Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0, 3.0.1
    • Fix Version/s: 3.0.2
    • Component/s: Core
    • Labels:
      None
    • Environment:
      winxp, jdk 1.6.0,

      Description

      I created a PermissionEvaluator to use with the new security expressions. I wrote a unit test and I'm trying to test it. If I use the default configuration, it works and denies the access to the secured method, since it is the default behavior, this is the configuration (I'm omitting the authenticationmanager part) :

      <sec:global-method-security pre-post-annotations="enabled">

      But if I change the configuration in order to add my PermissionEvaluator, I get a NullPointerException while Spring initializes, this is my new config:

      <sec:global-method-security pre-post-annotations="enabled">
      <sec:expression-handler ref="expressionHandler"/>
      </sec:global-method-security>
      <bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
      <property name="permissionEvaluator" ref="myPermissionEvaluator"/>
      </bean>

      Attached you'll see the stack-trace.

      thanks

        Activity

        Hide
        Luke Taylor added a comment -

        Please supply a test case which reproduces the problem.

        Show
        Luke Taylor added a comment - Please supply a test case which reproduces the problem.
        Hide
        Ignacio Merani added a comment -

        Attached you'll see the testcase and the security configuration. I think the exception is fired while the context is loaded, nothing of the testcase code is executed.

        thanks

        Show
        Ignacio Merani added a comment - Attached you'll see the testcase and the security configuration. I think the exception is fired while the context is loaded, nothing of the testcase code is executed. thanks
        Hide
        Luke Taylor added a comment -

        Thanks. I mean something that I can use to reproduce the problem - i.e. a working example. I don't see any way that just using a custom PermissionEvaluator will cause the issuse you're reporting, so it must be a result of something else in your configuration (you have serveral app context files in that test case).

        Show
        Luke Taylor added a comment - Thanks. I mean something that I can use to reproduce the problem - i.e. a working example. I don't see any way that just using a custom PermissionEvaluator will cause the issuse you're reporting, so it must be a result of something else in your configuration (you have serveral app context files in that test case).
        Hide
        Ignacio Merani added a comment -

        Since my project has many dependencies, I created the simplest project I can think of and the problem still reproduces. Please check it out, is a maven2 project, only one context configuration. If you remove the expressionHandler part, it works.

        thanks

        Show
        Ignacio Merani added a comment - Since my project has many dependencies, I created the simplest project I can think of and the problem still reproduces. Please check it out, is a maven2 project, only one context configuration. If you remove the expressionHandler part, it works. thanks
        Hide
        Luke Taylor added a comment -

        Thanks. It seems to be some kind of BeanFactory issue with a circular reference arising when the autoproxy creator checks to see if it can advise the PermissionEvaluator instance. This prevents the DelegatingMethodSecurityMetadataSource bean from being initialized properly before it is called by the advice to provide attributes for the (potentially) advised methods. This means it hasn't had its delegate list injected when getAttributes() is called and hence the NPE.

        That said, I've no idea why the same thing works in other cases. Marking the PermissionEvaluator and MethodExpressionHandler interfaces as infrastructure beans should solve the problem though, which I'll do for 3.0.2.

        Show
        Luke Taylor added a comment - Thanks. It seems to be some kind of BeanFactory issue with a circular reference arising when the autoproxy creator checks to see if it can advise the PermissionEvaluator instance. This prevents the DelegatingMethodSecurityMetadataSource bean from being initialized properly before it is called by the advice to provide attributes for the (potentially) advised methods. This means it hasn't had its delegate list injected when getAttributes() is called and hence the NPE. That said, I've no idea why the same thing works in other cases. Marking the PermissionEvaluator and MethodExpressionHandler interfaces as infrastructure beans should solve the problem though, which I'll do for 3.0.2.
        Hide
        sanjay dalal added a comment -

        I was using 3.0.1 when I got the exact same NPE while trying to use PermissionEvaluator for ACL. I migrated to 3.0.2 and I am getting the following.

        Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.methodSecurityMetadataSourceAdvisor': 2 constructor arguments specified but no matching constructor found in bean 'org.springframework.security.methodSecurityMetadataSourceAdvisor' (hint: specify index/type/name arguments for simple parameters to avoid type ambiguities)
        at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:171)

        attaching applicationContext-security.xml

        Show
        sanjay dalal added a comment - I was using 3.0.1 when I got the exact same NPE while trying to use PermissionEvaluator for ACL. I migrated to 3.0.2 and I am getting the following. Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.methodSecurityMetadataSourceAdvisor': 2 constructor arguments specified but no matching constructor found in bean 'org.springframework.security.methodSecurityMetadataSourceAdvisor' (hint: specify index/type/name arguments for simple parameters to avoid type ambiguities) at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:171) attaching applicationContext-security.xml
        Hide
        sanjay dalal added a comment -

        also attached log cs_spring.log.tar.gz with complete stack trace. thanks in advance.

        note that configuration for everything except the expressionHandler (and its children) is tested and works. in other words, the whole authentication configuration works.

        Show
        sanjay dalal added a comment - also attached log cs_spring.log.tar.gz with complete stack trace. thanks in advance. note that configuration for everything except the expressionHandler (and its children) is tested and works. in other words, the whole authentication configuration works.
        Hide
        Thomas Struntz added a comment -

        i have this exact same issue with Spring Security 3.1.3 so it does not seem to be fixed!

        Show
        Thomas Struntz added a comment - i have this exact same issue with Spring Security 3.1.3 so it does not seem to be fixed!

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Ignacio Merani
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: