Java Spring Security AccessDecisionManager: UnanimousBased failed to parse expression 'ROLE_ADMIN,IS_AUTHENTICATED_FULLY'

Date: 2014-11-14 15:36:27

Tags: java spring spring-security

I am trying to do simple remember-me authentication with Spring Security, but when I tried to implement an accessDecisionManager I ran into this error. Here is the error log:

  

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChains': Cannot resolve reference to bean 'org.springframework.security.web.DefaultSecurityFilterChain#0' while setting bean property 'sourceList' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot resolve reference to bean 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0' while setting constructor argument with key [10]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0': Cannot create inner bean '(inner bean)' of type [org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource] while setting bean property 'securityMetadataSource'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#19': Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource]: Constructor threw exception; nested exception is java.lang.IllegalArgumentException: Failed to parse expression 'ROLE_ADMIN,IS_AUTHENTICATED_FULLY'

Here are my XML files. web.xml:

<web-app id="WebApp_ID" version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee 
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<display-name>Spring Security Eksplorasi</display-name>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- Spring MVC -->
<servlet>
    <servlet-name>kampus</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>kampus</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring-database.xml,
        /WEB-INF/spring-security.xml
    </param-value>
</context-param>

</web-app>

And this is my spring-security.xml:

    <beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:bean class="org.springframework.security.access.vote.RoleVoter">
                    <beans:property name="rolePrefix" value="ROLE_"/>
                </beans:bean>
                <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
            </beans:list>
        </beans:property>
    </beans:bean>

    <security:http auto-config="true" use-expressions="true" access-decision-manager-ref="accessDecisionManager">
        <security:remember-me key="kampus-rememberme" data-source-ref="dataSource" />
        <security:intercept-url pattern="/admin/*" access="ROLE_ADMIN, IS_AUTHENTICATED_FULLY" />
        <security:access-denied-handler error-page="/403" />
        <security:form-login 
            login-page="/login" 
            default-target-url="/welcome" 
            authentication-failure-url="/login?error" 
            username-parameter="username"
            password-parameter="password" />
        <security:logout logout-success-url="/login?logout"  />
        <!-- enable csrf protection 
        <csrf/>-->
    </security:http>
    <!-- 
    <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.access.vote.RoleVoter" />
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
            </list>
        </constructor-arg>
    </bean>
     -->

    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource"
                users-by-username-query=
                    "select username,password, status from users where username=?"
                authorities-by-username-query=
                    "select username, role from user_roles where username =?  " />
        </security:authentication-provider>
    </security:authentication-manager>

</beans>
Thank you very much for your help, friends.

2 answers:

Answer 0 (score: 2)

You probably just need to remove the space in the access attribute:

access="ROLE_ADMIN, IS_AUTHENTICATED_FULLY"

access="ROLE_ADMIN,IS_AUTHENTICATED_FULLY"

If that does not work, try:

access="hasAnyRole('ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY')"

Similar question: Spring Security 3 specify multiple intercept-url access roles

Check Teja's answer.

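Answer 1 (score: 0)

You are using expression based access control (by default, and you state it explicitly with use-expressions="true") and ROLE_ADMIN, IS_AUTHENTICATED_FULLY is not a valid expression but an "old style" role list, so either set use-expressions to false or replace the "old style" role list with the expression hasRole('ROLE_ADMIN') or isFullyAuthenticated()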
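The two configurations that Answer 1 distinguishes, written out as an added example (not code from the question or from either answer); the bean ids expressionAccessDecisionManager and legacyAccessDecisionManager are names chosen here. With UnanimousBased the legacy list requires both the role and full authentication, so the matching expression joins them with `and`, and a custom decision manager used with use-expressions="true" needs a WebExpressionVoter because RoleVoter and AuthenticatedVoter abstain on expression attributes.

```xml
<!-- Added example: use ONE option. Bean ids are names chosen for this example. -->

<!-- Option A: expression-based (use-expressions="true").
     WebExpressionVoter is the voter that evaluates expression attributes. -->
<beans:bean id="expressionAccessDecisionManager"
            class="org.springframework.security.access.vote.UnanimousBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
        </beans:list>
    </beans:property>
</beans:bean>

<security:http auto-config="true" use-expressions="true"
               access-decision-manager-ref="expressionAccessDecisionManager">
    <security:remember-me key="kampus-rememberme" data-source-ref="dataSource"/>
    <!-- Both conditions must hold: a remember-me session with ROLE_ADMIN must log in again. -->
    <security:intercept-url pattern="/admin/*"
                            access="hasRole('ROLE_ADMIN') and isFullyAuthenticated()"/>
    <security:access-denied-handler error-page="/403"/>
</security:http>

<!-- Option B: legacy attribute list (use-expressions="false").
     RoleVoter handles ROLE_ADMIN, AuthenticatedVoter handles IS_AUTHENTICATED_FULLY;
     UnanimousBased denies as soon as either voter denies. -->
<beans:bean id="legacyAccessDecisionManager"
            class="org.springframework.security.access.vote.UnanimousBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
            <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        </beans:list>
    </beans:property>
</beans:bean>

<security:http auto-config="true" use-expressions="false"
               access-decision-manager-ref="legacyAccessDecisionManager">
    <security:remember-me key="kampus-rememberme" data-source-ref="dataSource"/>
    <security:intercept-url pattern="/admin/*" access="ROLE_ADMIN,IS_AUTHENTICATED_FULLY"/>
    <security:access-denied-handler error-page="/403"/>
</security:http>
```

An expression such as hasAnyRole('ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY') compares only granted authorities, so it does not distinguish a remember-me session from a full login; isFullyAuthenticated() is the expression that makes that check.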