SEC-1699: DefaultFilterChainValidator's check if login page isn't protected is broken #1934

spring-issuemaster opened this Issue Mar 17, 2011 · 1 comment



Stevo Slavić (Migrated from SEC-1699) said:

DefaultFilterChainValidator, near the end of the checkLoginPageIsntProtected method, issues a call to

fsi.getAccessDecisionManager().decide(token, new Object(), attributes);

which throws an exception

java.lang.ClassCastException: java.lang.Object cannot be cast to

AccessDecisionManager is and when it asks to vote passing Object instead of FilterInvocation, ClassCastException is thrown.

Probably either the AffirmativeBased AccessDecisionManager should first check if voter(s) support Object.class before giving them a chance to vote, or DefaultFilterChainValidator should pass in a FilterInvocation when checking in a web environment.

Luke Taylor said:

Thanks for the report. I've changed the code to pass the FilterInvocation object, since one was already created earlier in the method.

spring-issuemaster added this to the 3.1.0.RC2 milestone Feb 5, 2016
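
A minimal model of the failure and the two remedies discussed in this thread, added here as an illustration. It is not Spring Security code: `Voter`, `WebVoter`, `decide` and this `FilterInvocation` are simplified stand-ins assumed for the example.

```java
import java.util.List;

public class VoterTypeCheckDemo {
    // Stand-in for the web request wrapper; not Spring's class.
    static final class FilterInvocation {
        final String url;
        FilterInvocation(String url) { this.url = url; }
    }

    // Stand-in voter contract with a separate type check and vote step.
    interface Voter {
        boolean supports(Class<?> clazz);
        boolean vote(Object securedObject);
    }

    // A web voter that assumes it is always handed a FilterInvocation.
    static final class WebVoter implements Voter {
        public boolean supports(Class<?> clazz) {
            return FilterInvocation.class.isAssignableFrom(clazz);
        }
        public boolean vote(Object securedObject) {
            FilterInvocation fi = (FilterInvocation) securedObject; // unchecked assumption
            return fi.url.startsWith("/login");
        }
    }

    // Remedy 1: skip voters that do not support the secured object's type.
    static boolean decide(List<Voter> voters, Object securedObject) {
        for (Voter v : voters) {
            if (!v.supports(securedObject.getClass())) continue;
            if (v.vote(securedObject)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        List<Voter> voters = List.of(new WebVoter());
        try {
            voters.get(0).vote(new Object()); // same call shape as in the report
        } catch (ClassCastException e) {
            System.out.println("unguarded: " + e.getClass().getSimpleName());
        }
        System.out.println("guarded, Object: " + decide(voters, new Object()));
        // Remedy 2: hand the voter the type it expects.
        System.out.println("guarded, FilterInvocation: "
                + decide(voters, new FilterInvocation("/login")));
    }
}
```

In this model the guarded call with a bare `Object` returns false because no voter takes part, so only the call that passes a `FilterInvocation` actually evaluates the access rule.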
