Spring Security / SEC-1886

UnsupportedOperationException is thrown by DefaultFilterChainValidator if voter invokes an unsupported method

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 3.1.0
    • Fix Version/s: 3.1.1
    • Component/s: Web
    • Labels:
      None

      Description

      The DefaultFilterChainValidator prevents the application context from starting up if a custom AccessDecisionVoter attempts to access an unsupported method of the DummyRequest, for example the #getRemoteAddr(). There is no way to turn off this validation when using <http> config.

      Stack Trace
      Caused by: java.lang.UnsupportedOperationException
      	at org.springframework.security.web.DummyRequest.getRemoteAddr(FilterInvocation.java:358)
      	at com.foo.security.vote.IPRestrictionAccessVoter.vote(IPRestrictionAccessVoter.java:80)
      	at com.foo.security.vote.IPRestrictionAccessVoter.vote(IPRestrictionAccessVoter.java:37)
      	at org.springframework.security.access.vote.UnanimousBased.decide(UnanimousBased.java:77)
      	at org.springframework.security.config.http.DefaultFilterChainValidator.checkLoginPageIsntProtected(DefaultFilterChainValidator.java:170)
      	at org.springframework.security.config.http.DefaultFilterChainValidator.validate(DefaultFilterChainValidator.java:35)
      	at org.springframework.security.web.FilterChainProxy.afterPropertiesSet(FilterChainProxy.java:148)
      	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1514)
      	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1452)
      	... 155 more
      

          Activity

          Luke Taylor added a comment - edited

          We should trap unexpected exceptions in this code and skip the login page check if one is thrown, as it shouldn't cause an app failure.

          Rob Winch added a comment - edited

          This is a duplicate of SEC-1878

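A voter can also guard itself against the failure in the description. The class below is an added example, not code from the reporter or from Spring Security: `GuardedIpRestrictionVoter` and its allow-list field are hypothetical names, and it assumes a literal-address allow-list. It fails closed when the request cannot supply a remote address; how the validator handles the resulting denial is not stated on this page.

```java
import java.util.Collection;
import java.util.Set;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;

/** Hypothetical IP allow-list voter; not the reporter's IPRestrictionAccessVoter. */
public class GuardedIpRestrictionVoter implements AccessDecisionVoter<FilterInvocation> {

    // Literal remote addresses permitted to pass (assumed to come from configuration).
    private final Set<String> allowedAddresses;

    public GuardedIpRestrictionVoter(Set<String> allowedAddresses) {
        this.allowedAddresses = allowedAddresses;
    }

    public boolean supports(ConfigAttribute attribute) {
        return true; // votes on every secured URL, whatever its attributes
    }

    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }

    public int vote(Authentication authentication, FilterInvocation invocation,
                    Collection<ConfigAttribute> attributes) {
        String remoteAddr;
        try {
            remoteAddr = invocation.getHttpRequest().getRemoteAddr();
        } catch (UnsupportedOperationException e) {
            // The startup check passes a DummyRequest that does not implement
            // getRemoteAddr(). Without a client address there is no basis for
            // a grant, so fail closed instead of letting the exception escape.
            return ACCESS_DENIED;
        }
        return allowedAddresses.contains(remoteAddr) ? ACCESS_GRANTED : ACCESS_DENIED;
    }
}
```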

            People

            • Assignee: Rob Winch
            • Reporter: Kyle Cronin