SEC-1836: NPE when authorizing using JspAuthorizeTag #2066

spring-issuemaster opened this Issue Oct 7, 2011 · 2 comments



John Cook (Migrated from SEC-1836) said:

When using the Spring Security setup enclosed in the attachment, since I started to use the 'method' attribute in intercept-url tags, I run into trouble when using the JSP tag WITH the url attribute filled but WITHOUT the method attribute filled (like <security:authorize url="someUrl">).
In that case, URL patterns with an HTTP method set (as shown in my applicationContext-security.xml attachment) are compared against a DummyRequest without an HTTP method filled (created for the tag), which causes an NPE.

Sorry, I'm under time pressure now so I can't explain it more deeply, but I believe this stack trace fragment (which comes from authorization for the <security:authorize url="/image-bundles/"> tag) explains it all:

Caused by: java.lang.NullPointerException: Name is null
at java.lang.Enum.valueOf(
at org.springframework.http.HttpMethod.valueOf(
at freemarker.ext.jsp.TagTransformModel$TagWriter.onStart(
at freemarker.core.Environment.visit(
at freemarker.core.UnifiedCall.accept(
at freemarker.core.Environment.visit(
at freemarker.core.MixedContent.accept(
at freemarker.core.Environment.visit(
at freemarker.core.Environment.process(
at freemarker.template.Template.process(
at freemarker.ext.servlet.FreemarkerServlet.process(
at freemarker.ext.servlet.FreemarkerServlet.doGet(
at javax.servlet.http.HttpServlet.service(
at javax.servlet.http.HttpServlet.service(
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
at org.apache.catalina.core.ApplicationFilterChain.doFilter(
at org.apache.catalina.core.ApplicationDispatcher.invoke(
at org.apache.catalina.core.ApplicationDispatcher.doInclude(
at org.apache.catalina.core.ApplicationDispatcher.include(
at org.apache.tiles.servlet.context.ServletTilesRequestContext.include(
at org.apache.tiles.context.TilesRequestContextWrapper.include(
at org.apache.tiles.freemarker.context.FreeMarkerTilesRequestContext.dispatch(
at org.apache.tiles.renderer.impl.TemplateAttributeRenderer.write(
at org.apache.tiles.renderer.impl.AbstractBaseAttributeRenderer.render(
at org.apache.tiles.renderer.impl.ChainedDelegateAttributeRenderer.write(
at org.apache.tiles.renderer.impl.AbstractBaseAttributeRenderer.render(
at org.apache.tiles.impl.BasicTilesContainer.render(
at org.apache.tiles.impl.BasicTilesContainer.render(
at org.apache.tiles.template.InsertAttributeModel.renderAttribute(
at org.apache.tiles.template.InsertAttributeModel.end(
at org.apache.tiles.freemarker.template.InsertAttributeFMModel.execute(

John Cook said:

Note: the current workaround is simply to also set the method attribute of the authorize tag.

BTW, one more comment on the authorize tag: in my opinion, it should not output the enclosing SECURED_UI_PREFIX/SECURED_UI_SUFFIX when the var attribute is set.

Luke Taylor said:

I've modified the Authorize tag to default to using GET as the default HTTP method. This means a URL will be matched by a RequestMatcher that is not method-specific or by one that is configured to use GET. If another method-specific match is required then the method must be set in the tag.

spring-issuemaster added this to the 3.1.0 milestone Feb 5, 2016
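
The failure and the fix discussed in this thread, as an added example that is not Spring Security's own code: `Method`, `Rule`, the rule set and the role names are constructed stand-ins (Java 16+ for `record`). It shows the null method reaching `Enum.valueOf`, and which rule a tag resolves to once a missing method is treated as GET.

```java
import java.util.List;

public class AuthorizeTagMethodDemo {
    // Stand-in for the HTTP method enum; Enum.valueOf(null) throws NPE "Name is null".
    enum Method { GET, POST }

    // Constructed rule: URL prefix, optional method (null = any method), required role.
    record Rule(String prefix, String method, String role) {
        boolean matches(String url, String requestMethod) {
            // A method-specific rule parses the request's method; a null method fails here.
            if (method != null && Method.valueOf(requestMethod) != Method.valueOf(method)) {
                return false;
            }
            return url.startsWith(prefix);
        }
    }

    // Constructed rule set mirroring intercept-url entries that use a 'method' attribute.
    static final List<Rule> RULES = List.of(
            new Rule("/image-bundles/", "POST", "ROLE_ADMIN"),
            new Rule("/image-bundles/", "GET", "ROLE_USER"),
            new Rule("/", null, "ROLE_ANONYMOUS"));

    // First matching rule wins; no match means deny.
    static String requiredRole(String url, String requestMethod) {
        for (Rule r : RULES) {
            if (r.matches(url, requestMethod)) return r.role();
        }
        return "DENY";
    }

    // Behaviour after the fix as described: a tag without 'method' is evaluated as GET.
    static String tagRequiredRole(String url, String tagMethod) {
        return requiredRole(url, tagMethod == null ? "GET" : tagMethod);
    }

    public static void main(String[] args) {
        try {
            requiredRole("/image-bundles/", null); // tag without 'method', before the fix
        } catch (NullPointerException e) {
            System.out.println("before fix: NPE: " + e.getMessage());
        }
        System.out.println("no method -> " + tagRequiredRole("/image-bundles/", null));
        System.out.println("POST      -> " + tagRequiredRole("/image-bundles/", "POST"));
    }
}
```

A tag that guards a control issuing a non-GET request should set `method` explicitly, so the rendered UI reflects the same rule the filter chain enforces for that request.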
