spring boot+spring security认证authorities反序列化失败的错误,SimpleGrantedAuthority`cannot deserialize Object

已于 2024-08-19 11:33:28 修改
阅读量209 收藏 5
点赞数 4
分类专栏: springsecurity springboot mybatis-plus 文章标签: spring spring boot 后端
于 2024-08-19 00:59:06 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_43562801/article/details/141308201
版权

报错信息


org.springframework.data.redis.serializer.SerializationException: Could not read JSON: Cannot construct instance of `org.springframework.security.core.authority.SimpleGrantedAuthority` 
(although at least one Creator exists): cannot deserialize from Object value (no delegate- or property-based Creator)
 at [Source: (byte[])"{"@class":"com.xgj.application.domain.LoginUser","user":{"@class":"com.xgj.application.entity.User","id":2,"userName":"user1","nickName":"One",
"password":"$2a$10$zu9.95bseAFDpVGfjTv/XejhEGJhXdA8EV9mZaGpfHX6THQGYOPNy","status":"0","email":"user1@example.com","phoneNumber":"12345678901","sex":"1","avatar":"avatar_url1","userType":"1","createBy":null,"createTime":["java.util.Date",1723900660000],"updateBy":null,"updateTime":["java.util.Date",1723900660000],"delFlag":0},
"permissions":["java.util.Arr"
[truncated 595 bytes]; line: 1, column: 670] (through reference chain: com.xgj.application.domain.LoginUser["authorities"]->java.util.ArrayList[0]); nested exception is

实体类中所有的有返回值的方法都会将返回的值序列化,但是反序列化时是根据set方法来实现的,所以当实体类中有非get,set方法的方法有返回值时,反序列化时就会出错。
例如

public class User implements UserDetails {
    
    public String userid;
    public String Uusername;
    public String Ppassword;
    public String role;
    public String getUusername() {
        return Uusername;
    }

    public String getRole() {
        return role;
    }

    public void setRole(String role) {
        this.role = role;
    }

    public void setUusername(String uusername) {
        Uusername = uusername;
    }

    public String getPpassword() {
        return Ppassword;
    }

    public void setPpassword(String ppassword) {
        Ppassword = ppassword;
    }
    public String getUserid() {
        return userid;
    }

    public void setUserid(String userid) {
        this.userid = userid;
    }


    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return null;
    }

    @Override
    public String getPassword() {
        return Ppassword;
    }

    @Override
    public String getUsername() {
        return Uusername;
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }
}

在实体类user中只有userid,Uusername, Ppassword,role这四个属性都有get,set方法,但是其他方法有返回值,所以在序列化时,其他方法返回的值也会被序列化存在缓存中,此时不会出错,但是从缓存中反序列化时就因为有些值没有set方法,所以会出错。

解决方法一:
实体类中只放get,set方法或返回值为空的方法。

解决方法二:
但有时会碰到必须要有有返回值的其他方法,例如在整合security时自定义登录认证和权限认证时需要继承UserDetail,就必须有其他方法,这时候可以RedisTemplate的设置里加
om.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);具体如在下方
 

package com.xgj.application.config;

import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.annotation.PropertyAccessor;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.data.redis.serializer.Jackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.StringRedisSerializer;

@Configuration
public class RedisConfig {

    @Bean
    public RedisTemplate<String, Object> redisTemplate(RedisConnectionFactory connectionFactory) {

        RedisTemplate<String, Object> template = new RedisTemplate<String, Object>();
        template.setConnectionFactory(connectionFactory);
        //序列化配置
        Jackson2JsonRedisSerializer jackson2JsonRedisSerializer = new Jackson2JsonRedisSerializer(Object.class);
        ObjectMapper om = new ObjectMapper();
        om.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.ANY);
        om.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        //om.activateDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);  过期方法,采用下面代替
        om.activateDefaultTyping(LaissezFaireSubTypeValidator.instance, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        jackson2JsonRedisSerializer.setObjectMapper(om);
        //String序列化
        StringRedisSerializer stringRedisSerializer = new StringRedisSerializer();
        // key采用String的序列化方式
        template.setKeySerializer(stringRedisSerializer);
        // hash的key也采用String的序列化方式
        template.setHashKeySerializer(stringRedisSerializer);
        // value序列化方式采用jackson
        template.setValueSerializer(jackson2JsonRedisSerializer);
        // hash的value序列化方式采用jackson
        template.setHashValueSerializer(jackson2JsonRedisSerializer);
        template.afterPropertiesSet();
        return template;
    }

}

解决方法三:就是在有返回值的非get,set方法中加@JsonIgnore 

package com.xgj.application.domain;

import cn.hutool.core.collection.CollectionUtil;
import com.baomidou.mybatisplus.annotation.TableField;
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.xgj.application.entity.User;
import lombok.Data;
import lombok.NoArgsConstructor;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
 * @Auther: xgj
 * @Desc:
 * @Create: 2024/8/17
 * @Verson: 1.0
 */
@Data
@NoArgsConstructor
public class LoginUser implements UserDetails {


    private User user;
    
    private List<String> permissions;
    // 用户的权限列表,通常是GrantedAuthority的集合
    private Collection<? extends GrantedAuthority> authorities;

    // 实现UserDetails接口所需的方法
    @Override
    @JsonIgnore
    public Collection<? extends GrantedAuthority> getAuthorities() {
        if (CollectionUtil.isNotEmpty(authorities)) {
            return authorities;
        }
        List<SimpleGrantedAuthority> grantedAuthorities = new ArrayList<>();
        for (String permission : permissions) {
            SimpleGrantedAuthority simpleGrantedAuthority = new SimpleGrantedAuthority(permission);
            grantedAuthorities.add(simpleGrantedAuthority);
        }
        authorities = grantedAuthorities;
        return authorities;
    }

 

    public LoginUser(User user, List<String> permissions) {
        this.user = user;
        this.permissions = permissions;
    }


  
    @Override
    public String getPassword() {
        return user.getPassword();
    }

    
    @Override
    public String getUsername() {
        return user.getUserName();
    }

    @JsonIgnore
    @Override
    public boolean isAccountNonExpired() {
        return true; // 假设status >= 0表示账户未过期
    }

    @JsonIgnore
    @Override
    public boolean isAccountNonLocked() {
        return true; // 假设账户总是未锁定的
    }

    @JsonIgnore
    @Override
    public boolean isCredentialsNonExpired() {
        return true; // 假设凭证总是未过期的
    }

    @JsonIgnore
    @Override
    public boolean isEnabled() {
        return true; // 假设status == 0表示账户启用
    }
}

附上加了@JsonIgnore注解后,Redis中存的值没有那些isEnabled,isAccountNonLocked等值。Redis存的值如下

{"@class":"com.xgj.application.domain.LoginUser","user":{"@class":"com.xgj.application.entity.User","id":2,"userName":"user1",
"nickName":"One","password":"$2a$10$zu9.95bseAFDpVGfjTv/XejhEGJhXdA8EV9mZaGpfHX6THQGYOPNy","status":"0","email":"user1@example.com","phoneNumber":"12345678901","sex":"1",
"avatar":"avatar_url1","userType":"1","createBy":null,"createTime":["java.util.Date",1723900660000],"updateBy":null,"updateTime":["java.util.Date",1723900660000],"delFlag":0},"permissions":["java.util.ArrayList",["ROLE_test","ROLE_admin","ROLE_supadmin"]]}

tips: 权限信息(authorities)不会存到缓存Redis中获取值后permissions时会set到authorities中去。从Redis获取到的值如下

(user=User(id=2, userName=user1, nickName=One, password=$2a$10$zu9.95bseAFDpVGfjTv/XejhEGJhXdA8EV9mZaGpfHX6THQGYOPNy, status=0, email=user1@example.com, phoneNumber=12345678901, sex=1, avatar=avatar_url1, userType=1, createBy=null, createTime=Sat Aug 17 21:17:40 CST 2024, updateBy=null, updateTime=Sat Aug 17 21:17:40 CST 2024, delFlag=0), permissions=[ROLE_test, ROLE_admin, ROLE_supadmin], authorities=[ROLE_test, ROLE_admin, ROLE_supadmin])

Spring Boot低版本可以试一下加如下注解。

        参考了很多博客总结出来的,感谢所有分享技术博客的朋友们。

weixin_43562801
关注
  • 4
    点赞
  • 5
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
company-structure-spring-security-oauth2-authorities:示例Spring Boot + Spring Security + OAuth2项目用于演示
05-26
示例Spring Boot + Hibernate + Spring Security + OAuth2项目用于演示。 入门 先决条件: Java 8 玛文 H2 / PostgreSQL 可以在两个配置文件之一中运行应用程序: 22 Postgres 取决于选择进行测试的数据库引擎...
记录一下spring boot+spring security认证authorities反序列化失败错误
m0_47576928的博客
07-30 4000
控制台报错如下: 2021-07-30 14:54:14.423 ERROR 2348 --- [nio-9002-exec-2] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.spr
Cannot construct instance of org.springframework.security.core.GrantedAuthority错误解决
机智的爆爆哥
02-03 5085
错误描述 com.fasterxml.jackson.databind.exc.InvalidDefinitionException: Cannot construct instance of org.springframework.security.core.GrantedAuthority (no Creators, like default constructor, exist): abstract types either need to be mapped to concrete types, h
SpringSecurity回顾
Criven的博客
06-12 128
目录8. 众筹项目加入 SpringSecurity 环境8.1 加入依赖8.2 Filter8.3 配置类8.4 自动扫描的包 8. 众筹项目加入 SpringSecurity 环境 8.1 加入依赖 <!-- SpringSecurity 对 Web 应用进行权限管理 --> <dependency> <groupId>org.springframework.security</groupId>
springMVC post 参数报错:Cannot construct instance of `xxx` (no Creators, like defaultconstruct, exist)
qq_30583675的博客
02-26 1万+
原因: 没有默认的构造函数 解决: 默认的类添加构造函数 public class DBSystem { public DBSystem() { } }
Cannot construct instance of `org.springframework.security.core.authority.SimpleGrantedAuthority`
weixin_34402408的博客
03-12 4285
2019独角兽企业重金招聘Python工程师标准>>> ...
Spring Boot中使用 Spring Security 构建权限系统的示例代码
08-29
Spring Boot中使用Spring Security构建权限系统的示例代码 在本篇文章中,我们将主要介绍如何使用Spring Security框架在Spring Boot项目中构建权限系统。权限控制是非常常见的功能,在各种后台管理系统中权限控制更...
Spring Boot中整合Spring Security并自定义验证代码实例
08-30
Spring Boot应用中整合Spring Security是为了提供安全控制,保护应用程序免受未经授权的访问。下面将详细解释如何在Spring Boot中实现这一过程,并自定义验证逻辑。 首先,我们需要在`pom.xml`中引入Spring ...
Spring Security基于数据库实现认证过程解析
08-18
Spring Security基于数据库实现认证过程解析 Spring Security是一个功能强大且灵活的安全框架,提供了基于数据库的认证机制。本文将通过示例代码详细介绍Spring Security基于数据库实现认证过程的详细解析。 一、...
spring-boot-security.zip
08-01
Spring Boot Security支持国际化,通过配置`messages.properties`文件,提供不同语言环境下的错误提示。 ### RESTful API安全 对于RESTful API,可使用JWT(JSON Web Token)进行身份验证和授权,这需要额外的配置...
SpringSecurity中授权时fastjson序列化问题
最新发布
qq_63918780的博客
06-23 1106
学习Spring Security遇到的鉴权问题
No constructor found in org.springframework.security.core.userdetails.User matching
肉man
10-15 1397
异常: No constructor found in org.springframework.security.core.userdetails.User 原因: 返回的userList的pojo类导入了User(spring-security类型的,而非自定义的) HTTP Status 500 – Internal Server Error Type Exception Report M...
spring boot security的简单学习demo
菜鸟阿达
09-27 3627
项目的目录结构如图 bootstrap.min.css自己上网上找到下载吧pom.xml<!-- Spring Boot 启动父依赖 核心模块,包括自动配置支持、日志和YAML--> <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-par
SpringBoot 提示: Cannot construct instance of `*` (no Creators, like default construct, exist)
zhouzhiwengang的专栏
01-13 1万+
SpringBoot 提示:Cannot construct instance ofcom.digipower.sercurity.entity.JwtUserDetails(no Creators, like default construct, exist): cannot deserialize from Object value (no delegate- or property-based Creator) at [Source: (org.apache.catalina.connector...
Spring Security身份认证UserDetailsService
热门推荐
小尘
04-30 5万+
zhiqian我们采用了配置文件的方式从数据库中读取用户进行登录。虽然该方式的灵活性相较于静态账号密码的方式灵活了许多,但是将数据库的结构暴露在明显的位置上,绝对不是一个明智的做法。本文通过Java代码实现UserDetailsService接口来实现身份认证。     1.1 UserDetailsService在身份认证中的作用     Spring S
org.springframework.security.core.userdetails.UserDetails
Meditation_Crazy
11-27 8625
前言 集成spring security,项目启动,提示找不到UserDetails。 解决办法 所有引入了UserDetails实现类的代码,都要引入spring security的依赖。
http.csrf().disable(). authorizeRequests() .antMatchers("/miniapp/login", "/PC/login").permitAll() .antMatchers("/swagger-ui.html", "/swagger-resources/**", "/v2/api-docs", "/webjars/**").permitAll() .anyRequest().authenticated() .and() .httpBasic(); public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication() .withUser("admin").password("{noop}admin").roles("ADMIN") .and() .withUser("user").password("{noop}user").roles("USER"); } public UserDetails loadUserByUsername(String phone) throws UsernameNotFoundException { User user = userInfoService.selectUserByPhone(phone); if (null == user) { throw new UsernameNotFoundException("User not found with phone: " + phone); } return new org.springframework.security.core.userdetails.User(user.getPhoneNumber(), user.getPassword(), getAuthority(user.getRole())); } private List<GrantedAuthority> getAuthority(Integer role) { String roles = "user"; switch (role){ case 0: roles = "admin"; break; case 1: roles = "user"; break; case 2: roles = "staff"; break; } return Arrays.asList(new SimpleGrantedAuthority(roles)); } ,/PC/login返回token后,访问@ApiOperation(value = "PC端用户修改密码") @PutMapping("/ChangePassword") public JsonData ChangePassword(@RequestBody UserInfo userInfo) 该接口,前端vue要如何访问?
06-08
您可以在前端使用axios库来发送请求,示例代码如下: ```javascript // 假设服务端地址为 http://localhost:8080 // 先请求登录接口获取token axios.post('http://localhost:8080/PC/login', { // 填写登录信息 }).then(response => { // 登录成功后在响应中获取token const token = response.data.token; // 发送修改密码请求,需要在请求头中携带token axios.put('http://localhost:8080/ChangePassword', { // 填写修改密码信息 }, { headers: { 'Authorization': 'Bearer ' + token } }).then(response => { // 处理修改密码请求响应 }).catch(error => { // 处理请求异常 }); }).catch(error => { // 处理登录请求异常 }); ``` 在请求修改密码接口时,需要在请求头中携带token,Authorization字段的值为 "Bearer " + token。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值