SEC-1662: NPE when defining two <http> elements during registerFilterChainProxy #1900

Closed
spring-issuemaster opened this Issue Jan 26, 2011 · 1 comment

@spring-issuemaster

Serge Sozonoff (Migrated from SEC-1662) said:

I am defining two elements which apparently is permitted in Spring Security 3.1.0M2 per documentation

```xml
<http auto-config="false" entry-point-ref="http403ForbiddenEntryPoint">
    <intercept-url pattern="/api/**" access="ROLE_USER"/>
    <custom-filter ref="apikeyAuthFilter" position="FORM_LOGIN_FILTER"/>
</http>

<http auto-config="false">
    <form-login/>
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <logout invalidate-session="true"/>
</http>
```

During startup I get an NPE, partial stack trace below.

```
Caused by: java.lang.NullPointerException
at org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.registerFilterChainProxy(HttpSecurityBeanDefinitionParser.java:260)
at org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.parse(HttpSecurityBeanDefinitionParser.java:89)
at org.springframework.security.config.SecurityNamespaceHandler.parse(SecurityNamespaceHandler.java:88)
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1335)
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1325)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:135)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:93)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:493)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:390)
... 37 more
```

Relevant code area

```java
for (BeanDefinition matcherBean : filterChainMap.keySet()) {
    if (existingFilterChainMap.containsKey(matcherBean)) {
        Map<Integer,ValueHolder> args = matcherBean.getConstructorArgumentValues().getIndexedArgumentValues();
        pc.getReaderContext().error("The filter chain map already contains this request matcher ["
                // ---> the line below is the one marked in the report
                + args.get(0).getValue() + ", " + args.get(1).getValue() + "]", source);
```

args is size 0 in my case

Serge

@spring-issuemaster

Luke Taylor said:

Thanks for the report. The error occurs because at least one of the elements needs to define a pattern (otherwise both defined filter chains are supposed to be applied to "/"). The code you've pointed to was erroneously assuming that the RequestMatcher instances have two arguments (as the path matching ones do), but for "/" an optimized AnyRequestMatcher instance is used. Hence you get the invalid access to the argument list.

I've added a check on the number of arguments when formatting the error message.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC1 milestone Feb 5, 2016
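The reply above says at least one of the two elements must define a pattern. An added configuration example (not part of the original issue or of the project's documentation) showing the reporter's two chains with the API chain scoped; it assumes a Spring Security 3.1 namespace in which `<http>` accepts a `pattern` attribute, and reuses the bean names from the report unchanged:

```xml
<!-- API chain: scoped with pattern="/api/**", so its request matcher
     no longer matches every request. Chains are consulted in declaration
     order and the first match wins, so the narrower chain must come first. -->
<http pattern="/api/**" auto-config="false" entry-point-ref="http403ForbiddenEntryPoint">
    <intercept-url pattern="/api/**" access="ROLE_USER"/>
    <custom-filter ref="apikeyAuthFilter" position="FORM_LOGIN_FILTER"/>
</http>

<!-- Catch-all chain: no pattern attribute, so it handles every request
     the API chain did not claim. Only one chain may be left unscoped;
     two unscoped chains produce the duplicate request matcher that the
     parser code quoted in the report is trying to describe. -->
<http auto-config="false">
    <form-login/>
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <logout invalidate-session="true"/>
</http>
```

Keeping the catch-all chain last matters for access control as well as startup: if it were declared first, requests under `/api/` would be handled by the form-login chain and never reach `apikeyAuthFilter`.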