This post will be short and sweet, but for those of you using Spring Security and come across this exception, hopefully this post will be of some help to you. Here is the exception:
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainList': Cannot resolve reference to bean '_filterSecurityInterceptor' while setting bean property 'filters' with key ; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterSecurityInterceptor': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: AccessDecisionManager does not support secure object class: class org.springframework.security.intercept.web.FilterInvocation at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:275) at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:104) at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedList(BeanDefinitionValueResolver.java:287) at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:126)
I received this exception today when I began to add some http/web level security into my application which already had some pre-existing custom configuration for my own AuthenticationManager, AccessDecisionManager (w/ custom voters) and AuthenticationProvider. When I added the following configuration to my Spring configuration the above exception was thrown on the next Maven test run:
... custom auth provider, auth manager, voters above.... <!-- my custom accessDecisionManager config --> <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased"> <property name="decisionVoters"> <list> <ref bean="myCustomAccessVoter"/> </list> </property> </bean> <!-- the NEW entry I added which triggered the exception --> <security:http access-decision-manager-ref="accessDecisionManager"> <security:intercept-url pattern="/**" access="ROLE_USER" /> <security:form-login/> </security:http>
The reason for the above exception is because my AffirmativeBased AccessDecisionManager did not have any decisionVoters who responded with “true” when passed a “FilterInvocation” object to their
supports(Class clazz) method.
If you have a custom AccessDecisionVoter like I did above, you need to begin returning
true in calls to support(Class clazz) when passed instances of “FilterInvocation” objects, while still only returning true for only the ConfigAttributes you care about when
support(ConfigAttribute attr) is called on your voter. Secondly you should add an
RoleVoter to your list of
decisionVoters for your AccessDecisionManager configuration.
There is more to it than just the quick fix listed above, however that is for you to implement in your application. I just wanted to post this to give people a pointer in the right direction as to what is causing this exception. Hope it helped!