SEC-1836: NPE when authorizing using JspAuthorizeTag #2066

Closed
spring-issuemaster opened this Issue Oct 7, 2011 · 2 comments


John Cook (Migrated from SEC-1836) said:

When using the Spring Security setup enclosed in the attachment: since I started using the 'method' attribute in intercept-url tags, I have run into trouble when using the JSP tag WITH the url attribute filled but WITHOUT the method attribute filled (like <security:authorize url="someUrl">).
In that case, URL patterns with an HTTP method set (as shown in my applicationContext-security.xml attachment) are compared against a DummyRequest without the HTTP method filled (created for the tag), which causes an NPE.

Sorry, I'm under time pressure now so I can't explain it more deeply, but I believe this stack trace fragment (which comes from the authorization for the <security:authorize url="/image-bundles/"> tag) explains it all:

Caused by: java.lang.NullPointerException: Name is null
at java.lang.Enum.valueOf(Enum.java:195)
at org.springframework.http.HttpMethod.valueOf(HttpMethod.java:1)
at org.springframework.security.web.util.AntPathRequestMatcher.matches(AntPathRequestMatcher.java:83)
at org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource.getAttributes(DefaultFilterInvocationSecurityMetadataSource.java:86)
at org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator.isAllowed(DefaultWebInvocationPrivilegeEvaluator.java:90)
at org.springframework.security.taglibs.authz.AbstractAuthorizeTag.authorizeUsingUrlCheck(AbstractAuthorizeTag.java:207)
at org.springframework.security.taglibs.authz.AbstractAuthorizeTag.authorize(AbstractAuthorizeTag.java:107)
at org.springframework.security.taglibs.authz.JspAuthorizeTag.doStartTag(JspAuthorizeTag.java:54)
at freemarker.ext.jsp.TagTransformModel$TagWriter.onStart(TagTransformModel.java:360)
at freemarker.core.Environment.visit(Environment.java:296)
at freemarker.core.UnifiedCall.accept(UnifiedCall.java:130)
at freemarker.core.Environment.visit(Environment.java:210)
at freemarker.core.MixedContent.accept(MixedContent.java:92)
at freemarker.core.Environment.visit(Environment.java:210)
at freemarker.core.Environment.process(Environment.java:190)
at freemarker.template.Template.process(Template.java:237)
at freemarker.ext.servlet.FreemarkerServlet.process(FreemarkerServlet.java:452)
at freemarker.ext.servlet.FreemarkerServlet.doGet(FreemarkerServlet.java:391)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:593)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:530)
at org.apache.tiles.servlet.context.ServletTilesRequestContext.include(ServletTilesRequestContext.java:260)
at org.apache.tiles.context.TilesRequestContextWrapper.include(TilesRequestContextWrapper.java:97)
at org.apache.tiles.freemarker.context.FreeMarkerTilesRequestContext.dispatch(FreeMarkerTilesRequestContext.java:66)
at org.apache.tiles.renderer.impl.TemplateAttributeRenderer.write(TemplateAttributeRenderer.java:44)
at org.apache.tiles.renderer.impl.AbstractBaseAttributeRenderer.render(AbstractBaseAttributeRenderer.java:106)
at org.apache.tiles.renderer.impl.ChainedDelegateAttributeRenderer.write(ChainedDelegateAttributeRenderer.java:76)
at org.apache.tiles.renderer.impl.AbstractBaseAttributeRenderer.render(AbstractBaseAttributeRenderer.java:106)
at org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:670)
at org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:336)
at org.apache.tiles.template.InsertAttributeModel.renderAttribute(InsertAttributeModel.java:210)
at org.apache.tiles.template.InsertAttributeModel.end(InsertAttributeModel.java:126)
at org.apache.tiles.freemarker.template.InsertAttributeFMModel.execute(InsertAttributeFMModel.java:89)

John Cook said:

Note: the current workaround is simply to also set the method attribute of the authorize tag.

BTW, one more comment on the authorize tag: in my opinion, it should not output the enclosing SECURED_UI_PREFIX/SECURED_UI_SUFFIX when the var attribute is set.

Luke Taylor said:

I've modified the Authorize tag to use GET as the default HTTP method. This means a URL will be matched by a RequestMatcher that is not method-specific or by one that is configured to use GET. If another method-specific match is required, then the method must be set in the tag.
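The following is an added, self-contained model of the behaviour discussed in this thread; it is not Spring Security code and not part of the original issue. The class and method names (InterceptUrl, accessFor, authorizeBeforeFix, authorizeAfterFix) are hypothetical stand-ins for AntPathRequestMatcher, the DefaultWebInvocationPrivilegeEvaluator lookup and the DummyRequest the authorize tag builds; the ant-style matching is reduced to a "/**" prefix check so the example has no dependencies. It reproduces the failure (a method-specific rule compared against a request with a null method ends in Enum.valueOf throwing "Name is null") and shows the effect of defaulting the tag's method to GET. Requires Java 16 or later for records.

```java
import java.util.List;

// Added example (not Spring Security's own code): models how a method-aware
// intercept-url rule is matched against the request the authorize tag builds.
public class AuthorizeTagMethodExample {

    // Local stand-in for org.springframework.http.HttpMethod.
    enum HttpMethod { GET, POST, PUT, DELETE }

    /** Hypothetical stand-in for an intercept-url rule / AntPathRequestMatcher. */
    record InterceptUrl(String pattern, HttpMethod method, String access) {
        boolean matches(String path, String requestMethod) {
            if (method != null) {
                // Pre-fix behaviour: the tag's DummyRequest carries a null method
                // when the tag has no method attribute, and Enum.valueOf(null)
                // throws NullPointerException("Name is null").
                if (method != HttpMethod.valueOf(requestMethod)) {
                    return false;
                }
            }
            // Simplified ant matching: "/x/**" is a prefix match, else exact.
            if (pattern.endsWith("/**")) {
                return path.startsWith(pattern.substring(0, pattern.length() - 2));
            }
            return path.equals(pattern);
        }
    }

    /** First matching rule wins, as with an ordered list of intercept-url entries. */
    static String accessFor(List<InterceptUrl> rules, String path, String requestMethod) {
        for (InterceptUrl rule : rules) {
            if (rule.matches(path, requestMethod)) {
                return rule.access();
            }
        }
        return null; // no rule matched: the URL is not secured
    }

    /** Tag behaviour before the fix: an omitted method attribute is passed through as null. */
    static String authorizeBeforeFix(List<InterceptUrl> rules, String url, String methodAttr) {
        return accessFor(rules, url, methodAttr);
    }

    /** Tag behaviour after the fix: an omitted method attribute defaults to GET. */
    static String authorizeAfterFix(List<InterceptUrl> rules, String url, String methodAttr) {
        return accessFor(rules, url, methodAttr == null ? "GET" : methodAttr);
    }

    public static void main(String[] args) {
        // Constructed rule set: method-specific rules first, catch-all last.
        List<InterceptUrl> rules = List.of(
            new InterceptUrl("/image-bundles/**", HttpMethod.GET, "permitAll"),
            new InterceptUrl("/image-bundles/**", HttpMethod.POST, "hasRole('ADMIN')"),
            new InterceptUrl("/**", null, "isAuthenticated()"));

        // <security:authorize url="/image-bundles/"> with no method, pre-fix: NPE.
        try {
            authorizeBeforeFix(rules, "/image-bundles/", null);
        } catch (NullPointerException e) {
            System.out.println("before fix: NullPointerException: " + e.getMessage());
        }

        // Same tag after the fix: matched as GET.
        System.out.println("after fix, no method:   " + authorizeAfterFix(rules, "/image-bundles/", null));
        // A method-specific check other than GET must be requested explicitly in the tag.
        System.out.println("after fix, method=POST: " + authorizeAfterFix(rules, "/image-bundles/", "POST"));
        // A rule without a method matches whatever method the tag supplies.
        System.out.println("after fix, /admin:      " + authorizeAfterFix(rules, "/admin", null));
    }
}
```

Compile and run with `javac AuthorizeTagMethodExample.java && java AuthorizeTagMethodExample`. The first call throws, the second resolves to the GET rule, the third to the POST rule, and the fourth to the method-less catch-all. The caveat for practitioners follows from the fix itself: a tag without a method attribute now reflects the GET rules only, so UI elements that trigger POST, PUT or DELETE actions must name that method in the tag, and the tag remains a rendering hint; enforcement still happens in the filter chain against the real request and its real method.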

spring-issuemaster added this to the 3.1.0 milestone Feb 5, 2016
