Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SEC-1521: NullPointerException in SecurityContextPersistenceFilter with null SecurityContextRepository #1762

Closed
spring-issuemaster opened this issue Jul 22, 2010 · 3 comments

Comments

@spring-issuemaster
Copy link

@spring-issuemaster spring-issuemaster commented Jul 22, 2010

Jarrod Carlson (Migrated from SEC-1521) said:

According to documentation in section 8.3.1, the SecurityContextPersistenceFilter should support a null SecurityContextRepository, which would prevent a SecurityContext from ever being persisted.

However, configuring a null SecurityContextRepository results in a NullPointerException. Either the documentation is incorrect or misleading, or the SecurityContextPersistenceFilter should perform null checks on the field.

<bean id="securityContextPersistenceFilter"
    class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    <property name="securityContextRepository">
        <null />
    </property>
</bean>

SEVERE: Servlet.service() for servlet classes/com.turner.playon.event threw exception
java.lang.NullPointerException
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:74)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
at java.lang.Thread.run(Thread.java:637)

@spring-issuemaster

This comment has been minimized.

Copy link
Author

@spring-issuemaster spring-issuemaster commented Jul 22, 2010

Luke Taylor said:

It's actually referring to a "null implementation" (as in http://en.wikipedia.org/wiki/Null_Object_pattern), rather than the value "null". We should probably add a check on initialization though with an eror message.

@spring-issuemaster

This comment has been minimized.

Copy link
Author

@spring-issuemaster spring-issuemaster commented Jul 23, 2010

Luke Taylor said:

I've added a null check on the injected SecurityContextRepository and clarified the docs, including a reference to the available NullSecurityContextRepository implementation which is already provided.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant
You can’t perform that action at this time.