Spring Security
  1. Spring Security
  2. SEC-1878

DefaultFilterChainValidator throws UnsupportedOperationException

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.1.1
    • Component/s: Namespace
    • Labels:
      None

      Description

      If the expression used in the access attribute of the intercept-url element references a request element not supported by the new [1] org.springframework.security.web.FilterInvocation$DummyRequest class AND a custom-filter is defined, then the filterChainProxy bean will fail to be created [2]. This is a regression from 3.0.6.RELEASE.

      For example:
      <security:custom-filter ref="myAuthFilter" position="FIRST" />
      <security:intercept-url pattern="/**" access="request.parameterMap['test'] == null ? permitAll : permitAll" />
      will fail with the stack trace below[2].

      There is an easy (hacky) workaround...just check the for request.contextPath = '/cp' (assuming you don't really have a /cp path!)...this works because contextPath is supported by the DummyRequest.
      <security:intercept-url pattern="/**" access="request.contextPath == '/cp' ? denyAll : request.parameterMap['test'] == null ? permitAll : permitAll" />

      I have attached simple maven project that will exercise this bug. To reproduce, download, unzip the intercpet-url-access-bug.zip attachment, and run mvn jetty:run.

      [1] https://fisheye.springsource.org/browse/spring-security/web/src/main/java/org/springframework/security/web/FilterInvocation.java?r2=93438defffe5c339026469afa09dad60b2928a4f&r1=052537c8b04182595e92abd1e1949b0ff7e731b4

      [2]
      SEVERE: Context initialization failed
      org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChainProxy': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Failed to evaluate expression 'request.parameterMap['test'] == null ? permitAll : permitAll'
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1455)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
      at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)
      at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)
      at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)
      at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
      at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:585)
      at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:913)
      at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:464)
      at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:282)
      at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:204)
      at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
      at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4206)
      at org.apache.catalina.core.StandardContext.start(StandardContext.java:4705)
      at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1057)
      at org.apache.catalina.core.StandardHost.start(StandardHost.java:840)
      at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1057)
      at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
      at org.apache.catalina.core.StandardService.start(StandardService.java:525)
      at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
      at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:592)
      at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
      Caused by: java.lang.IllegalArgumentException: Failed to evaluate expression 'request.parameterMap['test'] == null ? permitAll : permitAll'
      at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:13)
      at org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:34)
      at org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:18)
      at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:62)
      at org.springframework.security.config.http.DefaultFilterChainValidator.checkLoginPageIsntProtected(DefaultFilterChainValidator.java:170)
      at org.springframework.security.config.http.DefaultFilterChainValidator.validate(DefaultFilterChainValidator.java:35)
      at org.springframework.security.web.FilterChainProxy.afterPropertiesSet(FilterChainProxy.java:148)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1514)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1452)
      ... 27 more
      Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1021E:(pos 8): A problem occurred whilst attempting to access the property 'parameterMap': 'Unable to access property 'parameterMap' through getter'
      at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:201)
      at org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:72)
      at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:57)
      at org.springframework.expression.spel.ast.OpEQ.getValueInternal(OpEQ.java:37)
      at org.springframework.expression.spel.ast.OpEQ.getValueInternal(OpEQ.java:1)
      at org.springframework.expression.spel.ast.SpelNodeImpl.getValue(SpelNodeImpl.java:135)
      at org.springframework.expression.spel.ast.Ternary.getValueInternal(Ternary.java:47)
      at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:102)
      at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:97)
      at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:11)
      ... 35 more
      Caused by: org.springframework.expression.AccessException: Unable to access property 'parameterMap' through getter
      at org.springframework.expression.spel.support.ReflectivePropertyAccessor$OptimalPropertyAccessor.read(ReflectivePropertyAccessor.java:499)
      at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:196)
      ... 44 more
      Caused by: java.lang.reflect.InvocationTargetException
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:592)
      at org.springframework.expression.spel.support.ReflectivePropertyAccessor$OptimalPropertyAccessor.read(ReflectivePropertyAccessor.java:495)
      ... 45 more
      Caused by: java.lang.UnsupportedOperationException
      at org.springframework.security.web.DummyRequest.getParameterMap(FilterInvocation.java:334)
      ... 50 more

        Issue Links

          Activity

          Hide
          Rob Winch added a comment -

          Thanks for the bug submission. This issue is now fixed in master.

          Show
          Rob Winch added a comment - Thanks for the bug submission. This issue is now fixed in master.

            People

            • Assignee:
              Rob Winch
              Reporter:
              Jake Landis
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: