Spring安全性的自定义权限评估程序抛出ClassCastException

时间:2015-12-22 19:39:46

标签: java spring spring-security proxy

  

我已经发现了什么是错的,只是在这里发布,所以谷歌搜索这个异常将返回除Hibernate问题以外的东西。

我尝试使用自定义权限评估程序设置Spring Security 4,但是遇到此异常:

HTTP Status 500 - Request processing failed; nested exception is java.lang.ClassCastException: org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation cannot be cast to org.springframework.security.web.FilterInvocation

然后我要求http://localhost:8080/my-service/secured/root@boss,它应该评估此方法:

@Controller
public class SecuredServiceController {

@Autowired
private SecuredService securedService;

@RequestMapping(value = "/secured/{name:.+}", method = RequestMethod.GET)
@PreAuthorize("hasPermission(#name, 'view.%')")
public ModelAndView stuff(@PathVariable("name") String name) throws ServletException, IOException {

    ModelAndView model = new ModelAndView();
    model.setViewName("hello");

    model.addObject("message", securedService.getSecret(name));
    return model;
}}

但它没有被调用,在此之前就抛出了异常。

这是我的spring-security.xml

<?xml version="1.0" encoding="UTF-8" ?>

<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:security="http://www.springframework.org/schema/security"
   xmlns:context="http://www.springframework.org/schema/context"
   xsi:schemaLocation="
    http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-4.0.xsd
    http://www.springframework.org/schema/context
    http://www.springframework.org/schema/context/spring-context-4.0.xsd">

<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/j_spring_security_check" access="permitAll"/>
    <security:intercept-url pattern="/free" access="permitAll"/>
    <security:intercept-url pattern="/test*" access="isAuthenticated()"/>
    <security:logout invalidate-session="true" delete-cookies="JSESSIONID" logout-url="/logout"/>
</security:http>

<security:authentication-manager>
    <security:authentication-provider ref="myAuthenticationProvider"/>
</security:authentication-manager>
<bean id="myAuthenticationProvider"
      class="com.me.webcommon.spring_auth.MySpringAuthenticationProvider"/>

<security:global-method-security pre-post-annotations="enabled" secured-annotations="enabled">
    <security:expression-handler ref="expressionHandler"/>
</security:global-method-security>

<bean id="permissionEvaluator" class="com.me.webcommon.spring_auth.MyPermissionEvaluator"/>

<context:component-scan
        base-package="com.me.webcommon.spring_auth"/>
<bean id="expressionHandler"
      class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <property name="permissionEvaluator" ref="permissionEvaluator"/>
</bean>

1 个答案:

答案 0 :(得分:1)

仔细查看异常,它表示方法代理不能转换为过滤器代理。这是因为我应该使用方法表达式处理程序 org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler
相反,如果org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler
和spring创建了一种错误的代理对象来从调用中检索参数,并在调用方法之前将它们传递给我的permissionEvaluator

这是一个有效的spring-security.xml

<?xml version="1.0" encoding="UTF-8" ?>

<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:security="http://www.springframework.org/schema/security"
   xmlns:context="http://www.springframework.org/schema/context"
   xsi:schemaLocation="
    http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-4.0.xsd
    http://www.springframework.org/schema/context
    http://www.springframework.org/schema/context/spring-context-4.0.xsd">

<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/j_spring_security_check" access="permitAll"/>
    <security:intercept-url pattern="/free" access="permitAll"/>
    <security:intercept-url pattern="/test*" access="isAuthenticated()"/>
    <security:logout invalidate-session="true" delete-cookies="JSESSIONID" logout-url="/logout"/>
</security:http>

<security:authentication-manager>
    <security:authentication-provider ref="myAuthenticationProvider"/>
</security:authentication-manager>
<bean id="myAuthenticationProvider"
      class="com.me.webcommon.spring_auth.MySpringAuthenticationProvider"/>

<security:global-method-security pre-post-annotations="enabled" secured-annotations="enabled">
    <security:expression-handler ref="expressionHandler"/>
</security:global-method-security>

<bean id="permissionEvaluator" class="com.me.webcommon.spring_auth.MyPermissionEvaluator"/>

<context:component-scan
        base-package="com.me.webcommon.spring_auth"/>
<!--here, it must be a method expression handler-->
<bean id="expressionHandler"
      class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <property name="permissionEvaluator" ref="permissionEvaluator"/>
</bean>

相关问题
最新问题