Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-1392: Cannot use custom PermissionEvaluator #1635

spring-issuemaster opened this Issue Jan 28, 2010 · 8 comments


None yet
1 participant

Ignacio Merani (Migrated from SEC-1392) said:

I created a PermissionEvaluator to use with the new security expressions. I wrote a unit test and I'm trying to test it. If I use the default configuration, it works and denies the access to the secured method, since it is the default behavior, this is the configuration (I'm omitting the authenticationmanager part) :

<sec:global-method-security pre-post-annotations="enabled">

But if I change the configuration in order to add my PermissionEvaluator, I get a NullPointerException while Spring initializes, this is my new config:

<sec:global-method-security pre-post-annotations="enabled">
    <sec:expression-handler ref="expressionHandler"/>
<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <property name="permissionEvaluator" ref="myPermissionEvaluator"/>

Attached you'll see the stack-trace.


Luke Taylor said:

Please supply a test case which reproduces the problem.

Ignacio Merani said:

Attached you'll see the testcase and the security configuration. I think the exception is fired while the context is loaded, nothing of the testcase code is executed.


Luke Taylor said:

Thanks. I mean something that I can use to reproduce the problem - i.e. a working example. I don't see any way that just using a custom PermissionEvaluator will cause the issuse you're reporting, so it must be a result of something else in your configuration (you have serveral app context files in that test case).

Ignacio Merani said:

Since my project has many dependencies, I created the simplest project I can think of and the problem still reproduces. Please check it out, is a maven2 project, only one context configuration. If you remove the expressionHandler part, it works.


Luke Taylor said:

Thanks. It seems to be some kind of BeanFactory issue with a circular reference arising when the autoproxy creator checks to see if it can advise the PermissionEvaluator instance. This prevents the DelegatingMethodSecurityMetadataSource bean from being initialized properly before it is called by the advice to provide attributes for the (potentially) advised methods. This means it hasn't had its delegate list injected when getAttributes() is called and hence the NPE.

That said, I've no idea why the same thing works in other cases. Marking the PermissionEvaluator and MethodExpressionHandler interfaces as infrastructure beans should solve the problem though, which I'll do for 3.0.2.

sanjay dalal said:

I was using 3.0.1 when I got the exact same NPE while trying to use PermissionEvaluator for ACL. I migrated to 3.0.2 and I am getting the following.

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.methodSecurityMetadataSourceAdvisor': 2 constructor arguments specified but no matching constructor found in bean 'org.springframework.security.methodSecurityMetadataSourceAdvisor' (hint: specify index/type/name arguments for simple parameters to avoid type ambiguities)
at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:171)

attaching applicationContext-security.xml

sanjay dalal said:

also attached log cs_spring.log.tar.gz with complete stack trace. thanks in advance.

note that configuration for everything except the expressionHandler (and its children) is tested and works. in other words, the whole authentication configuration works.

Thomas Struntz said:

i have this exact same issue with Spring Security 3.1.3 so it does not seem to be fixed!

@spring-issuemaster spring-issuemaster added this to the 3.0.2 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment