SEC-1699: DefaultFilterChainValidator's check if login page isn't protected is broken #1934

Closed
spring-issuemaster opened this Issue Mar 17, 2011 · 1 comment


@spring-issuemaster

Stevo Slavić (Migrated from SEC-1699) said:

DefaultFilterChainValidator, near the end of the checkLoginPageIsntProtected method, issues a call to

fsi.getAccessDecisionManager().decide(token, new Object(), attributes);

which throws an exception

java.lang.ClassCastException: java.lang.Object cannot be cast to org.springframework.security.web.FilterInvocation

AccessDecisionManager is org.springframework.security.access.vote.AffirmativeBased, and when it asks org.springframework.security.web.access.expression.WebExpressionVoter to vote, passing an Object instead of a FilterInvocation, a ClassCastException is thrown.

Probably either the AffirmativeBased AccessDecisionManager should first check if the voter(s) support Object.class before giving them a chance to vote, or DefaultFilterChainValidator should pass in a FilterInvocation when checking in a web environment.

@spring-issuemaster

Luke Taylor said:

Thanks for the report. I've changed the code to pass the FilterInvocation object, since one was already created earlier in the method.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC2 milestone Feb 5, 2016
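
An added example, not part of the original issue and not Spring Security code: a self-contained model of why a voter typed to FilterInvocation fails when handed a plain Object, alongside the two remedies discussed in the thread. The classes `FilterInvocation`, `Voter`, `WebVoter` and the methods `decide` and `decideGuarded` are hypothetical stand-ins defined here, and the `/login` rule is constructed.

```java
import java.util.ArrayList;
import java.util.List;
// Stand-in types modelled on the names in the report; these are NOT Spring Security classes.
public class VoterCastDemo {
    static final class FilterInvocation {
        final String url;
        FilterInvocation(String url) { this.url = url; }
    }

    interface Voter<S> {
        boolean supports(Class<?> clazz);
        boolean vote(S secured); // true = grant
    }

    // Typed to FilterInvocation: the compiler-generated bridge method vote(Object)
    // casts its argument to FilterInvocation before delegating.
    static final class WebVoter implements Voter<FilterInvocation> {
        public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }
        public boolean vote(FilterInvocation fi) { return "/login".equals(fi.url); } // constructed rule
    }

    // Asks every voter without consulting supports(), as the report describes.
    @SuppressWarnings({"rawtypes", "unchecked"})
    static boolean decide(List<Voter> voters, Object secured) {
        for (Voter v : voters) if (v.vote(secured)) return true;
        return false;
    }

    // Reporter's first suggestion: skip voters that do not support the object's class.
    @SuppressWarnings({"rawtypes", "unchecked"})
    static boolean decideGuarded(List<Voter> voters, Object secured) {
        for (Voter v : voters) if (v.supports(secured.getClass()) && v.vote(secured)) return true;
        return false;
    }

    @SuppressWarnings("rawtypes")
    public static void main(String[] args) {
        List<Voter> voters = new ArrayList<>();
        voters.add(new WebVoter());
        try {
            decide(voters, new Object()); // the call shape from the report
        } catch (ClassCastException e) {
            System.out.println("unguarded + Object: " + e);
        }
        System.out.println("guarded + Object: " + decideGuarded(voters, new Object()));
        // Second suggestion (the fix that was applied): pass a FilterInvocation.
        System.out.println("unguarded + FilterInvocation: " + decide(voters, new FilterInvocation("/login")));
    }
}
```

In this model the guard alone only avoids the exception, because no voter then evaluates the request; passing a FilterInvocation is what lets the voter actually run.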