From: http://www.iteye.com/topic/1122629

General
There is no doubt that Spring Security is very strong and very comprehensive at protecting web applications, but in some places it is still quite unsatisfactory. For example, for the <http/> tag, the description of auto-config="true" and use-expressions="true", and of how the two relate, is unintelligible to me. After upgrading to version 3.1, I ran into strange errors: for example, the standard configuration 'ROLE_ADMIN' could not be parsed, or this was reported:

Field or property cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot'

Such a baffling error. When a problem like this shows up, you need to read the official documentation carefully and thoroughly understand what use-expressions means. For example:

Once use-expressions is enabled, you can no longer use a configuration such as access="ROLE_USER";

And from 3.1 on, using auto-config='true' and use-expressions="true" at the same time does not work either. It is like being walled in on both sides: neither way is right. This kind of problem is what makes a giant like Spring Security so daunting. Used well, it solves things easily; used badly, you kill 800 of the enemy and lose 3,000 of your own. That is because security itself is complex and can usually only be implemented and solved case by case, which is really hard on the people who build Spring Security.

What to do?

Grit your teeth and study Spring Security in depth, starting from its manual and tutorial, a bit at a time.

Problem solving :

<http use-expressions="true">
    <logout />
    <remember-me />
    <session-management invalid-session-url="/timeout.jsp">
        <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    </session-management>
    <!-- Not sure whether the access="xxxxx" attributes below should be added -->
    <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/admin.jsp" access="ROLE_ADMIN" />
    <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=true" default-target-url="/" />
</http>

Error reported:

java.lang.IllegalArgumentException: Failed to evaluate expression 'IS_AUTHENTICATED_ANONYMOUSLY'
at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:13)
at org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:34)
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:50)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:112)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:109)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:261)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:581)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1008E:(pos 0): Field or property 'IS_AUTHENTICATED_ANONYMOUSLY' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot'
at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:206)
at org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:71)
at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:102)
at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:97)
at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:11)
... 41 more

Solution:
Change it to access="hasRole('ROLE_USER')" and that's it.

Problem 2:
Today I found that Spring has moved all the way up to 3.1. The official website says it is 100% compatible with 3.0; of course, that refers to the Spring Framework and may not include Spring Security.

In my upgrade experience, the first thing to do is update the XSD version in the XML header, changing 3.0.xsd to 3.1.xsd.
In addition, there is one more problem: Spring Security 3.1 no longer supports filters="none".

For example:

<http use-expressions="true" auto-config="true">
    <intercept-url pattern="/static/**" filters="none"/>
    <intercept-url pattern="/security/**" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <http-basic/>
</http>

It needs to be changed to:

<http pattern="/static/**" security="none"/>
<http use-expressions="true" auto-config="true">
    <intercept-url pattern="/security/**" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <http-basic/>
</http>
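
As an added example (not part of the original post), here is a small Python check that scans a Spring Security XML file for both problems above: legacy access values inside an <http use-expressions="true"> block, and filters="none" on an intercept-url. The token-to-expression mapping and the sample configuration are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Legacy voter tokens -> SpEL replacements (this mapping is the example's assumption).
LEGACY = {"IS_AUTHENTICATED_ANONYMOUSLY": "permitAll",
          "IS_AUTHENTICATED_REMEMBERED": "isAuthenticated()",
          "IS_AUTHENTICATED_FULLY": "isFullyAuthenticated()"}
BARE_ROLE = re.compile(r"^ROLE_\w+$")

# Constructed sample that combines both problems described in the post.
SAMPLE = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http use-expressions="true">
    <intercept-url pattern="/static/**" filters="none"/>
    <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/admin.jsp" access="ROLE_ADMIN"/>
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
  </http>
</beans:beans>"""

def local(tag):
    """Drop the XML namespace so <http> and <security:http> both match."""
    return tag.rsplit("}", 1)[-1]

def suggest(access):
    """Turn a comma-separated legacy access list into one SpEL expression, else None."""
    tokens = [t.strip() for t in access.split(",") if t.strip()]
    if not tokens or not all(t in LEGACY or BARE_ROLE.match(t) for t in tokens):
        return None  # already an expression, or a token this check does not know
    return " or ".join(LEGACY.get(t) or "hasRole('%s')" % t for t in tokens)

def lint(xml_text):
    """Return (pattern, problem, suggested fix) for each 3.1 migration issue found."""
    findings = []
    for http in (e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "http"):
        expressions = http.get("use-expressions") == "true"
        for rule in (e for e in http if local(e.tag) == "intercept-url"):
            pattern, access = rule.get("pattern"), rule.get("access")
            if rule.get("filters") == "none":  # no longer supported in 3.1
                findings.append((pattern, 'filters="none"',
                                 '<http pattern="%s" security="none"/>' % pattern))
            fix = suggest(access) if expressions and access else None
            if fix:
                findings.append((pattern, 'access="%s"' % access, 'access="%s"' % fix))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(" | ".join(finding))
```

Review each suggested replacement before applying it: a pattern moved to security="none" bypasses the security filter chain entirely, so it should cover only truly public resources.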
