
Oauth Request is failing on Hybris 6.3 migrated from 5.7

0 Kudos

Hi Experts,

I have migrated from hybris 5.7 to 6.3. I am able to run the normal web services and have resolved the CSRF token issue for login from the storefront, but I am trying to get the REST service running for the mobile API.

I followed the same steps which have been mentioned

As per the document, I am not using v2 web services, so I made the change in the common security-spring.xml

and disabled the CSRF token.

 <http xmlns="" entry-point-ref="oauthAuthenticationEntryPoint"
             authentication-manager-ref="clientAuthenticationManager" create-session="stateless" pattern="/oauth/token">
             <security:csrf disabled="true"/>
             <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
             <!-- for PRODUCTION requires-channel="https" -->
             <anonymous enabled="false" />
             <http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
             <!-- include this only if you need to authenticate clients via request 
                 parameters -->
             <custom-filter before="BASIC_AUTH_FILTER" ref="clientCredentialsTokenEndpointFilter" />
             <access-denied-handler ref="oauthAccessDeniedHandler" />
         <http  disable-url-rewriting="true"
             <security:csrf disabled="true"/>
             <access-denied-handler error-page="/login"/>
             <intercept-url pattern="/oauth/**" access="ROLE_CUSTOMERGROUP" />
             <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
             <form-login authentication-failure-url="/login.jsp?authentication_error=true" default-target-url="/index.jsp"
                 login-page="/login.jsp" login-processing-url="/" />
             <logout logout-success-url="/index.jsp" logout-url="/" />
             <anonymous />


After this, I created OAuth clients via Backoffice as per the documentation:

Now, when I try to hit the REST service with the URL:


I receive the response:

{ "errors": [ { "message": Failed to evaluate expression 'IS_AUTHENTICATED_FULLY', "type": IllegalArgumentError } ] }

with the backend exception:

 ,]]]]'!; nested exception is java.lang.IllegalArgumentException: Failed to evaluate expression 'IS_AUTHENTICATED_FULLY'] with root cause
 org.springframework.expression.spel.SpelEvaluationException: EL1008E:(pos 0): Property or field 'IS_AUTHENTICATED_FULLY' cannot be found on object of type '
 ession.WebSecurityExpressionRoot' - maybe not public?
         at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(
         at org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(
         at org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(
         at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(
         at org.springframework.expression.spel.standard.SpelExpression.getValue(

Accepted Solutions (0)

Answers (2)

0 Kudos

The problem is that in Spring Security 4.x, XML configuration uses expressions by default, and IS_AUTHENTICATED_FULLY is not the expression syntax. Either disable expressions using <http use-expressions="false"> or replace "IS_AUTHENTICATED_FULLY" with "fullyAuthenticated".

Former Member
0 Kudos

Hi Experts,

Facing the same issue. Did anyone come up with a solution to this?

Active Participant
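
The condition described in the first answer can be checked across a whole security configuration before deployment. The following Python sketch is an added example, not code from the thread, hybris or Spring: it flags every `intercept-url` whose `access` value is a legacy voter attribute inside an `<http>` block that still evaluates expressions, and proposes the expression form. The sample XML is constructed (modelled on the posted configuration, with a hypothetical `/legacy/**` block), and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Legacy voter attributes -> Spring Security 4.x expression equivalents.
LEGACY = {
    "IS_AUTHENTICATED_FULLY": "isFullyAuthenticated()",
    "IS_AUTHENTICATED_ANONYMOUSLY": "permitAll",  # not isAnonymous(): that rejects logged-in users
}

# Constructed sample modelled on the posted config; /legacy/** is hypothetical.
SAMPLE = """<beans xmlns:security="http://www.springframework.org/schema/security">
  <security:http pattern="/oauth/token" create-session="stateless">
    <security:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
  </security:http>
  <security:http use-expressions="false" pattern="/legacy/**">
    <security:intercept-url pattern="/legacy/**" access="ROLE_CUSTOMERGROUP"/>
  </security:http>
  <security:http disable-url-rewriting="true">
    <security:intercept-url pattern="/oauth/**" access="ROLE_CUSTOMERGROUP"/>
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
  </security:http>
</beans>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix

def to_expression(access):
    """Return the SpEL rewrite, or None if access is not purely legacy tokens."""
    out = []
    for part in (p.strip() for p in access.split(",")):
        if part in LEGACY:
            out.append(LEGACY[part])
        elif re.fullmatch(r"ROLE_\w+", part):
            out.append("hasRole('%s')" % part)
        else:
            return None  # already an expression, empty, or unknown
    return " or ".join(out)  # legacy comma lists grant access if any attribute matches

def audit(xml_text):
    """List (pattern, access, rewrite) for rules that SpEL evaluation would reject."""
    findings = []
    for http in ET.fromstring(xml_text).iter():
        if local(http.tag) != "http" or http.get("use-expressions", "true") == "false":
            continue  # expressions are on by default in 4.x; "false" keeps legacy syntax
        for rule in http.iter():
            fix = to_expression(rule.get("access", "")) if local(rule.tag) == "intercept-url" else None
            if fix:
                findings.append((rule.get("pattern"), rule.get("access"), fix))
    return findings
```

Calling `audit(SAMPLE)` reports the three rules in the expression-enabled blocks and skips the block that sets `use-expressions="false"`.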