Multiple roles definition in Spring Security
I have the following role definition in Spring Security 4.2.5:
<security:http>
<security:intercept-url pattern="/api/doSomething*"
access="ROLE_SOMETHING_COMPLETELY_DIFFERENT,ROLE_ONE,ROLE_TWO"/>
<security:form-login />
<security:logout />
</security:http>
The context fails to load because of the following exception:
Caused by: java.lang.IllegalArgumentException: Failed to parse expression "ROLE_SOMETHING_COMPLETELY_DIFFERENT,ROLE_ONE,ROLE_TWO"
at org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource.processMap(ExpressionBasedFilterInvocationSecurityMetadataSource.java:84)
at org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource.<init>(ExpressionBasedFilterInvocationSecurityMetadataSource.java:53)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:142)
... 79 more
I am upgrading from Spring Security 3.2, where the snippet above worked fine. The following do not work:
access="ROLE_SOMETHING_COMPLETELY_DIFFERENT,ROLE_ONE,ROLE_TWO"
access="ROLE_SOMETHING_COMPLETELY_DIFFERENT, ROLE_ONE, ROLE_TWO"
access='ROLE_SOMETHING_COMPLETELY_DIFFERENT,ROLE_ONE,ROLE_TWO'
access='ROLE_SOMETHING_COMPLETELY_DIFFERENT, ROLE_ONE, ROLE_TWO'
However, this works:
access="hasAnyRole('ROLE_SOMETHING_COMPLETELY_DIFFERENT','ROLE_ONE','ROLE_TWO')"
There is no indication in the Spring Security documentation that such values in the access attribute cannot be parsed, at least from what I have read so far. On the contrary, there are many examples using the exact same syntax.
I would like to keep the same syntax in the access attribute, because there are a lot of these entries in the project's access management configuration.
Edit: using Spring core version 4.3.15.
Spring Security 4.x changed the default value of the use-expressions attribute of the http element. See Migrating from Spring Security 3.x to 4.x (XML Configuration):
6.2. Migrate
The http@use-expressions attribute’s default value changed from false to true. This means that if the use-expressions attribute is not explicitly configured, the configuration will need to be updated. For example, if an application using Spring Security 3.2.x contains a configuration similar to the following:
Spring Security 3.2.x Sample Configuration
<http>
<intercept-url pattern="/login" access="ROLE_ANONYMOUS"/>
<intercept-url pattern="/**" access="ROLE_USER"/>
...
</http>
Observe that the use-expressions attribute is not provided. If it were provided, then nothing needs to be done.
The configuration will need to be updated to something similar to the following when using Spring Security 4.x:
Migration to Spring Security 4 Configuration
<http use-expressions="false">
<intercept-url pattern="/login" access="ROLE_ANONYMOUS"/>
<intercept-url pattern="/**" access="ROLE_USER"/>
...
</http>
We explicitly provide the use-expressions attribute. Again, if the attribute was already provided, then nothing needs to be done.
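Setting use-expressions="false" is the one-line fix the migration guide gives, but it keeps the whole configuration on the legacy voter syntax. The alternative, when there are many intercept-url entries, is to convert each legacy access value to its SpEL equivalent once. The script below is an added example written for this page; it is not code from the question, the answer or the Spring Security project. It assumes the default AffirmativeBased decision manager with RoleVoter and AuthenticatedVoter (so a list of attributes is satisfied when any one of them is, which is why the converted parts are joined with "or"), and the IS_AUTHENTICATED_* mapping is this editor's reading of AuthenticatedVoter. Anything it does not recognise is left unchanged and reported for manual review rather than guessed at. The sample configuration is constructed in the shape of the question's snippet.

```python
"""
Rewrite Spring Security 3.x-style intercept-url access lists into SpEL
expressions for use-expressions="true" (the 4.x default).

Constructed example, not code from the question or from Spring Security.
The IS_AUTHENTICATED_* mapping is this editor's reading of AuthenticatedVoter;
anything the script does not recognise is left untouched and reported.
"""
import re

# 3.x attributes handled by AuthenticatedVoter, with the expression that has
# the same meaning under use-expressions="true".
LEGACY_AUTH_ATTRIBUTES = {
    "IS_AUTHENTICATED_ANONYMOUSLY": "permitAll",       # anyone, incl. anonymous
    "IS_AUTHENTICATED_REMEMBERED": "authenticated",    # remember-me or full login
    "IS_AUTHENTICATED_FULLY": "fullyAuthenticated",    # full login only
}

# A legacy value is a comma-separated list of upper-case attribute names.
# Anything else (e.g. "hasRole('X')", "permitAll") is taken to be SpEL already.
LEGACY_LIST = re.compile(r"^\s*[A-Z0-9_]+(\s*,\s*[A-Z0-9_]+)*\s*$")

# access="..." or access='...' on an (optionally namespaced) intercept-url element.
ACCESS_ATTR = re.compile(
    r"(<(?:\w+:)?intercept-url\b[^>]*?\baccess=)([\"'])(.*?)\2", re.S)


def legacy_to_expression(value):
    """Return the SpEL equivalent of a 3.x access value, or None if the value
    is already an expression or names an attribute this script does not know."""
    if not LEGACY_LIST.match(value):
        return None
    parts, roles = [], []
    for attr in (a.strip() for a in value.split(",")):
        if attr in LEGACY_AUTH_ATTRIBUTES:
            parts.append(LEGACY_AUTH_ATTRIBUTES[attr])
        elif attr.startswith("ROLE_"):
            roles.append(attr)
        else:
            return None  # attribute of a custom voter: needs a human decision
    if roles:
        # RoleVoter grants on any one matching role, so hasAnyRole keeps the semantics.
        parts.append("hasAnyRole(%s)" % ", ".join("'%s'" % r for r in roles))
    # AffirmativeBased grants access when any voter says yes, so several
    # attributes combine with "or", not "and".
    return " or ".join(parts)


def migrate_config(xml_text):
    """Rewrite every intercept-url access attribute in a Spring Security XML
    file. Returns (new_text, values_left_untouched). Rewritten attributes are
    always emitted with double quotes because the expressions use single quotes."""
    untouched = []

    def replace(match):
        prefix, _quote, value = match.groups()
        expr = legacy_to_expression(value)
        if expr is None:
            untouched.append(value)
            return match.group(0)
        return '%s"%s"' % (prefix, expr)

    return ACCESS_ATTR.sub(replace, xml_text), untouched


# Constructed sample in the shape of the question's configuration.
SAMPLE_CONFIG = """<security:http>
    <security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/api/doSomething*"
        access="ROLE_SOMETHING_COMPLETELY_DIFFERENT, ROLE_ONE, ROLE_TWO"/>
    <security:intercept-url pattern="/admin/**" access='IS_AUTHENTICATED_FULLY,ROLE_ADMIN'/>
    <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <security:form-login />
    <security:logout />
</security:http>
"""

if __name__ == "__main__":
    migrated, skipped = migrate_config(SAMPLE_CONFIG)
    print(migrated)
    for value in skipped:
        print("left untouched (already an expression or unknown):", value)
```

Run it against a copy of the configuration and diff the result before committing; the returned list of untouched values is the review queue. The script deliberately does not touch the http element itself: once the entries are expressions, the 4.x default (use-expressions="true") is what you want, and setting use-expressions="false" on top of converted entries would make the expressions themselves unparseable. Passing the full 'ROLE_ONE' name to hasAnyRole, as the question does, keeps working in 4.x because the default ROLE_ prefix is only added when the name does not already carry it.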