Stevo Slavić (Migrated from SEC-1699) said:
DefaultFilterChainValidator near the end of checkLoginPageIsntProtected method issues a call to
fsi.getAccessDecisionManager().decide(token, new Object(), attributes);
which throws exception
java.lang.ClassCastException: java.lang.Object cannot be cast to org.springframework.security.web.FilterInvocation
AccessDecisionManager is org.springframework.security.access.vote.AffirmativeBased and when it asks
org.springframework.security.web.access.expression.WebExpressionVoter to vote passing Object instead of FilterInvocation, ClassCastException is thrown.
Probably either AffirmativeBased AccessDecisionManager should first check if voter(s) support Object.class before giving them chance to vote, or DefaultFilterChainValidator should pass in FilterInvocation when checking in web environment.
Luke Taylor said:
Thanks for the report. I've changed the code to pass the FilterInvocation object, since one was already created earlier in the method.