SEC-1519: Uninitialized auditLogger and aclAuthorizationStrategy fields in EhCacheBasedAclCache #1761

spring-issuemaster opened this Issue Jul 18, 2010 · 1 comment


Gianni Ferrero (Migrated from SEC-1519) said:

The "auditLogger" and "aclAuthorizationStrategy" fields of the EhCacheBasedAclCache class are initialized by the first "putInCache" method call:

```java
if (this.aclAuthorizationStrategy == null) {
    if (acl instanceof AclImpl) {
        this.aclAuthorizationStrategy = (AclAuthorizationStrategy) FieldUtils.getProtectedFieldValue("aclAuthorizationStrategy", acl);
        this.auditLogger = (AuditLogger) FieldUtils.getProtectedFieldValue("auditLogger", acl);
    }
}
```

In a clustered EhCache environment, with cache configured for replication, the problem is that if you invoke "initializeTransientFields" (through getFromCache methods) on a node before any "putInCache", both fields are null so a NullPointerException is thrown similarly to SEC-1514.

I think the solution is very simple: remove the initialization of "auditLogger" and "aclAuthorizationStrategy" from the "putInCache" method and use constructor (or method) injection of both properties.


Luke Taylor said:

Thanks for the report. As you suggest, I've added an extra constructor which takes the strategy references in addition to the cache object.

I've marked the original one as deprecated for the time being.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016
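
The failure mode reported in this issue, as an added example that is not part of the original thread and is not Spring Security's code. It is a self-contained model: `TransientFieldDemo`, `NodeCache`, `Acl`, `Strategy` and `receiveReplica` are hypothetical stand-ins for the cache class, the ACL, its authorization strategy and cache replication.

```java
import java.io.*;
import java.util.*;

public class TransientFieldDemo {
    interface Strategy { boolean permits(String user); }

    // Stand-in for an ACL: the strategy is transient, so serialization drops it.
    static class Acl implements Serializable {
        final String id; transient Strategy strategy;
        Acl(String id, Strategy s) { this.id = id; this.strategy = s; }
    }

    // Models replication: the receiving node only ever sees a deserialized copy.
    static Acl replicate(Acl acl) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(acl); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (Acl) in.readObject();
        }
    }

    static class NodeCache {
        final Map<String, Acl> store = new HashMap<>();
        Strategy strategy;                        // null until captured or injected
        NodeCache() {}                            // lazy variant: relies on the first put()
        NodeCache(Strategy s) { this.strategy = Objects.requireNonNull(s); } // injected variant
        void put(Acl acl) { if (strategy == null) strategy = acl.strategy; store.put(acl.id, acl); }
        void receiveReplica(Acl acl) { store.put(acl.id, acl); } // replication bypasses put()
        // Re-attaches the transient field, as the cache must do after deserialization.
        Acl get(String id) { Acl a = store.get(id); a.strategy = this.strategy; return a; }
    }

    public static void main(String[] args) throws Exception {
        Strategy admins = user -> user.equals("admin"); // constructed sample policy
        Acl original = new Acl("doc-1", admins);

        // Node that has only received replicas: nothing was captured, so get() restores null.
        NodeCache lazy = new NodeCache();
        lazy.receiveReplica(replicate(original));
        try { lazy.get("doc-1").strategy.permits("admin"); }
        catch (NullPointerException e) { System.out.println("lazy node: NullPointerException"); }

        // Same sequence with the dependency supplied at construction time.
        NodeCache injected = new NodeCache(admins);
        injected.receiveReplica(replicate(original));
        System.out.println("injected node permits admin: "
                + injected.get("doc-1").strategy.permits("admin"));
    }
}
```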