SEC-2084: NullPointerException for intercept-url without specified method

[spring-projects-issues]

Mattias Severson (Migrated from SEC-2084) said:

There is a NullPointerException when Spring Security attempts to find which Http methods that are allowed for a resource whose intercept-url does not have any specific method.

Unzip the provided project

Execute "mvn jetty:run"

Navigate to http://localhost:8080/application.wadl in a browser

Enter the credentials "user" / "secret"

Expected result:

A generated wadl file such as the provided application.3.0.7.wadl (see the root folder of the attached .zip file).

Actual result:

java.lang.NullPointerException: Name is null
at java.lang.Enum.valueOf(Enum.java:235)
at org.springframework.http.HttpMethod.valueOf(HttpMethod.java:1)
at org.springframework.security.web.util.AntPathRequestMatcher.matches(AntPathRequestMatcher.java:83)
at org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource.getAttributes(DefaultFilterInvocationSecurityMetadataSource.java:86)
at org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator.isAllowed(DefaultWebInvocationPrivilegeEvaluator.java:90)
at org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator.isAllowed(DefaultWebInvocationPrivilegeEvaluator.java:67)
at com.jayway.security.WADLGenerator.createResource(WADLGenerator.java:39)
at com.sun.jersey.server.wadl.WadlBuilder.generateResource(WadlBuilder.java:330)
at com.sun.jersey.server.wadl.WadlBuilder.generateResource(WadlBuilder.java:326)
at com.sun.jersey.server.wadl.WadlBuilder.generate(WadlBuilder.java:108)
at com.sun.jersey.server.impl.wadl.WadlApplicationContextImpl.getApplication(WadlApplicationContextImpl.java:111)
at com.sun.jersey.server.impl.wadl.WadlApplicationContextInjectionProxy.getApplication(WadlApplicationContextInjectionProxy.java:63)
at com.sun.jersey.server.impl.wadl.WadlResource.getWadl(WadlResource.java:95)
[...]

Note:

The above steps work in the 3.0.7 version of Spring Security. Simply

Change the org.springframework.security.version in the pom.xml to 3.0.7.RELEASE

Update the spring security schema location in the securityContext.xml to http://www.springframework.org/schema/security/spring-security-3.0.4.xsd

Visit http://localhost:8080/application.wadl (log in using the credentials above)

The result is the application.3.0.7.wadl file in the root folder of the attached zip file

The NPE may (or may not) be another manifestation of the issue that was reported in https://jira.springsource.org/browse/SEC-1836 ?

[spring-projects-issues]

Rob Winch said:

Thank you for the bug submission. The issue was related to updates that occurred in 3.1 in how the DefaultFilterInvocationSecurityMetadataSource resolved the ConfigAttributes and the fact that WADLGenerator uses DefaultWebInvocationPrivilegeEvaluator.isAllowed(String,Authentication) directly.

A fix has been pushed to master and to the 3.1.x branch.