Spring: Failed to evaluate expression "hasRole(USER)"

14ifxucb posted 12 months ago in Spring
Follow (0) | Answers (4) | Views (85)

I want to use Spring Security 5.3, configured in XML like this:

<http auto-config="true">
    <intercept-url pattern="/list" access="hasRole(USER)"/>
    <intercept-url pattern="/security" access="isAnonymous()"/>
    <http-basic />
    <form-login login-page="/security"
                  login-processing-url="/security"
                  default-target-url="/list"
                  authentication-failure-url="/security?error"
                  username-parameter="username"
                  password-parameter="password"/>

    <logout logout-success-url="/security?logout"/>
    <csrf disabled="true"/>
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="user" password="$2a$10$BHjEcnhAgqRH0Vj6aPmGTOtQfYdx3PsvTWjsVxVBouiLTzGSLTSz2" authorities="USER"/>
        </user-service>
        <password-encoder ref="encoder" />
    </authentication-provider>
</authentication-manager>

<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

When I log in, I get this error:

java.lang.IllegalArgumentException: Failed to evaluate expression 'hasRole(USER)'
    at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:30)
    at org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:52)
    at org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:33)
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:63)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:155)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)

Root cause

org.springframework.expression.spel.SpelEvaluationException: EL1008E: Property or field 'USER' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot' - maybe not public or not valid?
    at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:217)
    at org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:104)
    at org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:91)
    at org.springframework.expression.spel.ast.MethodReference.getArguments(MethodReference.java:164)
    at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:94)
    at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:117)
    at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:302)
    at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:26)

What is wrong in my code?

lb3vh1jj

lb3vh1jj1#

It should be

hasRole('USER')

Note: the single quotes around USER

xqkwcwgp

xqkwcwgp2#

org.springframework.expression.spel.SpelEvaluationException: EL1008E: Property or field 'USER' cannot be found on object of type
From the error above you can see that the problem is that USER cannot be recognized by the Spring Security framework. You forgot to wrap USER in ''.
The problem is the expression: <intercept-url pattern="/list" access="hasRole(USER)"/>. Replace it with <intercept-url pattern="/list" access="hasRole('USER')"/> and it will work.
Another problem I see is that you are using hasRole to protect your /list resource, but you have given the user the USER authority (authorities="USER"). hasRole adds the prefix ROLE_ to the USER argument you pass in. So ROLE_USER is not equal to USER, which is the authority you assigned to the user.
To fix this, you can change the authority to authorities="ROLE_USER". Or you can replace hasRole with hasAuthority like this: access="hasAuthority('USER')".

z4iuyo4d

z4iuyo4d3#

I got the same error when using @PreAuthorize on a controller method with multiple roles. It was used as @PreAuthorize("hasRole('ROLE_ADMIN','ROLE_USER')")
But the correct syntax should be @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')")
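The following is an added example, not code from the question or from any of the answers above. It evaluates the access expressions discussed in answers 1 to 3 (the unquoted hasRole(USER), hasRole versus hasAuthority with a plain "USER" authority, and hasRole called with two arguments) against Spring Security's own SecurityExpressionRoot, so the behaviour can be checked in a plain JVM without a web request. It assumes spring-security-core and spring-expression 5.3.x on the classpath; the class name AccessExpressionDemo and the helper evaluate are my own and are not part of Spring Security.

```java
// Added example (not from the original question or answers). Evaluates the
// access expressions discussed on the page against Spring Security's own
// SecurityExpressionRoot, so the quoting error and the ROLE_ prefix rule can
// be observed without a web context.
// Assumes spring-security-core and spring-expression 5.3.x on the classpath.
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ParseException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class AccessExpressionDemo {

    // Evaluate one access expression for a user holding the given authorities.
    // Returns "granted", "denied", or "error: <message>" so that an expression
    // which cannot be evaluated is visible instead of looking like a plain denial.
    static String evaluate(String expression, String... authorities) {
        // TestingAuthenticationToken builds an already-authenticated token
        // carrying exactly the authority strings we pass in.
        Authentication auth = new TestingAuthenticationToken("user", "n/a", authorities);
        // SecurityExpressionRoot is abstract but declares no abstract methods;
        // an anonymous subclass exposes hasRole/hasAuthority/hasAnyRole without
        // needing the FilterInvocation that WebSecurityExpressionRoot requires.
        SecurityExpressionRoot root = new SecurityExpressionRoot(auth) {};
        StandardEvaluationContext ctx = new StandardEvaluationContext(root);
        try {
            Expression expr = new SpelExpressionParser().parseExpression(expression);
            Boolean result = expr.getValue(ctx, Boolean.class);
            return Boolean.TRUE.equals(result) ? "granted" : "denied";
        } catch (ParseException | EvaluationException e) {
            // SpelEvaluationException (EL1008E etc.) is an EvaluationException.
            return "error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // The question's expression: unquoted USER is parsed as a property of
        // the root object, which does not exist (EL1008E in the stack trace).
        System.out.println(evaluate("hasRole(USER)", "USER"));

        // Quoted, but hasRole prepends ROLE_ and therefore looks for ROLE_USER,
        // while the user only holds the authority "USER".
        System.out.println(evaluate("hasRole('USER')", "USER"));

        // The two fixes from answer 2: compare the raw authority, or grant the
        // authority with the ROLE_ prefix that hasRole expects.
        System.out.println(evaluate("hasAuthority('USER')", "USER"));
        System.out.println(evaluate("hasRole('USER')", "ROLE_USER"));
        // hasRole does not add the prefix a second time when it is already there.
        System.out.println(evaluate("hasRole('ROLE_USER')", "ROLE_USER"));

        // Answer 3: hasRole takes a single argument, so a two-argument call is
        // not a matching method; combine checks with "or" or use hasAnyRole.
        System.out.println(evaluate("hasRole('ROLE_ADMIN','ROLE_USER')", "ROLE_USER"));
        System.out.println(evaluate("hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')", "ROLE_USER"));
        System.out.println(evaluate("hasAnyRole('ADMIN','USER')", "ROLE_USER"));
    }
}
```

The helper deliberately reports an evaluation error separately from a denial: in the real filter chain both end in a 403 for the user, so a misspelled expression is easy to mistake for a correct deny rule. Running expressions like this in a unit test is a cheap way to catch that class of misconfiguration before deployment. hasAnyRole is shown in addition to the "or" form from answer 3; it is Spring Security's own method for the multi-role case, not something the answers mention.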

4urapxun

4urapxun4#

I replaced hasRole(USER) with hasAuthority('USER') and it works fine.
