Spring Security / SEC-995

AbstractSecurityInterceptor exception message improvement

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0.3
    • Fix Version/s: 3.0.0 M1
    • Component/s: Core
    • Labels:
      None

      Description

      AbstractSecurityInterceptor contains the following throws clause:
      throw new IllegalArgumentException(
      "No public invocations are allowed via this AbstractSecurityInterceptor. "
      + "This indicates a configuration error because the "
      + "AbstractSecurityInterceptor.rejectPublicInvocations property is set to 'true'");

      Unfortunately, this exception doesn't include any contextual information, making it hard to find out the exact problem. For example, for the MethodSecurityInterceptor subclass it would be useful if this exception included the class and method name that were attempted to be called.

      In our specific situation, a single MethodSecurityInterceptor is re-used for multiple Spring beans and is set to reject public invocations (the interceptor gets added automatically to beans defined via some custom namespace). This means that for each bean that is defined through this custom namespace, authorizations must be explicitly added to the single MethodSecurityInterceptor configuration. If somebody forgets this, the exception mentioned above is thrown, but it is hard to find out exactly for which bean the authorizations are missing.

        Activity

        Ruud Senden added a comment -

        As I just found out, even enabling debug logging doesn't help to find out the cause of this error; maybe at the very least MethodSecurityInterceptor should also do some debug logging about the current MethodInvocation.

        Luke Taylor added a comment -

        I've added the secured object information to the exception message, so the MethodInvocation (usually a Spring instance which should have a useful toString method) or FilterInvocation responsible should be logged.

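To illustrate the problem and the fix discussed in this issue, here is an added example that is not Spring Security's source and not code from either commenter: a simplified stand-in interceptor that fails closed and names the secured object in its exception, plus a start-up audit that lists intercepted public methods with no authorization attributes. The class name, `secure`, `findUnmapped`, the `Class#method` key format and the sample beans are all hypothetical.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.*;

// Simplified stand-in for an interceptor with rejectPublicInvocations=true (not Spring's class).
public class RejectPublicInvocationsDemo {
    // Hypothetical attribute store: "Class#method" -> required authorities.
    private final Map<String, List<String>> attributes = new HashMap<>();
    private final boolean rejectPublicInvocations = true;

    void secure(Class<?> type, String method, String... authorities) {
        attributes.put(type.getName() + "#" + method, Arrays.asList(authorities));
    }

    // Fail closed, and name the secured object so the missing mapping can be located.
    void beforeInvocation(Class<?> type, Method method) {
        String securedObject = type.getName() + "#" + method.getName();
        List<String> attrs = attributes.get(securedObject);
        if ((attrs == null || attrs.isEmpty()) && rejectPublicInvocations) {
            throw new IllegalArgumentException("No public invocations are allowed via this interceptor"
                    + " (rejectPublicInvocations is 'true'); secured object: " + securedObject);
        }
        // Authentication and the access decision would follow here.
    }

    // Start-up audit: public methods declared by intercepted classes that have no attributes.
    List<String> findUnmapped(Class<?>... interceptedTypes) {
        List<String> missing = new ArrayList<>();
        for (Class<?> type : interceptedTypes) {
            for (Method m : type.getDeclaredMethods()) {
                String key = type.getName() + "#" + m.getName();
                if (Modifier.isPublic(m.getModifiers()) && !attributes.containsKey(key)) {
                    missing.add(key);
                }
            }
        }
        Collections.sort(missing);
        return missing;
    }

    // Constructed sample beans sharing the single interceptor.
    static class AccountService { public void transfer() {} public void balance() {} }
    static class ReportService { public void export() {} }

    public static void main(String[] args) throws Exception {
        RejectPublicInvocationsDemo interceptor = new RejectPublicInvocationsDemo();
        interceptor.secure(AccountService.class, "transfer", "ROLE_TELLER");
        interceptor.secure(AccountService.class, "balance", "ROLE_USER");
        System.out.println("Unmapped: " + interceptor.findUnmapped(AccountService.class, ReportService.class));
        try {
            interceptor.beforeInvocation(ReportService.class, ReportService.class.getMethod("export"));
        } catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```

Running the audit when the application context starts surfaces a forgotten bean before its first call is rejected at runtime.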

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Ruud Senden