SEC-1886: UnsupportedOperationException is thrown by DefaultFilterChainValidator if voter invokes an unsupported method #2114

Closed
spring-issuemaster opened this Issue Jan 5, 2012 · 3 comments

2 participants

@spring-issuemaster

Kyle Cronin (Migrated from SEC-1886) said:

The DefaultFilterChainValidator prevents the application context from starting up if a custom AccessDecisionVoter attempts to access an unsupported method of the DummyRequest, for example the #getRemoteAddr(). There is no way to turn off this validation when using config.

Caused by: java.lang.UnsupportedOperationException
    at org.springframework.security.web.DummyRequest.getRemoteAddr(FilterInvocation.java:358)
    at com.foo.security.vote.IPRestrictionAccessVoter.vote(IPRestrictionAccessVoter.java:80)
    at com.foo.security.vote.IPRestrictionAccessVoter.vote(IPRestrictionAccessVoter.java:37)
    at org.springframework.security.access.vote.UnanimousBased.decide(UnanimousBased.java:77)
    at org.springframework.security.config.http.DefaultFilterChainValidator.checkLoginPageIsntProtected(DefaultFilterChainValidator.java:170)
    at org.springframework.security.config.http.DefaultFilterChainValidator.validate(DefaultFilterChainValidator.java:35)
    at org.springframework.security.web.FilterChainProxy.afterPropertiesSet(FilterChainProxy.java:148)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1514)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1452)
    ... 155 more
@spring-issuemaster

Luke Taylor said:

We should trap unexpected exceptions in this code and skip the login page check if one is thrown, as it shouldn't cause an app failure.

@spring-issuemaster

Rob Winch said:

This is a duplicate of SEC-1878

@spring-issuemaster spring-issuemaster added this to the 3.1.1 milestone Feb 5, 2016
@spring-issuemaster

This issue duplicates #2106

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment