Ignacio Merani (Migrated from SEC-1392) said:
I created a PermissionEvaluator to use with the new security expressions. I wrote a unit test and I'm trying to test it. If I use the default configuration, it works and denies access to the secured method, since that is the default behavior. This is the configuration (I'm omitting the authenticationmanager part):
But if I change the configuration in order to add my PermissionEvaluator, I get a NullPointerException while Spring initializes. This is my new config:
<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <property name="permissionEvaluator" ref="myPermissionEvaluator"/>
</bean>
Attached you'll see the stack-trace.
Luke Taylor said:
Please supply a test case which reproduces the problem.
Ignacio Merani said:
Attached you'll see the testcase and the security configuration. I think the exception is fired while the context is loaded; none of the testcase code is executed.
Thanks. I mean something that I can use to reproduce the problem - i.e. a working example. I don't see any way that just using a custom PermissionEvaluator will cause the issue you're reporting, so it must be a result of something else in your configuration (you have several app context files in that test case).
Since my project has many dependencies, I created the simplest project I can think of and the problem still reproduces. Please check it out; it is a maven2 project with only one context configuration. If you remove the expressionHandler part, it works.
Thanks. It seems to be some kind of BeanFactory issue with a circular reference arising when the autoproxy creator checks to see if it can advise the PermissionEvaluator instance. This prevents the DelegatingMethodSecurityMetadataSource bean from being initialized properly before it is called by the advice to provide attributes for the (potentially) advised methods. This means it hasn't had its delegate list injected when getAttributes() is called and hence the NPE.
That said, I've no idea why the same thing works in other cases. Marking the PermissionEvaluator and MethodExpressionHandler interfaces as infrastructure beans should solve the problem though, which I'll do for 3.0.2.
sanjay dalal said:
I was using 3.0.1 when I got the exact same NPE while trying to use PermissionEvaluator for ACL. I migrated to 3.0.2 and I am getting the following.
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.methodSecurityMetadataSourceAdvisor': 2 constructor arguments specified but no matching constructor found in bean 'org.springframework.security.methodSecurityMetadataSourceAdvisor' (hint: specify index/type/name arguments for simple parameters to avoid type ambiguities)
Also attached is the log cs_spring.log.tar.gz with the complete stack trace. Thanks in advance.
Note that the configuration for everything except the expressionHandler (and its children) is tested and works. In other words, the whole authentication configuration works.
Thomas Struntz said:
I have this exact same issue with Spring Security 3.1.3, so it does not seem to be fixed!