AccessDecisionManager does not support secure object class…

This post will be short and sweet, but for those of you using Spring Security and come across this exception, hopefully this post will be of some help to you. Here is the exception:

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainList': Cannot resolve reference to bean '_filterSecurityInterceptor' while setting bean property 'filters' with key [3]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterSecurityInterceptor': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: AccessDecisionManager does not support secure object class: class org.springframework.security.intercept.web.FilterInvocation 
        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:275) 
        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:104) 
        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedList(BeanDefinitionValueResolver.java:287) 
        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:126)

I received this exception today when I began to add some http/web level security into my application which already had some pre-existing custom configuration for my own AuthenticationManager, AccessDecisionManager (w/ custom voters) and AuthenticationProvider. When I added the following configuration to my Spring configuration the above exception was thrown on the next Maven test run:


... custom auth provider, auth manager, voters above....

<!-- my custom accessDecisionManager config -->
<bean id="accessDecisionManager" 
	class="org.springframework.security.vote.AffirmativeBased">
	<property name="decisionVoters">
		<list>
			<ref bean="myCustomAccessVoter"/>
		</list>
	</property>
</bean>

<!-- the NEW entry I added which triggered the exception -->
<security:http access-decision-manager-ref="accessDecisionManager">
    	<security:intercept-url pattern="/**" access="ROLE_USER" />
    	<security:form-login/>
</security:http>

The reason for the above exception is because my AffirmativeBased AccessDecisionManager did not have any decisionVoters who responded with “true” when passed a “FilterInvocation” object to their supports(Class clazz) method.

If you have a custom AccessDecisionVoter like I did above, you need to begin returning true in calls to support(Class clazz) when passed instances of “FilterInvocation” objects, while still only returning true for only the ConfigAttributes you care about when support(ConfigAttribute attr) is called on your voter. Secondly you should add an RoleVoter to your list of decisionVoters for your AccessDecisionManager configuration.

There is more to it than just the quick fix listed above, however that is for you to implement in your application. I just wanted to post this to give people a pointer in the right direction as to what is causing this exception. Hope it helped!

Advertisements

4 comments

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s