Failed to evaluate expression with spring security
Solution 1
You need hasRole('ROLE_USER')
in the intercept-url element.
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
See the docs for the other expressions, that you can use.
Solution 2
If you don't need CRF to be enabled, then you can disable it in webSecurityConfig.xml file like below:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login.html" access="hasRole('ANONYMOUS')" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<!-- This form is a default form that used to login
<http-basic/>
-->
<form-login login-page="/login.html"/>
<csrf disabled="true"/>
</http>
If CSRF is enabled, you have to include a _csrf.token in the page you want to login or logout.The below code needs to be added to the form:
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" />
Solution 3
Spring security blocks POST requests.
To enable it you can either:
- Add after all you forms requests :
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" class="form-control" />
(For example:
<form id="computerForm" action="addComputer" method="POST">
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" class="form-control" />
)
-
Or if you use anotation, you can allow POST directly in your code by adding the csrf().disable on your WebSecurityConfigurerAdapter (I havent found the xml equivalent yet) :
@Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')") .and().formLogin() .csrf().disable() ;}
napstablook
Updated on June 06, 2022Comments
-
napstablook about 2 years
I have a Spring rest service, and I'm trying to add security to it. I followed this tutorial, but when I try to access the service directly I get the following error:
There was an unexpected error (type=Internal Server Error, status=500). Failed to evaluate expression 'ROLE_USER'
Here's my security configuration:
webSecurityConfig.xml
<http entry-point-ref="restAuthenticationEntryPoint"> <intercept-url pattern="/**" access="ROLE_USER"/> <form-login authentication-success-handler-ref="mySuccessHandler" authentication-failure-handler-ref="myFailureHandler" /> <logout /> </http> <beans:bean id="mySuccessHandler" class="com.eficid.cloud.security.rest.AuthenticationSuccessHandler"/> <beans:bean id="myFailureHandler" class= "org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"/> <authentication-manager> <authentication-provider> <user-service> <user name="temp" password="temp" authorities="ROLE_USER" /> </user-service> </authentication-provider> </authentication-manager>
SpringSecurityConfig
:public class SpringSecurityConfig { public SpringSecurityConfig() { super(); } }
I'm also getting this error when trying to use curl to log in:
{ "timestamp":1460399841286, "status":403,"error":"Forbidden", "message":"Could not verify the provided CSRF token because your session was not found.", "path":"/spring-security-rest/login" }
Do I need to add the csrf token manually to the command? The service has a self-signed certificate, if that makes any difference.
-
Haseeb Wali about 8 yearsHai @Evgeni. When i do login along with 'X-CSRF-TOKEN' my login is successfully executed. But after that when i send some request i get 'Could not verify the provided CSRF token because your session was not found.' message. I have given proper patterns and access in my given code. Can you please suggest anything. Thanks in advance
-
Evgeni Dimitrov about 8 years@HaseebWali I suggest you ask another question and provide more details, like your configuration...