org.springframework.security.web.access.AccessDeniedException:访问被拒绝


【中文标题】org.springframework.security.web.access.AccessDeniedException:访问被拒绝【英文标题】:org.springframework.security.web.access.AccessDeniedException: Access is Denied 【发布时间】:2021-08-18 04:31:44 【问题描述】:

dispatcher-servlet.xml

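<?xml version="1.0" encoding="UTF-8"?>
<!--
  dispatcher-servlet.xml: Spring MVC servlet context. Wires annotation-driven MVC,
  component scanning, the Ehcache-backed cache manager, the JSP view resolver,
  static resources, the JNDI data source with its transaction manager, multipart
  uploads and task scheduling. No access rules are declared in this file.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:jee="http://www.springframework.org/schema/jee"
       xmlns:lang="http://www.springframework.org/schema/lang"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:beans="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:task="http://www.springframework.org/schema/task"
       xmlns:cache="http://www.springframework.org/schema/cache"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/context
           http://www.springframework.org/schema/context/spring-context.xsd
           http://www.springframework.org/schema/aop
           http://www.springframework.org/schema/aop/spring-aop.xsd
           http://www.springframework.org/schema/mvc
           http://www.springframework.org/schema/mvc/spring-mvc.xsd
           http://www.springframework.org/schema/jee
           http://www.springframework.org/schema/jee/spring-jee.xsd
           http://www.springframework.org/schema/lang
           http://www.springframework.org/schema/lang/spring-lang.xsd
           http://www.springframework.org/schema/tx
           http://www.springframework.org/schema/tx/spring-tx.xsd
           http://www.springframework.org/schema/util
           http://www.springframework.org/schema/util/spring-util.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd
           http://www.springframework.org/schema/task
           http://www.springframework.org/schema/task/spring-task.xsd
           http://www.springframework.org/schema/cache
           http://www.springframework.org/schema/cache/spring-cache.xsd">

    <!-- A qualified name cannot contain a space after the prefix colon. -->
    <mvc:annotation-driven />

    <context:annotation-config />
    <context:component-scan base-package="com.est.asg" />
    <context:component-scan base-package="com.est.utils" />

    <!-- Caching: the key-generator attribute must equal the generator bean's id exactly. -->
    <cache:annotation-driven key-generator="enhancedDefaultKeyGenerator" />
    <beans:bean id="enhancedDefaultKeyGenerator" class="com.est.cache.interceptor.EnhancedDefaultKeyGenerator" />
    <beans:bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheCacheManager" p:cacheManager-ref="ehcache" />
    <beans:bean id="ehcache" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" p:configLocation="classpath:ehcache.xml" p:shared="true" />

    <!-- JSP views. NOTE(review): the prefix has no leading slash, so the JSP path is
         presumably resolved relative to the request path; "/WEB-INF/pages/" is the
         usual form. Confirm before changing. -->
    <beans:bean id="jspViewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
        <property name="prefix" value="WEB-INF/pages/" />
        <property name="suffix" value=".jsp" />
    </beans:bean>

    <!-- Static files. The security configuration must exempt or permit this same
         path (/resources/**), otherwise anonymous requests for static files are denied. -->
    <mvc:resources mapping="/resources/**" location="/resources/" />

    <!-- DB: the data source comes from the container through JNDI, so no database
         credentials are stored in this file. -->
    <beans:bean id="estjdbcTemplate" class="org.springframework.jdbc.core.JdbcTemplate">
        <property name="dataSource" ref="dataSource" />
    </beans:bean>

    <beans:bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
        <property name="jndiName">
            <value>jdbc/ds</value>
        </property>
    </beans:bean>

    <beans:bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager" scope="singleton">
        <property name="dataSource" ref="dataSource" />
    </beans:bean>

    <tx:annotation-driven transaction-manager="transactionManager" />

    <!-- Upper bound for one multipart request: 100000000 bytes (about 100 MB).
         NOTE(review): confirm this is the smallest limit the application needs; it
         applies to every multipart request that reaches the DispatcherServlet. -->
    <beans:bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
        <property name="maxUploadSize" value="100000000" />
    </beans:bean>

    <!-- @Async and @Scheduled support, one thread each. -->
    <task:executor id="Executor" pool-size="1" />
    <task:scheduler id="Scheduler" pool-size="1" />
    <task:annotation-driven executor="Executor" scheduler="Scheduler" />
</beans>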

spring-security.xml

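<?xml version="1.0" encoding="UTF-8"?>
<!--
  spring-security.xml: filter-chain and authentication wiring. The default
  namespace is the Spring Security schema; plain beans use the beans: prefix.
  Review notes below flag settings whose defaults changed between
  Spring Security 3.2 and 4+.
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Requests under /resource/** bypass the security filter chain entirely.
         NOTE(review): dispatcher-servlet.xml serves static files from /resources/
         (plural); confirm which path is intended, otherwise static files fall
         under the /** rule below and anonymous requests for them are denied. -->
    <http pattern="/resource/**" security="none" />

    <http entry-point-ref="loginUrlAuthenticationEntryPoint" use-expressions="true">
        <!-- intercept-url rules are matched top to bottom and the first match wins. -->
        <intercept-url pattern="/web/**" access="permitAll" />
        <!-- NOTE(review): since Spring Security 4 the default login-processing URL of
             UsernamePasswordAuthenticationFilter is POST /login, and myAuthFilter sets
             no other URL; confirm these two legacy paths are still in use. The second
             one is also shadowed by the /web/** rule above. -->
        <intercept-url pattern="/j_spring_security_check" access="isAnonymous()" />
        <intercept-url pattern="/web/j_spring_security_check" access="isAnonymous()" />
        <!-- Everything else needs one of the two roles. hasAnyRole() adds the ROLE_
             prefix (Spring Security 4+), so CustomAuthenticationProvider presumably
             has to grant ROLE_USER_ADMINISTRATION / ROLE_IT_SUPPORT; TODO confirm,
             the provider code is not shown. An anonymous request matched here is
             denied and redirected to the entry point; the AccessDeniedException
             logged at that moment is the normal trigger for that redirect. -->
        <intercept-url pattern="/**" access="hasAnyRole('USER_ADMINISTRATION', 'IT_SUPPORT')" />

        <!-- Logout invalidates the HTTP session and deletes the session cookie.
             CSRF protection is on by default since Spring Security 4 and is not
             switched off here, so login and logout requests must carry the CSRF token. -->
        <logout success-handler-ref="CustomLogoutHandler" invalidate-session="true" delete-cookies="JSESSIONID" />
        <!-- Authenticated users without a required role are sent to this page,
             which lies under the permitAll /web/** rule. -->
        <access-denied-handler error-page="/web/Default.html" />

        <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
        <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
        <custom-filter position="LAST" ref="appFilter" />
        <session-management session-authentication-strategy-ref="sas" invalid-session-url="/web/Auth.html" />
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="CustomAuthenticationProvider" />
    </authentication-manager>

    <!-- NOTE(review): the http elements above already register the filter chain
         under the name springSecurityFilterChain; DelegatingFilterProxy is normally
         declared as a servlet filter in web.xml (not shown) rather than as a bean
         with this id. Confirm this definition is needed. -->
    <beans:bean id="springSecurityFilterChain" class="org.springframework.web.filter.DelegatingFilterProxy" />
    <beans:bean id="CustomLogoutHandler" class="com.test.authentication.CustomLogoutHandler" />
    <!-- The id must equal the ref used by authentication-provider above. -->
    <beans:bean id="CustomAuthenticationProvider" class="com.test.authentication.CustomAuthenticationProvider" />
    <beans:bean id="customAuthenticationSuccessHandler" class="com.test.authentication.CustomAuthenticationSuccessHandler" />
    <beans:bean id="appFilter" class="com.test.asg.filter.ApplicationFilter" />
    <beans:bean id="customAuthenticationFailureHandler" class="com.test.authentication.CustomAuthenticationFailureHandler" />

    <!-- Where a session that was expired by concurrency control is redirected. -->
    <beans:bean id="redirectSessionInformationExpiredStrategy" class="org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy">
        <beans:constructor-arg name="invalidSessionUrl" value="/web/Default.html" />
    </beans:bean>

    <beans:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
        <beans:constructor-arg name="sessionInformationExpiredStrategy" ref="redirectSessionInformationExpiredStrategy" />
    </beans:bean>

    <!-- Form-login filter declared by hand; the ref must match the
         authentication-manager alias exactly. -->
    <beans:bean id="myAuthFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="sessionAuthenticationStrategy" ref="sas" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="authenticationFailureHandler" ref="customAuthenticationFailureHandler" />
        <beans:property name="authenticationSuccessHandler" ref="customAuthenticationSuccessHandler" />
        <beans:property name="usernameParameter" value="username" />
        <beans:property name="passwordParameter" value="password" />
    </beans:bean>

    <!-- Session handling applied on every successful login, in this order:
         concurrency check, session-fixation protection, registry registration. -->
    <beans:bean id="sas" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
        <beans:constructor-arg>
            <beans:list>
                <!-- One session per user; with exceptionIfMaximumExceeded=false a new
                     login is accepted and an older session is marked expired. -->
                <beans:bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                    <beans:constructor-arg ref="sessionRegistry" />
                    <beans:property name="maximumSessions" value="1" />
                    <beans:property name="exceptionIfMaximumExceeded" value="false" />
                </beans:bean>

                <beans:bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
                </beans:bean>

                <beans:bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                    <beans:constructor-arg ref="sessionRegistry" />
                </beans:bean>
            </beans:list>
        </beans:constructor-arg>
    </beans:bean>

    <!-- NOTE(review): SessionRegistryImpl is told about ended sessions through
         HttpSessionEventPublisher, a listener registered in web.xml (not shown);
         confirm it is present, otherwise stale entries stay in the registry. -->
    <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

    <!-- Unauthenticated requests to protected URLs are redirected to this page. -->
    <beans:bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:constructor-arg name="loginFormUrl" value="/web/Default.html" />
    </beans:bean>
</beans:beans>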

错误跟踪

AffirmativeBased:66 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@610aebcf, returned: -1
XmlWebApplicationContext:379 - Publishing event in Root WebApplicationContext: org.springframework.security.web.access.event.AuthorizationFailureEvent[source=FilterInvocation: URL: /1]
ExceptionTranslationFilter:178 - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.web.access.AccessDeniedException: Access is Denied
at org.springframework.security.web.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
at org.springframework.security.web.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) 
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) 
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) 
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) 
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) 
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) 
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
at com.mavis.led.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66) 
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:155)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) 
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) 
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) 
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) 
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) 
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) 
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) 
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) 
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687) 
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) 
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346) 
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374) 
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:887) 
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1684) 
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) 
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)

我正在使用 Spring-mvc 5.x 版和 Tomcat 9.x 版。我已经从 spring-mvc 3.2 更新了我的代码,在编译时我收到 Access denied 异常消息。我在此处附加了 dispatcher-servlet 和 spring-security 设置以供参考。请帮忙。

【问题讨论】:

请使用CustomAuthenticationProvider 代码和Authentication 实现更新问题。 【参考方案1】:

修改我的代码后这个问题解决了

【讨论】:
