Failed to evaluate expression 'IS_AUTHENTICATED_ANONYMOUSLY' Spring 4

Question

I upgraded from Spring 3.2.3 + Hibernate 3.8.6 to Spring 4.1.6 + Hibernate 4.3
now have the following error.
This is my springSecurityContext.xml:

Be

Answer 1

You have 2 errors in your configuration: one regarding <http> element and one regarding ConcurrentSessionFilter.

1. The class ConcurrentSessionFilter changed from Spring 3 to Spring 4. The constructor taking no parameter, which was deprecated in Spring 3, was removed in Spring 4.

   This explains the error you are getting:

   Caused by: java.lang.NoSuchMethodException: org.springframework.security.web.session.ConcurrentSessionFilter.<init>()

   which means that you referenced the no-arg constructor <init> but that it did not exist.

   You need to change your configuration to use the two-args constructor instead:

   <beans:bean id="concurrencyFilter"
   class="org.springframework.security.web.session.ConcurrentSessionFilter">
       <beans:constructor-arg ref="sessionRegistry" />
       <beans:constructor-arg value="/session-expired.htm" />
   </beans:bean>
   

2. Regarding to the <http> element, you have specified use-expressions="true" but you are not using Spring EL expressions. Quoting the Spring documentation:

   To use expressions to secure individual URLs, you would first need to set the use-expressions attribute in the <http> element to true. Spring Security will then expect the access attributes of the <intercept-url> elements to contain Spring EL expressions.

   As such, you either need to set use-expressions to false explicitely (the default value is true) or change your access attributes to access="hasRole('...').