SEC-1521: NullPointerException in SecurityContextPersistenceFilter with null SecurityContextRepository #1762

Closed
spring-issuemaster opened this Issue Jul 22, 2010 · 3 comments

1 participant

@spring-issuemaster

Jarrod Carlson (Migrated from SEC-1521) said:

According to documentation in section 8.3.1, the SecurityContextPersistenceFilter should support a null SecurityContextRepository, which would prevent a SecurityContext from ever being persisted.

However, configuring a null SecurityContextRepository results in a NullPointerException. Either the documentation is incorrect or misleading, or the SecurityContextPersistenceFilter should perform null checks on the field.

<bean id="securityContextPersistenceFilter"
    class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    <property name="securityContextRepository">
        <null />
    </property>
</bean>

SEVERE: Servlet.service() for servlet classes/com.turner.playon.event threw exception
java.lang.NullPointerException
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:74)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
at java.lang.Thread.run(Thread.java:637)

@spring-issuemaster

Luke Taylor said:

It's actually referring to a "null implementation" (as in http://en.wikipedia.org/wiki/Null_Object_pattern), rather than the value "null". We should probably add a check on initialization though with an eror message.

@spring-issuemaster

Luke Taylor said:

I've added a null check on the injected SecurityContextRepository and clarified the docs, including a reference to the available NullSecurityContextRepository implementation which is already provided.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment