Spring Security
  1. Spring Security
  2. SEC-980

AbstractFallBackMethodDefinitionSource and MethodSecurityInterceptor should only protect class if they are defined.

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Invalid
    • Affects Version/s: 2.0.3
    • Fix Version/s: 3.0.0 M1
    • Component/s: Core
    • Labels:
      None

      Description

      assuming you implement abstract fall back method definition source to read from DB or flat file.

      If XmlParsingServiceImpl is define in the db but you don't have the class, it will cause error.

      <aop:config>
      <aop:pointcut id="csv.tools.serviceMethods" expression="execution(* csv.parser.service..(..))"/>
      <aop:advisor advice-ref="methodSecurityInterceptor" pointcut-ref="csv.tools.serviceMethods" order="2"/>
      </aop:config>

      rg.springframework.beans.factory.BeanCreationException: Error creating bean with name 'methodSecurityInterceptor' nested exception is java.lang.IllegalArgumentException: Cannot find class [XmlfileServiceImpl]
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1337)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:473)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
      at java.security.AccessController.doPrivileged(Native Method)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
      at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
      at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:221)
      at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
      at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
      at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
      at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:429)
      at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:729)
      at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:381)
      at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:255)
      at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:199)
      at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:45)
      at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3843)
      at org.apache.catalina.core.StandardContext.start(StandardContext.java:4342)
      at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
      at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
      at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
      at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:830)
      at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:719)
      at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
      at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1149)
      at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
      at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
      at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
      at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
      at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
      at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
      at org.apache.catalina.core.StandardService.start(StandardService.java:516)
      at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
      at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
      Caused by: java.lang.IllegalArgumentException: Cannot find class [XmlfileServiceImpl]
      at org.springframework.util.ClassUtils.resolveClassName(ClassUtils.java:264)
      at org.springframework.security.intercept.method.MapBasedMethodDefinitionSource.addSecureMethod(MapBasedMethodDefinitionSource.java:139)
      at org.springframework.security.intercept.method.MapBasedMethodDefinitionSource.<init>(MapBasedMethodDefinitionSource.java:76)
      at DatabaseDefinitionMethodDefinitionServiceImpl.getMMDS(CustomMethodDefinitionServiceImpl.java:72)
      at DatabaseDefinitionMethodDefinitionServiceImpl.supports(CustomMethodDefinitionServiceImpl.java:86)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
      at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
      at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
      at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
      at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
      at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
      at $Proxy34.supports(Unknown Source)
      at org.springframework.security.intercept.AbstractSecurityInterceptor.afterPropertiesSet(AbstractSecurityInterceptor.java:174)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1368)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1334)
      ... 39 more
      Caused by: java.lang.ClassNotFoundException: XmlfileServiceImpl
      at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1387)
      at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1233)
      at org.springframework.util.ClassUtils.forName(ClassUtils.java:242)
      at org.springframework.util.ClassUtils.resolveClassName(ClassUtils.java:261)
      ... 57 more

        Activity

        Hide
        Luke Taylor added a comment -

        You seem to be referring to your own classes here (XmlParsingServiceImpl etc) and your own implementations. Please supply a test case which demonstrates the issue you are talking about and explain what you think the bug is.

        Show
        Luke Taylor added a comment - You seem to be referring to your own classes here (XmlParsingServiceImpl etc) and your own implementations. Please supply a test case which demonstrates the issue you are talking about and explain what you think the bug is.
        Hide
        Luke Taylor added a comment -

        Closing, as no further information supplied and there's no indication of a framework bug here.

        Show
        Luke Taylor added a comment - Closing, as no further information supplied and there's no indication of a framework bug here.

          People

          • Assignee:
            Unassigned
            Reporter:
            chun ping wang
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: