Spring Security issue SEC-1836

NPE when authorizing using JspAuthorizeTag

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.0.RC3
    • Fix Version/s: 3.1.0
    • Component/s: None
    • Labels:
      None
    • Environment:
      View technology: FreeMarker with JSP tag library support

      Description

      When using the Spring Security setup enclosed in the attachment, since I started to use the 'method' attribute in intercept-url tags, I have run into trouble when using the JSP <authorize> tag WITH the url attribute filled but WITHOUT the method attribute filled (like <security:authorize url="someUrl">).
      In that case, URL patterns with an HTTP method set (as shown in my applicationContext-security.xml attachment) are compared against a DummyRequest without the HTTP method filled (created for the <authorize> tag), which causes an NPE.

      Sorry, I'm under time pressure now so I can't explain it more deeply, but I believe this stack trace fragment (which comes from authorization for the <security:authorize url="/image-bundles/"> tag) explains it all:

      Caused by: java.lang.NullPointerException: Name is null
      at java.lang.Enum.valueOf(Enum.java:195)
      at org.springframework.http.HttpMethod.valueOf(HttpMethod.java:1)
      at org.springframework.security.web.util.AntPathRequestMatcher.matches(AntPathRequestMatcher.java:83)
      at org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource.getAttributes(DefaultFilterInvocationSecurityMetadataSource.java:86)
      at org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator.isAllowed(DefaultWebInvocationPrivilegeEvaluator.java:90)
      at org.springframework.security.taglibs.authz.AbstractAuthorizeTag.authorizeUsingUrlCheck(AbstractAuthorizeTag.java:207)
      at org.springframework.security.taglibs.authz.AbstractAuthorizeTag.authorize(AbstractAuthorizeTag.java:107)
      at org.springframework.security.taglibs.authz.JspAuthorizeTag.doStartTag(JspAuthorizeTag.java:54)
      at freemarker.ext.jsp.TagTransformModel$TagWriter.onStart(TagTransformModel.java:360)
      at freemarker.core.Environment.visit(Environment.java:296)
      at freemarker.core.UnifiedCall.accept(UnifiedCall.java:130)
      at freemarker.core.Environment.visit(Environment.java:210)
      at freemarker.core.MixedContent.accept(MixedContent.java:92)
      at freemarker.core.Environment.visit(Environment.java:210)
      at freemarker.core.Environment.process(Environment.java:190)
      at freemarker.template.Template.process(Template.java:237)
      at freemarker.ext.servlet.FreemarkerServlet.process(FreemarkerServlet.java:452)
      at freemarker.ext.servlet.FreemarkerServlet.doGet(FreemarkerServlet.java:391)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
      at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:593)
      at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:530)
      at org.apache.tiles.servlet.context.ServletTilesRequestContext.include(ServletTilesRequestContext.java:260)
      at org.apache.tiles.context.TilesRequestContextWrapper.include(TilesRequestContextWrapper.java:97)
      at org.apache.tiles.freemarker.context.FreeMarkerTilesRequestContext.dispatch(FreeMarkerTilesRequestContext.java:66)
      at org.apache.tiles.renderer.impl.TemplateAttributeRenderer.write(TemplateAttributeRenderer.java:44)
      at org.apache.tiles.renderer.impl.AbstractBaseAttributeRenderer.render(AbstractBaseAttributeRenderer.java:106)
      at org.apache.tiles.renderer.impl.ChainedDelegateAttributeRenderer.write(ChainedDelegateAttributeRenderer.java:76)
      at org.apache.tiles.renderer.impl.AbstractBaseAttributeRenderer.render(AbstractBaseAttributeRenderer.java:106)
      at org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:670)
      at org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:336)
      at org.apache.tiles.template.InsertAttributeModel.renderAttribute(InsertAttributeModel.java:210)
      at org.apache.tiles.template.InsertAttributeModel.end(InsertAttributeModel.java:126)
      at org.apache.tiles.freemarker.template.InsertAttributeFMModel.execute(InsertAttributeFMModel.java:89)

        Activity

        John Cook added a comment -

        Note: the current workaround is simply to also set the method attribute of the authorize tag.

        BTW, one more comment on the authorize tag: in my opinion, it should not output the enclosing SECURED_UI_PREFIX/SECURED_UI_SUFFIX when the var attribute is set.

        Luke Taylor added a comment -

        I've modified the Authorize tag to default to using GET as the default HTTP method. This means a URL will be matched by a RequestMatcher that is not method-specific or by one that is configured to use GET. If another method-specific match is required then the method must be set in the tag.

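The failure the description traces and the GET default Luke Taylor describes, side by side, as an added Java example that is not part of this issue or of Spring Security's code base: the class names, the prefix-based matching and the sample rules are constructed stand-ins for AntPathRequestMatcher, the tag's DummyRequest and the privilege evaluator, and the null-safe matcher variant is an added assumption rather than the fix the issue records.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration of SEC-1836 (not Spring Security's own code). The classes below are
// hypothetical stand-ins; pattern matching is reduced to a prefix check to keep it short.
public class AuthorizeTagMethodDemo {

    enum HttpMethod { GET, POST, PUT, DELETE }

    // Stand-in for the request object the <authorize> tag builds for a URL check.
    static final class TagRequest {
        final String path;
        final String method; // null reproduces the pre-fix DummyRequest with no method set
        TagRequest(String path, String method) { this.path = path; this.method = method; }
    }

    // One intercept-url rule: a path prefix, an optional HTTP method and the access it grants.
    static final class Rule {
        final String prefix;
        final HttpMethod method; // null means the rule applies to every method
        final boolean permitted;
        Rule(String prefix, HttpMethod method, boolean permitted) {
            this.prefix = prefix; this.method = method; this.permitted = permitted;
        }

        // Pre-fix behaviour: HttpMethod.valueOf(null) throws NullPointerException("Name is null"),
        // which is the first frame of the stack trace in the report.
        boolean matchesUnsafe(TagRequest r) {
            if (method != null && method != HttpMethod.valueOf(r.method)) return false;
            return r.path.startsWith(prefix);
        }

        // Defensive variant (an added assumption, not the fix described in the issue): a
        // method-specific rule never matches a request that carries no method at all.
        boolean matchesSafe(TagRequest r) {
            if (method != null) {
                if (r.method == null || method != HttpMethod.valueOf(r.method)) return false;
            }
            return r.path.startsWith(prefix);
        }
    }

    // Constructed sample rules, in the order they would appear as intercept-url entries.
    static final List<Rule> RULES = Arrays.asList(
        new Rule("/image-bundles/", HttpMethod.POST, false),
        new Rule("/image-bundles/", null, true),
        new Rule("/admin/", null, false));

    // First matching rule wins, as with a FilterInvocationSecurityMetadataSource; no match
    // falls through to "denied" so an unmatched URL never renders as if it were permitted.
    static boolean isAllowed(TagRequest r, boolean safe) {
        for (Rule rule : RULES) {
            if (safe ? rule.matchesSafe(r) : rule.matchesUnsafe(r)) return rule.permitted;
        }
        return false;
    }

    // The tag-side fix from the comments: when no method attribute is given, check as GET.
    static TagRequest tagRequest(String url, String methodAttribute) {
        return new TagRequest(url, methodAttribute == null ? "GET" : methodAttribute);
    }

    public static void main(String[] args) {
        // 1. Pre-fix: <security:authorize url="/image-bundles/"> without a method -> NPE
        try {
            isAllowed(new TagRequest("/image-bundles/", null), false);
        } catch (NullPointerException e) {
            System.out.println("pre-fix: " + e.getMessage()); // "Name is null"
        }
        // 2. Post-fix GET default: the POST-only deny rule is skipped and the GET rule permits
        System.out.println("GET default: " + isAllowed(tagRequest("/image-bundles/", null), false));
        // 3. To have the POST rule evaluated, the tag must name the method explicitly
        System.out.println("explicit POST: " + isAllowed(tagRequest("/image-bundles/", "POST"), false));
        // 4. Null-safe matcher alone: no NPE, the method-specific rule is simply skipped
        System.out.println("null-safe: " + isAllowed(new TagRequest("/image-bundles/", null), true));
    }
}
```

Case 2 is the caveat in the comment above: once the tag defaults to GET, a rule that is specific to another method is never consulted for that tag, so markup guarded only by a POST-specific rule is rendered as permitted unless the tag sets method="POST" itself.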

          People

          • Assignee: Luke Taylor
          • Reporter: John Cook
          • Votes: 0
          • Watchers: 0
