SEC-1519: Uninitialized auditLogger and aclAuthorizationStrategy fields in EhCacheBasedAclCache #1761

Closed
spring-issuemaster opened this Issue Jul 18, 2010 · 1 comment


Gianni Ferrero (Migrated from SEC-1519) said:

The "auditLogger" and "aclAuthorizationStrategy" fields of EhCacheBasedAclCache class are initialized by the first "putInCache" method call:
```java
// ...
if (this.aclAuthorizationStrategy == null) {
    if (acl instanceof AclImpl) {
        this.aclAuthorizationStrategy = (AclAuthorizationStrategy) FieldUtils.getProtectedFieldValue("aclAuthorizationStrategy", acl);
        this.auditLogger = (AuditLogger) FieldUtils.getProtectedFieldValue("auditLogger", acl);
    }
}
// ...
```

In a clustered EhCache environment, with cache configured for replication, the problem is that if you invoke "initializeTransientFields" (through getFromCache methods) on a node before any "putInCache", both fields are null so a NullPointerException is thrown similarly to SEC-1514.

I think the solution is very simple: remove the initialization of "auditLogger" and "aclAuthorizationStrategy" from the "putInCache" method and use constructor (or method) injection of both properties.

Luke Taylor said:

Thanks for the report. As you suggest, I've added an extra constructor which takes the strategy references in addition to the cache object.

I've marked the original one as deprecated for the time being.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016
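
The failure mode reported above and the constructor-injection fix, as an added example that is not part of the original issue or of Spring Security's code. It is a simplified model: `Strategy`, `Entry`, `LazyCache` and `InjectedCache` are hypothetical stand-ins, and Java serialization simulates EhCache replication to a second node.

```java
import java.io.*;
import java.util.Objects;

// Constructed model; Strategy, Entry, LazyCache and InjectedCache are hypothetical names.
public class TransientFieldDemo {
    interface Strategy { String name(); }

    // Cached value whose collaborator is transient, so replication drops it.
    static class Entry implements Serializable {
        transient Strategy strategy;
        Entry(Strategy strategy) { this.strategy = strategy; }
    }

    // Before: the collaborator is captured as a side effect of the first put().
    static class LazyCache {
        Strategy strategy;
        void put(Entry e) { if (strategy == null) strategy = e.strategy; }
        Entry get(Entry replicated) { replicated.strategy = strategy; return replicated; }
    }

    // After: the collaborator is a constructor argument and is never null.
    static class InjectedCache {
        final Strategy strategy;
        InjectedCache(Strategy strategy) { this.strategy = Objects.requireNonNull(strategy, "strategy"); }
        Entry get(Entry replicated) { replicated.strategy = strategy; return replicated; }
    }

    // Simulates replication to another node: serialize, then deserialize.
    static Entry replicate(Entry e) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(e); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (Entry) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Strategy strategy = () -> "default";
        Entry onNodeB = replicate(new Entry(strategy)); // node A stored it; node B only receives it

        try {
            new LazyCache().get(onNodeB).strategy.name(); // node B never called put()
        } catch (NullPointerException ex) {
            System.out.println("lazy cache: NullPointerException on first use");
        }
        System.out.println("injected cache: " + new InjectedCache(strategy).get(onNodeB).strategy.name());
    }
}
```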
