英文:
Failed to evaluate expression 'hasRole(USER)'
问题
我想使用 Spring Security 5.3,在 XML 中进行配置,如下所示:
<http auto-config="true">
<intercept-url pattern="/list" access="hasRole('USER')"/>
<intercept-url pattern="/security" access="isAnonymous()"/>
<http-basic/>
<form-login login-page="/security"
login-processing-url="/security"
default-target-url="/list"
authentication-failure-url="/security?error"
username-parameter="username"
password-parameter="password"/>
<logout logout-success-url="/security?logout"/>
<csrf disabled="true"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user" password="$2a$10$BHjEcnhAgqRH0Vj6aPmGTOtQfYdx3PsvTWjsVxVBouiLTzGSLTSz2" authorities="USER"/>
</user-service>
<password-encoder ref="encoder"/>
</authentication-provider>
</authentication-manager>
<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
当我登录时,出现以下错误:
java.lang.IllegalArgumentException: Failed to evaluate expression 'hasRole('USER')'
org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:30)
...
org.springframework.expression.spel.SpelEvaluationException: EL1008E:
Property or field 'USER' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot' - maybe not public or not valid?
...
我的代码中有什么错误?
英文:
I want to use spring security 5.3
configure on xml like this
<http auto-config="true">
<intercept-url pattern="/list" access="hasRole(USER)"/>
<intercept-url pattern="/security" access="isAnonymous()"/>
<http-basic />
<form-login login-page="/security"
login-processing-url="/security"
default-target-url="/list"
authentication-failure-url="/security?error"
username-parameter="username"
password-parameter="password"/>
<logout logout-success-url="/security?logout"/>
<csrf disabled="true"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user" password="$2a$10$BHjEcnhAgqRH0Vj6aPmGTOtQfYdx3PsvTWjsVxVBouiLTzGSLTSz2" authorities="USER"/>
</user-service>
<password-encoder ref="encoder" />
</authentication-provider>
</authentication-manager>
<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
when I log in I get this error:
> java.lang.IllegalArgumentException: Failed to evaluate expression
> 'hasRole(USER)'
> org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:30)
> org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:52)
> org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:33)
> org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:63)
> org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123)
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:155)
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
> org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
>
> Root Cause
>
> org.springframework.expression.spel.SpelEvaluationException: EL1008E:
> Property or field 'USER' cannot be found on object of type
> 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot'
> - maybe not public or not valid? org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:217)
> org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:104)
> org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:91)
> org.springframework.expression.spel.ast.MethodReference.getArguments(MethodReference.java:164)
> org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:94)
> org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:117)
> org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:302)
> org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:26)
> org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:52)
> org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:33)
> org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:63)
> org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123)
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:155)
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
> org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
what error in my code?
答案1
得分: 2
org.springframework.expression.spel.SpelEvaluationException: EL1008E: 无法在类型为USER的对象上找到属性或字段'USER'。
从上面的错误中可以看出问题是USER未在Spring Security框架中被识别。您忘记在''中添加USER。
问题出在表达式上:<intercept-url pattern="/list" access="hasRole(USER)"/>。
将其替换为<intercept-url pattern="/list" access="hasRole('USER')"/>即可解决。
我看到的另一个问题是,您正在使用hasRole来保护您的/list资源,但您已经将用户的权限设置为USER,这会导致hasRole在传递的USER参数前添加前缀ROLE_。因此,ROLE_USER将不等于您分配给用户的权限USER。
要解决此问题,您可以将authorities更改为authorities="ROLE_USER"。
或者您可以将hasRole替换为hasAuthority,如下所示:access="hasAuthority('USER')"。
英文:
org.springframework.expression.spel.SpelEvaluationException: EL1008E: Property or field 'USER' cannot be found on object of type
From the error above you can see the problem is hte USER that is not being recognized from the spring security framework. You have forgotten to add enclose the USER in '' .
The problem is with the expression: <intercept-url pattern="/list" access="hasRole(USER)"/>.
Replace it with <intercept-url pattern="/list" access="hasRole('USER')"/> and it will work.
A another problem I saw it that you are using hasRole to protect your /list resource but you have given the user the authority USER authorities="USER". What will happen is that hasRole is going to add the prefix ROLE_ to USER argument you passed in. So ROLE_USER is not going to equal USER which is the autority you have assign to the user.
To fix this you can either change authorities to ```authorities="ROLE_USER"``.
Or you can substitute hasRole with hasAuthority , like below:
access="hasAuthority('USER')".
答案2
得分: 2
应为
hasRole('USER')
注意:在USER周围需要单引号。
英文:
It should be
hasRole('USER')
Note: the single quotes around USER.
答案3
得分: -1
我用hasAuthority('USER')替换了hasRole(USER),然后它就起作用了。
英文:
I replaced hasRole(USER) with hasAuthority('USER') and it worked
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论