After upgrading to Spring Security 4.1.2 and Spring 4.3.2, a 403 Access Denied error code is returned.
Spring-Security.xml file
...
<spring:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
</spring:bean>
<spring:bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter"/>
<spring:bean id="webExpressionVoter" class="org.springframework.security.web.access.expression.WebExpressionVoter" />
<spring:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <spring:constructor-arg>
        <spring:list>
            <spring:ref bean="roleVoter"/>
            <spring:ref bean="authenticatedVoter"/>
            <spring:ref bean="webExpressionVoter"/>
        </spring:list>
    </spring:constructor-arg>
</spring:bean>
<security:http access-decision-manager-ref="accessDecisionManager" auto-config='true' use-expressions="true">
    <security:intercept-url pattern="/login.jsp" access="hasRole('ROLE_ANONYMOUS')" />
    <security:intercept-url pattern="/j_spring_security_check" access="hasRole('ROLE_ANONYMOUS')" />
    <security:intercept-url pattern="/index*" access="hasRole('ROLE_USER')"/>
    <security:form-login login-page="/login.jsp"
        username-parameter="j_username"
        password-parameter="j_password"
        login-processing-url="/j_spring_security_check"
        authentication-failure-url="/accessDenied.jsp" />
    <security:logout invalidate-session="true" delete-cookies="JSESSIONID"/>
    <security:csrf disabled="true"/>
</security:http>
...
I am using a SpringSecurityAuthenticationProvider class for authentication. The class's authenticate(Authentication authentication) method executes successfully and returns a new UsernamePasswordAuthenticationToken(user, pwd, authorities).
Error stack trace:
2016-09-02 14:59:21,461 DEBUG [http-/127.0.0.1:8080-1] [org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:66)] - Voter: org.springframework.security.access.vote.RoleVoter@52989292, returned: 0
2016-09-02 14:59:21,461 DEBUG [http-/127.0.0.1:8080-1] [org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:66)] - Voter: org.springframework.security.access.vote.AuthenticatedVoter@203cc7cd, returned: 0
2016-09-02 14:59:21,461 DEBUG [http-/127.0.0.1:8080-1] [org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:66)] - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@5e01cc46, returned: -1
2016-09-02 14:59:21,462 DEBUG [http-/127.0.0.1:8080-1] [org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:362)] - Publishing event in Root WebApplicationContext: org.springframework.security.access.event.AuthorizationFailureEvent[source=FilterInvocation: URL: /index.html]
2016-09-02 14:59:21,462 DEBUG [http-/127.0.0.1:8080-1] [org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:186)] - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:115)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
From the error stack trace, WebExpressionVoter returns -1.
It is resolved after replacing hasRole with hasAuthority in the Spring Security file.
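Added example, not part of the original post: a standalone check of how the hasRole and hasAuthority expressions match the authority strings carried by an Authentication, using Spring Security 4.x classes. The class name RoleExpressionCheck, the user name and the sample authority values are constructed for illustration; substitute the strings your own AuthenticationProvider returns.

```java
import java.util.List;

import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

// Hypothetical helper class: evaluates the same expression methods that
// WebExpressionVoter relies on, outside of a running filter chain.
public class RoleExpressionCheck {

    // Builds an expression root for a token shaped like the one a custom
    // AuthenticationProvider returns (principal, credentials, authorities).
    static SecurityExpressionRoot rootFor(String... granted) {
        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList(granted);
        Authentication auth =
                new UsernamePasswordAuthenticationToken("sample-user", "n/a", authorities);
        // SecurityExpressionRoot is abstract but has no abstract methods.
        return new SecurityExpressionRoot(auth) { };
    }

    static String report(String granted) {
        SecurityExpressionRoot root = rootFor(granted);
        // hasRole prepends the default "ROLE_" prefix when the argument does
        // not already start with it; hasAuthority compares the string exactly.
        return String.format(
                "granted=%-10s hasRole('ROLE_USER')=%-5b hasRole('USER')=%-5b "
                        + "hasAuthority('ROLE_USER')=%-5b hasAuthority('USER')=%b",
                granted,
                root.hasRole("ROLE_USER"),
                root.hasRole("USER"),
                root.hasAuthority("ROLE_USER"),
                root.hasAuthority("USER"));
    }

    public static void main(String[] args) {
        // Constructed sample values: one authority with the prefix, one without.
        for (String granted : new String[] { "ROLE_USER", "USER" }) {
            System.out.println(report(granted));
        }
    }
}
```

Comparing this output with the authorities logged for the authenticated user shows which access expression in the intercept-url rules can match them.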