Why Does My Spring Security Role-Based Access Control Fail Despite Database Role Assignments?

Resolving Invalid Role Checking in Spring Security

In Spring Security, configuring authorization can sometimes lead to unexpected role checks. Let's address the issue highlighted in the code snippet provided:

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // ...
    auth
        .jdbcAuthentication()
            .dataSource(dataSource)
            .usersByUsernameQuery("select username, password, 1 from users where username=?")
            .authoritiesByUsernameQuery("select users_username, roles_id  from roles_users where users_username=?")
            .rolePrefix("ROLE_");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    // ...
    http
        .csrf().disable();      
    http
        .httpBasic();
    http
        .authorizeRequests()
            .anyRequest().authenticated();
    http
        .authorizeRequests()
            .antMatchers("/users/all").hasRole("admin")
            .and()
        .formLogin();
    http
        .exceptionHandling().accessDeniedPage("/403");
}

Problem:

When a user with only the "USER" role logs in, they are able to access a resource protected by the "admin" role. The issue lies in the primary key constraint on the username column in the "users" table.

Solution:

The supplied query "select username, password, 1 from users where username=?" is inadequate because it always returns a single row, regardless of the user's role. This allows users to assume any role they desire, even if not granted in the database.

To address this, the query should be updated to return the user's role:

.usersByUsernameQuery("select username, password, role from users where username=?")

Additional Note:

The order of matchers in the authorization configuration is crucial. The following matcher "anyRequest().authenticated() should come before antMatchers("/users/all").hasRole("admin") to ensure that only authenticated users can access the application.

The above is the detailed content of Why Does My Spring Security Role-Based Access Control Fail Despite Database Role Assignments?. For more information, please follow other related articles on the PHP Chinese website!