FilterInvocation should support getDispatcherType() #15042

Closed
chrylis opened this issue May 10, 2024 · 4 comments
Labels: in: web (an issue in web modules: web, webmvc); type: bug (a general bug)

chrylis commented May 10, 2024

Describe the bug
The core HttpSecurity builder supports dispatcherTypeMatchers, but FilterInvocation throws UnsupportedOperationException if they are invoked.

During an upgrade of an older Boot Servlet project, I ran into the problem where the Spring Boot /error mapping is no longer allowed by default, at least for 403 errors. I tried the suggested resolution of adding dispatcherTypeMatchers(ERROR).permitAll() to my SecurityFilterChain bean. This throws an exception in 5.7.11 (the default with the last Boot 2.7) and 5.8.12.

The problem appears to be that DefaultWebInvocationPrivilegeEvaluator uses a DummyRequest instead of the real request but does not implement core API methods; many/most other methods were supported as part of #8566.

To Reproduce

  1. Register dispatcherTypeMatchers(ERROR).permitAll() in a SecurityFilterChain.
  2. Make a request that triggers a 403 response as an unauthenticated user. (AnonymousAuthenticationToken)

Expected behavior
The matcher permits the error page to proceed.

Actual behavior

2024-05-10T18:43:15,654Z [http-nio-5000-exec-1] ERROR o.a.c.c.C.[Tomcat].[localhost] - Exception Processing ErrorPage[errorCode=0, location=/error]
java.lang.UnsupportedOperationException: public abstract javax.servlet.DispatcherType javax.servlet.ServletRequest.getDispatcherType() is not supported
	at org.springframework.security.web.FilterInvocation$UnsupportedOperationExceptionInvocationHandler.invoke(FilterInvocation.java:331)
	at com.sun.proxy.$Proxy84.getDispatcherType(Unknown Source)
	at javax.servlet.ServletRequestWrapper.getDispatcherType(ServletRequestWrapper.java:449)
	at org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher.matches(DispatcherTypeRequestMatcher.java:72)
	at org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource.getAttributes(DefaultFilterInvocationSecurityMetadataSource.java:84)
	at org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator.isAllowed(DefaultWebInvocationPrivilegeEvaluator.java:94)
	at org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator.isAllowed(DefaultWebInvocationPrivilegeEvaluator.java:69)
	at org.springframework.security.web.access.RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.isAllowed(RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java:76)
	at org.springframework.boot.web.servlet.filter.ErrorPageSecurityFilter.isAllowed(ErrorPageSecurityFilter.java:88)
	at org.springframework.boot.web.servlet.filter.ErrorPageSecurityFilter.doFilter(ErrorPageSecurityFilter.java:76)
	at org.springframework.boot.web.servlet.filter.ErrorPageSecurityFilter.doFilter(ErrorPageSecurityFilter.java:70)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:352)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:108)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:91)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:85)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
chrylis added the status: waiting-for-triage and type: bug labels on May 10, 2024
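
The failure mode in the stack trace above, reduced to plain JDK code as an added illustration (this is not Spring Security's code and not part of the original report). `Request`, `Dispatch` and the method names are hypothetical stand-ins for `ServletRequest`, `DispatcherType` and the matcher: a stand-in request built as a dynamic proxy answers only what it was built to answer, so a rule that reads the dispatcher type throws instead of returning a decision.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;

public class DummyRequestDemo {
    // Hypothetical stand-ins for DispatcherType and ServletRequest, so the demo needs only the JDK.
    enum Dispatch { REQUEST, ERROR }

    interface Request {
        String getRequestURI();
        Dispatch getDispatcherType();
    }

    // A URI-only stand-in request: any method it was not built to answer throws,
    // in the same way as the invocation handler named in the stack trace.
    static Request dummyRequest(String uri) {
        InvocationHandler handler = (proxy, method, args) -> {
            if (method.getName().equals("getRequestURI")) {
                return uri;
            }
            throw new UnsupportedOperationException(method + " is not supported");
        };
        return (Request) Proxy.newProxyInstance(
                Request.class.getClassLoader(), new Class<?>[] { Request.class }, handler);
    }

    // Rule in the shape of dispatcherTypeMatchers(ERROR).permitAll(): it has to read the dispatcher type.
    static boolean errorDispatchPermitted(Request request) {
        return request.getDispatcherType() == Dispatch.ERROR;
    }

    // Rule that needs only the path, which a URI-only stand-in can answer.
    static boolean pathPermitted(Request request) {
        return request.getRequestURI().equals("/error");
    }

    public static void main(String[] args) {
        Request probe = dummyRequest("/error");
        System.out.println("path rule: " + pathPermitted(probe));
        try {
            System.out.println("dispatcher rule: " + errorDispatchPermitted(probe));
        } catch (UnsupportedOperationException e) {
            // The proxy passes unchecked exceptions from the handler through unchanged.
            System.out.println("dispatcher rule failed: " + e.getMessage());
        }
    }
}
```

The point for access-control code is that a privilege check evaluated against a synthetic request can only exercise rules whose inputs the synthetic request carries; rules keyed on anything else fail rather than evaluate.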

tehhowch commented May 14, 2024

Just ran into this myself!

Using 5.8.12 with latest Spring Boot 2.7

marcusdacoregio self-assigned this on May 15, 2024
marcusdacoregio added the in: web label and removed the status: waiting-for-triage label on May 15, 2024

marcusdacoregio (Contributor) commented

Thanks for the report @chrylis, do you have a minimal, reproducible sample that we can try out? I'd like to see how exactly the WebInvocationPrivilegeEvaluator is invoked since it does not have access to the whole HttpServletRequest.

marcusdacoregio added the status: waiting-for-feedback label on May 15, 2024

spring-projects-issues commented

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

spring-projects-issues added the status: feedback-reminder label on May 22, 2024

spring-projects-issues commented

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

spring-projects-issues closed this as not planned on May 29, 2024
spring-projects-issues removed the status: waiting-for-feedback and status: feedback-reminder labels on May 29, 2024