SEC-1878: DefaultFilterChainValidator throws UnsupportedOperationException #2106

Closed
spring-issuemaster opened this Issue Dec 21, 2011 · 1 comment

2 participants

@spring-issuemaster

Jake Landis (Migrated from SEC-1878) said:

If the expression used in the access attribute of the intercept-url element references a request element not supported by the new [1] org.springframework.security.web.FilterInvocation$DummyRequest class AND a custom-filter is defined, then the filterChainProxy bean will fail to be created [2]. This is a regression from 3.0.6.RELEASE.

For example:


will fail with the stack trace below[2].

There is an easy (hacky) workaround...just check the for request.contextPath = '/cp' (assuming you don't really have a /cp path!)...this works because contextPath is supported by the DummyRequest.

I have attached simple maven project that will exercise this bug. To reproduce, download, unzip the intercpet-url-access-bug.zip attachment, and run mvn jetty:run.

[1] https://fisheye.springsource.org/browse/spring-security/web/src/main/java/org/springframework/security/web/FilterInvocation.java?r2=93438defffe5c339026469afa09dad60b2928a4f&r1=052537c8b04182595e92abd1e1949b0ff7e731b4

[2]
SEVERE: Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChainProxy': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Failed to evaluate expression 'request.parameterMap['test'] == null ? permitAll : permitAll'
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1455)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:585)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:913)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:464)
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:282)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:204)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4206)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4705)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1057)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:840)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1057)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
at org.apache.catalina.core.StandardService.start(StandardService.java:525)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:592)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: java.lang.IllegalArgumentException: Failed to evaluate expression 'request.parameterMap['test'] == null ? permitAll : permitAll'
at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:13)
at org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:34)
at org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:18)
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:62)
at org.springframework.security.config.http.DefaultFilterChainValidator.checkLoginPageIsntProtected(DefaultFilterChainValidator.java:170)
at org.springframework.security.config.http.DefaultFilterChainValidator.validate(DefaultFilterChainValidator.java:35)
at org.springframework.security.web.FilterChainProxy.afterPropertiesSet(FilterChainProxy.java:148)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1514)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1452)
... 27 more
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1021E:(pos 8): A problem occurred whilst attempting to access the property 'parameterMap': 'Unable to access property 'parameterMap' through getter'
at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:201)
at org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:72)
at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:57)
at org.springframework.expression.spel.ast.OpEQ.getValueInternal(OpEQ.java:37)
at org.springframework.expression.spel.ast.OpEQ.getValueInternal(OpEQ.java:1)
at org.springframework.expression.spel.ast.SpelNodeImpl.getValue(SpelNodeImpl.java:135)
at org.springframework.expression.spel.ast.Ternary.getValueInternal(Ternary.java:47)
at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:102)
at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:97)
at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:11)
... 35 more
Caused by: org.springframework.expression.AccessException: Unable to access property 'parameterMap' through getter
at org.springframework.expression.spel.support.ReflectivePropertyAccessor$OptimalPropertyAccessor.read(ReflectivePropertyAccessor.java:499)
at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:196)
... 44 more
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:592)
at org.springframework.expression.spel.support.ReflectivePropertyAccessor$OptimalPropertyAccessor.read(ReflectivePropertyAccessor.java:495)
... 45 more
Caused by: java.lang.UnsupportedOperationException
at org.springframework.security.web.DummyRequest.getParameterMap(FilterInvocation.java:334)
... 50 more

@spring-issuemaster

Rob Winch said:

Thanks for the bug submission. This issue is now fixed in master.

@spring-issuemaster spring-issuemaster added this to the 3.1.1 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment