gpt4 book ai didi

java - Spring安全@PreAuthorize NullPointerException。为什么?

转载 作者:行者123 更新时间:2023-12-01 17:46:50 25 4
gpt4 key购买 nike

我正在尝试在 Controller 中实现对用户角色的检查,因此当用户调用特定的网址时,他可以访问该页面(或不能)。

因此,我将 @PreAuthorize("hasPermission...) 放入我的 Controller 方法之一中,并创建了我的自定义 * PermissionEvaluator*。它采用两个字符串作为参数(实体名称 - String,权限名称 - String),稍后我将从用户的角色对象中获取它。出于测试目的,它始终返回 true。

问题:在放置 @PreAuthorize 时,我总是遇到 NullPointerException。你能解释一下我做错了什么吗?

Controller

@RequestMapping(value = "goal/new", method = RequestMethod.GET)
@PreAuthorize("hasPermission('GOAL', 'WRITE')")
public String add (Model model, RedirectAttributes redirect) {
User user = AuthUtils.getCurrentUser();
Goal goal = new Goal();
Set<Unit> units = unitService.getUnitsByRole(user.getRoles());
model.addAttribute("goal", goal);
model.addAttribute("units", units);
return WEB_FORM_URL;
}

权限评估器

@Component
public class CustomPermissionEvaluator implements PermissionEvaluator {
@Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
System.out.println("Permission eveluator: called");
boolean permissionGranted = true;
return permissionGranted;
}

@Override
public boolean hasPermission(Authentication authentication, Serializable serializable, String targetType,
Object permission) {
return false;
}
}

全局方法安全配置

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, jsr250Enabled = true, proxyTargetClass = true)
public class CustomMethodSecurityConfig extends GlobalMethodSecurityConfiguration {

@Autowired
CustomPermissionEvaluator permissionEvaluator;

@Bean
public MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
handler.setPermissionEvaluator(permissionEvaluator);
return handler;
}
}

错误堆栈

java.lang.NullPointerException: null
at org.springframework.security.access.expression.SecurityExpressionRoot.hasPermission(SecurityExpressionRoot.java:177) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_201]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_201]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_201]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_201]
at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:130) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]
at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:138) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]
at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:94) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]
at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:114) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]
at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:300) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]
at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:26) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice.before(ExpressionBasedPreInvocationAdvice.java:59) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]

最佳答案

我不是 100% 确定,但您能否更改 CustomMethodSecurityConfig 中的方法签名以实际覆盖 GlobalMethodSecurityConfiguration 中的正确方法。

所以

 @Override
protected MethodSecurityExpressionHandler createExpressionHandler() {

而不是

  @Bean
public MethodSecurityExpressionHandler methodSecurityExpressionHandler() {

关于java - Spring安全@PreAuthorize NullPointerException。为什么?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60853576/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com