SEC-2084: NullPointerException for intercept-url without specified method #2317
There is a NullPointerException when Spring Security attempts to find which HTTP methods are allowed for a resource whose intercept-url does not have any specific method.
1. Unzip the provided project
2. Execute "mvn jetty:run"
3. Navigate to http://localhost:8080/application.wadl in a browser
4. Enter the credentials "user" / "secret"
A generated wadl file such as the provided application.3.0.7.wadl (see the root folder of the attached .zip file).
java.lang.NullPointerException: Name is null
The above steps work in the 3.0.7 version of Spring Security. Simply:
1. Change the org.springframework.security.version in the pom.xml to 3.0.7.RELEASE
2. Update the spring security schema location in the securityContext.xml to http://www.springframework.org/schema/security/spring-security-3.0.4.xsd
3. Visit http://localhost:8080/application.wadl (log in using the credentials above)
The result is the application.3.0.7.wadl file in the root folder of the attached zip file
The NPE may (or may not) be another manifestation of the issue that was reported in https://jira.springsource.org/browse/SEC-1836?
Rob Winch said:
Thank you for the bug submission. The issue was related to updates that occurred in 3.1 in how the DefaultFilterInvocationSecurityMetadataSource resolved the ConfigAttributes and the fact that WADLGenerator uses DefaultWebInvocationPrivilegeEvaluator.isAllowed(String,Authentication) directly.
A fix has been pushed to master and to the 3.1.x branch.
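
An added illustration of the failure mode discussed above, not Spring Security's code and not the fix that was pushed: a URI-only check such as isAllowed(String,Authentication) has no HTTP method to hand to the rule lookup, and in Java an enum lookup on a null name fails with exactly the message "Name is null". It assumes the reported exception comes from such a lookup; the class, the rules and the null-tolerant matching choice are hypothetical stand-ins.

```java
import java.util.List;

// Hypothetical, simplified stand-ins for illustration; not Spring Security classes.
public class NullMethodLookupDemo {

    enum HttpMethod { GET, POST, PUT, DELETE }

    // One access rule: path prefix, optional method (null = any method), required role.
    record Rule(String pathPrefix, HttpMethod method, String role) {}

    // Constructed sample rules: one method-specific, one without a method.
    static final List<Rule> RULES = List.of(
            new Rule("/admin", HttpMethod.POST, "ROLE_ADMIN"),
            new Rule("/", null, "ROLE_USER"));

    // Before: assumes every lookup carries a method name.
    static String requiredRoleUnsafe(String uri, String method) {
        for (Rule r : RULES) {
            // HttpMethod.valueOf(null) throws NullPointerException("Name is null")
            if (r.method() != null && r.method() != HttpMethod.valueOf(method)) continue;
            if (uri.startsWith(r.pathPrefix())) return r.role();
        }
        return null;
    }

    // After: a missing method means "unknown"; method-specific rules are then
    // matched on path alone instead of being resolved through valueOf(null).
    static String requiredRoleSafe(String uri, String method) {
        for (Rule r : RULES) {
            if (r.method() != null && method != null
                    && r.method() != HttpMethod.valueOf(method)) continue;
            if (uri.startsWith(r.pathPrefix())) return r.role();
        }
        return null;
    }

    public static void main(String[] args) {
        String uri = "/application.wadl";   // URI from the report; no method supplied
        try {
            requiredRoleUnsafe(uri, null);
        } catch (NullPointerException e) {
            System.out.println("unsafe lookup: " + e);
        }
        System.out.println("safe lookup:   " + requiredRoleSafe(uri, null));
    }
}
```

Note that the unsafe variant fails even though the rule that finally covers the URI has no method: the method-specific rule ahead of it is evaluated first. Matching method-specific rules on path alone when the method is unknown keeps a method-less query subject to those rules rather than letting it bypass them.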