spring security异常记录:org.springframework.security.access.AccessDeniedException: Access is denied

已于 2022-02-11 21:27:37 修改
阅读量2w 收藏 5
点赞数 1
分类专栏: bug 文章标签: spring java 安全 bug
于 2022-02-11 15:32:23 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_56769991/article/details/122881160
版权

最近在做ssm项目的时候用到spring security时遇到了异常,如下所示:

15:06:28,144 DEBUG FilterSecurityInterceptor:348 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@52dd6d71: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
15:06:28,180 DEBUG AffirmativeBased:66 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@1f4acb36, returned: -1
15:06:28,185 DEBUG ExceptionTranslationFilter:181 - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)

网上查阅了很多资料,出现这种异常主要有以下几种原因:

情况一

用户已经登录成功,但是该用户的权限不能够操作受限制的页面
我看了我的配置文件,发现出现的错误并不是该原因:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
						http://www.springframework.org/schema/beans/spring-beans.xsd
						http://www.springframework.org/schema/mvc
						http://www.springframework.org/schema/mvc/spring-mvc.xsd
						http://code.alibabatech.com/schema/dubbo
						http://code.alibabatech.com/schema/dubbo/dubbo.xsd
						http://www.springframework.org/schema/context
						http://www.springframework.org/schema/context/spring-context.xsd
                     http://www.springframework.org/schema/security
                     http://www.springframework.org/schema/security/spring-security.xsd">

<!--    定义放行的页面-->
    <security:http security="none" pattern="/login.html"></security:http>
    <security:http security="none" pattern="/css/**"></security:http>
    <security:http security="none" pattern="/img/**"></security:http>
    <security:http security="none" pattern="/js/**"></security:http>
    <security:http security="none" pattern="/plugins/**"></security:http>

<!--    定义保护的页面,只要认证通过就放行,具体的权限使用注解的方式去拦截-->
    <security:http auto-config="true" use-expressions="true">
        <security:intercept-url pattern="/pages/**" access="isAuthenticated()"></security:intercept-url>

        <security:headers>
            <!--设置在页面可以通过iframe访问受保护的页面,默认为不允许访问-->
            <security:frame-options policy="SAMEORIGIN"></security:frame-options>
        </security:headers>

<!--        自定义登陆页面-->
        <security:form-login
            login-page="/login.html"
            username-parameter="username"
            password-parameter="password"
            login-processing-url="/login.do"
            default-target-url="/pages/main.html"
            authentication-failure-url="/login.html"
        ></security:form-login>
        <security:csrf disabled="true"></security:csrf>


<!--        退出登录-->
        <security:logout
                logout-url="/logout.do"
                logout-success-url="/login.html"
                invalidate-session="true"></security:logout>
    </security:http>

<!--    授权关系管理-->
    <security:authentication-manager>
        <security:authentication-provider user-service-ref="springSecurityUserService">
            <security:password-encoder ref="passwordEncoder"></security:password-encoder>
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"></bean>

    <security:global-method-security pre-post-annotations="enabled"></security:global-method-security>

</beans>

其中

<security:intercept-url pattern="/pages/**" access="isAuthenticated()"></security:intercept-url>

表示只要是登录成功的都可以访问pages下的页面,但是我登录了却还是报错

情况二:

网上的观点:
在这里插入图片描述

情况三:

我的分析:

org.springframework.security.access.AccessDeniedException: Access is denied
	at

这个异常在spring security中通常都是指登录的用户没有权限访问请求的资源。但是我看了配置文件是正常配置了访问权限的。之后我又看了打印的日志信息:
在这里插入图片描述

我的异常出现之前都会有这个日志,我的猜想是无论我登录了怎样的用户,被授予的权限都是ROLE_ANONYMOUS (表示匿名用户)
所以导致我无权访问被保护的页面。

解决方案

已解决

我的错误:禁用了网站的cookie
在这里插入图片描述

允许cookie即可
在这里插入图片描述

参考文章:
Spring Security出现问题:Access is denied 及我的解决方案

User Granted Authorities are always : ROLE_ANONYMOUS?

登录不跳转RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS

sword to coding
关注
  • 1
    点赞
  • 5
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
拒绝访问异常处理(AccessDeniedException)_spring security例子
09-23
拒绝访问异常处理(AccessDeniedException)_spring security例子 博客:blog.csdn.net/dsundsun
【解决】分析SpringSecurity访问请求权限不足AccessDeniedException问题
sunao1106的博客
08-13 6114
> 该方法中首先调用了`this.obtainSecurityMetadataSource().getAttributes(object)`方法,通过当前请求路径获取到**访问该请求所需要的权限**(object是上一步调用传过来的参数,封装了我们请求路径的一些信息)。.........
Spring Security出现问题:Access is denied 及我的解决方案
热门推荐
txd2016_5_11的博客
01-24 6万+
近日使用spring security,xml文件如下: ...... <!-- 页面拦截规则 --> <http pattern="/shoplogin.html" security="none"></http> <http pattern="/loginerror.html" security="none"></http> ...
使用SpringSecurity出现程序包org.springframework.security......不存在的问题--已解决
最新发布
qq_51366518的博客
05-06 365
1:如下图:把画圈的地方勾选上,将编译托给maven来解决,使得Maven包生效,不过该方法在接下来的使用中可能会报The POM for ..............:jar:0.0.1-SNAPSHOT is missing, no dependency information available的问题。2:打开项目终端,在该终端下运行mvn idea:idea。准确的来说是在有问题的项目下运行mvn idea:idea。
解决org.springframework.security.access.AccessDeniedException: Access is denied at org.springframewor
qq_52227892的博客
09-15 3026
anonymous() 用于明确指定只允许未经身份验证的用户访问,如果用户进行了身份验证反而不能访问,这种配置一般用于登录、注册页面,用户未登录时候可以访问,登录之后不能访问,而 .permitAll()用于明确指定允许所有用户(包括已登录的用户)访问。
org.springframework.security.access.AccessDeniedException: Access is denied
qq_39354140的博客
02-22 1151
使用SpringSecurity时,已经允许登录接口匿名访问: 还是报错: 原因 在过滤器中使用 SecurityContextHolder 对所有请求都进行了授权,而 .anonymous() 只允许未授权的请求访问 在过滤器中将授权业务放在token验证后,token为空的直接放行,不进行授权
关于org.springframework.security.access.AccessDeniedException: Access is denied问题
San_Chi的博客
08-07 2万+
启动程序,一直登陆不进去 点击登陆按钮却一直在登陆页面,后台报错org.springframework.security.access.AccessDeniedException: Access is denied 具体错误信息如下: org.springframework.security.access.AccessDeniedException: Access is denied at or...
spring security刚打开页面报org.springframework.security.access.AccessDeniedException: Access is denied
jhbjhbk的博客
02-20 2526
spring securityAccess is denied异常处理      访问时刚打开也面报错,但可以登录,下面是我遇到这个情况的解决 org.springframework.security.access.AccessDeniedException: Access is denied at org.springframework.se...
关于org.springframework.security.AccessDeniedException: Access is denied
Alex Zhou
05-06 2003
在做系统权限管理时使用了springsecurity,出现了如下问题,当一个未授权的用户访问一个被保护的方法时,抛出org.springframework.security.AccessDeniedException: Access is denied。未转到指定的拒绝访问页面,但是当该用户访问被保护的页面时,却能成功转向指定的拒绝访问页面。异常如下:   org.springframewor...
org.springframework.security.access.AccessDeniedException: 不允许访问
louis_lee7812的专栏
10-22 7620
org.springframework.security.access.AccessDeniedException: 不允许访问。原因是:@PreAuthorize 注解的异常,抛出AccessDeniedException异常,不会被accessDeniedHandler捕获,而是会被全局异常捕获。
spring-security.rar
08-30
<groupId>org.springframework.boot <artifactId>spring-boot-starter-security ``` 一旦依赖添加完成,Spring Security 将自动启用,并提供默认的安全配置。然而,在实际项目中,我们通常需要根据业务需求进行...
Spring Security 3.x 完整入门教程 源代码
03-10
6. **异常处理**:当安全检查失败时,Spring Security会抛出相应的异常,如`AccessDeniedException`表示用户没有足够的权限,`AuthenticationException`表示认证失败。你可以自定义异常处理逻辑,提供友好的错误页面...
Spring Security如何使用URL地址进行权限控制
08-25
import org.springframework.security.access.AccessDeniedException; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.authentication....
Spring-Security2.0.zip
08-29
7. **异常处理**:当访问控制失败时,Spring Security 会抛出特定的异常,如`AccessDeniedException`或`AuthenticationException`。这些异常可以被捕获并自定义处理。 8. **集成Spring MVC**:在Web应用中,Spring ...
【已解决】org.springframework.security.access.AccessDeniedException: Access is denied
weixin_46539792的博客
04-17 1万+
错误:org.springframework.security.access.AccessDeniedException: Access is denied 在学习黑马培训班权限管理系统项目学习到day04的知识点查询用户时,发现正常登录没问题,但是点击导航栏的菜单提示403错误,权限不足,错误提示如下: 控制台错误提示如下: org.springframework.security.acces...
org.springframework.security.access.AccessDeniedException: Access is denied异常
qq_33014331的博客
06-02 987
在搭建spring oauth2.0 授权码模式demo时,使用code获取token时,一直提示这个错误,后来发现是因为配置问题: [DEBUG] ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point <org.springframework.security.access.AccessDeniedException: Access is
SpringSecurity问题分析之AccessDeniedException: Access is denied 源码分析
weixin_43180484的博客
04-10 1万+
问题描述 org.springframework.security.access.AccessDeniedException: Access is denied 2021-04-10 16:17:01.950 DEBUG [authorization-server,8c5f48650de0f659,83580d93d6acb342,false] 7328 — [nio-8000-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking matc
org.springframework.security.access.AccessDeniedException: Access is denied报错
qq_44932835的博客
08-26 2258
org.springframework.security.access.AccessDeniedException: Access is denied报错
public interface UserDetails extends Serializable { /** * Returns the authorities granted to the user. Cannot return <code>null</code>. * @return the authorities, sorted by natural key (never <code>null</code>) */ Collection<? extends GrantedAuthority> getAuthorities(); /** * Returns the password used to authenticate the user. * @return the password */ String getPassword(); /** * Returns the username used to authenticate the user. Cannot return * <code>null</code>. * @return the username (never <code>null</code>) */ String getUsername(); /** * Indicates whether the user's account has expired. An expired account cannot be * authenticated. * @return <code>true</code> if the user's account is valid (ie non-expired), * <code>false</code> if no longer valid (ie expired) */ boolean isAccountNonExpired(); /** * Indicates whether the user is locked or unlocked. A locked user cannot be * authenticated. * @return <code>true</code> if the user is not locked, <code>false</code> otherwise */ boolean isAccountNonLocked(); /** * Indicates whether the user's credentials (password) has expired. Expired * credentials prevent authentication. * @return <code>true</code> if the user's credentials are valid (ie non-expired), * <code>false</code> if no longer valid (ie expired) */ boolean isCredentialsNonExpired(); /** * Indicates whether the user is enabled or disabled. A disabled user cannot be * authenticated. * @return <code>true</code> if the user is enabled, <code>false</code> otherwise */ boolean isEnabled(); }
05-18
这是一个 Java 接口,名为 UserDetails,用于表示用户的详细信息。它包含了以下方法: 1. getAuthorities() 返回授予用户的权限集合。 2. getPassword() 返回用户用于身份验证的密码。 3. getUsername() 返回用户用于身份验证的用户名。 4. isAccountNonExpired() 指示用户的帐户是否已过期。 5. isAccountNonLocked() 指示用户是否已被锁定。 6. isCredentialsNonExpired() 指示用户的凭据(密码)是否已过期。 7. isEnabled() 指示用户是否已启用。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值