Spring Security / SEC-1521

NullPointerException in SecurityContextPersistenceFilter with null SecurityContextRepository

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.2
    • Fix Version/s: 3.1.0.M1
    • Component/s: Web
    • Labels:
      None

      Description

      According to documentation in section 8.3.1, the SecurityContextPersistenceFilter should support a null SecurityContextRepository, which would prevent a SecurityContext from ever being persisted.

      However, configuring a null SecurityContextRepository results in a NullPointerException. Either the documentation is incorrect or misleading, or the SecurityContextPersistenceFilter should perform null checks on the field.

      <bean id="securityContextPersistenceFilter"
            class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
        <property name="securityContextRepository">
          <null />
        </property>
      </bean>

      SEVERE: Servlet.service() for servlet classes/com.turner.playon.event threw exception
      java.lang.NullPointerException
      at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:74)
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
      at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
      at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
      at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
      at java.lang.Thread.run(Thread.java:637)

        Activity

        Jarrod Carlson added a comment - The relevant documentation: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/core-web-filters.html#security-context-repository
        Luke Taylor added a comment - - edited

        It's actually referring to a "null implementation" (as in http://en.wikipedia.org/wiki/Null_Object_pattern), rather than the value "null". We should probably add a check on initialization though with an error message.

        Luke Taylor added a comment -

        I've added a null check on the injected SecurityContextRepository and clarified the docs, including a reference to the available NullSecurityContextRepository implementation which is already provided.
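
        The wiring that the comments above point to, as an added example that is not part of the original issue or the project's own code: the reporter's bean definition with the `<null />` value replaced by an instance of the provided NullSecurityContextRepository. It assumes the same property-based injection used in the report and that the class lives in the org.springframework.security.web.context package.

```xml
<!-- Before (from the report): a literal null reference, which the filter
     dereferences on the first request and fails with NullPointerException.

     <property name="securityContextRepository">
       <null />
     </property>
-->

<!-- After: a "null implementation" (Null Object pattern). The filter still has
     a repository to call, but that repository never persists the
     SecurityContext between requests. -->
<bean id="securityContextPersistenceFilter"
      class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
  <property name="securityContextRepository">
    <bean class="org.springframework.security.web.context.NullSecurityContextRepository" />
  </property>
</bean>
```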


          People

          • Assignee:
            Luke Taylor
            Reporter:
            Jarrod Carlson