SEC-1836: NPE when authorizing using JspAuthorizeTag #2066

Closed
spring-issuemaster opened this Issue Oct 7, 2011 · 2 comments

1 participant

@spring-issuemaster

John Cook (Migrated from SEC-1836) said:

When using the Spring Security setup enclosed in the attachment, since I started to use the attribute 'method' in intercept-url tags, I run into trouble when using the JSP tag WITH the url attribute filled but WITHOUT the method attribute filled (like ).
In that case, URL patterns with an HTTP method set (as shown in my applicationContext-security.xml attachment) are compared against a DummyRequest without the HTTP method filled (created for the tag), which causes an NPE.

Sorry, I'm under time pressure now so I can't explain it more deeply, but I believe this stacktrace fragment (which comes from the authorization for the tag) explains it all:

Caused by: java.lang.NullPointerException: Name is null
at java.lang.Enum.valueOf(Enum.java:195)
at org.springframework.http.HttpMethod.valueOf(HttpMethod.java:1)
at org.springframework.security.web.util.AntPathRequestMatcher.matches(AntPathRequestMatcher.java:83)
at org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource.getAttributes(DefaultFilterInvocationSecurityMetadataSource.java:86)
at org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator.isAllowed(DefaultWebInvocationPrivilegeEvaluator.java:90)
at org.springframework.security.taglibs.authz.AbstractAuthorizeTag.authorizeUsingUrlCheck(AbstractAuthorizeTag.java:207)
at org.springframework.security.taglibs.authz.AbstractAuthorizeTag.authorize(AbstractAuthorizeTag.java:107)
at org.springframework.security.taglibs.authz.JspAuthorizeTag.doStartTag(JspAuthorizeTag.java:54)
at freemarker.ext.jsp.TagTransformModel$TagWriter.onStart(TagTransformModel.java:360)
at freemarker.core.Environment.visit(Environment.java:296)
at freemarker.core.UnifiedCall.accept(UnifiedCall.java:130)
at freemarker.core.Environment.visit(Environment.java:210)
at freemarker.core.MixedContent.accept(MixedContent.java:92)
at freemarker.core.Environment.visit(Environment.java:210)
at freemarker.core.Environment.process(Environment.java:190)
at freemarker.template.Template.process(Template.java:237)
at freemarker.ext.servlet.FreemarkerServlet.process(FreemarkerServlet.java:452)
at freemarker.ext.servlet.FreemarkerServlet.doGet(FreemarkerServlet.java:391)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:593)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:530)
at org.apache.tiles.servlet.context.ServletTilesRequestContext.include(ServletTilesRequestContext.java:260)
at org.apache.tiles.context.TilesRequestContextWrapper.include(TilesRequestContextWrapper.java:97)
at org.apache.tiles.freemarker.context.FreeMarkerTilesRequestContext.dispatch(FreeMarkerTilesRequestContext.java:66)
at org.apache.tiles.renderer.impl.TemplateAttributeRenderer.write(TemplateAttributeRenderer.java:44)
at org.apache.tiles.renderer.impl.AbstractBaseAttributeRenderer.render(AbstractBaseAttributeRenderer.java:106)
at org.apache.tiles.renderer.impl.ChainedDelegateAttributeRenderer.write(ChainedDelegateAttributeRenderer.java:76)
at org.apache.tiles.renderer.impl.AbstractBaseAttributeRenderer.render(AbstractBaseAttributeRenderer.java:106)
at org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:670)
at org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:336)
at org.apache.tiles.template.InsertAttributeModel.renderAttribute(InsertAttributeModel.java:210)
at org.apache.tiles.template.InsertAttributeModel.end(InsertAttributeModel.java:126)
at org.apache.tiles.freemarker.template.InsertAttributeFMModel.execute(InsertAttributeFMModel.java:89)

@spring-issuemaster

John Cook said:

Note: the current workaround is simply to also set the method attribute of the authorize tag.

BTW, one more comment on the authorize tag - in my opinion, it should not output the enclosing SECURED_UI_PREFIX/SECURED_UI_SUFFIX in case the var attribute is set.

@spring-issuemaster

Luke Taylor said:

I've modified the Authorize tag to default to using GET as the default HTTP method. This means a URL will be matched by a RequestMatcher that is not method-specific or by one that is configured to use GET. If another method-specific match is required then the method must be set in the tag.
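
As an added illustration (not Spring Security's own code; `DummyRequest`, `AntPathRequestMatcher` and `requestForTag` here are simplified stand-ins), the following compact matcher reproduces the null-method failure from the stack trace and the GET default described in the comment above:

```java
import java.util.regex.Pattern;

public class AuthorizeTagMatchExample {
    enum HttpMethod { GET, POST }
    // Stand-in for the request the tag builds from its url/method attributes.
    static final class DummyRequest {
        final String path;
        final String method; // null when the tag's "method" attribute is not set
        DummyRequest(String path, String method) { this.path = path; this.method = method; }
    }
    // Simplified intercept-url rule: an ant pattern plus an optional HTTP method.
    static final class AntPathRequestMatcher {
        private final Pattern pattern;
        private final HttpMethod method; // null means "any method"
        AntPathRequestMatcher(String antPattern, HttpMethod method) {
            // Minimal ant translation ("**" spans segments, "*" stays within one);
            // other regex metacharacters in the pattern are not escaped here.
            String regex = antPattern.replace("**", "\u0000").replace("*", "[^/]*").replace("\u0000", ".*");
            this.pattern = Pattern.compile("^" + regex + "$");
            this.method = method;
        }

        boolean matches(DummyRequest req) {
            // Reproduces the report: Enum.valueOf(null) throws
            // NullPointerException("Name is null") when the request has no method.
            if (method != null && method != HttpMethod.valueOf(req.method)) return false;
            return pattern.matcher(req.path).matches();
        }
    }

    // The fix described in the comment above: the tag substitutes GET when no
    // method attribute was given, so a method-specific matcher never sees null.
    static DummyRequest requestForTag(String url, String methodAttr) {
        return new DummyRequest(url, methodAttr != null ? methodAttr : "GET");
    }

    public static void main(String[] args) {
        AntPathRequestMatcher postOnly = new AntPathRequestMatcher("/admin/**", HttpMethod.POST);
        AntPathRequestMatcher anyMethod = new AntPathRequestMatcher("/admin/**", null);
        try {
            postOnly.matches(new DummyRequest("/admin/users", null)); // before the fix
        } catch (NullPointerException e) {
            System.out.println("before fix: " + e.getMessage()); // Name is null
        }
        DummyRequest defaulted = requestForTag("/admin/users", null);
        System.out.println(postOnly.matches(defaulted));  // false: POST-only rule is skipped for GET
        System.out.println(anyMethod.matches(defaulted)); // true: method-agnostic rule applies
    }
}
```

The second output line shows the caveat for anyone relying on the tag to reflect method-specific rules: a POST-only intercept-url entry is no longer consulted by a tag that sets only url, so such checks need the method attribute set explicitly.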

@spring-issuemaster spring-issuemaster added this to the 3.1.0 milestone Feb 5, 2016