我有一个 Spring 休息服务,我正在尝试为其添加安全性。我关注了this tutorial ,但是当我尝试直接访问该服务时,出现以下错误:
There was an unexpected error (type=Internal Server Error, status=500). Failed to evaluate expression 'ROLE_USER'
这是我的安全配置:
webSecurityConfig.xml
<http entry-point-ref="restAuthenticationEntryPoint">
<intercept-url pattern="/**" access="ROLE_USER"/>
<form-login
authentication-success-handler-ref="mySuccessHandler"
authentication-failure-handler-ref="myFailureHandler"
/>
<logout />
</http>
<beans:bean id="mySuccessHandler"
class="com.eficid.cloud.security.rest.AuthenticationSuccessHandler"/>
<beans:bean id="myFailureHandler" class=
"org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"/>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="temp" password="temp" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
SpringSecurityConfig:
public class SpringSecurityConfig {
public SpringSecurityConfig() {
super();
}
}
我在尝试使用curl登录时也遇到此错误:
{
"timestamp":1460399841286,
"status":403,"error":"Forbidden",
"message":"Could not verify the provided CSRF token because your session was not found.",
"path":"/spring-security-rest/login"
}
我需要手动将 csrf token 添加到命令中吗?该服务有一个自签名证书(如果有什么不同的话)。
最佳答案
如果您不需要启用 CRF,则可以在 webSecurityConfig.xml 文件中禁用它,如下所示:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login.html" access="hasRole('ANONYMOUS')" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<!-- This form is a default form that used to login
<http-basic/>
-->
<form-login login-page="/login.html"/>
<csrf disabled="true"/>
</http>
如果启用了 CSRF,您必须在要登录或注销的页面中包含 _csrf.token。以下代码需要添加到表单中:
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" />
关于spring - 无法使用 Spring Security 评估表达式,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/36557321/