AbstractSecurityInterceptor must provide a non-null AccessDecisionManager

Posted on 2025-01-11 09:42:01

Since upgrade of Spring Security to 5.6.2 I have issues running my application as I keep getting:

Caused by: java.lang.IllegalArgumentException: AbstractSecurityInterceptor must provide a non-null AccessDecisionManager
    at org.springframework.util.Assert.notNull(Assert.java:201) ~[spring-core-5.3.16.jar:5.3.16]
    at org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator.<init>(DefaultWebInvocationPrivilegeEvaluator.java:54) ~[spring-security-web-5.6.2.jar:5.6.2]
    at org.springframework.security.config.annotation.web.builders.WebSecurity.getRequestMatcherPrivilegeEvaluatorsEntry(WebSecurity.java:338) ~[spring-security-config-5.6.2.jar:5.6.2]
    at org.springframework.security.config.annotation.web.builders.WebSecurity.performBuild(WebSecurity.java:305) ~[spring-security-config-5.6.2.jar:5.6.2]
    at org.springframework.security.config.annotation.web.builders.WebSecurity.performBuild(WebSecurity.java:90) ~[spring-security-config-5.6.2.jar:5.6.2]
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:305) ~[spring-security-config-5.6.2.jar:5.6.2]
    at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:38) ~[spring-security-config-5.6.2.jar:5.6.2]

Until now I did not need the AccessDecisionManager bean and everything worked like a charm like this:

@Configuration
@EnableWebSecurity
open class OpenApiSecurityConfig() : WebSecurityConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
        http.requestMatchers()
            .antMatchers("/docs")
            .and()
            .addFilter(OpenApiFilter(authService))
    }

    open class OpenApiFilter(private val authService: AuthService) : FilterSecurityInterceptor() {
        override fun doFilter(request: ServletRequest, response: ServletResponse, chain: FilterChain) {
            if (userAuthorized()) {
                chain.doFilter(request, response)
            } else {
                throw AccessDeniedException("Forbidden.")
            }
        }
    }
}

So I guess this is just some kind of new requirement. I added the configuration as:

@Configuration
@Import(AccessManager::class)
@EnableWebSecurity
open class OpenApiSecurityConfig() : WebSecurityConfigurerAdapter() { … }
… 
@Configuration
open class AccessManager : AccessDecisionManager {
    override fun decide(authentication: Authentication, `object`: Any?, configAttributes: MutableCollection<ConfigAttribute>?) {}
    override fun supports(attribute: ConfigAttribute?): Boolean = false
    override fun supports(clazz: Class<*>?): Boolean = false
}

However, with no effect.

  1. Is it possible to avoid the need for AccessManager?
  2. What is the correct way of instantiating it?

Comments (1)

原野 2025-01-18 09:42:01

This issue stems from creating a custom FilterSecurityInterceptor.
This filter is not meant to be replaced in the filter chain.
It would be best to create a different type of custom filter and insert it before the FilterSecurityInterceptor. For example, it could extend OncePerRequestFilter and instead of throwing an AccessDeniedException if the user is unauthorized it could simply return.
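
The approach described in the answer above, as an added example (not code from the original post or from Spring Security): a filter extending OncePerRequestFilter, registered with addFilterBefore. The AuthService interface and its isAuthorized method are hypothetical stand-ins, since the question does not show that API; the javax.servlet imports assume the Spring Security 5.x line seen in the stack trace.

```kotlin
import javax.servlet.FilterChain
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor
import org.springframework.web.filter.OncePerRequestFilter

// Hypothetical stand-in: the question does not show AuthService's API.
interface AuthService {
    fun isAuthorized(request: HttpServletRequest): Boolean
}

// A plain servlet filter, not a FilterSecurityInterceptor subclass.
class OpenApiFilter(private val authService: AuthService) : OncePerRequestFilter() {
    override fun doFilterInternal(
        request: HttpServletRequest,
        response: HttpServletResponse,
        filterChain: FilterChain
    ) {
        if (!authService.isAuthorized(request)) {
            // Fail closed: answer 403 and return without calling the chain.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden.")
            return
        }
        filterChain.doFilter(request, response)
    }
}

@Configuration
@EnableWebSecurity
open class OpenApiSecurityConfig(
    private val authService: AuthService
) : WebSecurityConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
        http.requestMatchers()
            .antMatchers("/docs")
            .and()
            // Placed ahead of the position reserved for FilterSecurityInterceptor.
            .addFilterBefore(OpenApiFilter(authService), FilterSecurityInterceptor::class.java)
    }
}
```

Because this filter is not a FilterSecurityInterceptor, it carries no AccessDecisionManager requirement. The `/docs` matcher is kept exactly as in the question and, as an Ant pattern, covers only that exact path.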
