Spring Security @PreAuthorize 问题

最近在做一个spring security的项目,遇到了一个@PreAuthorize 问题。
在interface里面我用@PreAuthorize标记了一些method,

public interface PoiActionInterface {

@PreAuthorize("hasRole('ROLE_ADMIN')")
public String editPoi();

@PreAuthorize("hasAnyRole('ROLE_ADMIN', 'ROLE_USER')")
public String listPois();

@PreAuthorize("hasRole('ROLE_ADMIN')")
public String generatePoi() throws IOException, TemplateException;

@PreAuthorize("hasRole('ROLE_ADMIN')")
public String deletePoi();

@PreAuthorize("hasRole('ROLE_USER')")
public String trc();

}

在web server启动之后，如果权限不对，会提示exception message: access denied.
但是如果权限对了时候，会出现一些奇怪的问题，

public class POIAction extends ActionSupport implements PoiActionInterface {

private static final long serialVersionUID = "$Id: POIAction.java 42163 2011-08-16 18:39:30Z shany@telenav.com $".hashCode();

@Autowired
private TrcHibernateService trcHibernateService;

@Autowired
private MailService mailService;

@Autowired
private TemplateService templateService;

private UserGeneratedPoi userPoi;
private UserGeneratedPoiDetail userPoiDetail;
private String timeStart;
private String timeEnd;
private Integer action;
private String poiid;

private List<UserGeneratedPoi> userPois;

private static String userFirstName;

public void setUserFirstName(String userFirstName) {
    POIAction.userFirstName = userFirstName;
}

public String getUserFirstName() {
    return userFirstName;
}

public void setUserPoi(UserGeneratedPoi userPoi) {
    this.userPoi = userPoi;
}

public UserGeneratedPoi getUserPoi() {
    return userPoi;
}

public String getPoiid() {
    return poiid;
}

public void setPoiid(String poiid) {
    this.poiid = poiid;
}

public void setTimeStart(String timeStart) {
    this.timeStart = timeStart;
}

public String getTimeStart() {
    return timeStart;
}

public void setTimeEnd(String timeEnd) {
    this.timeEnd = timeEnd;
}

public String getTimeEnd() {
    return timeEnd;
}

public void setUserPoiDetail(UserGeneratedPoiDetail userPoiDetail) {
    this.userPoiDetail = userPoiDetail;
}

public UserGeneratedPoiDetail getUserPoiDetail() {
    return userPoiDetail;
}

public void setAction(Integer action) {
    this.action = action;
}

public Integer getAction() {
    return action;
}

public void setUserPois(List<UserGeneratedPoi> userPois) {
    this.userPois = userPois;
}

public List<UserGeneratedPoi> getUserPois() {
    return userPois;
}

public void getFirstName() {
    Object obj = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    POIAction.userFirstName = ((TrcUserDetail) obj).getFirstName();
}

@SkipValidation
@Action(value = "trc", results = { @Result(name = "success", location = "page.addpoi", type = "tiles") })
public String trc() {
    return SUCCESS;
}

@SkipValidation
@Action(value = "editpoi", results = { @Result(name = "success", location = "page.editpoi", type = "tiles") })
public String editPoi() {
    this.userPoi = trcHibernateService.getById(UserGeneratedPoi.class, Integer.valueOf(poiid));
    this.userPoiDetail = trcHibernateService.getById(UserGeneratedPoiDetail.class, Integer.valueOf(poiid));
    if (userPoiDetail.getBusinessHour() != null && userPoiDetail.getBusinessHour().split(" ").length > 0) {
        setTimeStart(userPoiDetail.getBusinessHour().split(" ")[0]);
        setTimeEnd(userPoiDetail.getBusinessHour().split(" ")[1]);
    }
    return SUCCESS;
}

@SkipValidation
@Action(value = "deletepoi", results = { @Result(name = "success", location = "page.listpois", type = "tiles") })
public String deletePoi() {
    this.userPoi = trcHibernateService.getById(UserGeneratedPoi.class, Integer.valueOf(poiid));
    this.userPoiDetail = trcHibernateService.getById(UserGeneratedPoiDetail.class, Integer.valueOf(poiid));
    trcHibernateService.delete(this.userPoiDetail);
    trcHibernateService.delete(this.userPoi);
    this.userPois = trcHibernateService.getAll(UserGeneratedPoi.class);
    return SUCCESS;
}

@SkipValidation
@Action(value = "listpois", results = { @Result(name = "success", location = "page.listpois", type = "tiles") })
public String listPois() {
    getFirstName();
    this.userPois = trcHibernateService.getAll(UserGeneratedPoi.class);
    return SUCCESS;
}

@Validations(requiredStrings = {
        @RequiredStringValidator(type = ValidatorType.FIELD, fieldName = "userPoi.brandName", message = "You must enter a brand name for POIs."),
        @RequiredStringValidator(type = ValidatorType.FIELD, fieldName = "userPoi.street1", message = "You must enter a street address for POIs."),
        @RequiredStringValidator(type = ValidatorType.FIELD, fieldName = "userPoi.city", message = "You must enter a city name for POIs."),
        @RequiredStringValidator(type = ValidatorType.FIELD, fieldName = "userPoi.state", message = "You must enter a state name for POIs."),
        @RequiredStringValidator(type = ValidatorType.FIELD, fieldName = "userPoi.zip", message = "You must enter a zip code for POIs.") }, stringLengthFields = { @StringLengthFieldValidator(type = ValidatorType.FIELD, trim = true, minLength = "1", maxLength = "20", fieldName = "userPoi.street1", message = "Street 1 only can have at most 20 characters") })
@Action(value = "generatepoi", results = { @Result(name = "success", location = "page.message", type = "tiles"),
        @Result(name = "input", location = "page.addpoi", type = "tiles") })
public String generatePoi() throws IOException, TemplateException {
    SecurityContext context = SecurityContextHolder.getContext();
    Authentication authentication = context.getAuthentication();
    User user = new User();
    user.setName(authentication.getName());
    user = trcHibernateService.getAll(User.class, user).get(0);
    userPoi.setUserByUserId(user);
    if (userPoi.getId() == null) {
        trcHibernateService.save(userPoi);
    } else {
        try {
            trcHibernateService.merge(userPoi);
            setAction(Integer.valueOf(1));
        } catch (DataIntegrityViolationException dve) {
            addFieldError("userPoi.id", getText("dupicate poi id"));
            return INPUT;
        }
    }

    userPoiDetail.setId(userPoi.getId());
    userPoiDetail.setBusinessHour(getTimeStart() + " " + getTimeEnd() + " ");
    if (trcHibernateService.getById(UserGeneratedPoiDetail.class, userPoi.getId()) == null) {
        userPoiDetail.setUserGeneratedPoi(userPoi);
        trcHibernateService.save(userPoiDetail);
    } else {
        try {
            trcHibernateService.merge(userPoiDetail);
        } catch (DataIntegrityViolationException dve) {
            addFieldError("userPoiDetail.poiId", getText("dupicate poi detail id"));
            return INPUT;
        }
    }

    if (action == null) {
        addActionMessage(getText("addpoi.successful", null, ""));
        mailService.sendMail("shany@telenav.com", "POI Added", templateService.getNewPoiNotificationText(userPoi.getId().toString()));
    } else {
        addActionMessage(getText("editpoi.successful", null, ""));
    }
    return SUCCESS;
}

}
所有@autowired的object全部都是null, 所以在做action的时候会有Nullpointexception出现。

Exception Stack:
java.lang.NullPointerException at com.telenav.trc.action.common.POIAction.listPois(POIAction.java:172) at com.telenav.trc.action.common.POIAction$$FastClassByCGLIB$$83c14b0a.invoke() at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) at org.springframework.aop.framework.Cglib2AopProxy$CglibMethodInvocation.invokeJoinpoint(Cglib2AopProxy.java:688) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:67) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:621) at com.telenav.trc.action.common.POIAction$$EnhancerByCGLIB$$40826733.listPois() at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:452) at com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(DefaultActionInvocation.java:291) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:254) at com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:176) at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:61) at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:133) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:207) at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:207) at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:190) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:75) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:94) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:243) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:100) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:141) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at org.apache.struts2.interceptor.debugging.DebuggingInterceptor.intercept(DebuggingInterceptor.java:270) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:145) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:171) at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at com.opensymphony.xwork2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:176) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:164) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:190) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:187) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248) at org.apache.struts2.impl.StrutsActionProxy.execute(StrutsActionProxy.java:52) at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:498) at org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:77) at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:91) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:368) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:119) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:109) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:261) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:581) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) at java.lang.Thread.run(Thread.java:662)

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

3条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
AngelAndAngel 2011-08-26 09:10
关注
说明是注入的问题
像这样注入的
[code="java"] @Autowired
private TrcHibernateService trcHibernateService; [/code]

都要加上set get方法

本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

查看更多回答(2条)

报告相同问题？

关注问题

Spring Security @PreAuthorize 问题 spring
2011-08-26 02:55

回答 3 已采纳说明是注入的问题像这样注入的 [code="java"] @Autowired private TrcHibernateService trcHibernateService;
Spring Security使用@PreAuthorize("hasRole('ROLE_ADMIN')"报错后端安全架构
2022-01-25 11:48

回答 1 已采纳报错信息翻译过来是：在security上下文中没有找到一个认证对象。导致出现这个问题的原因有很多，你可以先排查一下你的配置文件，有没有写类似于不拦截所有静态文件的代码，如果写了不拦截所有静态文件的代码
spring boot +spring security 无法登录问题 java spring boot 后端
2022-05-01 23:45

回答 1 已采纳啥也没做，自己clean再跑吧
SpringSecurity的注解@PreAuthorize的失效问题
2024-01-10 16:28

TuringWu的博客原因：调用roles方法时源码...问题：测试响应式框架时，测试框架对于权限与角色的拦截问题，对于/delete的访问报错访问拒绝，但是数据里面配置了权限。解决：可以自己封装数据库里面的数据，将权限与角色信息分开处理。
spring security在微服务gateway部署问题 java spring 后端
2021-08-14 14:27

回答 1 已采纳独立的鉴权服务，现在的权限业务一般都要求动态鉴权，直接使用security不太灵活，认证到是可以不过也必要耦合到网关里，独立出去更好些
spring security报栈溢出错误，如何解决？(语言-java) java spring spring boot
2022-02-17 15:04

回答 3 已采纳你的问题出现在这一步，这些都是多余的，光该这个的话，把这些删了就行。 @Override protected void configure(AuthenticationManagerB
SpringSecurity permitAll方式放行资源无效 java spring boot 后端
2022-05-06 20:14

回答 3 已采纳 configure(HttpSecurity http)中配置放行，那还是会走spring security拦截链的， configure(WebSecurity web)中去配置放行，那才是真的放行
基于SpringSecurity的@PreAuthorize实现自定义权限校验方法
2022-08-15 16:07

掉发的小王的博客二、SpringSecurity的@PreAuthorize @PreAuthorize("hasAuthority('system:dept:list')") @GetMapping("/hello") public String hello (){ return "hello"; } 我们进去源码方法中看看具体实现，我们进行模仿！ // ...
spring security 如何获取 controller中的路由参数 java spring spring boot
2022-04-22 21:25

回答 2 已采纳自己实现PermissionEvaluator，想要啥给啥
关于Spring Security问题 java spring boot web安全
2022-08-16 09:58

回答 1 已采纳 implements UserDetailsService @Override public UserDetails loadUserByUsername(String username) th
使用新版本springsecurity遇到的问题 java spring 后端
2023-01-05 21:17

回答 2 已采纳望采纳！！点击回答右侧采纳即可采纳！！！在新版的Spring Security中，你可以通过实现AuthenticationProvider接口或继承DaoAuthenticationProvider
Spring-Security@PreAuthorize(“hasAuthority(‘‘)“)源码分析
2023-12-28 16:33

OkidoGreen的博客 Spring-Security@PreAuthorize(“hasAuthority(’’)”)源码分析@PreAuthorize(“hasAuthority(‘xxx’)”)用来鉴别当前登录用户所拥有的角色是否有xxx权限访问该接口。SpringBoot Security Oauth2角色及权限鉴权...
Springsecurity的tomcat下载问题 java
2022-03-11 14:43

回答 2 已采纳没有引用 tomcat 相关依赖，如果题主是用的 springboot ，需要先引用 spring-boot-starter-web，记得刷新 maven 依赖 <depende
Spring Security @PreAuthorize 拦截无效
2022-03-01 11:10

随风心境的博客 antMatchers("/demo/user-list").access...security:global-method-security pre-post-annotations=“enabled” proxy-target-class=“true” /> 换成Annotation方式以后，则需要使用*** @EnableGlobalMethodSecur
详细分析SpringSecurity中的@PreAuthorize注解
2024-01-27 07:00

码农研究僧的博客在Java中，`@PreAuthorize` 是Spring Security框架中的一个注解，用于在方法调用之前对用户的权限进行验证。允许在方法级别定义访问控制规则，确保只有满足指定条件的用户才能调用该方法这个注解通常与Spring的...
没有解决我的问题, 去提问

悬赏问题

¥30 这是哪个作者做的宝宝起名网站
¥60 版本过低apk如何修改可以兼容新的安卓系统
¥25 由IPR导致的DRIVER_POWER_STATE_FAILURE蓝屏
¥50 有数据，怎么建立模型求影响全要素生产率的因素
¥50 有数据，怎么用matlab求全要素生产率
¥15 TI的insta-spin例程
¥15 完成下列问题完成下列问题
¥15 C#算法问题, 不知道怎么处理这个数据的转换
¥15 YoloV5 第三方库的版本对照问题
¥15 请完成下列相关问题！

Spring Security @PreAuthorize 问题

3条回答 默认 最新

悬赏问题

3条回答默认最新