
I am new to Spring Security. I need to create 3 types of authentication:

by IP
by SMS
by PIN code

Now I tried to implement auth by IP. I use Spring Security.

I get the IP address of the client (my Spring Boot app) and pass it to the backend server (another remote Java server) via REST. If the user is authenticated I get this User in my Spring app and I want to show him index.html; if not, I get null and I want to show him login.html.

I created an AuthenticationProvider:

import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;

@Component
public class IPAddressBasedAuthenticationProvider implements AuthenticationProvider {
    @Autowired
    private HttpServletRequest request;
    @Autowired
    AuthService authService;

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // Ask the remote backend whether a user is registered for the client's address
        String ipAddress = request.getRemoteAddr();
        AuthLkUser authLkUserByIp = authService.getAuthLkUserByIp(ipAddress);

        if (authLkUserByIp == null) return null;

        boolean b = authService.checkAuthLkUser(authLkUserByIp);
        if (b) return null;
        // Two-argument constructor: the token starts with authenticated=false
        // and carries no granted authorities
        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken("John Principal", "PlaceholderPWE");
        result.setDetails(authentication.getDetails());
        // UsernamePasswordAuthenticationToken rejects setAuthenticated(true) with an
        // IllegalArgumentException; only the three-argument (authorities) constructor
        // produces a trusted token
        result.setAuthenticated(true);
        return result;
    }

    @Override
    public boolean supports(Class<?> aClass) {
        return true;
    }
}

When I open a page, for example index.html, with my Spring app in debug mode, I check at a breakpoint (the method is called) and I have my authLkUserByIp (the user is authenticated normally). I have the result and return it. But on the page I get this error:

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.

Mon Jul 11 12:48:25 ALMT 2016
There was an unexpected error (type=Forbidden, status=403).
Access is denied

But the user is authenticated normally. Why do I get the error?

I tried following this example

But I do not have a web.xml. All configs are in code.

I have some questions: 1. Why do I get the error and how can I fix it? 2. When I try to implement the other two types of authentication, how can I manage it?

user5620472

1 Answer


I think you're missing the grantedAuths, because Spring Security works with roles.

This is an example of how I handle authorization with a CustomAuthenticationProvider:

import java.util.ArrayList;
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.password.PasswordEncoder;

public class CustomAuthenticationProvider implements AuthenticationProvider {
    // Collaborators used by the posted method; their types are not shown in the
    // answer, so the repository type name below is an assumption
    private UsuariosRepository user;
    private PasswordEncoder passwordEncoder;

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        String username = String.valueOf(auth.getName());
        String password = String.valueOf(auth.getCredentials().toString());

        Usuarios us = null;
        boolean success = false;
        try {
            us = user.findByName(username);
            // Compare the submitted password against the stored hash
            success = passwordEncoder.matches(password, us.getClave());
        } catch (Exception ex) {
            // An unknown user leaves us == null; the resulting NullPointerException
            // is swallowed here, so success stays false
        }
        if (success == true) {
            // Map the application's role name to a Spring Security authority
            final List<GrantedAuthority> grantedAuths = new ArrayList<>();
            String authority;
            switch (us.getRoles().getNombre()) {
                case "administrador":
                    authority = "ROLE_ADMIN";
                    break;
                case "vendedor":
                    authority = "ROLE_VENDEDOR";
                    break;
                default:
                    authority = "ROLE_NONE";
                    break;
            }
            GrantedAuthority grantedAuthority = new SimpleGrantedAuthority(authority);
            grantedAuths.add(grantedAuthority);
            final UserDetails principal = new User(username, password, grantedAuths);
            // The three-argument constructor marks the token as authenticated
            final Authentication authentication = new UsernamePasswordAuthenticationToken(principal, password, grantedAuths);
            us = null;
            return authentication;
        } else {
            throw new BadCredentialsException("Bad Credentials");
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

First I check the user authority in my service and find it in my database; I think you can skip this and assign your role directly with GrantedAuthority.

Then you can build your UserDetails and set the information of the user and his role with GrantedAuthority.

And finally build your Authentication to return it, with all the previous steps.

Paulo Galdo Sandoval
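Putting the answer's point together with the asker's IP-based provider, here is an added example (not code from the question or the answer) of a provider that returns a token Spring Security will treat as authenticated: it carries granted authorities and is built with the three-argument constructor, which is the only way to obtain an authenticated UsernamePasswordAuthenticationToken. AuthService and AuthLkUser are the asker's types; the role name ROLE_USER, the class name, and the assumption that checkAuthLkUser returns true for a valid user are mine.

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.stereotype.Component;

// Added example: IP-based provider that produces an authenticated token with authorities.
@Component
public class IpAuthenticationProvider implements AuthenticationProvider {

    private final HttpServletRequest request;
    private final AuthService authService; // the asker's remote lookup service

    public IpAuthenticationProvider(HttpServletRequest request, AuthService authService) {
        this.request = request;
        this.authService = authService;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // Behind a reverse proxy getRemoteAddr() is the proxy's address, not the
        // client's, so an IP check is only meaningful when the app sees the real client IP.
        String ipAddress = request.getRemoteAddr();
        AuthLkUser user = authService.getAuthLkUserByIp(ipAddress);

        // Assumption: checkAuthLkUser(user) returns true when the backend accepts the user.
        if (user == null || !authService.checkAuthLkUser(user)) {
            // Returning null means "this provider cannot decide"; throwing means "rejected".
            throw new BadCredentialsException("No authenticated user for IP " + ipAddress);
        }

        // ROLE_USER is an assumed role name; use whatever your authorization rules check.
        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");

        // The three-argument constructor sets authenticated=true itself; calling
        // setAuthenticated(true) on the two-argument form throws IllegalArgumentException.
        UsernamePasswordAuthenticationToken result =
                new UsernamePasswordAuthenticationToken(user, null, authorities);
        result.setDetails(authentication.getDetails());
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only claim the token type this provider actually handles, rather than
        // returning true for everything.
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Two things to keep in mind when wiring this up: the 403 only goes away if the authorities on the token match what the security configuration requires for index.html (for example a rule that asks for ROLE_USER), and an AuthenticationProvider only runs when some filter hands a token to the AuthenticationManager, so for a login that has no form submission the filter that triggers it is part of the design as well. The SMS and PIN variants follow the same shape: one provider per mechanism, each producing a token with the authorities its users should get.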