I am new to Spring Security. I've seen many posts on how to inject values via annotation from an external property file. I've tried many ways, but I always end up with a java.lang.IllegalArgumentException: Could not resolve placeholder 'val.id' exception.
Can you give me some tips on how to handle this exception, please?
My Java class is the following:
@Controller
public class Employee {
    @Value("${val.id}")
    public String valId;

    public String getValId() {
        return valId;
    }

    public void setValId(String valId) {
        this.valId = valId;
    }
}
My property file is called val.properties, which is located under WEB-INF, and its content is
val.id=xyz
I put the following in my main context bean.
<context:property-placeholder location="/WEB-INF/*.properties" />
<bean id="valProp" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"
p:location="/WEB-INF/val.properties"/>
A continuous question:
Injecting values from the properties file into annotated beans works fine, as I accepted the answer above. However, I am not able to inject them into the @PreAuthorize(...) annotation by following the same procedure.
Assume I want to secure a method called 'update'. This method is allowed if and only if valId is equal to empId. The values of valId and empId are initialized in the val.properties file.
My Java bean is:
public class Employee {
    public String valId;
    public String empId;

    public String getValId() {
        return valId;
    }

    public void setValId(String valId) {
        this.valId = valId;
    }

    public String getEmpId() {
        return empId;
    }

    public void setEmpId(String empId) {
        this.empId = empId;
    }
}
My property file contains:
val.id=nn
emp.id=nn
I have the placeholder configuration in my main context file:
<context:property-placeholder location="/WEB-INF/*.properties" />
<bean id="valProp" class="org.springframework.beans.factory.config.PropertiesFactoryBean"
p:location="/WEB-INF/val.properties"/>
My PreAuthorize annotation (method security) is:
@PreAuthorize("(#{valProp['val.id']} == #{valProp['emp.id']})")
public boolean update() {
    // if accessible
    return true;
}
But the expression #{valProp['val.id']} == #{valProp['emp.id']} is not evaluated.
Did I make a mistake injecting the values? It worked when I annotated member variables, but it doesn't work here. Any ideas, please? Thanks in advance.
Try to consider the following:
1) Change your annotation to:
@Value("#{valProp['val.id']}")
2) Replace PropertyPlaceholderConfigurer with PropertiesFactoryBean.
Hope this will resolve the exception.
The reason the exception is thrown is that the property placeholder by default throws an exception when a value cannot be resolved.
Furthermore, you have two property placeholders, via which probably not all values can be resolved.
You can change this behaviour by setting the ignore-unresolvable property:
<context:property-placeholder location="/WEB-INF/*.properties" ignore-unresolvable="true" />
<bean id="valProp" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"
p:location="/WEB-INF/val.properties" p:ignoreUnresolvablePlaceholders="true" />
Note, however, that by turning off this feature, typos in a property file will not be detected.
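One way to get typo detection back when ignore-unresolvable is enabled, as an added example that is not part of the original answers: a BeanPostProcessor that fails startup if an @Value field still holds placeholder text. The class name is hypothetical, and the sketch assumes Spring Framework 5 or later and that the class is registered as a bean (for example through component scanning).

```java
import org.springframework.beans.factory.BeanInitializationException;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.stereotype.Component;
import org.springframework.util.ReflectionUtils;

// Hypothetical class name; added example, not code from the thread.
@Component
public class UnresolvedPlaceholderCheck implements BeanPostProcessor {

    @Override
    public Object postProcessBeforeInitialization(Object bean, String beanName) {
        // @Value fields have already been populated when this callback runs.
        ReflectionUtils.doWithFields(bean.getClass(), field -> {
            ReflectionUtils.makeAccessible(field);
            Object value = field.get(bean);
            // With unresolvable placeholders ignored, an unknown key is injected
            // verbatim: the field holds the literal text "${val.idd}", not "xyz".
            if (value instanceof String && ((String) value).contains("${")) {
                throw new BeanInitializationException("Bean '" + beanName + "', field '"
                        + field.getName() + "' still holds an unresolved placeholder: " + value);
            }
        }, field -> field.isAnnotationPresent(Value.class)); // only inspect @Value fields
        return bean;
    }
}
```

This matters most when the injected value feeds a security decision, because a literal "${...}" string never equals the value it was meant to carry.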
Related
I would like to make the execution of an event handler dependent on whether or not a property is set to true in a properties file.
@EventListener(ContextRefreshedEvent.class, condition = "${service.enabled}")
public void onStartup() { }
However, this does not seem to work. I am getting the following error on startup:
org.springframework.expression.spel.SpelParseException: EL1043E:(pos 1): Unexpected token. Expected 'identifier' but was 'lcurly({)'
Is it possible to use a property from a properties file as a condition here?
The issue is that the condition argument is expecting a SpEL expression.
This works, try it out.
In your bean where you have this @EventListener, add these lines:
public boolean isServiceEnabled() {
    return serviceEnabled;
}

@Value("${service.enabled}")
public boolean serviceEnabled;
Change your declaration of the event listener like this:
@EventListener(classes = ContextRefreshedEvent.class, condition = "@yourbeanname.isServiceEnabled()")
public void onStartup() { }
Replace yourbeanname with the correct bean name.
I had the same annoying experience (with Spring Boot 2.4.2 on Java 11).
In my case I had the boolean property in a @ConfigurationProperties class anyway, in the same Java file, and still struggled a bit. First, the @ConfigurationProperties class needs to be annotated as @Component to actually be a valid bean that can be used in SpEL.
And I had to use the same long attribute name for the ConfigurationProperties in the Service itself and in the EventListener annotation for the bean resolution to work fine. I also needed some of the ConfigurationProperties values in another place of the Service, that's why they needed to be (constructor) autowired as well...
So this worked for me:
@ConfigurationProperties("my.custom.path")
@Component // Important to make this a proper Spring Bean
@Data // Lombok magic for getters/setters etc.
class MyCustomConfigurationProperties {
    boolean refreshAfterStartup = true;
}

@Service
@RequiredArgsConstructor // Lombok for the constructor
@EnableConfigurationProperties(MyCustomConfigurationProperties.class)
@EnableScheduling
public class MyCustomService {
    private final MyCustomConfigurationProperties myCustomConfigurationProperties;

    @EventListener(value = ApplicationReadyEvent.class, condition = "@myCustomConfigurationProperties.refreshAfterStartup")
    public void refresh() {
        // the actual code I want to execute on startup conditionally
    }
}
I'm setting up a Spring Boot (v1.2.6) web project and using Spring Security (v3.2.8). I've found the @PreAuthorize annotation so handy, but I don't know if there's a way to read Boot's properties from the SpEL in the annotation. I'm trying to do it this way:
@PreAuthorize("mysecurity.permit")
With the property declared in application.yml:
mysecurity:
  permit: true
But I'm getting
Failed to evaluate expression 'mysecurity.permit'
I've made an attempt with #mysecurity.permit and ${mysecurity.permit} too, with the same result. It seems possible to declare a method in a service and access it in #service.isMySecurityPermited() way, however I would be pleased to know if I'm able to access the property directly.
The values used in an annotation must be constants. They are evaluated at compile time, and while they may be retained for use at runtime they aren't re-evaluated. So you can use an expression that's evaluated by SpEL, or you can write a helper method that is referenced within the annotation value.
If you look at the OnExpressionCondition implementation, you will notice that it gets the value passed to the annotation, which in the case linked in your comment would be something like @ConditionalOnExpression("${server.host==localhost} or ${server.port==8080} "). The annotation simply gets the text value; it has no idea what the text represents, it just knows it's a string. It's in the processing of the annotation value within OnExpressionCondition that the String value takes meaning. They take the String value and pass it to a BeanExpressionResolver for resolution.
So, in your PreAuthorize solution, which, based on http://forum.spring.io/forum/spring-projects/security/100708-spel-and-spring-security-3-accessing-bean-reference-in-preauthorize, also passes it to an expression processor, you should be able to use Spring's expression language to reference any bean property.
I'm not in a situation to test it currently, but from that thread it seems like you could do something like
@Component
public class MyBean {
    @Value("${mysecurity.permit}")
    private Boolean permit;

    public boolean isPermitted() { return permit; }

    @PreAuthorize("@myBean.isPermitted()")
    public blah myMethod() {
        // do stuff
    }
}
This may be a generic way to evaluate expressions which I want to share with you:
@Component("AuthorizationComponent")
public final class AuthorizationComponent {
    private final static Logger logger = Logger.getLogger(AuthenticationUtils.class.getName());
    private static SpelExpressionParser parser;

    static {
        parser = new SpelExpressionParser();
    }

    @Autowired
    private Environment environment;

    // Looks up the expression text stored under the given property key and evaluates it.
    public boolean evaluateExpression(final String propertyKey) {
        return checkExpression(environment.getProperty(propertyKey));
    }

    // Evaluates a security expression against the current Authentication.
    public static boolean checkExpression(String securityExpression) {
        logger.info("Checking security expression [" + securityExpression + "]...");
        SecurityContext securityContext = SecurityContextHolder.getContext();
        Authentication authentication = securityContext.getAuthentication();
        Expression exp = parser.parseExpression(securityExpression);
        SecurityExpressionRoot context = new CustomMethodSecurityExpressionRoot(authentication);
        boolean result = exp.getValue(context, Boolean.class);
        logger.info("Check result: " + result);
        return result;
    }
}
And in the YAML config file you can configure the path and authorization expression, something like this:
preAuthorize:
  whatever:
    post: hasRole('MY_ROLE') OR hasAuthority('MY_AUTHORITY')
Then you could use it like this over your method:
@PreAuthorize("@AuthorizationComponent.evaluateExpression('preAuthorize.whatever.post')")
@RequestMapping(value = "", method = RequestMethod.POST)
public ResponseEntity<Void> addQuestion(@Valid @RequestBody BodyRestDTO bodyRestDTO) {
    // Code implementation
    return new ResponseEntity<Void>(HttpStatus.CREATED);
}
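A fail-closed variant of the idea above, as an added example that is not code from the original answer: the expression text comes from configuration, so a missing key or a malformed expression denies access, and evaluation is confined to the methods of the security root. The bean name configuredAuthz and the class name are hypothetical; the sketch assumes Spring Framework 5.0.5 or later (for SimpleEvaluationContext) with Spring Security 5.

```java
import org.springframework.core.env.Environment;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

// Hypothetical names; added example, not the answer's AuthorizationComponent.
// Usage: @PreAuthorize("@configuredAuthz.allowed('preAuthorize.whatever.post')")
@Component("configuredAuthz")
public class ConfiguredAuthorization {

    private final ExpressionParser parser = new SpelExpressionParser();
    private final Environment environment;

    public ConfiguredAuthorization(Environment environment) {
        this.environment = environment;
    }

    /** Returns true only if the configured expression exists and evaluates to true. */
    public boolean allowed(String propertyKey) {
        String expression = environment.getProperty(propertyKey);
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // A missing key (for example a typo in the annotation) or no authentication: deny.
        if (expression == null || expression.trim().isEmpty() || auth == null) {
            return false;
        }
        // SecurityExpressionRoot is abstract; the anonymous subclass inherits
        // hasRole(), hasAuthority(), isAuthenticated() and the other checks.
        SecurityExpressionRoot root = new SecurityExpressionRoot(auth) { };
        // SimpleEvaluationContext offers no T(...) type references, constructors
        // or @bean references, so the property can only call methods on the root.
        EvaluationContext context = SimpleEvaluationContext
                .forReadOnlyDataBinding()
                .withInstanceMethods()
                .withRootObject(root)
                .build();
        try {
            Boolean result = parser.parseExpression(expression).getValue(context, Boolean.class);
            return Boolean.TRUE.equals(result);
        } catch (RuntimeException e) {
            // Parse or evaluation failure is treated as "not permitted".
            return false;
        }
    }
}
```

Whoever can edit the properties source decides the authorization rule, so that file needs the same change control as the code.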
This should work:
@Value("${mysecurity.permit}")
private Boolean permit;
Then use:
@PreAuthorize(permit)
But you need to set up the configuration file properly to allow Spring to access it. Read here:
https://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-external-config.html
UPDATE:
Did you configure a bean for a property placeholder?
For example:
<bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <property name="locations">
        <list>
            <value>classpath:com/foo/app.properties</value>
        </list>
    </property>
</bean>
I have a project structure as follows
[1]: http://i.stack.imgur.com/T1jvh.png
I have a class and interface defined in create-user
UserGeneratorInterface
package com.credit.userGenerator;

public interface UserGeneratorInterface {
    public String userIdGenerator();
}
RandomUserGenerator.java
public class RandomUserGenerator implements UserGeneratorInterface {
    public static enum Mode {
        ALPHA, ALPHANUMERIC, NUMERIC
    }

    public static String generateRandomString(int length, Mode mode) throws Exception {
        // code logic
    }

    public String userIdGenerator() {
        // code logic
    }
}
I have defined the application context in da-web and want to get the service of RandomUserGenerator.java
public class ApplicationSignManager implements IApplicationSignInterface {
    public UserGeneratorInterface iUserGeneratorInterface;

    public UserGeneratorInterface getiUserGeneratorInterface() {
        return iUserGeneratorInterface;
    }

    public void setiUserGeneratorInterface(
            UserGeneratorInterface iUserGeneratorInterface) {
        this.iUserGeneratorInterface = iUserGeneratorInterface;
    }
}
AppContext.xml
<bean id="userGenerator" class="com.credit.userGenerator.RandomUserGenerator" ></bean>
<bean id="appSign" class="com.*****.service.ApplicationSignManager">
    <description>List of Dao in ApplicationLogin Manager</description>
    <property name="userGeneratorInterface" ref="userGenerator"/>
</bean>
But I am getting the following exception
Bean property 'iUserGeneratorInterface' is not writable or has an invalid setter method. Does the parameter type of the setter match the return type of the getter?
As noticed in the comments, use setIUserGeneratorInterface() and getIUserGeneratorInterface() with capital 'I'.
Use 'property name="iUserGeneratorInterface" ref="userGenerator"' - note the leading 'i'.
Note that it is always advisable to use well-established practices when naming your classes and fields. In your case naming 'UserGeneratorInterface' simply 'UserGenerator' and naming the field 'iUserGeneratorInterface' simply 'userGenerator' would make more sense. Note also that you have declared this field public (although this has nothing to do with the errors).
Your bean has id="userGenerator".
Use "userGenerator" as the variable name as well, like (public UserGeneratorInterface userGenerator;).
Create a getter and setter for this variable,
then try again.
I have a Spring web application. I have defined the controller bean, which takes the service bean as a property. The service bean also takes the DAO. The DAO is tested and working fine. Now the problem is with the service. Actually, I made sure about the setters there!
So what is the problem?
Controller Bean :
<bean id="listTypeController" class="me.web.servlet.controller.ListTypeController">
    <property name="typeService" ref="typeService" />
</bean>
Service Bean :
<bean id="typeService" class="me.general.service.impl.TypeServiceImpl">
    <property name="genericDao" ref="genericDao" />
    <property name="typeDao" ref="typeDao" />
</bean>
Service class:
public class TypeServiceImpl implements TypeService {
    private TypeDao typeDao;
    private GenericDao genericDao;

    public TypeDao getTypeDao() {
        return typeDao;
    }

    public GenericDao getGenericDao() {
        return genericDao;
    }

    public void setTypeDao(TypeDao typeDao) {
        this.typeDao = typeDao;
    }

    public void setGenericDao(GenericDao genericDao) {
        this.genericDao = genericDao;
    }
}
List Controller:
public class ListTypeController {
    public static final String SEARCH_TYPE_FORM_ATTRIBUTE_NAME = "SearchTypeForm";
    private TypeService typeService;

    @ModelAttribute(SEARCH_TYPE_FORM_ATTRIBUTE_NAME)
    public SearchTypeForm createForm() {
        SearchTypeForm form = new SearchTypeForm();
        form.setPageSize(SystemConfiguration.getCurrentConfiguration().getDefaultPageSize());
        form.setActive(Boolean.TRUE);
        return form;
    }

    @RequestMapping("/administration/types")
    public String listTypes(@ModelAttribute(SEARCH_TYPE_FORM_ATTRIBUTE_NAME) SearchTypeForm form,
            Model model) {
        Page<Type> all = typeService.findTypes(form);
        model.addAttribute("all", all);
        return "/master/general/List";
    }

    public void setTypeServic(TypeService typeService) {
        this.typeService = typeService;
    }
}
The Error :
Invalid property 'typeService' of bean class
[me.web.servlet.controller.ListTypeController]:
Bean property 'typeService' is not writable or has an invalid setter method.
Does the parameter type of the setter match the return type of the getter?
ListTypeController doesn't have a property of the appropriate type to receive the typeService bean, or else the setter for that property is malformed. Note that if you have some proxying going on and your ListTypeController specifies the type as TypeServiceImpl, then it may be because you should be referring to the bean by its interface type, TypeService. A proxy of your typeService would be a TypeService, but not a TypeServiceImpl.
Update: Based on your new code: setTypeServic should be setTypeService, or else your property name is actually typeServic.
In my case I named my property isMyProperty, and the is prefix caused an issue. I had to change the name to myProperty.
In my case it was because I had correct setter and getter but each with different type.
My setter took String and parsed it to target enum type and my getter returned directly the enum.
For some reason Spring (v3) got confused.
I want to escape my Spring properties file in order to get in my bean property: ${ROOTPATH}/relativePath
I have a simple Spring config file that contains:
<context:property-placeholder location="classpath:myprops.properties" />
<bean id="myBean" class="spring.MyBean">
    <property name="myProperty" value="${myproperty}" />
</bean>
The myprops.properties contains:
myproperty=\${ROOTPATH}/relativePath
The above setup returns: Could not resolve placeholder 'ROOTPATH'. I tried a lot of possible syntaxes but was not able to find the right one.
Instead of ${myproperty} use #{'$'}{myproperty}. Simply replace $ with #{'$'}.
It seems that so far there is no way to escape the ${}; however, you can try the configuration below to solve the problem
dollar=$
myproperty=${dollar}{myproperty}
Result for myproperty will be ${myproperty} after evaluation.
Here is a Spring ticket which asks for escaping support (still unresolved at the time of writing).
The workaround of using
$=$
myproperty=${$}{ROOTPATH}/relativePath
does provide a solution, but looks quite dirty.
Using SPEL expressions like #{'$'} did not work for me with Spring Boot 1.5.7.
Although it works, escaping the placeholder is super-ugly.
I achieved this by overriding PropertySourcesPlaceholderConfigurer.doProcessProperties and using a custom StringValueResolver
public static class CustomPropertySourcesPlaceholderConfigurer extends PropertySourcesPlaceholderConfigurer {
    @Override
    protected void doProcessProperties(ConfigurableListableBeanFactory beanFactoryToProcess, StringValueResolver valueResolver) {
        StringValueResolver customValueResolver = strVal -> {
            if (strVal.startsWith("${something.")) {
                PropertySourcesPropertyResolver customPropertySourcesPropertyResolver = new PropertySourcesPropertyResolver(this.getAppliedPropertySources());
                String resolvedText = customPropertySourcesPropertyResolver.resolvePlaceholders(strVal);
                // remove the below check if you are okay with the property not being present (i.e. remove if the property is optional)
                if (resolvedText.equals(strVal)) {
                    throw new RuntimeException("placeholder " + strVal + " not found");
                }
                return resolvedText;
            }
            else {
                // default behaviour
                return valueResolver.resolveStringValue(strVal);
            }
        };
        super.doProcessProperties(beanFactoryToProcess, customValueResolver);
    }
}
Plugging it into the app:
@Configuration
public class PlaceHolderResolverConfig
{
    @Bean
    public static PropertySourcesPlaceholderConfigurer placeHolderConfigurer() {
        PropertySourcesPlaceholderConfigurer placeHolderConfigurer = new CustomPropertySourcesPlaceholderConfigurer();
        placeHolderConfigurer.setLocation(new ClassPathResource("application.properties"));
        return placeHolderConfigurer;
    }
}
In the above example, for all properties starting with something.*, nested placeholders won't be resolved.
Remove the if(strVal.startsWith("${something.")) check if you want the behaviour for all properties.