Develop Reference

How to solve IllegalArgumentException in Spring security

I'm using spring security. When I browse to http://localhost:8080/rest/user/json/quypham, I get the following error:
[WARNING] /rest/user/json/quypham java.lang.IllegalArgumentException:
Failed to evaluate expression 'ROLE_ADMIN'
at org.springframework.security.access.expression.ExpressionUtils.evalua
teAsBoolean(ExpressionUtils.java:15)
at org.springframework.security.web.access.expression.WebExpressionVoter
.vote(WebExpressionVoter.java:36)
at org.springframework.security.web.access.expression.WebExpressionVoter
.vote(WebExpressionVoter.java:18)
at org.springframework.security.access.vote.AffirmativeBased.decide(Affi
rmativeBased.java:62)
at org.springframework.security.access.intercept.AbstractSecurityInterce
ptor.beforeInvocation(AbstractSecurityInterceptor.java:232)
at org.springframework.security.web.access.intercept.FilterSecurityInter
Caused by:
org.springframework.expression.spel.SpelEvaluationException: EL1008E:
(pos 0): Property or field 'ROLE_ADMIN' cannot be found on object of
type 'org.s
pringframework.security.web.access.expression.WebSecurityExpressionRoot'
- maybe not public?
at org.springframework.expression.spel.ast.PropertyOrFieldReference.read
Property(PropertyOrFieldReference.java:215)
at org.springframework.expression.spel.ast.PropertyOrFieldReference.getV
alueInternal(PropertyOrFieldReference.java:85)
at org.springframework.expression.spel.ast.PropertyOrFieldReference.getV
alueInternal(PropertyOrFieldReference.java:78)
at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(Sp
elNodeImpl.java:114)
at org.springframework.expression.spel.standard.SpelExpression.getValue(
SpelExpression.java:105)
at org.springframework.security.access.expression.ExpressionUtils.evalua
I think I have something wrong in my userservice-servlet.xml file:
<security:http>
<security:http-basic/>
<security:intercept-url pattern="/rest/**" access="ROLE_ADMIN"/>
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<security:user-service>
<security:user name="datpham" password="Dat12345" authorities="ROLE_ADMIN"/>
<security:user name="hoaipham" password="Hoai12345" authorities="ROLE_USER"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
Here is UserRestServiceController.java:
#Controller
public class UserRestServiceController {
#Autowired
public UserDao userDao;
#Autowired
public View jsonTemplate;
#RequestMapping(value="/rest/user/json/{username}",
produces = MediaType.APPLICATION_JSON_VALUE,method = RequestMethod.GET)
public #ResponseBody User loadUser(#PathVariable("username") String name){
return userDao.loadUser(name);
}

By default, expression-based access-control is enabled. That means you should change access value to an expression:
<security:intercept-url pattern="/rest/**" access="hasRole('ADMIN')"/>
As an option, you can disable expressions:
<security:http use-expressions="false">

For all roles you have to use 'hasRole'.
In your case access="hasRole('ADMIN')" to be used when <http use-expressions="false">

Web App won't start after upgrading from 3.0.2 to 3.1.2

I have a working 3.0.2 applicationContext-security.xml that uses a custom authenticator
<global-method-security pre-post-annotations="disabled">
</global-method-security>
<http use-expressions="true">
<intercept-url pattern="/diagnostics/**" access="hasRole('ROLE_USER')" />
<form-login login-page="/genesis" default-target-url="/diagnostics/start-diagnostics"
authentication-failure-url="/genesis?authfailed=true"
authentication-success-handler-ref="customTargetUrlResolver"/>
<access-denied-handler error-page="/genesis?notauthorized=true"/>
<logout logout-success-url="/genesis"/>
<session-management session-authentication-error-url="/genesis">
<concurrency-control max-sessions="1" expired-url="/genesis?sessionExpired=true"/>
</session-management>
</http>
<authentication-manager>
<authentication-provider ref="genesisAuthenticator">
<jdbc-user-service data-source-ref="dataSource"/>
</authentication-provider>
</authentication-manager>
<beans:bean id="genesisAuthenticator" class="com.blackbox.x.web.security.Authenticator"/>
<beans:bean id="customTargetUrlResolver" class="com.blackbox.x.web.security.StartPageRouter"/>
</beans:beans>
After upgrading to 3.1.2 my application will not start and I get the error message
"Configuration problem: authentication-provider element cannot have child elements when used with 'ref' attribute". I'm assuming that the problem lies with the
<jdbc-user-service data-source-ref="dataSource"/>
element where data-source-ref points to a definition in my application-context.xml file.
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver"/>
<property name="url" value="jdbc:mysql://localhost:3306/genesis"/>
<property name="username" value="dbuser"/>
<property name="password" value="********"/>
What do I need to do to get this working. Dropping back to 3.0.2 is not really an option.

If you use a custom AuthenticationProvider implementation you'll have to configure it in XML in "traditional" Spring way, because <security:authentication-provider ref="yourImpl"> just points to bean which can authenticate whatever in whatever way, and don't really have to use UserDetailsService at all. In your example you tried to use jdbc-user-service which is just shortcut for creating JdbcDaoImpl bean.
So what you have to do is to assure that all genesisAuthenticator dependencies are resolved by yourself not Spring Security. That is you should either add #Autowired setUserDetailsService(UserDetailsService userDetailsService) method to your bean or configure it in XML like this (using id attribute):
<beans:bean id="genesisAuthenticator"
class="com.blackbox.x.web.security.Authenticator">
<property name="userDetailsService" ref="jdbcUserService"/>
</beans:bean>
<jdbc-user-service id="jdbcUserService" data-source-ref="dataSource" />

Unable to Configure Spring Security With X.509 Certificate and Anonymous User

I am attempting to authenticate via X.509 smart card to my application. For the moment, my application doesn't have any users defined, so I'm trying to use anonymous authentication. I'll switch it to hasRole() once I create users.
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider user-service-ref="myUserService" />
</security:authentication-manager>
<!-- TODO: Enable this once I am ready to start annotating the service interfaces -->
<security:global-method-security pre-post-annotations="enabled" />
<security:http use-expressions="true" authentication-manager-ref="authenticationManager" access-denied-page="/index2.xhtml" >
<security:anonymous enabled="true" />
<security:x509 subject-principal-regex="CN=(.*?)," user-service-ref="myUserService" />
<security:intercept-url pattern="/**" access="isAnonymous()" requires-channel="https" />
<!-- TODO: configure invalid-session-url, delete sessionid -->
<security:session-management>
<security:concurrency-control max-sessions="2" error-if-maximum-exceeded="true"/>
</security:session-management>
</security:http>
<bean id="roleVoter"
class="org.springframework.security.access.vote.RoleHierarchyVoter">
<constructor-arg ref="roleHierarchy" />
</bean>
<bean id="roleHierarchy"
class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<property name="hierarchy">
<value>
ROLE_USER > ROLE_AUTHENTICATED
ROLE_AUTHENTICATED > ROLE_UNAUTHENTICATED
ROLE_UNAUTHENTICATED > ROLE_ANONYMOUS
</value>
</property>
</bean>
It seems to be caught in the infinite loop issue, which I thought I was avoiding using isAnonymous().
I'm probably making a dumb error, so if someone can point out said stupidity, I'd be grateful.

The issue was a problem with configuring FacesServlet in web.xml. The FacesServlet was mapped to one path, which seemed to be incompatible with the intercept-url defined for Spring Security.
We've since jettisoned JSF (and good riddance).

Spring-security is not picking up my authentication manager

I am screwed with the spring security configuration issue
Here is my configuration
<security:global-method-security pre-post-annotations="enabled" />
<security:http auto-config="true">
<security:intercept-url pattern="/dologin" access="ROLE_USER,ROLE_ANONYMOUS" />
<security:form-login login-processing-url="/security_check" login-page="/onlogin" always-use-default-target="false" authentication-failure-url="/onlogin" default-target-url="/home" />
<security:logout invalidate-session="true" logout-url="/logout" logout-success-url="/onlogout" />
<security:remember-me />
<security:http-basic/>
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="daoAuthenticationProvider"/>
</security:authentication-manager>
<bean id="anonymousAuthenticationProvider"
class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
<property name="key" value="badgerbadgerbadger" />
</bean>
<bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService" />
</bean>
My problem is that when a request comes for authentication; I find there are only two providers registered.
org.springframework.security.authentication.AnonymousAuthenticationProvider#8fe4ad
org.springframework.security.authentication.RememberMeAuthenticationProvider#1db9cb9
What might me going wrong? Please describe?

I believe you need to identify your custom provider to spring security by using the security:custom-authentication-provider tag.
For example:
<bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<security:custom-authentication-provider />
<property name="userDetailsService" ref="userDetailsService" />
</bean>
You may need that on your anonymousAuthenticationProvider bean also.

Try the following:
<security:authentication-manager>
<security:authentication-provider user-service-ref="userDetailsService"/>
</security:authentication-manager>

in your daoAuthenticationProvider you have a reference to userDetailsService, but I don't see such bean in your configuration.
check pervious error messages, I would expect to see a reference to missed bean there.

Use/define 'id' while defining security authentication manager.
For Example:
<security:authentication-manager id="authenticationManager" alias="authenticationManager">
<security:authentication-provider ref="daoAuthenticationProvider"/>
</security:authentication-manager>

Spring Security 3 specify multiple intercept-url access roles

I am trying to setup Spring 3 security using JDBC auth. Everything is working fine apart from when I try to specify multiple access roles to an intercept-url. Eg I want anyone with the roles ROLE_USER and ROLE_ADMIN to be able to access all pages, I use the follwoing line in my spring config file -
<security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN" />
However this throws the following error -
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [ ROLE_ADMIN]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1401)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:512)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:450)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:289)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:286)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:188)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:558)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:852)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:422)
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:261)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:192)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3843)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4342)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Caused by: java.lang.IllegalArgumentException: Unsupported configuration attributes: [ ROLE_ADMIN]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.afterPropertiesSet(AbstractSecurityInterceptor.java:154)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1460)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1398)
... 27 more
If specify that only one of the roles can access any url then it is fine (fine for either role). Changing the order in which i specify the roles makes no difference either. It is as though something has changed in Spring Security 3 that now cannot handle mulitple access roles being specified.
I have successfully got this working previously with Spring Security 2, and am using virtually the same configuration. Any ideas?
My security config file is listed below -
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<security:http auto-config="true" access-denied-page="/denied.jsp" >
<security:form-login
default-target-url="/app/home"
always-use-default-target="true" />
<security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN" />
<security:logout invalidate-session="true" logout-url="/logout" logout-success-url="" />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource"
users-by-username-query='select "username", "password", "enabled"
from users where "username" = ?'
authorities-by-username-query='select "username", "authority" from user_roles where "username" = ?' />
</security:authentication-provider>
</security:authentication-manager>
</beans>

I had the same issue but used expressions to get around this issue:
You should embed
use-expressions="true"
in your existing config. So:
<security:http auto-config="true" access-denied-page="/denied.jsp" >
becomes
<security:http auto-config="true" access-denied-page="/denied.jsp" use-expressions="true">
And then:
<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />

I am not sure about this problem, actually I am using it currently in my project and don't see an issue. try removing the space after the "," I mean try using ROLE_USER,ROLE_ADMIN

I had the same problem when was trying to migrate from Spring 3.x to 4.x. Finally I found that parameter "use-expressions" of "http" tag became "true" by default in Spring 4.x instead of false (as it was in old versions).
P.S. This question is very old for now, but I found this in Google. So somebody else can find it too and this info might be useful then.

I had the same problem and found the answer here.
Use that line to grant access to user with both roles: <security:intercept-url pattern="/**" access="hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')" />
If you want to grant access to user with one of the listed roles, use: <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />
Also, you need to add ability to use SpEL in your security *.xml, add use-expressions="true" to <http> tag.

I decided to downgrade to Spring Security 2.0.5 without changing anything else to check whether this was a bug in 3, and lo-and-behold it was!
I think I also found a related open bug here - https://jira.springsource.org/browse/SEC-1342
Solution - use 2.0.5 if want to use this feature.