Announcement Announcement Module
Collapse
No announcement yet.
WebExpressionVoter Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • WebExpressionVoter

    Hi -

    I have the following configuration for accessDecisionManager
    <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.Af firmativeBased">
    <beansroperty name="decisionVoters">
    <beans:list>
    <beans:bean class="org.springframework.security.access.vote.Ro leVoter"/>
    <beans:bean class="org.springframework.security.access.vote.Au thenticatedVoter"/>
    <beans:bean class="org.springframework.security.web.access.exp ression.WebExpressionVoter"/>
    </beans:list>
    </beansroperty>
    </beans:bean>

    After adding WebExpressionVoter I am getting the following error -
    java.lang.IllegalArgumentException: AccessDecisionManager does not support secure object class: interface org.aopalliance.intercept.MethodInvocation
    at org.springframework.util.Assert.isTrue(Assert.java :65)

    What is the correct way to add WebExpressionVoter to accessDecisionManager?

    Thanks in advance

  • #2
    Typically if you want expressions you only need to specify http@use-expression=true which will set this up for you automatically. Are you trying to configure web or method security? The AccessDecisionManager you have configured looks like it should be configured against the http@access-decision-manager-ref but it appears you have configured it against the global-method-security@access-decision-manager-ref. See the Namepace Appendix for details.

    PS: Please use the code tags when posting configuration, stacktraces, code, etc as this makes it easier to read

    Comment


    • #3
      Thanks for the reply.
      Using http@use-expression=true works perfectly.
      However, I am not using the http namespace since there is no control over the filters.
      Hence using the following
      Code:
      <beans:bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
            <security:filter-chain-map path-type="ant">
      <security:filter-chain pattern="/testurl/**" filters="Filter1, Filter2, Filter3" />
      .....
      </beans:bean>
      
      <beans:bean id="filterSecurityInterceptor"
              class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
              <beans:property name="authenticationManager" ref="authenticationManager"/>
        		<beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
      	  <beans:property name="securityMetadataSource">
      	    <security:filter-security-metadata-source lowercase-comparisons="true" use-expressions="true">
      		  <security:intercept-url pattern="/testURL.do/**" access="permitAll" />
      	    </security:filter-security-metadata-source>
      	  </beans:property>
      	</beans:bean>
      
       <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
      	    <beans:property name="decisionVoters">
      	        <beans:list>
      	            <beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
      	            <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
      	            <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
      	        </beans:list>
      	    </beans:property>
      	</beans:bean>


      <global-method-security> had reference to accessDecisionManager, after removing that reference the error is resolved.

      Does the <http> namespace provide the option to define multiple filters and maintain the order of invocation?

      Thanks again

      Comment


      • #4
        You don't have as much control over the Filters with the namespace. However, you can insert custom Filters using the custom-filter element.

        Comment

        Working...
        X