Spring Security / SEC-1699

DefaultFilterChainValidator's check if login page isn't protected is broken

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.1.0.RC1
    • Fix Version/s: 3.1.0.RC2
    • Component/s: Web
    • Labels:
      None
    • Environment:
      Spring 3.1 M1

      Description

      DefaultFilterChainValidator near the end of checkLoginPageIsntProtected method issues a call to

      fsi.getAccessDecisionManager().decide(token, new Object(), attributes);
      

      which throws an exception

      java.lang.ClassCastException: java.lang.Object cannot be cast to org.springframework.security.web.FilterInvocation
      

      AccessDecisionManager is org.springframework.security.access.vote.AffirmativeBased and when it asks
      org.springframework.security.web.access.expression.WebExpressionVoter to vote passing Object instead of FilterInvocation, ClassCastException is thrown.

      Probably either AffirmativeBased AccessDecisionManager should first check if voter(s) support Object.class before giving them a chance to vote, or DefaultFilterChainValidator should pass in FilterInvocation when checking in web environment.

        Activity

        Luke Taylor added a comment -

        Thanks for the report. I've changed the code to pass the FilterInvocation object, since one was already created earlier in the method.

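
The failure described in this issue, and the type check the reporter suggests, reproduced as a self-contained Java example. It is added here and is not Spring Security code: `WebInvocation`, `Voter`, `WebVoter` and the two `decide*` methods are hypothetical stand-ins for `FilterInvocation`, the voter interface, `WebExpressionVoter` and the decision manager.

```java
import java.util.List;

public class VoterTypeCheckDemo {
    // Hypothetical stand-in for the secured web object (the role FilterInvocation plays).
    static final class WebInvocation {
        final String url;
        WebInvocation(String url) { this.url = url; }
    }

    // Hypothetical voter contract: supports(Class) declares which secured-object types are accepted.
    interface Voter<S> {
        boolean supports(Class<?> type);
        int vote(S securedObject);   // 1 = grant, 0 = abstain, -1 = deny
    }

    // Web-only voter: the compiler-generated bridge method casts its argument to WebInvocation.
    static final class WebVoter implements Voter<WebInvocation> {
        public boolean supports(Class<?> type) { return WebInvocation.class.isAssignableFrom(type); }
        public int vote(WebInvocation inv) { return inv.url.startsWith("/login") ? 1 : -1; }
    }

    // Unguarded: hands whatever it receives to every voter, like the reported decide(...) call.
    @SuppressWarnings({"rawtypes", "unchecked"})
    static boolean decideUnguarded(List<Voter> voters, Object secured) {
        for (Voter v : voters) if (v.vote(secured) > 0) return true;
        return false;
    }

    // Guarded: voters that do not support the object's type are skipped.
    // If nobody votes, the result is a denial, so a type mismatch fails closed.
    @SuppressWarnings({"rawtypes", "unchecked"})
    static boolean decideGuarded(List<Voter> voters, Object secured) {
        for (Voter v : voters) {
            if (!v.supports(secured.getClass())) continue;
            if (v.vote(secured) > 0) return true;
        }
        return false;
    }

    @SuppressWarnings("rawtypes")
    public static void main(String[] args) {
        List<Voter> voters = List.of(new WebVoter());
        try {
            decideUnguarded(voters, new Object());
        } catch (ClassCastException e) {
            System.out.println("unguarded, plain Object: ClassCastException");
        }
        System.out.println("guarded, plain Object: " + decideGuarded(voters, new Object()));
        System.out.println("guarded, /login.jsp: " + decideGuarded(voters, new WebInvocation("/login.jsp")));
    }
}
```

With the guard alone, a validator that passes a plain `Object` would get a denial for every page instead of an exception, so the check would still not test the login page; passing the real web invocation is what makes the result meaningful.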

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Stevo Slavić
          • Votes:
            1
            Watchers:
            2

            Dates

            • Created:
              Updated:
              Resolved: