Failed to evaluate expression using spring security

I have a Spring service and am trying to add security to it. I followed this tutorial, but when I try to access the service directly, I get the following error:

An unexpected error has occurred (type = Internal Server Error, Status = 500). Failed to evaluate the expression "ROLE_USER"

Here is my security configuration:

webSecurityConfig.xml

<http entry-point-ref="restAuthenticationEntryPoint">
    <intercept-url pattern="/**" access="ROLE_USER"/>

    <form-login
        authentication-success-handler-ref="mySuccessHandler"
        authentication-failure-handler-ref="myFailureHandler"
    />

    <logout />
</http>

<beans:bean id="mySuccessHandler"
    class="com.eficid.cloud.security.rest.AuthenticationSuccessHandler"/>
<beans:bean id="myFailureHandler"
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"/>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="temp" password="temp" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

SpringSecurityConfig:

public class SpringSecurityConfig {

    public SpringSecurityConfig() {
        super();
    }

}

I also get this error when trying to use curl to login:

{
  "timestamp": 1460399841286,
  "status": 403,
  "error": "Forbidden",
  "message": "Could not verify the provided CSRF token because your session was not found.",
  "path": "/spring-security-rest/login"
}

Do I need to manually add the csrf token to the command? The service has a self-signed certificate, if that matters.

+4

Use hasRole('ROLE_USER') in the intercept-url:

<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>

See the docs.

+3

To disable CSRF, in webSecurityConfig.xml:

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login.html" access="hasRole('ANONYMOUS')" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <!-- The default form used to log in:
            <http-basic/>
        -->
        <form-login login-page="/login.html"/>
        <csrf disabled="true"/>
    </http>

If you keep CSRF enabled, pass _csrf.token in the form, like this:

<input type="hidden" name="${_csrf.parameterName}"
       value="${_csrf.token}" />
+4

Spring Security applies CSRF protection to POST requests by default.

So you have two choices:

  • Add the token to the form as a hidden field:

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" class="form-control" />

(for example:

<form id="computerForm" action="addComputer" method="POST">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" class="form-control" />
</form>

)

  • Or, if you do not want CSRF checks on POST requests, disable them with csrf().disable() in your WebSecurityConfigurerAdapter (the Java-config equivalent of the xml):

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
                .and().formLogin()
                .and().csrf().disable(); // .and() returns to HttpSecurity; formLogin() itself has no csrf()
    }

+3
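The curl part of the question can be answered without turning CSRF off, which the answers above either do or sidestep with an HTML form. The script below is an added example, not code from the original post or from Spring Security. The 403 "session was not found" happens because Spring keeps the CSRF token in the HTTP session: a bare curl POST carries no JSESSIONID cookie, so there is no session to look the token up in. Fetch the login page first, keep the cookie jar, and send back the token it contains. Everything here is an assumption to adjust for your app: the base URL in BASE (the question's /spring-security-rest context is reused), a login page served at GET /login that posts to POST /login with username, password and _csrf, and the token rendered as `<input name="_csrf" type="hidden" value="..."/>`.

```shell
#!/bin/sh
# Added example (not from the original post or from Spring Security):
# log in to a Spring Security form-login endpoint with curl while CSRF
# protection stays enabled.
#
# Assumptions (hypothetical, adjust to your app): the app lives at $BASE,
# GET /login serves the login page, POST /login takes username, password
# and _csrf, and the token is an <input name="_csrf" ... value="..."/>
# on a single line of HTML (as Spring's generated login page renders it).

BASE="${BASE:-https://localhost:8443/spring-security-rest}"
COOKIES="${COOKIES:-cookies.txt}"

# TLS: the question mentions a self-signed certificate. Prefer pinning it
# with --cacert; -k (skip verification) only as a last resort on a dev box.
# TLS_OPTS is deliberately left unquoted below so it splits into arguments.
if [ -n "${CA_CERT:-}" ]; then
    TLS_OPTS="--cacert $CA_CERT"
else
    TLS_OPTS="-k"
fi

# Extract the value of the hidden _csrf input from a login page read on
# stdin. Handles name-before-value (Spring's default page) and
# value-before-name, as long as the tag sits on one line. Prints nothing
# when no token is present, so callers can detect that case.
extract_csrf_token() {
    sed -n \
        -e 's/.*name="_csrf"[^>]*value="\([^"]*\)".*/\1/p' \
        -e 's/.*value="\([^"]*\)"[^>]*name="_csrf".*/\1/p' | head -n 1
}

# Step 1: fetch the login page, creating the session and saving JSESSIONID
# into the cookie jar (-c). The token and the session are created together.
fetch_login_page() {
    curl -s $TLS_OPTS -c "$COOKIES" "$BASE/login"
}

# Step 2: POST credentials plus the token, sending the same cookie jar (-b)
# so Spring finds the session the token belongs to. Prints the HTTP status.
post_login() {
    curl -s $TLS_OPTS -b "$COOKIES" -c "$COOKIES" \
        --data-urlencode "username=$1" \
        --data-urlencode "password=$2" \
        --data-urlencode "_csrf=$3" \
        -o /dev/null -w '%{http_code}' "$BASE/login"
}

# Full flow. With the REST-style handlers from the question, 200 means
# logged in, 401 means bad credentials and 403 means CSRF still rejected
# the request (token missing, or cookie jar not sent). Spring's default
# handlers instead answer 302 in both the success and failure cases, so
# with those you would have to inspect the Location header.
login() {
    token=$(fetch_login_page | extract_csrf_token)
    if [ -z "$token" ]; then
        echo "no _csrf field on the login page (is CSRF disabled?)" >&2
        return 1
    fi
    status=$(post_login "$1" "$2" "$token")
    echo "login returned HTTP $status"
    [ "$status" = "200" ]
}

# Usage: CA_CERT=server.crt ./login.sh temp temp
if [ "$#" -ge 2 ]; then
    login "$1" "$2"
fi
```

After a successful login the cookie jar holds the authenticated session; later requests to the service reuse it with `-b cookies.txt`, and further POSTs must keep sending the `_csrf` value in the same way.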
