Spring Security Expressions

[suriin]

Hi ,

I am using Spring 3.0 ,when i use the following Web Secuity expression


<security:intercept-url pattern="/**" access="hasRole('ROLE_ADMIN') and hasIpAddress('192.168.1.2')"/>


when i logged in to application without giving ip('192.168.1.2')

http://localhost:8080/eOffice/HomePage


please let me know whether i need to add some additional namespace or configuration in web.xml or applicationContext.xml

i am getting the following error
java.lang.IllegalArgumentException: Failed to evaluate expression 'hasRole('ROLE_ADMIN') and hasIpAddress('192.168.1.2')'
org.springframework.security.access.expression.Exp ressionUtils.evaluateAsBoolean(ExpressionUtils.jav a:13)
org.springframework.security.web.access.expression .WebExpressionVoter.vote(WebExpressionVoter.java:3 5)
org.springframework.security.access.vote.Affirmati veBased.decide(AffirmativeBased.java:50)
org.springframework.security.access.intercept.Abst ractSecurityInterceptor.beforeInvocation(AbstractS ecurityInterceptor.java:204)
org.springframework.security.web.access.intercept. FilterSecurityInterceptor.invoke(FilterSecurityInt erceptor.java:107)

org.springframework.security.web.authentication.An onymousAuthenticationFilter.doFilter(AnonymousAuth enticationFilter.java:79)
org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 356)
root cause

org.springframework.expression.spel.SpelEvaluation Exception: EL1029Epos 26): A problem occurred when trying to execute method 'hasIpAddress' on object of type 'org.springframework.security.web.access.expressio n.WebSecurityExpressionRoot': 'Problem invoking method: public boolean org.springframework.security.web.access.expression .WebSecurityExpressionRoot.hasIpAddress(java.lang. String)'
org.springframework.expression.spel.ast.MethodRefe rence.getValueInternal(MethodReference.java:93)
org.springframework.expression.spel.ast.OpAnd.getV alueInternal(OpAnd.java:60)
org.springframework.expression.spel.ast.SpelNodeIm pl.getValue(SpelNodeImpl.java:93)
org.springframework.expression.spel.standard.SpelE xpression.getValue(SpelExpression.java:98)
org.springframework.security.access.expression.Exp ressionUtils.evaluateAsBoolean(ExpressionUtils.jav a:11)
org.springframework.security.web.access.expression .WebExpressionVoter.vote(WebExpressionVoter.java:3 5)
org.springframework.security.access.vote.Affirmati veBased.decide(AffirmativeBased.java:50)
org.springframework.security.access.intercept.Abst ractSecurityInterceptor.beforeInvocation(AbstractS ecurityInterceptor.java:204)
org.springframework.security.web.access.intercept. FilterSecurityInterceptor.invoke(FilterSecurityInt erceptor.java:107)
org.springframework.security.web.access.intercept. FilterSecurityInterceptor.doFilter(FilterSecurityI nterceptor.java:84)
org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 356)
org.springframework.security.web.access.ExceptionT ranslationFilter.doFilter(ExceptionTranslationFilt er.java:98)
org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 356)
org.springframework.web.filter.DelegatingFilterPro xy.doFilter(DelegatingFilterProxy.java:167)
root cause

org.springframework.expression.AccessException: Problem invoking method: public boolean org.springframework.security.web.access.expression .WebSecurityExpressionRoot.hasIpAddress(java.lang. String)
org.springframework.expression.spel.support.Reflec tiveMethodExecutor.execute(ReflectiveMethodExecuto r.java:60)
org.springframework.expression.spel.ast.MethodRefe rence.getValueInter
java.lang.IllegalArgumentException: IP Address in expression must be the same type as version returned by request
org.springframework.security.web.access.expression .WebSecurityExpressionRoot.hasIpAddress(WebSecurit yExpressionRoot.java:50)
sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
sun.reflect.NativeMethodAccessorImpl.invoke(Unknow n Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(Un known Source)
java.lang.reflect.Method.invoke(Unknown Source)
org.springframework.expression.spel.support.Reflec tiveMethodExecutor.execute(ReflectiveMethodExecuto r.java:58)
org.springframework.expression.spel.ast.MethodRefe rence.getValueInternal(MethodReference.java:90)
org.springframework.expression.spel.ast.OpAnd.getV alueInternal(OpAnd.java:60)
org.springframework.expression.spel.ast.SpelNodeIm pl.getValue(SpelNodeImpl.java:93)
org.springframework.expression.spel.standard.SpelE xpression.getValue(SpelExpression.java:98)
org.springframework.security.access.expression.Exp ressionUtils.evaluateAsBoolean(ExpressionUtils.jav a:11)
org.springframework.security.web.access.expression .WebExpressionVoter.vote(WebExpressionVoter.java:3 5)
org.springframework.security.access.vote.Affirmati veBased.decide(AffirmativeBased.java:50)
org.springframework.security.access.intercept.Abst ractSecurityInterceptor.beforeInvocation(AbstractS ecurityInterceptor.java:204)
org.springframework.security.web.access.intercept. FilterSecurityInterceptor.invoke(FilterSecurityInt erceptor.java:107)
org.springframework.security.web.access.intercept. FilterSecurityInterceptor.doFilter(FilterSecurityI nterceptor.java:84)
org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 356)
org.springframework.security.web.access.ExceptionT ranslationFilter.doFilter(ExceptionTranslationFilt er.java:98)
org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 356)
org.springframework.security.web.session.SessionMa nagementFilter.doFilter(SessionManagementFilter.ja va:95)
org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 356)
org.springframework.security.web.authentication.An onymousAuthenticationFilter.doFilter(AnonymousAuth enticationFilter.java:79)
org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 356)
org.springframework.security.web.servletapi.Securi tyContextHolderAwareRequestFilter.doFilter(Securit yContextHolderAwareRequestFilter.java:55)
org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 356)
org.springframework.security.web.savedrequest.Requ estCacheAwareFilter.doFilter(RequestCacheAwareFilt er.java:36)
org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 356)
org.springframework.security.web.authentication.http://www.BasicAuthenticationFilter...ilter.java:178)
org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 356)
org.springframework.security.web.authentication.Ab stractAuthenticationProcessingFilter.doFilter(Abst ractAuthenticationProcessingFilter.java:188)
org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 356)
org.springframework.security.web.authentication.lo gout.LogoutFilter.doFilter(LogoutFilter.java:106)
org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 356)
org.springframework.security.web.context.SecurityC ontextPersistenceFilter.doFilter(SecurityContextPe rsistenceFilter.java:80)
org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 356)
org.springframework.security.web.session.Concurren tSessionFilter.doFilter(ConcurrentSessionFilter.ja va:108)
org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 356)
org.springframework.security.web.FilterChainProxy. doFilter(FilterChainProxy.java:150)
org.springframework.web.filter.DelegatingFilterPro xy.invokeDelegate(DelegatingFilterProxy.java:237)
org.springframework.web.filter.DelegatingFilterPro xy.doFilter(DelegatingFilterProxy.java:167)

Please help me to sort out this problem.

Regards,

Suresh

[Marten Deinum]

Please use [ code][/code ] tags when posting code/xml/stacktraces that way it remains readable !!!

If you check the documentation they use a bit of a different expression

Code:

<intercept-url pattern="/admin*" 
        access="hasRole('admin') and hasIpAddress('192.168.1.0/24')"/>

It also includes a bitmask (the /24) although judging from the code it shouldn't matter.

The expression evaluation fails on the following code

Code:

        if (!requiredAddress.getClass().equals(remoteAddress.getClass())) {
            throw new IllegalArgumentException("IP Address in expression must be the same type as " +
                    "version returned by request");
        }

So it appears that they are using either different types of ip addresses or that you have a classloading issue although that is quite hard with the java.net classes as they are part of the jre.

For more information you might want to attach the sources and do some debugging and see what goes on and why it fails.

[pmularien]

Just a guess - make sure you have matching versions of the spring sec and spring core JARs? I agree with Marten, seems like a classloader or similar issue to me.

[wwheeler]

This thread's pretty old, but I ran into this issue as well and wanted to offer another possible explanation. It could be an IPv6 issue: your hasIpAddress pattern is IPv4 (Inet4Address) but the request has an IPv6 (Inet6Address) IP. My knowledge of IPv6 is pretty shaky, but when I changed the pattern to an IPv6 address, the error message went away, so I think I'm on the right track.

E.g., use hasIpAddress('::1') for the IPv6 loopback address.