【发布时间】:2015-06-30 02:53:05
【问题描述】:
我应该怎么做才能在方法级别使用#oauth2 安全表达式,如下例所示?
@RequestMapping(value = "email", method = RequestMethod.GET)
@ResponseBody
@PreAuthorize("#oauth2.hasScope('read')")
public String email() {
return "test@email.com";
}
如果我对该资源发出请求,我会收到
[INFO] java.lang.IllegalArgumentException: Failed to evaluate expression '#oauth2.hasScope('read')'
[INFO] at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:14)
[INFO] at org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice.before(ExpressionBasedPreInvocationAdvice.java:44)
[INFO] at org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter.vote(PreInvocationAuthorizationAdviceVoter.java:57)
[INFO] at org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter.vote(PreInvocationAuthorizationAdviceVoter.java:25)
[INFO] at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:62)
[INFO] at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:232)
[INFO] at org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor.invoke(AspectJMethodSecurityInterceptor.java:43)
[INFO] at org.springframework.security.access.intercept.aspectj.aspect.AnnotationSecurityAspect.ajc$around$org_springframework_security_access_intercept_aspectj_aspect_AnnotationSecurityAspect$1$c4d57a2b(AnnotationSecurityAspect.aj:63)
[INFO] at pl.insert.controllers.ResourceController.email(ResourceController.java:22)
如果我在我的 ResourceServerConfiguration 而不是 @Controllers 的方法中指定访问权限,同样的事情也很有效
@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.requestMatchers().antMatchers("/oauth/resources/**");
http.authorizeRequests().anyRequest().access("#oauth2.hasScope('read')");
}
}
@PreAuthorize("permitAll") 或 @PreAuthorize("denyAll") 等标准安全表达式按预期工作。所以,可能我必须以某种方式告诉我的 AspectJMethodSecurityInterceptor 使用 OAuth2WebSecurityExpressionHandler。有任何想法吗?
【问题讨论】:
-
嗨@Marek!您找到解决问题的方法了吗?同样的问题...
-
不幸的是,没有,据我记得我花了一些时间来解决这个问题,但解决方案太复杂了,最终不值得实施。我使用@Configuration 手动执行此操作:( 就我而言,这并不那么痛苦,但我可以想象在某些情况下可能会这样。
-
好的,谢谢你的回答
-
我刚刚在这里提交了一个问题:github.com/spring-projects/spring-boot/issues/3910
-
@SébastienNussbaumer 检查下面的答案。我刚刚通过解决另一个问题找到了解决方案。它对我来说很好。
标签: java spring-mvc spring-security oauth-2.0