SEC-1662: NPE when defining two <http> elements during registerFilterChainProxy #1900

spring-issuemaster opened this Issue Jan 26, 2011 · 1 comment



Serge Sozonoff (Migrated from SEC-1662) said:

I am defining two <http> elements, which apparently is permitted in Spring Security 3.1.0M2 per the documentation.

<http auto-config="false" entry-point-ref="http403ForbiddenEntryPoint">
    <intercept-url pattern="/api/**" access="ROLE_USER"/>
    <custom-filter ref="apikeyAuthFilter" position="FORM_LOGIN_FILTER"/>
</http>

<http auto-config="false">
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <logout invalidate-session="true"/>
</http>

During startup I get an NPE, partial stack trace below.

Caused by: java.lang.NullPointerException
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(
... 37 more

Relevant code area

        for (BeanDefinition matcherBean : filterChainMap.keySet()) {
            if (existingFilterChainMap.containsKey(matcherBean)) {
                Map<Integer,ValueHolder> args = matcherBean.getConstructorArgumentValues().getIndexedArgumentValues();
                // ---> NPE on the next statement: with an empty args map, args.get(0) returns null
                pc.getReaderContext().error("The filter chain map already contains this request matcher ["
                        + args.get(0).getValue() + ", " + args.get(1).getValue() + "]", source);
            }
        }

args is size 0 in my case


Luke Taylor said:

Thanks for the report. The error occurs because at least one of the elements needs to define a pattern (otherwise both defined filter chains are supposed to be applied to "/"). The code you've pointed to was erroneously assuming that the RequestMatcher instances have two arguments (as the path matching ones do), but for "/" an optimized AnyRequestMatcher instance is used. Hence you get the invalid access to the argument list.

I've added a check on the number of arguments when formatting the error message.

spring-issuemaster added this to the 3.1.0.RC1 milestone Feb 5, 2016
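
The failure mode discussed in this issue, reduced to a stand-alone sketch: a duplicate-matcher check whose error message does not assume how many constructor arguments the matcher carries, so the misconfiguration is reported instead of being masked by an NPE. This is an added example, not Spring Security's code or the actual fix; `MatcherDef`, `describe` and `findDuplicates` are hypothetical names, the sample matchers are constructed, and it assumes Java 16+ for records.

```java
import java.util.*;

public class DuplicateMatcherCheck {
    // Hypothetical stand-in for a request-matcher bean definition: a type name
    // plus its indexed constructor arguments (empty for a match-everything matcher).
    record MatcherDef(String type, Map<Integer, Object> args) {}

    // Format a matcher for the error message without assuming that
    // indexes 0 and 1 are present in the argument map.
    static String describe(MatcherDef m) {
        if (m.args().size() < 2) {
            return m.type();  // argument-less matcher: fall back to its type name
        }
        return m.args().get(0) + ", " + m.args().get(1);
    }

    // Register each incoming matcher in 'existing' and return one error
    // message for every matcher that was already registered.
    static List<String> findDuplicates(Set<MatcherDef> existing, List<MatcherDef> incoming) {
        List<String> errors = new ArrayList<>();
        for (MatcherDef m : incoming) {
            if (!existing.add(m)) {
                errors.add("The filter chain map already contains this request matcher ["
                        + describe(m) + "]");
            }
        }
        return errors;
    }

    public static void main(String[] unused) {
        // Constructed input: one argument-less matcher (what two <http> blocks
        // without a pattern would both resolve to) and one two-argument path matcher.
        MatcherDef any = new MatcherDef("AnyRequestMatcher", Map.of());
        MatcherDef api = new MatcherDef("AntPathRequestMatcher", Map.of(0, "/api/**", 1, "GET"));

        Set<MatcherDef> registered = new HashSet<>();
        // First pass registers both matchers and reports nothing.
        findDuplicates(registered, List.of(any, api)).forEach(System.out::println);
        // Second pass reports both as duplicates, with a readable message for each.
        findDuplicates(registered, List.of(any, api)).forEach(System.out::println);
    }
}
```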
