Failed to evaluate expression 'hasRole(USER)'

Question

I want to use Spring Security 5.3, configured in XML like this:

<http auto-config="true">
    <intercept-url pattern="/list" access="hasRole(USER)"/>
    <intercept-url pattern="/security" access="isAnonymous()"/>
    <http-basic />
    <form-login login-page="/security"
                  login-processing-url="/security"
                  default-target-url="/list"
                  authentication-failure-url="/security?error"
                  username-parameter="username"
                  password-parameter="password"/>

    <logout logout-success-url="/security?logout"/>
    <csrf disabled="true"/>
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="user" password="$2a$10$BHjEcnhAgqRH0Vj6aPmGTOtQfYdx3PsvTWjsVxVBouiLTzGSLTSz2" authorities="USER"/>
        </user-service>
        <password-encoder ref="encoder" />
    </authentication-provider>
</authentication-manager>

<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

When I log in I get this error:

> java.lang.IllegalArgumentException: Failed to evaluate expression 'hasRole(USER)'
> org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:30)
> org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:52)
> org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:33)
> org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:63)
> org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123)
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:155)
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
> org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
>
> Root Cause
>
> org.springframework.expression.spel.SpelEvaluationException: EL1008E: Property or field 'USER' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot' - maybe not public or not valid?
> org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:217)
> org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:104)
> org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:91)
> org.springframework.expression.spel.ast.MethodReference.getArguments(MethodReference.java:164)
> org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:94)
> org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:117)
> org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:302)
> org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:26)
> org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:52)
> org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:33)
> org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:63)
> org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123)
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:155)
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
> org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)

What is the error in my code?

Answer 1

Score: 2


org.springframework.expression.spel.SpelEvaluationException: EL1008E: Property or field 'USER' cannot be found on object of type

From the error above you can see the problem is the USER that is not being recognized by the Spring Security framework. You have forgotten to enclose USER in ''.

The problem is with the expression: `<intercept-url pattern="/list" access="hasRole(USER)"/>`.
Replace it with `<intercept-url pattern="/list" access="hasRole('USER')"/>` and it will work.

Another problem I saw is that you are using hasRole to protect your /list resource but you have given the user the authority USER (`authorities="USER"`). What will happen is that hasRole is going to add the prefix ROLE_ to the USER argument you passed in. So ROLE_USER is not going to equal USER, which is the authority you have assigned to the user.

To fix this you can either change authorities to `authorities="ROLE_USER"`.

Or you can substitute hasRole with hasAuthority, like below:
`access="hasAuthority('USER')"`.
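
The two failure modes described in this answer can be reproduced outside the filter chain. The following is an added example, not code from the question or the answers: the class name `RoleExpressionDemo` and the `evaluate` helper are hypothetical, and an anonymous subclass of `SecurityExpressionRoot` stands in for `WebSecurityExpressionRoot` (which needs a real request). It assumes spring-security-core and spring-expression are on the classpath.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Hypothetical demo class: evaluates access expressions the way an
// <intercept-url access="..."> attribute is evaluated, without a servlet container.
public class RoleExpressionDemo {

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    /** Evaluates an access expression for a user holding the given authorities. */
    static String evaluate(String expression, String... authorities) {
        Authentication auth = new UsernamePasswordAuthenticationToken(
                "user", "n/a", AuthorityUtils.createAuthorityList(authorities));
        // Stand-in for WebSecurityExpressionRoot: same hasRole/hasAuthority methods.
        SecurityExpressionRoot root = new SecurityExpressionRoot(auth) { };
        try {
            Expression parsed = PARSER.parseExpression(expression);
            Boolean granted = parsed.getValue(new StandardEvaluationContext(root), Boolean.class);
            return "granted=" + granted;
        } catch (SpelEvaluationException e) {
            // A bare identifier is resolved as a property of the root object.
            return "evaluation failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String[][] cases = {
            // expression,            authority configured for the user
            {"hasRole(USER)",         "USER"},       // unquoted: property lookup, not a string
            {"hasRole('USER')",       "USER"},       // quoted, but hasRole looks for ROLE_USER
            {"hasRole('USER')",       "ROLE_USER"},  // authority renamed to carry the prefix
            {"hasAuthority('USER')",  "USER"},       // exact match, no prefix added
        };
        for (String[] c : cases) {
            System.out.printf("%-22s authorities=%-10s %s%n", c[0], c[1], evaluate(c[0], c[1]));
        }
    }
}
```

Running the same table against every `access` expression in a configuration is a quick way to catch rules that can never grant access before they are deployed.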

Answer 2

Score: 2


It should be

hasRole('USER')

Note: the single quotes around USER.

Answer 3

Score: -1


I replaced hasRole(USER) with hasAuthority('USER') and it worked.

huangapple
  • Published on March 15, 2020, 20:20:16
  • When reposting, please keep the link to this article: https://go.coder-hub.com/60692799.html