@PreAuthorize 不起作用 - 是不是存在无法解析的循环引用?
Posted
技术标签:
【中文标题】@PreAuthorize 不起作用 - 是不是存在无法解析的循环引用?【英文标题】:@PreAuthorize not working - Is there an unresolvable circular reference?@PreAuthorize 不起作用 - 是否存在无法解析的循环引用? 【发布时间】:2015-10-24 14:53:40 【问题描述】:我正在尝试使用 @PreAuthorize 注释的 spring 安全性(用户角色授权)示例,遇到以下错误。
Caused by: org.springframework.beans.BeanInstantiationException:
Failed to instantiate [org.aopalliance.intercept.MethodInterceptor]:
Factory method 'methodSecurityInterceptor' threw exception; nested exception is org.springframework.beans.factory.BeanCurrentlyInCreationException: Error creating bean with name 'methodSecurityInterceptor': Requested bean is currently in creation: Is there an unresolvable circular reference?
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:189)
at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:588)
... 91 more
Caused by: org.springframework.beans.factory.BeanCurrentlyInCreationException: Error creating bean with name 'methodSecurityInterceptor': Requested bean is currently in creation: I
s there an unresolvable circular reference?
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.beforeSingletonCreation(DefaultSingletonBeanRegistry.java:347)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:223)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:299)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor.getAdvice(MethodSecurityMetadataSourceAdvisor.java:107)
at org.springframework.aop.aspectj.AspectJProxyUtils.isAspectJAdvice(AspectJProxyUtils.java:67)
at org.springframework.aop.aspectj.AspectJProxyUtils.makeAdvisorChainAspectJCapableIfNecessary(AspectJProxyUtils.java:49)
我的 WebSecurityConfigurerAdapter 扩展类是:
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableGlobalMethodSecurity(prePostEnabled = true)
public static class FormLoginWebSecurityConfigurerAdapter extends
WebSecurityConfigurerAdapter
@Override
protected void configure(HttpSecurity http) throws Exception
http.authorizeRequests().anyRequest().authenticated().and()
.formLogin().loginPage("/login").defaultSuccessUrl("/home")
.permitAll().and().logout().permitAll()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/login?logout").permitAll()
.and().httpBasic()
.and().exceptionHandling()
.accessDeniedPage("/access?error");
以及UserController中的方法级授权检查:
@Controller
@EnableAutoConfiguration
public class UserController
@PreAuthorize("hasAnyAuthority('111')")
@RequestMapping(value = "/users")
public String userManagement(Model model)
.
return something;
我在登录时获得用户权限(列表),其中包含 111
谁能帮我解决我面临的错误?
【问题讨论】:
【参考方案1】:最近我遇到了类似的问题。
在我的项目中有@PreAuthorize
注释
以及处理审计逻辑的方面。
就我而言,这足以:
1.通过以下方式更新安全配置
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(mode = ASPECTJ, prePostEnabled = true, securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter`
2.在pom.xml
中添加依赖
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-aspects</artifactId>
<version>4.1.0.RELEASE</version>
</dependency>
希望有人会觉得这很有帮助。
【讨论】:
【参考方案2】:不要对 WebSecurityConfigurerAdapter 使用静态修饰符。
尝试以下 sn-p:
@Configuration
@EnableWebSecurity
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableGlobalMethodSecurity(securedEnabled = true, proxyTargetClass = true, prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter
// do your stuff here
@EnableAutoConfiguration 注释不应围绕您的控制器,而应围绕您的应用程序。
【讨论】:
以上是关于@PreAuthorize 不起作用 - 是不是存在无法解析的循环引用?的主要内容,如果未能解决你的问题,请参考以下文章
Spring security 4 @PreAuthorize("hasRole()") 不起作用
Spring Security:hasAuthority、hasRole 和 PreAuthorize 不起作用
使用 mongodb PostAuthorize 和 PreAuthorize 的 Spring Boot 安全性不起作用