Spring-security: failed to evaluate expression '#oauth2.throwOnError(@rbasService.hasPerssion(request,authentication))

Created on 7 Dec 2017 · 3Comments · Source: spring-projects/spring-security

version

org.springframework.cloud
spring-cloud-starter-oauth2
1.2.0.RELEASE

resourceServerConfig

package com.yihu.base.security.config;

@Configuration
@EnableResourceServer 
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Autowired
    protected AuthenticationSuccessHandler authenticationSuccessHandler;
    @Autowired
    protected AuthenticationFailureHandler authenticationFailureHandler;
    @Autowired
    private OAuth2AuthenticationManager authenticationManager;
    @Autowired
    private TokenStore redisTokenStore;
    @Autowired
    private SmsCodeAuthenticationSecurityConfig smsCodeAuthenticationSecurityConfig;
    @Autowired
    private AuthorizeConfigProviderManager authorizeConfigProviderManager;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .formLogin()
                    .loginPage(SecurityProperties.formLoginPage)
                    .loginProcessingUrl(SecurityProperties.formLogin)
                    .successHandler(authenticationSuccessHandler)
                    .failureHandler(authenticationFailureHandler)
                .and()
                    .apply(smsCodeAuthenticationSecurityConfig) 
                .and()
                    .authenticationProvider()
                  .anyRequest().access("@rbasService.hasPerssion(request,authentication)");   // this error
                ;


       authorizeConfigProviderManager.config(http.authorizeRequests());
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.
                authenticationManager(authenticationManager).
                tokenStore(redisTokenStore);
    }

}

service

package com.yihu.jw.service;

@Primary
@Service("rbasService")
public class RbasService implements IRbasService {

    private AntPathMatcher antPathMatcher = new AntPathMatcher();

    @Override
    public Boolean hasPerssion(HttpServletRequest request, Authentication authentication) {
        Object principal = authentication.getPrincipal();
        boolean hasPerssion = false;
        if (principal instanceof UserDetails) {
            String username = ((UserDetails) principal).getUsername();

            Set<String> uris = new HashSet<>();
            for (String uri : uris) {
                if (antPathMatcher.match(uri, request.getRequestURI())) {
                    hasPerssion = true;
                    break;
                }
            }
        }
        return hasPerssion;
    }

}

start my app success but request fail

the exception

java.lang.IllegalArgumentException: Failed to evaluate expression '#oauth2.throwOnError(@rbasService.hasPerssion(request,authentication))'
......
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1057E: No bean resolver registered in the context to resolve access to bean 'rbasService'

@SpringBootApplication(exclude = OAuth2AutoConfiguration.class)
@ComponentScan(basePackages = {"com"})
@EnableAspectJAutoProxy(proxyTargetClass = true, exposeProxy = true)
public class DemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}

I don't understand why the spring context do not found rbasService？

Source

qq494679975

Most helpful comment

@Configuration
@EnableResourceServer
public class MyResourceServerConfig extends ResourceServerConfigurerAdapter {

@Autowired
private OAuth2WebSecurityExpressionHandler expressionHandler;

@Bean
public OAuth2WebSecurityExpressionHandler oAuth2WebSecurityExpressionHandler(ApplicationContext applicationContext) {
    OAuth2WebSecurityExpressionHandler expressionHandler = new OAuth2WebSecurityExpressionHandler();
    expressionHandler.setApplicationContext(applicationContext);
    return expressionHandler;
}

@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
    resources.expressionHandler(expressionHandler);
}

}

EnableResourceServer 里面加上这个就好使了，不过还有个问题就是hasPerssion方法里面的
Object principal = authentication.getPrincipal();
获取的事登陆的账号，不是MyUserDetails

hnbc4277 on 7 Feb 2018

👍6

All 3 comments

@Configuration
@EnableResourceServer
public class MyResourceServerConfig extends ResourceServerConfigurerAdapter {

@Autowired
private OAuth2WebSecurityExpressionHandler expressionHandler;

@Bean
public OAuth2WebSecurityExpressionHandler oAuth2WebSecurityExpressionHandler(ApplicationContext applicationContext) {
    OAuth2WebSecurityExpressionHandler expressionHandler = new OAuth2WebSecurityExpressionHandler();
    expressionHandler.setApplicationContext(applicationContext);
    return expressionHandler;
}

@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
    resources.expressionHandler(expressionHandler);
}

}

hnbc4277 on 7 Feb 2018

👍6

Thanks for the report. Please report Spring Security OAuth issues to https://github.com/spring-projects/spring-security-oauth/issues

rwinch on 7 Feb 2018

在5.0.7版本需要把OAuth2WebSecurityExpressionHandle换成DefaultWebSecurityExpressionHandler，可以解决这个问题，在ResourceServerConfig中添加就可以了。
if your spirngsecurity is 5.0.7,could use DefaultWebSecurityExpressionHandler replace OAuth2WebSecurityExpressionHandle.