokenBasedRememberMeServices - Remember-me login was valid but corresponding user not found.
Message: User sAMAccountName not found
Line | Method
->> 49 | doFilter in grails.plugin.springsecurity.web.authentication.RequestHolderAuthenticationFilter
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| 82 | doFilter in grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter
| 886 | runTask in java.util.concurrent.ThreadPoolExecutor$Worker
| 908 | run in ''
^ 619 | run . . in java.lang.Thread
Caused by NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=company,DC=country'
The first log line shows a not valid DN for the user. The DN for the user is something like this
cn=name,ou=a group,ou=a super group,dc=company,dc=country
Could be that the problem? How can I solve it?
My configuration
// Spring Security
grails.plugin.springsecurity.logout.postOnly = false
// Spring Security LDAP
grails.plugin.springsecurity.ldap.context.managerDn = 'CN="a user",OU="a group",DC="company",DC="country"'
grails.plugin.springsecurity.ldap.context.managerPassword = '"password"'
grails.plugin.springsecurity.ldap.context.server = 'ldap://"server":389'
grails.plugin.springsecurity.ldap.authorities.ignorePartialResultException = true
grails.plugin.springsecurity.ldap.search.base = 'dc="company",dc="country"'
grails.plugin.springsecurity.ldap.search.filter="sAMAccountName={0}"
grails.plugin.springsecurity.ldap.search.searchSubtree = true
grails.plugin.springsecurity.ldap.auth.hideUserNotFoundExceptions = false
grails.plugin.springsecurity.ldap.search.attributesToReturn = ['dn', 'cn', 'ou', 'givenName', 'sn', 'department']
grails.plugin.springsecurity.ldap.authenticator.attributesToReturn = ['dn', 'cn', 'ou', 'givenName', 'sn', 'department']
grails.plugin.springsecurity.providerNames = ['ldapAuthProvider','anonymousAuthenticationProvider', 'rememberMeAuthenticationProvider']
// role-specific LDAP config
grails.plugin.springsecurity.ldap.authorities.retrieveGroupRoles = true
grails.plugin.springsecurity.ldap.authorities.groupSearchBase = 'dc="company",dc="country"'
grails.plugin.springsecurity.ldap.authorities.groupSearchFilter = '(member:1.2.840.113556.1.4.1941:={0})' // Active Directory specific
grails.plugin.springsecurity.successHandler.defaultTargetUrl = '/home'
grails.plugin.springsecurity.rememberMe.persistent = true
grails.plugin.springsecurity.rememberMe.persistentToken.domainClassName = 'censo.auth.PersistentLogin'
grails.plugin.springsecurity.ldap.useRememberMe = true
grails.plugin.springsecurity.ldap.rememberMe.detailsManager.groupMemberAttributeName = 'member'
grails.plugin.springsecurity.ldap.rememberMe.detailsManager.groupRoleAttribute = 'CN'
grails.plugin.springsecurity.ldap.rememberMe.detailsManager.groupSearchBase = 'OU="another group",dc="company",dc="country"'
grails.plugin.springsecurity.ldap.rememberMe.detailsManager.passwordAttributeName = 'userPassword'
grails.plugin.springsecurity.ldap.rememberMe.usernameMapper.userDnBase = 'dc="company",dc="country"'
grails.plugin.springsecurity.ldap.rememberMe.usernameMapper.usernameAttribute = 'cn'
grails.plugin.springsecurity.ldap.rememberMe.detailsManager.attributesToRetrieve = null
Thank you in advance
Im trying to upload a file, and store it in a file. This is the code in the GSP:
<g:form method="post" enctype="multipart/form-data" action="update">
<input type="file" name="cv" id="cv"/>
<g:actionSubmit action="upload" name="upload" value="Upload" />
</g:form>
In the Controller:
def upload(){
def f = request.getFile('cv')
InputStream file = f.inputStream
byte[] bytes = file.bytes
println('bytes: '+bytes)
}
As I say in the title, i got an exception here. Any help? Thanks.
EDIT (Full Stacktrace, by request):
Error 500: Internal Server Error
URI
/com.publidirecta.azafatas/azafataCertificada/index
Class
groovy.lang.MissingMethodException
Message
No signature of method:org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper.getFile() is applicable for argument types: (java.lang.String) values: [cv] Possible solutions: getXML(), getPart(java.lang.String), getAt(java.lang.String), getAt(java.lang.String), getLocale(), getJSON()
Around line 1158 of grails-app/controllers/com/publidirecta/AzafataCertificadaController.groovy
1155: def upload(){
1156: println("Acción upload. Params: "+params)
1157: Azafata aza=Azafata.findByUsername(params.user)
1158: def f = request.getFile('cv')
1159: InputStream file = f.inputStream
1160: byte[] bytes = file.bytes
1161: }
Trace
Line | Method
->> 1158 | upload in AzafataCertificadaController.groovy
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| 886 | runTask in java.util.concurrent.ThreadPoolExecutor$Worker
| 908 | run . . in ''
^ 680 | run in java.lang.Thread
The problem is that your request is not treated as a MultiPartRequest. Do something like this:
MultipartRequest multipartRequest = request as MultipartRequest
if(multipartRequest){
MultipartFile attachmentFile = multipartRequest.getFile("attachment_file".toString())
if (attachmentFile) {
-- copy it ---
}
}