spring security异常记录:org.springframework.security.access.AccessDeniedException: Access is denied

原创 已于 2022-02-11 21:27:37 修改 · 2.1w 阅读 · 6 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#spring #java #安全 #bug

于 2022-02-11 15:32:23 首次发布
本文记录了一位开发者在使用Spring Security时遇到的Access Denied异常。问题出现在用户登录后仍无法访问受保护的页面,尽管配置文件中已设定登录用户可以访问。通过对日志的分析,发现无论登录何种用户,权限都被赋予了ROLE_ANONYMOUS。最终,开发者发现是由于禁用了网站的cookie导致此问题,启用cookie后问题得到解决。

最近在做ssm项目的时候用到spring security时遇到了异常,如下所示:

15:06:28,144 DEBUG FilterSecurityInterceptor:348 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@52dd6d71: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
15:06:28,180 DEBUG AffirmativeBased:66 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@1f4acb36, returned: -1
15:06:28,185 DEBUG ExceptionTranslationFilter:181 - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
	at org.apache.cat
最低0.47元/天 解锁文章
解决:org.springframework.security.access.AccessDeniedException: Access is denied
东天里的冬天
06-30 6万+
最近在使用SpringSecurity时涉及到从数据库中获取用户,结果一直报错,错误如下 Secure object: FilterInvocation: URL: /index.jsp; Attributes: [hasRole('ROLE_USER')] 2017-06-29 23:02:27 731 [DEBUG] Previously Authenticated: org.springf
SpringSecurity OAuth2.0-第3章: spring mvc集成spring security
健康平安的活着的专栏
07-31 4060
spring security spring security是一个封装比较完整安全的认证授权框架。是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架,在spring boot项目中加入spring security更是十分简单,使用Spring Security 减少了为企业系统安全控制编写大量重复代码的工作。 ...
Spring Security出现问题:Access is denied 及我的解决方案
热门推荐
txd2016_5_11的博客
01-24 6万+
近日使用spring security,xml文件如下: ...... <!-- 页面拦截规则 --> <http pattern="/shoplogin.html" security="none"></http> <http pattern="/loginerror.html" security="none"></http> ...
Spring Security出现问题:Access is denied
uouj3766的博客
03-24 5065
报错情况如下: 在登录的时候报错,如下: org.springframework.security.access.AccessDeniedException: Access is denied spring-security.xml代码: <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.spr...
org.springframework.security.access.AccessDeniedException 不允许访问
最新发布
2509_93970010的博客
11-03 393
检查我的WebSecurityConfigurerAdapter子类SecurityConfigWithoutUserDetail。org.springframework.security.access.AccessDeniedException: 不允许访问。* 捕捉AccessDeniedExceptionspring security抛出的无权限访问的异常信息。发现,我自定义的myAccessDeniedHandler类没有调用。测试spring security的权限校验功能时,
AccessDeniedException: spring security 认证中的一个小坑(bug集2)
pingzhuyan的博客
01-14 862
情况: 后端测试成功,前端对接测试的时候 出现这个问题 org.springframework.security.access.AccessDeniedException: 不允许访问 at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:73) at org.springframework.security.access.intercept.Abstract...
拒绝访问异常处理(AccessDeniedException)_spring security例子
09-23
拒绝访问异常处理(AccessDeniedException)_spring security例子 博客:blog.csdn.net/dsundsun
org.springframework.security.access.AccessDeniedException: 不允许访问
louis_lee7812的专栏
10-22 9404
org.springframework.security.access.AccessDeniedException: 不允许访问。原因是:@PreAuthorize 注解的异常,抛出AccessDeniedException异常,不会被accessDeniedHandler捕获,而是会被全局异常捕获。
有关spring security的错误之 AccessDeniedException: Access is denied
xiao__shun的博客
07-26 1万+
AccessDeniedException: Access is denied 没有访问权限 解决方法有以下几种 1,form表单对应spring security的配置文件一定一样 spring security的配置文件代替了controller层 2 spring security的配置文件一定可以找到service层 3 在数据库中设置的...
SpringSecurity问题分析之AccessDeniedException: Access is denied 源码分析
weixin_43180484的博客
04-10 2万+
问题描述 org.springframework.security.access.AccessDeniedException: Access is denied 2021-04-10 16:17:01.950 DEBUG [authorization-server,8c5f48650de0f659,83580d93d6acb342,false] 7328 — [nio-8000-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking matc
org.springframework.security.access.AccessDeniedException: Access is denied
09-23
org.springframework.security.access.AccessDeniedException: Access is deniedSpring Security框架中的一个异常。它表示当前用户没有足够的权限来访问某个资源或执行某个操作。这通常是由于用户的角色或权限...
流式接口访问报错org.springframework.security.access.AccessDeniedException: Access Denied
06-30
Spring Security 中,当用户尝试访问受保护的资源但没有足够的权限时,会抛出 `AccessDeniedException` 引发“Access Denied”错误。对于流式接口(如返回 `InputStream`、`ResponseEntity` 或直接写入 `...
解决org.springframework.security.access.AccessDeniedException: Access is denied at org.springframewor
qq_52227892的博客
09-15 4592
anonymous() 用于明确指定只允许未经身份验证的用户访问,如果用户进行了身份验证反而不能访问,这种配置一般用于登录、注册页面,用户未登录时候可以访问,登录之后不能访问,而 .permitAll()用于明确指定允许所有用户(包括已登录的用户)访问。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值