Spring Security / SEC-1662

NPE when defining two <http> elements during registerFilterChainProxy

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.0.M2
    • Fix Version/s: 3.1.0.RC1
    • Component/s: Core
    • Labels:
      None
    • Environment:
      Windows 7 64bit, Sun Java 1.6.0_21 64bit, Tomcat 6.0.20

      Description

      I am defining two <http> elements, which apparently is permitted in Spring Security 3.1.0M2 per documentation.

      <http auto-config="false" entry-point-ref="http403ForbiddenEntryPoint">
          <intercept-url pattern="/api/**" access="ROLE_USER"/>
          <custom-filter ref="apikeyAuthFilter" position="FORM_LOGIN_FILTER"/>
      </http>

      <http auto-config="false">
          <form-login/>
          <intercept-url pattern="/**" access="ROLE_USER"/>
          <logout invalidate-session="true"/>
      </http>

      During startup I get an NPE, partial stack trace below.

      Caused by: java.lang.NullPointerException
      at org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.registerFilterChainProxy(HttpSecurityBeanDefinitionParser.java:260)
      at org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.parse(HttpSecurityBeanDefinitionParser.java:89)
      at org.springframework.security.config.SecurityNamespaceHandler.parse(SecurityNamespaceHandler.java:88)
      at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1335)
      at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1325)
      at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:135)
      at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:93)
      at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:493)
      at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:390)
      ... 37 more

      Relevant code area

      for (BeanDefinition matcherBean : filterChainMap.keySet()) {
          if (existingFilterChainMap.containsKey(matcherBean)) {
              Map<Integer,ValueHolder> args = matcherBean.getConstructorArgumentValues().getIndexedArgumentValues();
              pc.getReaderContext().error("The filter chain map already contains this request matcher ["
      --->            + args.get(0).getValue() + ", " +args.get(1).getValue() + "]", source);

      args is size 0 in my case

      Serge

        Activity

        Luke Taylor added a comment -

        Thanks for the report. The error occurs because at least one of the elements needs to define a pattern (otherwise both defined filter chains are supposed to be applied to "/*"). The code you've pointed to was erroneously assuming that the RequestMatcher instances have two arguments (as the path matching ones do), but for "/*" an optimized AnyRequestMatcher instance is used. Hence you get the invalid access to the argument list.

        I've added a check on the number of arguments when formatting the error message.
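The scoping described in the comment above, as an added example that is not part of the original issue or the project's own configuration: it assumes the `pattern` attribute of the `<http>` element from the Spring Security 3.1 namespace, and reuses the reporter's bean names unchanged.

```xml
<!-- Chain 1: handles only /api/** because the pattern is set on <http> itself.
     An <intercept-url pattern="..."> sets access rules inside a chain; it does
     not decide which requests the chain is applied to. -->
<http pattern="/api/**" auto-config="false" entry-point-ref="http403ForbiddenEntryPoint">
    <intercept-url pattern="/api/**" access="ROLE_USER"/>
    <custom-filter ref="apikeyAuthFilter" position="FORM_LOGIN_FILTER"/>
</http>

<!-- Chain 2: no pattern, so it matches every remaining request.
     It is declared last because chains are consulted in declaration order
     and the first match wins; a catch-all placed first would shadow chain 1. -->
<http auto-config="false">
    <form-login/>
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <logout invalidate-session="true"/>
</http>
```

With only one catch-all chain left, the two request matchers are no longer identical, so the duplicate-matcher error path quoted in the description is not reached.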


          People

          • Assignee: Luke Taylor
          • Reporter: Serge Sozonoff
          • Votes: 0
          • Watchers: 0
