Why does calling the security authentication property `principal.displayName` in a decorator throw an exception?

Posted by 梦想与她 on 2019-12-10 11:22:39

Question


Is there a reason why calling the security authentication property principal.displayName in a decorator would cause a problem?

I'm setting it as a variable in a sitemesh decorator:

                <c:set var="displayName">
                    <sec:authentication property="principal.displayName" />
                </c:set>

But it generates this exception:

java.lang.RuntimeException: javax.servlet.ServletException: javax.servlet.jsp.JspException: Invalid property 'principal.displayName' of bean class [org.springframework.security.authentication.AnonymousAuthenticationToken]: Bean property 'principal.displayName' is not readable or has an invalid getter method: Does the return type of the getter match the parameter type of the setter?
        at com.opensymphony.sitemesh.webapp.decorator.BaseWebAppDecorator.render(BaseWebAppDecorator.java:39)
        at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:84)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
        at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
        at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
        at com.google.apphosting.utils.jetty.DevAppEngineWebAppContext.handle(DevAppEngineWebAppContext.java:70)
        at org.mortbay.jetty.servlet.Dispatcher.forward(Dispatcher.java:327)
        at org.mortbay.jetty.servlet.Dispatcher.forward(Dispatcher.java:126)
        at org.tuckey.web.filters.urlrewrite.NormalRewrittenUrl.doRewrite(NormalRewrittenUrl.java:195)
        at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:159)
        at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141)
        at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90)
        at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:417)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)

Answer 1:


Your request's Authentication object at that point is an instance of the AnonymousAuthenticationToken class, and that class does not have a property called displayName.

Clearly, Spring Security believes that the user is not logged in. You probably need to

  • change the access rules so that that JSP can only be viewed when the user is logged in, or

  • change the JSP to something like the following (assuming that you are using Spring 3.0.x and you've enabled web security expressions).


<c:set var="displayName">
    <sec:authorize access="isAuthenticated()">
        <sec:authentication property="principal.displayName" />
    </sec:authorize>
</c:set>

References:

  • Expression-based Access Control
  • JSP Tag Libraries
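
An added example, not part of the question or answers and not Spring Security's own code: the same guard written in Java, for cases where the display name is resolved in a controller or filter instead of the JSP. `DisplayNameResolver` and `AppUser` are hypothetical names; `AppUser` stands in for the asker's principal class with a `getDisplayName()` getter.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class DisplayNameResolver {

    // Hypothetical application principal standing in for the asker's class.
    public static class AppUser {
        private final String displayName;
        public AppUser(String displayName) { this.displayName = displayName; }
        public String getDisplayName() { return displayName; }
    }

    private static final AuthenticationTrustResolver TRUST =
            new AuthenticationTrustResolverImpl();

    // Returns the display name, or "" when the request is anonymous.
    public static String resolve(Authentication auth) {
        // isAuthenticated() alone is not enough: AnonymousAuthenticationToken
        // reports true, so the anonymous check must come first.
        if (auth == null || TRUST.isAnonymous(auth) || !auth.isAuthenticated()) {
            return "";
        }
        Object principal = auth.getPrincipal();
        if (principal instanceof AppUser) {
            return ((AppUser) principal).getDisplayName();
        }
        // Other principal types (e.g. UserDetails or a String): fall back to the username.
        return auth.getName();
    }

    public static void main(String[] args) {
        // Constructed sample tokens, not taken from the page.
        Authentication anon = new AnonymousAuthenticationToken("sample-key",
                "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        Authentication user = new UsernamePasswordAuthenticationToken(
                new AppUser("Alice Example"), "n/a",
                AuthorityUtils.createAuthorityList("ROLE_USER"));

        System.out.println("anonymous principal type: " + anon.getPrincipal().getClass().getName());
        System.out.println("anonymous isAuthenticated(): " + anon.isAuthenticated());
        System.out.println("anonymous display name: '" + resolve(anon) + "'");
        System.out.println("logged-in display name: '" + resolve(user) + "'");
    }
}
```

For the anonymous token the principal is a plain `String`, which is why the tag in the question finds no `displayName` property on it.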



Answer 2:


Following the answer of Stephen C and the references given by him, I successfully wrote my code as:

<sec:authorize access="hasAnyRole('ROLE_DEFINED_1','ROLE_DEFINED_2')">
    <sec:authentication property="principal.displayName" />
</sec:authorize>

where ROLE_DEFINED_1 and ROLE_DEFINED_2 are roles defined in your application.



Source: https://stackoverflow.com/questions/3487162/why-does-calling-the-security-authentication-property-principal-displayname-in
