我用spring-boot和oauth开始一个新项目。我试着保护我项目的一些网址。
这是我的Httpsecurty配置:
http.authorizeRequests()
.antMatchers("/test")
.access("#oauth2.hasRole('USER')")
我的clientdetails服务配置器也有这个配置:
clients.inMemory()
.withClient("xxxxx")
.authorizedGrantTypes("password", "refresh_token")
.authorities("USER")
.scopes("read")
.resourceIds(RESOURCE_ID)
.secret("sssss")
我向用户注册了#34; USER"我从服务器收到了access_token。但是当我尝试使用此令牌访问/ test / url时,我得到了这个execption
java.lang.IllegalArgumentException: Failed to evaluate expression '#oauth2.throwOnError(#oauth2.hasRole('USER'))'
at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:13)
at org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:34)
at org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:18)
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:62)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter(OAuth2AuthenticationProcessingFilter.java:176)
当我尝试没有#oauth2参数时:
.access("hasRole('USER')")
,我得到了:
type=AUTHORIZATION_FAILURE, data={type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]
有人有什么想法吗? 谢谢 干杯
答案 0 :(得分:0)
我知道问题很严重,但幸运的是,解决方案.access("hasRole('USER')")帮助了我。谢谢你的帮助。
但是对于其他人(学习弹簧安全性)让我分享我对这个问题的了解,看起来你尝试登录的用户无法访问该角色,所以检查你的数据库(USER_ROLE)如果该用户具有该角色关联。因为在我的场景中我正在检查管理员角色,当我尝试使用非管理员用户登录时,出现了同样的错误'Access Denied'。
答案 1 :(得分:0)
尝试将WebExpressionVoter' expressionHandler设为OAuth2WebSecurityExpressionHandler的实例:
webExpressionVoter.setExpressionHandler(new OAuth2WebSecurityExpressionHandler());
您也可以尝试使用.hasRole( "USER" )代替.access(...)。