Spring Security / SEC-1886

UnsupportedOperationException is thrown by DefaultFilterChainValidator if voter invokes an unsupported method

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 3.1.0
    • Fix Version/s: 3.1.1
    • Component/s: Web
    • Labels:
      None

      Description

      The DefaultFilterChainValidator prevents the application context from starting up if a custom AccessDecisionVoter attempts to access an unsupported method of the DummyRequest, for example the #getRemoteAddr(). There is no way to turn off this validation when using <http> config.

      Stack Trace

      Caused by: java.lang.UnsupportedOperationException
      	at org.springframework.security.web.DummyRequest.getRemoteAddr(FilterInvocation.java:358)
      	at com.foo.security.vote.IPRestrictionAccessVoter.vote(IPRestrictionAccessVoter.java:80)
      	at com.foo.security.vote.IPRestrictionAccessVoter.vote(IPRestrictionAccessVoter.java:37)
      	at org.springframework.security.access.vote.UnanimousBased.decide(UnanimousBased.java:77)
      	at org.springframework.security.config.http.DefaultFilterChainValidator.checkLoginPageIsntProtected(DefaultFilterChainValidator.java:170)
      	at org.springframework.security.config.http.DefaultFilterChainValidator.validate(DefaultFilterChainValidator.java:35)
      	at org.springframework.security.web.FilterChainProxy.afterPropertiesSet(FilterChainProxy.java:148)
      	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1514)
      	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1452)
      	... 155 more

          Activity

          luke Luke Taylor added a comment (edited)

          We should trap unexpected exceptions in this code and skip the login page check if one is thrown, as it shouldn't cause an app failure.

          rwinch Rob Winch added a comment (edited)

          This is a duplicate of SEC-1878

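The failure in the description can also be contained on the voter side. The following is an added example, not code from this issue or from Spring Security: a custom voter that abstains when the request object cannot supply a remote address, so the startup login-page check cannot abort the application context. The class name, package, attribute name and allow-list are assumptions made for illustration.

```java
package com.example.security; // hypothetical package

import java.util.Collection;
import java.util.Set;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;

/** Hypothetical IP allow-list voter; all names here are assumptions. */
public class GuardedIpRestrictionVoter implements AccessDecisionVoter<FilterInvocation> {

    private static final String ATTRIBUTE = "IP_RESTRICTED"; // assumed config attribute
    private final Set<String> allowedAddresses;

    public GuardedIpRestrictionVoter(Set<String> allowedAddresses) {
        this.allowedAddresses = allowedAddresses;
    }

    public boolean supports(ConfigAttribute attribute) {
        return ATTRIBUTE.equals(attribute.getAttribute());
    }

    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }

    public int vote(Authentication authentication, FilterInvocation fi,
                    Collection<ConfigAttribute> attributes) {
        boolean applies = false;
        for (ConfigAttribute attribute : attributes) {
            applies |= supports(attribute);
        }
        if (!applies) {
            return ACCESS_ABSTAIN;
        }
        String remoteAddr;
        try {
            remoteAddr = fi.getHttpRequest().getRemoteAddr();
        } catch (UnsupportedOperationException e) {
            // DummyRequest (used by the startup login-page check) does not
            // implement getRemoteAddr(). Abstain; never grant on this path.
            return ACCESS_ABSTAIN;
        }
        return allowedAddresses.contains(remoteAddr) ? ACCESS_GRANTED : ACCESS_DENIED;
    }
}
```

Only UnsupportedOperationException is caught, and the voter abstains rather than grants, so the guard cannot widen access: any other failure still propagates, and the final outcome on that path is left to the configured AccessDecisionManager.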

            People

            • Assignee:
              rwinch Rob Winch
              Reporter:
              kyle.cronin Kyle Cronin
