[英]Custom permission evaluator for spring security throws ClassCastException
我已經發現了問題所在,只需將其發布在此處,以便谷歌搜索該異常將返回除Hibernate問題以外的其他信息。
我正在嘗試使用自定義權限評估程序設置Spring Security 4,但是卻收到以下異常:
HTTP Status 500 - Request processing failed; nested exception is java.lang.ClassCastException: org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation cannot be cast to org.springframework.security.web.FilterInvocation
然后我請求一個http://localhost:8080/my-service/secured/root@boss
,應該對這種方法進行評估:
@Controller
public class SecuredServiceController {
@Autowired
private SecuredService securedService;
@RequestMapping(value = "/secured/{name:.+}", method = RequestMethod.GET)
@PreAuthorize("hasPermission(#name, 'view.%')")
public ModelAndView stuff(@PathVariable("name") String name) throws ServletException, IOException {
ModelAndView model = new ModelAndView();
model.setViewName("hello");
model.addObject("message", securedService.getSecret(name));
return model;
}}
但是它沒有被調用,在此之前引發了異常。
這是我的spring-security.xml
:
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.0.xsd">
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/j_spring_security_check" access="permitAll"/>
<security:intercept-url pattern="/free" access="permitAll"/>
<security:intercept-url pattern="/test*" access="isAuthenticated()"/>
<security:logout invalidate-session="true" delete-cookies="JSESSIONID" logout-url="/logout"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider ref="myAuthenticationProvider"/>
</security:authentication-manager>
<bean id="myAuthenticationProvider"
class="com.me.webcommon.spring_auth.MySpringAuthenticationProvider"/>
<security:global-method-security pre-post-annotations="enabled" secured-annotations="enabled">
<security:expression-handler ref="expressionHandler"/>
</security:global-method-security>
<bean id="permissionEvaluator" class="com.me.webcommon.spring_auth.MyPermissionEvaluator"/>
<context:component-scan
base-package="com.me.webcommon.spring_auth"/>
<bean id="expressionHandler"
class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
<property name="permissionEvaluator" ref="permissionEvaluator"/>
</bean>
仔細觀察該異常,它說方法代理不能轉換為過濾器代理。 這是因為我應該使用方法表達式處理程序org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler
相反,如果org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler
Spring創建了錯誤的代理對象,無法從調用中檢索參數,並在調用該方法之前將其傳遞給我的permissionEvaluator
。
這是一個正常的spring-security.xml
:
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.0.xsd">
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/j_spring_security_check" access="permitAll"/>
<security:intercept-url pattern="/free" access="permitAll"/>
<security:intercept-url pattern="/test*" access="isAuthenticated()"/>
<security:logout invalidate-session="true" delete-cookies="JSESSIONID" logout-url="/logout"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider ref="myAuthenticationProvider"/>
</security:authentication-manager>
<bean id="myAuthenticationProvider"
class="com.me.webcommon.spring_auth.MySpringAuthenticationProvider"/>
<security:global-method-security pre-post-annotations="enabled" secured-annotations="enabled">
<security:expression-handler ref="expressionHandler"/>
</security:global-method-security>
<bean id="permissionEvaluator" class="com.me.webcommon.spring_auth.MyPermissionEvaluator"/>
<context:component-scan
base-package="com.me.webcommon.spring_auth"/>
<!--here, it must be a method expression handler-->
<bean id="expressionHandler"
class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<property name="permissionEvaluator" ref="permissionEvaluator"/>
</bean>
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.