无法评估表达式“hasRole(USER)”

Posted 2023-02-27

【中文标题】无法评估表达式“hasRole(USER)”

【英文标题】：Failed to evaluate expression 'hasRole(USER)'

【发布时间】：2020-06-26 18:54:43

【问题描述】：

我想使用 Spring Security 5.3

像这样在 xml 上配置

<http auto-config="true">
    <intercept-url pattern="/list" access="hasRole(USER)"/>
    <intercept-url pattern="/security" access="isAnonymous()"/>
    <http-basic />
    <form-login login-page="/security"
                  login-processing-url="/security"
                  default-target-url="/list"
                  authentication-failure-url="/security?error"
                  username-parameter="username"
                  password-parameter="password"/>

    <logout logout-success-url="/security?logout"/>
    <csrf disabled="true"/>
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="user" password="$2a$10$BHjEcnhAgqRH0Vj6aPmGTOtQfYdx3PsvTWjsVxVBouiLTzGSLTSz2" authorities="USER"/>
        </user-service>
        <password-encoder ref="encoder" />
    </authentication-provider>
</authentication-manager>

<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

登录时出现此错误：

java.lang.IllegalArgumentException：无法评估表达式 '有角色（用户）' org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:30) org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:52) org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:33) org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:63) org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:155) org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92) org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77) org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)

根本原因

org.springframework.expression.spel.SpelEvaluationException: EL1008E: 在类型的对象上找不到属性或字段“用户” 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot' - 也许不公开或无效？ org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:217) org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:104) org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:91) org.springframework.expression.spel.ast.MethodReference.getArguments(MethodReference.java:164) org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:94) org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:117) org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:302) org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:26) org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:52) org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:33) org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:63) org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:155) org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92) org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77) org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)

我的代码有什么错误？

【参考方案1】：

org.springframework.expression.spel.SpelEvaluationException: EL1008E: Property or field 'USER' cannot be found on object of type

从上面的错误中您可以看到问题是弹簧安全框架无法识别的 hte USER。您忘记添加将 USER 括在 '' 中。

问题在于表达式：<intercept-url pattern="/list" access="hasRole(USER)"/>。 将其替换为<intercept-url pattern="/list" access="hasRole('USER')"/> 即可。

另一个问题我看到你正在使用 hasRole 来保护你的 /list 资源，但是你给了用户权限 USER authorities="USER"。将会发生的是，hasRole 会将前缀 ROLE_ 添加到您传入的 USER 参数中。因此 ROLE_USER 不会等于 USER ，这是您分配给用户的权限。

要解决此问题，您可以将权限更改为 ```authorities="ROLE_USER"``。

或者您可以将 hasRole 替换为 hasAuthority ，如下所示： access="hasAuthority('USER')".

【讨论】：

我按照你说的做了，但是报错：服务器收到请求，但拒绝授权。

我想我找到了 Spring Security 拒绝授权您的请求的问题。这是因为 ``` access="hasRole(USER)"``` 并为用户分配了权限 USER authorities="USER"。 hasRole 检查给定的权限，但会添加前缀 ROLE_。所以你可以做的是用authorities="ROLE_USER"替换authorities="USER"，它会起作用。

解决这个问题的另一种方法是不使用hasRole，而是使用hasAuthority。在这些情况下，您不需要添加前缀 ROLE_。在这种情况下，您需要做的是将 access="hasRole(USER)"``` 替换为 access="hasAuthority('USER')"```。

【参考方案2】：

我用hasAuthority('USER') 替换了hasRole(USER)，它成功了

【讨论】：

是的，因为 hasRole('USER') 与 hasAuthority('ROLE_USER') 相同。这是大多数人都会遇到的一件小事。

您为什么要发布 2 个问题的答案？这个问题真的有4个解决方案吗？

这不应该碰到java编译器的ant类型错误吗？

@delijati Java 编译器应该评估字符串内容吗？

【参考方案3】：

应该是

hasRole('USER')

注意：USER 周围的单引号。

【讨论】：

我收到错误：服务器收到请求，但拒绝授权。