Spring-security-oauth: Failed to evaluate expression 'IS_AUTHENTICATED_FULLY'

Created on 13 Nov 2015  路  6Comments  路  Source: spring-projects/spring-security-oauth

I was trying to do spring-security-oauth in XML way
the version is
spring-security 4.03
oauth 2.08

the http element code is

<http pattern="/oauth/token" create-session="stateless"
    authentication-manager-ref="oauth2AuthenticationManager"
    entry-point-ref="oauth2AuthenticationEntryPoint">
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    <anonymous enabled="false" />
    <http-basic entry-point-ref="oauth2AuthenticationEntryPoint" />
    <custom-filter ref="clientCredentialsTokenEndpointFilter"
        before="BASIC_AUTH_FILTER" />
    <access-denied-handler ref="oauth2AccessDeniedHandler" />
</http>

But when i try wo get the token. the console print Failed to evaluate expression 'IS_AUTHENTICATED_FULLY'.

stackoverflow

Most helpful comment

The problem is that in Spring Security 4.x XML configuration uses expressions by default and IS_AUTHENTICATED_FULLY is not the expression syntax. Either disable expressions using <http use-expressions="false"> or replace IS_AUTHENTICATED_FULLY withfullyAuthenticated`.

All 6 comments

I can't see anything wrong with the XML, but it's not really even a question about Spring OAuth. Did you try asking (re spring-security) in Stack Overflow? I suspect you will have to provide more information, or a complete sample project maybe, to make it clear what you are doing.

@kklam4697 Did you found a solution? I have same issue....

The problem is that in Spring Security 4.x XML configuration uses expressions by default and IS_AUTHENTICATED_FULLY is not the expression syntax. Either disable expressions using <http use-expressions="false"> or replace IS_AUTHENTICATED_FULLY withfullyAuthenticated`.

Thanks, It works for me as well.

We have same problem. But replacing IS_AUTHENTICATED_FULLY with fullyAuthenticated will not work with me. And also, I tried disabling the expressions using http use-expressions="false", but doesn't work.. Please help me. Thank you very much.

Here is my spring-security.xml
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.1.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.1.xsd">

<!-- This is default url to get a token from OAuth -->
<sec:http pattern="/oauth/token" create-session="stateless"
    authentication-manager-ref="clientAuthenticationManager">
    <sec:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    <sec:anonymous enabled="false" />
    <sec:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
    <!-- include this only if you need to authenticate clients via request 
        parameters -->
    <sec:custom-filter ref="clientCredentialsTokenEndpointFilter"
        after="BASIC_AUTH_FILTER" />
    <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>

<!-- This is where we tells spring security what URL should be protected 
    and what roles have access to them -->
<sec:http pattern="/api/**" create-session="never"
    entry-point-ref="oauthAuthenticationEntryPoint"
    access-decision-manager-ref="accessDecisionManager"
    xmlns="http://www.springframework.org/schema/security">
    <sec:anonymous enabled="false" />
    <sec:intercept-url pattern="/api/**" access="ROLE_USER" />
    <sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>

<!-- enable use-expressions -->
<http   auto-config="true" use-expressions="true" >
    <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/mainpage" access="hasRole('ROLE_USER')" />

    <!-- access denied page -->
    <access-denied-handler error-page="/403" />
    <form-login 
        login-page="/login" 
        default-target-url="/mainpage" 
        authentication-failure-url="/login?error" 
        username-parameter="username"
        password-parameter="password" />
    <logout logout-success-url="/login?logout"  />
    <!-- enable csrf protection -->
    <csrf/>
</http>

<beans:bean id="oauthAuthenticationEntryPoint"
    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <beans:property name="realmName" value="test" />
</beans:bean>

<beans:bean id="clientAuthenticationEntryPoint"
    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <beans:property name="realmName" value="test/client" />
    <beans:property name="typeName" value="Basic" />
</beans:bean>

<beans:bean id="oauthAccessDeniedHandler"
    class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

<beans:bean id="clientCredentialsTokenEndpointFilter"
    class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
    <beans:property name="authenticationManager" ref="clientAuthenticationManager" />
</beans:bean>

<!--<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
    xmlns="http://www.springframework.org/schema/beans">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
            <bean class="org.springframework.security.access.vote.RoleVoter" />
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
        </list>
    </constructor-arg>
</bean>-->
<beans:bean id="accessDecisionManager"
        class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:constructor-arg>
            <beans:list>
                <beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
                <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
                 <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
                <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter" />
                <!--<beans:bean class="org.springframework.security.web.access.expression.WebSecurityExpressionRoot" />-->
            </beans:list>
        </beans:constructor-arg>
</beans:bean>

<sec:authentication-manager id="clientAuthenticationManager"
    xmlns="http://www.springframework.org/schema/security">
    <authentication-provider user-service-ref="clientDetailsUserService" />
</sec:authentication-manager>   

<!-- Select users and user_roles from database -->
<!--<sec:authentication-manager id="authenticationManager"
                        xmlns="http://www.springframework.org/schema/security">
    <sec:authentication-provider>
        <sec:jdbc-user-service data-source-ref="dataSource"
            users-by-username-query=
                "select username,password, enabled from users where username=?"
            authorities-by-username-query=
                "select username, role from user_roles where username =?  " />
    </sec:authentication-provider>
</sec:authentication-manager>-->
<sec:authentication-manager id="authenticationManager"
    xmlns="http://www.springframework.org/schema/security">
    <sec:authentication-provider>
        <sec:user-service>
            <sec:user name="beingjavaguys" password="spring@java" authorities="ROLE_USER" />
        </sec:user-service>
    </sec:authentication-provider>
</sec:authentication-manager>

<beans:bean id="clientDetailsUserService"
    class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <beans:constructor-arg ref="clientDetails" />
</beans:bean>

<!-- This defined token store, we have used inmemory tokenstore for now 
    but this can be changed to a user defined one -->
<beans:bean id="tokenStore"
    class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />

<!-- This is where we defined token based configurations, token validity 
    and other things -->
<beans:bean id="tokenServices"
    class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <beans:property name="tokenStore" ref="tokenStore" />
    <beans:property name="supportRefreshToken" value="true" />
    <beans:property name="accessTokenValiditySeconds" value="120" />
    <beans:property name="clientDetailsService" ref="clientDetails" />
</beans:bean>

<!--<beans:bean id="userApprovalHandler"
    class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
    <beans:property name="clientDetailsService" ref="clientDetails" />
    <beans:property name="tokenStore" ref="tokenStore"></beans:property>
</beans:bean>-->
<beans:bean id="userApprovalHandler" 
    class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
    <beans:property name="requestFactory" ref="oAuth2RequestFactory" />
    <beans:property name="tokenStore" ref="tokenStore"/>
</beans:bean>

<beans:bean id="oAuth2RequestFactory"
    class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
    <beans:constructor-arg ref="clientDetails" />
</beans:bean>

<oauth:authorization-server
    client-details-service-ref="clientDetails" token-services-ref="tokenServices"
    user-approval-handler-ref="userApprovalHandler">
    <oauth:authorization-code />
    <oauth:implicit />
    <oauth:refresh-token />
    <oauth:client-credentials />
    <oauth:password />
</oauth:authorization-server>

<oauth:resource-server id="resourceServerFilter"
    resource-id="test" token-services-ref="tokenServices" />

<oauth:client-details-service id="clientDetails">
    <!-- client -->
    <oauth:client client-id="restapp"
        authorized-grant-types="authorization_code,client_credentials"
        authorities="ROLE_USER" scope="read,write,trust" secret="secret" />

    <oauth:client client-id="restapp"
        authorized-grant-types="password,authorization_code,refresh_token,implicit"
        secret="restapp" authorities="ROLE_USER" />

</oauth:client-details-service>

<sec:global-method-security
    pre-post-annotations="enabled" proxy-target-class="true">
    <!--you could also wire in the expression handler up at the layer of the 
        http filters. See https://jira.springsource.org/browse/SEC-1452 -->
    <sec:expression-handler ref="oauthExpressionHandler" />
</sec:global-method-security>

<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />

/beans:beans

hi, have a look class "org.springframework.security.access.expression.SecurityExpressionRoot",there you will find answer, including that you should using isFullyAuthenticated() instead.

Was this page helpful?
0 / 5 - 0 ratings