无法验证Spring Security中的url模式角色

时间:2015-02-11 16:31:13

标签: spring spring-mvc spring-security spelevaluationexception

我使用spring security 3.1.7.RELEASE with spring 3.2.13.RELEASE。

我在spring-security.xml中输入如下内容:

<http auto-config="true" use-expressions="true"> 
    <intercept-url pattern=".*admin.htm" access="hasRole(ROLE_ADMIN)" />
    <intercept-url pattern="/siteadmin/*.htm" access="ROLE_ADMIN" />
    <intercept-url pattern="/siteadmin/cleancache.htm" access="hasRole('ROLE_ADMIN')" />

当我尝试点击url /siteadmin/cleancache.htm时,我得到以下异常:

  

java.lang.IllegalArgumentException:无法计算表达式   &#39; ROLE_ADMIN&#39;     org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:13)     org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:34)     org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:18)     org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:62)

     

根本原因:

     

org.springframework.expression.spel.SpelEvaluationException:   EL1008E:(pos 0):属性或字段&#39; ROLE_ADMIN&#39;无法找到   对象类型   &#39; org.springframework.security.web.access.expression.WebSecurityExpressionRoot&#39;    - 也许不公开? org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:214)     org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:85)     org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:78)     org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:102)     org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:98)     org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:11)     org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:34)

高度赞赏任何关于它的指针。

2 个答案:

答案 0 :(得分:43)

你有一些错别字。第一个intercept-url行缺少ROLE_ADMIN周围的单引号,第二行缺少hasRole。它应该是

<http auto-config="true" use-expressions="true"> 
    <intercept-url pattern=".*admin.htm" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/siteadmin/*.htm" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/siteadmin/cleancache.htm" access="hasRole('ROLE_ADMIN')" />

答案 1 :(得分:6)

安全弹簧的官方文档会带来您放置的示例:

<Intercept-url pattern = "/ siteadmin / *. Htm" access = "ROLE_ADMIN" />

但你应该穿上

<Intercept-url pattern = ". * Admin.htm" access = "hasRole ('ROLE_ADMIN')" />
相关问题
最新问题