Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Unable to validate role in Spring Security for url pattern

Tags:

I am using spring security 3.1.7.RELEASE with spring 3.2.13.RELEASE.

I have entry in my spring-security.xml as follows:

<http auto-config="true" use-expressions="true">      <intercept-url pattern=".*admin.htm" access="hasRole(ROLE_ADMIN)" />     <intercept-url pattern="/siteadmin/*.htm" access="ROLE_ADMIN" />     <intercept-url pattern="/siteadmin/cleancache.htm" access="hasRole('ROLE_ADMIN')" />

When I try to hit url /siteadmin/cleancache.htm I get following exception:

java.lang.IllegalArgumentException: Failed to evaluate expression 'ROLE_ADMIN' org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:13) org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:34) org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:18) org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:62)

Root Cause:

org.springframework.expression.spel.SpelEvaluationException: EL1008E:(pos 0): Property or field 'ROLE_ADMIN' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot' - maybe not public? org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:214) org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:85) org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:78) org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:102) org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:98) org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:11) org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:34)

Any pointers on same are highly appreciated.

like image 933
tarunkumar Avatar asked Feb 11 '15 16:02

tarunkumar

2 Answers

You have a couple of typos. The first intercept-url line is missing single quotes around ROLE_ADMIN and the second line is missing hasRole. It should be

<http auto-config="true" use-expressions="true">      <intercept-url pattern=".*admin.htm" access="hasRole('ROLE_ADMIN')" />     <intercept-url pattern="/siteadmin/*.htm" access="hasRole('ROLE_ADMIN')" />     <intercept-url pattern="/siteadmin/cleancache.htm" access="hasRole('ROLE_ADMIN')" />
like image 58
thedoctor Avatar answered Dec 27 '22 03:12

thedoctor

what happens is that the official documentation of security spring brings the examples as you placed:

<Intercept-url pattern = "/ siteadmin / *. Htm" access = "ROLE_ADMIN" />

but you should putting on

<Intercept-url pattern = ". * Admin.htm" access = "hasRole ('ROLE_ADMIN')" />
like image 45
Rubens Avatar answered Dec 27 '22 04:12

Rubens
Sign in to Comment

Related questions

rbind dataframes with a different column name
Adding border to CSS triangle [duplicate]
Global functions in javascript
What are the arguments to Tkinter variable trace method callbacks?
Changing an existing submodule's branch
Why does DateTime::createFromFormat() fails and returns a boolean in my second example?
Detect UITabBar Selected Index/ Item Changes that is set Programmatically
Update all properties of object in MongoDb
Using a Type Variable in a Generic
How to find all elements with a custom html attribute regardless of html tag using Beautiful Soup?
when initializing PDO - should I do: charset=UTF8 or charset=UTF8MB4?
Google Translate TTS API blocked

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!