SEC-1699: DefaultFilterChainValidator's check if login page isn't protected is broken #1934

spring-issuemaster opened this Issue Mar 17, 2011 · 1 comment



Stevo Slavić (Migrated from SEC-1699) said:

DefaultFilterChainValidator near the end of checkLoginPageIsntProtected method issues a call to

fsi.getAccessDecisionManager().decide(token, new Object(), attributes);

which throws an exception

java.lang.ClassCastException: java.lang.Object cannot be cast to org.springframework.security.web.FilterInvocation

The AccessDecisionManager is org.springframework.security.access.vote.AffirmativeBased, and when it asks org.springframework.security.web.access.expression.WebExpressionVoter to vote, passing Object instead of FilterInvocation, a ClassCastException is thrown.

Probably either the AffirmativeBased AccessDecisionManager should first check if the voter(s) support Object.class before giving them a chance to vote, or DefaultFilterChainValidator should pass in a FilterInvocation when checking in a web environment.

Luke Taylor said:

Thanks for the report. I've changed the code to pass the FilterInvocation object, since one was already created earlier in the method.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC2 milestone Feb 5, 2016
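
The two options raised in the report, sketched as an added example (not code from the issue or from Spring Security). The types are simplified stand-ins for the voter contract; `WebInvocation`, `WebVoter` and `decideGuarded` are hypothetical names.

```java
import java.util.List;

// Simplified stand-ins written for this example; they model the voter
// contract described in the issue and are NOT Spring Security's classes.
public class VoterGuardDemo {
    static final int GRANTED = 1, ABSTAIN = 0, DENIED = -1;

    // Stand-in for the secured object a web voter expects.
    static final class WebInvocation { final String url; WebInvocation(String u) { url = u; } }

    interface Voter {
        boolean supports(Class<?> clazz);
        int vote(Object secured, List<String> attributes);
    }

    // Like the voter in the report, it casts the secured object unconditionally.
    static final class WebVoter implements Voter {
        public boolean supports(Class<?> clazz) {
            return WebInvocation.class.isAssignableFrom(clazz);
        }
        public int vote(Object secured, List<String> attributes) {
            WebInvocation inv = (WebInvocation) secured; // ClassCastException for other types
            return attributes.contains("permitAll") && inv.url.startsWith("/login") ? GRANTED : DENIED;
        }
    }

    // Option 1 from the report: skip voters that do not support the object's class.
    static int decideGuarded(List<Voter> voters, Object secured, List<String> attrs) {
        for (Voter v : voters) {
            if (!v.supports(secured.getClass())) continue; // counted as an abstention
            if (v.vote(secured, attrs) == GRANTED) return GRANTED;
        }
        return ABSTAIN;
    }

    public static void main(String[] args) {
        List<Voter> voters = List.of(new WebVoter());
        List<String> attrs = List.of("permitAll"); // constructed sample attribute
        try {
            voters.get(0).vote(new Object(), attrs); // same call shape as the failing check
        } catch (ClassCastException e) {
            System.out.println("unguarded: ClassCastException");
        }
        System.out.println("guarded, Object: " + decideGuarded(voters, new Object(), attrs));
        // Option 2 (the change that was made): pass the web invocation itself.
        System.out.println("guarded, WebInvocation: " + decideGuarded(voters, new WebInvocation("/login"), attrs));
    }
}
```

In this sketch the guard only avoids the exception: with a plain `Object` every voter abstains, so the login-page check reaches no decision, whereas passing the real invocation lets the voter evaluate the page's attributes.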
