我已经找到了问题所在,在这里发布只是为了让以后用谷歌搜索这个异常的人,能搜到 Hibernate 问题以外的结果。
我尝试使用自定义权限评估程序设置Spring Security 4,但是遇到此异常:
HTTP Status 500 - Request processing failed; nested exception is java.lang.ClassCastException: org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation cannot be cast to org.springframework.security.web.FilterInvocation
当我请求 http://localhost:8080/my-service/secured/root@boss 时,它应该评估下面这个方法:
/**
 * MVC controller exposing a single GET endpoint whose access is decided by a
 * method-security expression.
 *
 * <p>As far as the configuration shown on this page goes, no URL-level
 * {@code intercept-url} rule covers {@code /secured/**}, so the
 * {@code @PreAuthorize} annotation below is the only access check on this
 * endpoint. If method security is not active for this bean, the handler runs
 * unprotected.
 */
@Controller
public class SecuredServiceController {

    // Collaborator that supplies the secret for a given name; injected by Spring.
    @Autowired
    private SecuredService securedService;

    /**
     * Renders the {@code hello} view with the secret looked up for {@code name}.
     *
     * <p>The {@code :.+} part of the mapping makes the path variable match the
     * whole segment, so a value such as {@code root@boss} arrives intact.
     *
     * <p>Before the method body runs, {@code hasPermission(#name, 'view.%')} is
     * evaluated through the configured {@code PermissionEvaluator}, with the
     * path variable as the target and {@code 'view.%'} as the permission.
     *
     * <p>NOTE(review): {@code #name} is resolved from the method's parameter
     * names, which presumably requires debug symbols or {@code -parameters} at
     * compile time (or an explicit parameter-name annotation). Confirm that the
     * evaluator denies access when it receives a {@code null} target.
     *
     * @param name the identifier taken from the request path
     * @return a model-and-view for {@code hello} carrying the secret under {@code message}
     * @throws ServletException declared for the handler signature
     * @throws IOException declared for the handler signature
     */
    @RequestMapping(value = "/secured/{name:.+}", method = RequestMethod.GET)
    @PreAuthorize("hasPermission(#name, 'view.%')")
    public ModelAndView stuff(@PathVariable("name") String name) throws ServletException, IOException {
        final Object secret = securedService.getSecret(name);
        // View name and the single model attribute are set in one step.
        return new ModelAndView("hello", "message", secret);
    }
}
但它没有被调用,在此之前就抛出了异常。
这是我的spring-security.xml
:
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.0.xsd">
<!-- Spring Security configuration as posted in the question. This version fails at
     request time with the ClassCastException; the cause is the expressionHandler
     bean at the bottom of this listing. -->
<!-- URL-level rules. Only the three patterns below are constrained and there is no
     catch-all rule, so any other path (for example /secured/**) has no URL-level
     check and depends entirely on method security. -->
<security:http auto-config="true" use-expressions="true">
<!-- NOTE(review): /j_spring_security_check was the default login-processing URL
     before Spring Security 4; 4.x defaults to /login, so this rule may be a
     leftover. Confirm against the login form actually in use. -->
<security:intercept-url pattern="/j_spring_security_check" access="permitAll"/>
<security:intercept-url pattern="/free" access="permitAll"/>
<!-- Ant pattern: "/test*" matches /test and /testing but not paths below /test/;
     nested paths would need "/test/**". -->
<security:intercept-url pattern="/test*" access="isAuthenticated()"/>
<security:logout invalidate-session="true" delete-cookies="JSESSIONID" logout-url="/logout"/>
</security:http>
<!-- Authentication is delegated to the project's own provider bean. -->
<security:authentication-manager>
<security:authentication-provider ref="myAuthenticationProvider"/>
</security:authentication-manager>
<bean id="myAuthenticationProvider"
class="com.me.webcommon.spring_auth.MySpringAuthenticationProvider"/>
<!-- Turns on @PreAuthorize/@PostAuthorize and @Secured. The handler referenced here
     evaluates expressions for method invocations, so it must be a method security
     expression handler. -->
<security:global-method-security pre-post-annotations="enabled" secured-annotations="enabled">
<security:expression-handler ref="expressionHandler"/>
</security:global-method-security>
<!-- Custom PermissionEvaluator behind hasPermission(...). Its source is not shown.
     NOTE(review): it should return false for null or unrecognised targets and
     permissions, so that a failed lookup denies access. -->
<bean id="permissionEvaluator" class="com.me.webcommon.spring_auth.MyPermissionEvaluator"/>
<context:component-scan
base-package="com.me.webcommon.spring_auth"/>
<!-- Problem: DefaultWebSecurityExpressionHandler is the handler for web (filter)
     expressions and casts the secured object to FilterInvocation. Wired into
     global-method-security it is handed a method invocation instead, which
     produces the ClassCastException reported in the question. -->
<bean id="expressionHandler"
class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
<property name="permissionEvaluator" ref="permissionEvaluator"/>
</bean>
答案 0 :(得分:1)
仔细查看异常,它表示方法代理不能转换为过滤器代理。这是因为我本应使用方法表达式处理程序
org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler
,而不是 org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler
;结果 Spring 创建了错误类型的代理对象,用它在调用方法之前从调用中取出参数并传给我的 permissionEvaluator
。
下面是可以正常工作的 spring-security.xml:
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.0.xsd">
<!-- Corrected Spring Security configuration from the answer. The only change from
     the failing version is the class of the expressionHandler bean. -->
<!-- URL-level rules. Only the three patterns below are constrained and there is no
     catch-all rule, so any other path (for example /secured/**) has no URL-level
     check and depends entirely on method security. A final
     pattern="/**" rule requiring authentication would give a default-deny
     baseline. -->
<security:http auto-config="true" use-expressions="true">
<!-- NOTE(review): /j_spring_security_check was the default login-processing URL
     before Spring Security 4; 4.x defaults to /login, so this rule may be a
     leftover. Confirm against the login form actually in use. -->
<security:intercept-url pattern="/j_spring_security_check" access="permitAll"/>
<security:intercept-url pattern="/free" access="permitAll"/>
<!-- Ant pattern: "/test*" matches /test and /testing but not paths below /test/;
     nested paths would need "/test/**". -->
<security:intercept-url pattern="/test*" access="isAuthenticated()"/>
<security:logout invalidate-session="true" delete-cookies="JSESSIONID" logout-url="/logout"/>
</security:http>
<!-- Authentication is delegated to the project's own provider bean. -->
<security:authentication-manager>
<security:authentication-provider ref="myAuthenticationProvider"/>
</security:authentication-manager>
<bean id="myAuthenticationProvider"
class="com.me.webcommon.spring_auth.MySpringAuthenticationProvider"/>
<!-- Turns on @PreAuthorize/@PostAuthorize and @Secured. The handler referenced here
     evaluates expressions for method invocations. -->
<security:global-method-security pre-post-annotations="enabled" secured-annotations="enabled">
<security:expression-handler ref="expressionHandler"/>
</security:global-method-security>
<!-- Custom PermissionEvaluator behind hasPermission(...). Its source is not shown.
     NOTE(review): it should return false for null or unrecognised targets and
     permissions, so that a failed lookup denies access. -->
<bean id="permissionEvaluator" class="com.me.webcommon.spring_auth.MyPermissionEvaluator"/>
<context:component-scan
base-package="com.me.webcommon.spring_auth"/>
<!-- The handler given to global-method-security must be a method security
     expression handler. DefaultMethodSecurityExpressionHandler works on method
     invocations; the web variant expects a FilterInvocation and fails with a
     ClassCastException when used here. -->
<bean id="expressionHandler"
class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<property name="permissionEvaluator" ref="permissionEvaluator"/>
</bean>
<!-- The closing beans tag is not part of this listing; add it when copying. -->