Spring Security "Unsupported configuration attributes: hasRole(), permitAll" after Spring upgrade

Problem description

I am upgrading Spring Security (and many other Spring libraries) from version 3 to version 4, using this commit as a reference: https://github.com/spring-projects/spring-security-migrate-3-to-4/compare/xml?expand=1

When the application server (Tomcat) starts, I get several Spring-related errors:

 org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChains': Cannot resolve reference to bean 'org.springframework.security.web.DefaultSecurityFilterChain#0' while setting bean property 'sourceList' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot resolve reference to bean 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0' while setting constructor argument with key [8]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [hasRole('SUPERADMIN'), hasRole('ADMIN'), hasRole('USER'), permitAll]

Here is my spring-security.xml file:

<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:sec="http://www.springframework.org/schema/security"
   xsi:schemaLocation="
   http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
   http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">

<import resource="businessContext.xml"/>
<!-- Spring security configs -->

<bean id="valuUserDetailsService" class="com.xxx.business.remote.ValuUserDetailsService">
    <property name="userService" ref="userService"/>
</bean>

<bean id="valuPasswordEncoderService" class="com.xxx.business.remote.ValuPasswordEncoderService">
</bean>

<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="valuUserDetailsService"/>
    <property name="passwordEncoder" ref="valuPasswordEncoderService"/>
</bean>

<sec:authentication-manager>
    <sec:authentication-provider ref="daoAuthenticationProvider"/>
</sec:authentication-manager>

<!-- Note: use IS_AUTHENTICATED_ANONYMOUSLY for any target that is allowed to be accessed anonymously. The patterns are matched in the listed order. -->
<sec:http disable-url-rewriting="false" use-expressions="false" create-session="always">
    <sec:headers disabled="true"/>
    <sec:csrf disabled="true"/>
    <sec:intercept-url pattern="/remoteservices/superadmin/**" access="hasRole('SUPERADMIN')"/>
    <sec:intercept-url pattern="/remoteservices/admin/**" access="hasRole('ADMIN')"/>
    <sec:intercept-url pattern="/remoteservices/**" access="permitAll"/>
    <sec:intercept-url pattern="/rest/401" access="permitAll"/>
    <sec:intercept-url pattern="/rest/**" access="hasRole('USER')"/>
    <sec:http-basic/>
</sec:http>
</beans>

It has a few modifications after the library upgrade, but this same file worked with Spring 3. Any idea what could be wrong?

Tags: spring, spring-security

Solution


By explicitly setting use-expressions="false", you are disabling expressions in the "access" attribute of <intercept-url>.

Since hasRole('SUPERADMIN'), permitAll, etc. are expressions, an exception is thrown saying they are not supported.

You can either set use-expressions to true (the default), or change the rules to state <sec:intercept-url pattern="/remoteservices/superadmin/**" access="ROLE_SUPERADMIN"/>

This is described in detail in the Migrate <http> section of the migration guide.

Note that Spring Security 4 has reached its end of life as of October 2020. I recommend migrating to a supported Spring Security 5 version as soon as possible.
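
The two fixes the answer describes, written out side by side as an added example (this is not the asker's file or the migration project's code). It assumes the application's authority names are ROLE_-prefixed, as the answer's ROLE_SUPERADMIN implies, and that the rest of spring-security.xml stays as in the question.

```xml
<!-- Option A: keep the SpEL expressions and enable them explicitly.
     use-expressions defaults to true in Spring Security 4, so the attribute
     could also simply be dropped. In Spring Security 4, hasRole('ADMIN')
     matches the authority ROLE_ADMIN (the prefix is added automatically),
     so options A and B check the same authorities. -->
<sec:http disable-url-rewriting="false" use-expressions="true" create-session="always">
    <sec:headers disabled="true"/>   <!-- copied from the question; unrelated to the error -->
    <sec:csrf disabled="true"/>      <!-- copied from the question; unrelated to the error -->
    <!-- Most specific patterns first: the first matching rule wins. -->
    <sec:intercept-url pattern="/remoteservices/superadmin/**" access="hasRole('SUPERADMIN')"/>
    <sec:intercept-url pattern="/remoteservices/admin/**" access="hasRole('ADMIN')"/>
    <sec:intercept-url pattern="/remoteservices/**" access="permitAll"/>
    <sec:intercept-url pattern="/rest/401" access="permitAll"/>
    <sec:intercept-url pattern="/rest/**" access="hasRole('USER')"/>
    <sec:http-basic/>
</sec:http>

<!-- Option B: stay with use-expressions="false" and use plain configuration
     attributes instead of expressions: ROLE_* names, which the RoleVoter
     evaluates, and IS_AUTHENTICATED_ANONYMOUSLY, the non-expression
     counterpart of permitAll, which the AuthenticatedVoter evaluates
     (this is the attribute the question's own XML comment refers to). -->
<sec:http disable-url-rewriting="false" use-expressions="false" create-session="always">
    <sec:headers disabled="true"/>
    <sec:csrf disabled="true"/>
    <sec:intercept-url pattern="/remoteservices/superadmin/**" access="ROLE_SUPERADMIN"/>
    <sec:intercept-url pattern="/remoteservices/admin/**" access="ROLE_ADMIN"/>
    <sec:intercept-url pattern="/remoteservices/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <sec:intercept-url pattern="/rest/401" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <sec:intercept-url pattern="/rest/**" access="ROLE_USER"/>
    <sec:http-basic/>
</sec:http>
```

Use one of the two <sec:http> blocks in place of the original, not both; the point of the split is that a single <sec:http> either allows expressions everywhere in its access attributes or nowhere.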

