Reputation: 85
Java Spring Security AccessDecisionManager: UnanimousBased Failed to parse expression 'ROLE_ADMIN, IS_AUTHENTICATED_FULLY'
I try to make some simple rememmber me authentication with spring security, but I found this error when I try to implement accessDecisionManager. here the error log :
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChains': Cannot resolve reference to bean 'org.springframework.security.web.DefaultSecurityFilterChain#0' while setting bean property 'sourceList' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot resolve reference to bean 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0' while setting constructor argument with key [10]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0': Cannot create inner bean '(inner bean)' of type [org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource] while setting bean property 'securityMetadataSource'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#19': Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource]: Constructor threw exception; nested exception is java.lang.IllegalArgumentException: Failed to parse expression 'ROLE_ADMIN, IS_AUTHENTICATED_FULLY'
and this is my xml file. web.xml
<web-app id="WebApp_ID" version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>Spring Security Eksplorasi</display-name>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Spring MVC -->
<servlet>
<servlet-name>kampus</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>kampus</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-database.xml,
/WEB-INF/spring-security.xml
</param-value>
</context-param>
so this is my spring-security.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<beans:property name="decisionVoters">
<beans:list>
<beans:bean class="org.springframework.security.access.vote.RoleVoter">
<beans:property name="rolePrefix" value="ROLE_"/>
</beans:bean>
<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</beans:list>
</beans:property>
</beans:bean>
<security:http auto-config="true" use-expressions="true" access-decision-manager-ref="accessDecisionManager">
<security:remember-me key="kampus-rememberme" data-source-ref="dataSource" />
<security:intercept-url pattern="/admin/*" access="ROLE_ADMIN, IS_AUTHENTICATED_FULLY" />
<security:access-denied-handler error-page="/403" />
<security:form-login
login-page="/login"
default-target-url="/welcome"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password" />
<security:logout logout-success-url="/login?logout" />
<!-- enable csrf protection
<csrf/>-->
</security:http>
<!--
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
-->
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource"
users-by-username-query=
"select username,password, status from users where username=?"
authorities-by-username-query=
"select username, role from user_roles where username =? " />
</security:authentication-provider>
</security:authentication-manager>
</beans>
many thanks for your help friend.
Upvotes: 3
Views: 5962
Answers (2)
Reputation: 2240
You are using expression based access control (default and you explicitly declare it with use-expressions="true") and ROLE_ADMIN, IS_AUTHENTICATED_FULLY is not a valid expression but an "old style" roles list so either set use-expressions to false or substitute the "old style" roles list with the expression hasRole('ROLE_ADMIN') or isFullyAuthenticated()
Upvotes: 4
Reputation: 7745
Probably you just need to remove blank space in access attribute:
access="ROLE_ADMIN, IS_AUTHENTICATED_FULLY"
to
access="ROLE_ADMIN,IS_AUTHENTICATED_FULLY"
If this doesn't work, try it like:
access="hasAnyRole('ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY')"
Similar question: Spring Security 3 specify multiple intercept-url access roles
Check Teja's answer.
Upvotes: 2
Related Questions
- Failed to evaluate expression 'hasRole(USER)'
- Implementing Spring Security AccessDecisionManager by example
- Spring Security: Cannot determine value type from string 'admin'
- It throws me 500 Failed to evaluate expression 'ROLE_USER' in spring security
- AccessDecisionManager, how to add RoleVoter
- Spring Security does not work with "hasRole('ROLE_ADMIN')" or ROLE_ADMIN
- Spring Security fullyAuthenticated() and hasRole("ADMIN")
- Spring security AccessDecisionManager: roleVoter, Acl Voter
- Spring security access="IS_AUTHENTICATED_ANONYMOUSLY, IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED"
- @Secured throws AccessDeniedException although roles are correct