SEC-2084: NullPointerException for intercept-url without specified method #2317

Closed
spring-issuemaster opened this issue Nov 25, 2012 · 1 comment

@spring-issuemaster
commented Nov 25, 2012

Mattias Severson (Migrated from SEC-2084) said:

There is a NullPointerException when Spring Security attempts to find which HTTP methods are allowed for a resource whose intercept-url does not have any specific method.

1. Unzip the provided project
2. Execute "mvn jetty:run"
3. Navigate to http://localhost:8080/application.wadl in a browser
4. Enter the credentials "user" / "secret"

Expected result:

A generated wadl file such as the provided application.3.0.7.wadl (see the root folder of the attached .zip file).

Actual result:

```
java.lang.NullPointerException: Name is null
at java.lang.Enum.valueOf(Enum.java:235)
at org.springframework.http.HttpMethod.valueOf(HttpMethod.java:1)
at org.springframework.security.web.util.AntPathRequestMatcher.matches(AntPathRequestMatcher.java:83)
at org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource.getAttributes(DefaultFilterInvocationSecurityMetadataSource.java:86)
at org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator.isAllowed(DefaultWebInvocationPrivilegeEvaluator.java:90)
at org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator.isAllowed(DefaultWebInvocationPrivilegeEvaluator.java:67)
at com.jayway.security.WADLGenerator.createResource(WADLGenerator.java:39)
at com.sun.jersey.server.wadl.WadlBuilder.generateResource(WadlBuilder.java:330)
at com.sun.jersey.server.wadl.WadlBuilder.generateResource(WadlBuilder.java:326)
at com.sun.jersey.server.wadl.WadlBuilder.generate(WadlBuilder.java:108)
at com.sun.jersey.server.impl.wadl.WadlApplicationContextImpl.getApplication(WadlApplicationContextImpl.java:111)
at com.sun.jersey.server.impl.wadl.WadlApplicationContextInjectionProxy.getApplication(WadlApplicationContextInjectionProxy.java:63)
at com.sun.jersey.server.impl.wadl.WadlResource.getWadl(WadlResource.java:95)
[...]
```

Note:

The above steps work in the 3.0.7 version of Spring Security. Simply:

1. Change the org.springframework.security.version in the pom.xml to 3.0.7.RELEASE
2. Update the spring security schema location in the securityContext.xml to http://www.springframework.org/schema/security/spring-security-3.0.4.xsd
3. Visit http://localhost:8080/application.wadl (log in using the credentials above)
4. The result is the application.3.0.7.wadl file in the root folder of the attached zip file

The NPE may (or may not) be another manifestation of the issue that was reported in https://jira.springsource.org/browse/SEC-1836 ?

@spring-issuemaster

commented Dec 3, 2012

Rob Winch said:

Thank you for the bug submission. The issue was related to updates that occurred in 3.1 in how the DefaultFilterInvocationSecurityMetadataSource resolved the ConfigAttributes and the fact that WADLGenerator uses DefaultWebInvocationPrivilegeEvaluator.isAllowed(String,Authentication) directly.

A fix has been pushed to master and to the 3.1.x branch.
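
The failure mode in the trace above, as an added example that is neither Spring Security's code nor its fix: a self-contained Java 16+ sketch in which `Method`, `PathRule`, `RULES` and `lookup` are hypothetical stand-ins. It shows a rule lookup that receives no request method (as happens when only a URI and an `Authentication` are supplied) reaching `Enum.valueOf` with a null name, next to one null-safe form of the same check.

```java
import java.util.List;

public class NullMethodMatchDemo {
    // Hypothetical stand-in for an HTTP method enum (not Spring's HttpMethod).
    enum Method { GET, POST, PUT, DELETE }

    // Hypothetical stand-in for one intercept-url rule:
    // a path prefix, an optional method (null = any method), and a required attribute.
    record PathRule(String prefix, Method method, String attribute) {

        // Unsafe form: converts the request method without checking it for null.
        // With requestMethod == null, Method.valueOf throws NPE "Name is null".
        boolean matchesUnsafe(String path, String requestMethod) {
            if (method != null && method != Method.valueOf(requestMethod)) {
                return false;
            }
            return path.startsWith(prefix);
        }

        // Null-safe form: a query that carries no method is compared on path only.
        // That policy is an assumption of this sketch, not the project's documented fix.
        boolean matchesSafe(String path, String requestMethod) {
            if (method != null && requestMethod != null
                    && method != Method.valueOf(requestMethod)) {
                return false;
            }
            return path.startsWith(prefix);
        }
    }

    // Constructed sample rules, evaluated in order; the first match wins.
    static final List<PathRule> RULES = List.of(
            new PathRule("/admin", Method.POST, "ROLE_ADMIN"),
            new PathRule("/", null, "ROLE_USER"));

    static String lookup(String path, String requestMethod, boolean safe) {
        for (PathRule r : RULES) {
            boolean hit = safe ? r.matchesSafe(path, requestMethod)
                               : r.matchesUnsafe(path, requestMethod);
            if (hit) return r.attribute();
        }
        return null; // no rule applies to this path
    }

    public static void main(String[] args) {
        System.out.println("safe lookup: " + lookup("/admin/users", null, true));
        try {
            lookup("/admin/users", null, false);
        } catch (NullPointerException e) {
            System.out.println("unsafe lookup threw: " + e.getMessage());
        }
    }
}
```

Which rule a method-less query should resolve to is a policy decision for an access-control lookup; the sketch only shows that the decision has to be made explicitly before the enum conversion.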
