ClassCastException: org.springframework.security.web.firewall.RequestW rapper

Hello

I'm using:
Spring Security 3.1.0
Oracle Containers for J2EE 10g (10.1.3.5.0)
Extjs 4.0
Spring MVC 3.0

When I invoke my jsp the server dispatch all ok, debug log doesn't show errors and the filters are appliying in a good way but I get an error in the application.log every time when I invoke the jsp. I read about HttpFireWall strategy and I've changed all my relative paths to absolute path, however I get the same error.

I'm sending all configuration files.

Code:

---


application.log

12/08/16 12:25:31.537 webSCG: Servlet error
java.lang.ClassCastException: org.springframework.security.web.firewall.RequestWrapper
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.NotFoundServlet.sendNotFound(NotFoundServlet.java:26)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.NotFoundServlet.service(NotFoundServlet.java:18)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:167)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:644)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:391)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.handleNotFound(HttpRequestHandler.java:1087)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:948)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:458)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:226)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.run(HttpRequestHandler.java:127)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.run(HttpRequestHandler.java:116)
        at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
        at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
        at java.lang.Thread.run(Thread.java:595)

---

web.xml

Code:

---

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <display-name>Sistema de Contabilidad Gubernamental</display-name>

    <!--|
        | Parametros de Configuracion de Log4J
        |-->

    <context-param>
            <param-name>log4j.appender.logfile.File</param-name>
            <param-value>logs/scg.log</param-value>
    </context-param>
   
    <context-param>
            <param-name>log4j.level</param-name>
            <param-value>ERROR</param-value>
    </context-param>
 
    <context-param>
            <param-name>log4j-init-file</param-name>
            <param-value>/WEB-INF/log4j.properties</param-value>
    </context-param>

    <!--|
        | Fitlro que aplica la cadena de pasos de Spring Security
        |-->   
    <filter>
                <filter-name>springSecurityFilterChain</filter-name>
                <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>

        <filter-mapping>
                <filter-name>springSecurityFilterChain</filter-name>
                <url-pattern>/*</url-pattern>
        </filter-mapping>
       
    <listener>
        <listener-class>
                gob.shcp.cgtic.scg.web.listener.Log4jInit
        </listener-class>
    </listener>

    <!--|
        | Listener que carga la configuracion de Spring
        |-->
    <listener>
        <listener-class>
            org.springframework.web.context.ContextLoaderListener
        </listener-class>
    </listener>
         
    <!--|
        | Servlet que atiende las peticiones de Spring MVC
    -->
    <servlet>
        <servlet-name>scg-dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>scg-dispatcher</servlet-name>
        <url-pattern>*.action</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>testRest</servlet-name>
        <servlet-class>gob.shcp.cgtic.scg.web.sample.TestServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>testRest</servlet-name>
        <url-pattern>/testrest</url-pattern>
    </servlet-mapping>

<welcome-file-list>
                <welcome-file>index.xhtml</welcome-file>
        </welcome-file-list>
</web-app>

---

security-config.xml

Code:

---

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:context="http://www.springframework.org/schema/context"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd" >

        <http pattern="/login.xhtml" security="none"/>
        <http pattern="/resources/**" security="none"/>
       

        <http use-expressions="true">
                <intercept-url pattern="/**" access="isAuthenticated()" />
                <form-login login-page='/login.xhtml'
                        authentication-success-handler-ref="loginSuccessHandler"
                        authentication-failure-handler-ref="loginFailureHandler" />

                <logout invalidate-session="true" logout-success-url="/login.xhtml" logout-url="/j_spring_security_logout" delete-cookies="JSESSIONID"/>
                <session-management session-fixation-protection="newSession" >
                        <concurrency-control max-sessions="1" error-if-maximum-exceeded="false"/>
                </session-management> 
        </http>
   


        <context:annotation-config/>

        <beans:bean id="userDao" class="gob.shcp.cgtic.scg.security.dao.impl.UsuarioDaoImpl"
                scope="prototype">
                <beans:property name="dataSource" ref="scgJndiDataSource"/>
        </beans:bean>
       
        <beans:bean id="cgticUserDetailsService" class="gob.shcp.cgtic.security.service.CgticUserDetailsService" />
   
        <beans:bean id="roleDao" class="gob.shcp.cgtic.scg.security.dao.impl.RolDaoImpl"
                          scope="prototype">
                                  <beans:property name="dataSource" ref="scgJndiDataSource"/>
                  </beans:bean>

 
        <beans:bean id="daoAuthenticationProvider"
                class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
                <beans:property name="userDetailsService" ref="cgticUserDetailsService" />
        </beans:bean>

        <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
                <beans:constructor-arg  value="ldap://172.22.250.51:389/"/>
                <beans:property name="userDn" value="oracle_test1@hacienda.ad.gob.mx"/>
                <beans:property name="password" value="chicoris"/>
        </beans:bean>
       
        <beans:bean id="cgticUserContextMapper" class="gob.shcp.cgtic.security.ldap.CgticUserDetailsMapper"/>

        <beans:bean id="ldapAuthProvider"
                class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
                <beans:constructor-arg>
                        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                                <beans:constructor-arg ref="contextSource"/>
                                <beans:property name="userSearch">
                                <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
                                <beans:constructor-arg index="0" value="dc=hacienda,dc=ad,dc=gob,dc=mx"/>
                                                <beans:constructor-arg index="1" value="(mailNickname={0})"/>
                                                <beans:constructor-arg index="2" ref="contextSource" />
                                        </beans:bean>
                                </beans:property>
                        </beans:bean>
                </beans:constructor-arg>
                <beans:property name="userDetailsContextMapper" ref="cgticUserContextMapper"/>
        </beans:bean>
       
        <authentication-manager>
                <authentication-provider ref="ldapAuthProvider"/>
        </authentication-manager>
       
        <beans:bean id="loginSuccessHandler" class="gob.shcp.cgtic.scg.web.auth.LoginSuccessHandler" />
        <beans:bean id="loginFailureHandler" class="gob.shcp.cgtic.scg.web.auth.LoginFailureHandler" />

</beans:beans>

---

I'm attacching debug file

Attachment 5104


Thanks in advance. i hope someone help me.

xmlns:beans=

Spring Security overrides the HttpServletRequest using a HttpServeltRequestWrapper implementation to integrate the current user with the HttpServletRequest object, ensure the URLs are normalized, ensure the current user is saved, etc. This is something allowed by the specification and is heavily utilized by other frameworks. You can find numerous other reports of the issue (i.e. using Struts, JRuby, etc). With all that said, this is a bug in the NotFoundServlet as it should not assume the implementation of the HttpServletRequest.

Thanks Rob

I found the follow answer in other forum and I'd like to share with all users.


This is a bug in the com.evermind.server.http.NotFoundServlet -
whoever wrote that is attempting to cast the ServletRequest instance
directly to a com.evermind.server.http.EvermindHttpServletReques t
instance.

The NotFoundServlet author is incorrectly assuming that the
ServletRequest instance remains the Servlet Container's implementation
for the duration of the request. However, with things like the
HttpServletRequestWrapper (part of the standard servlet API), it is
completely 'legal' (and expected) that Servlet Filters have the
ability to replace or wrap the container's ServletRequest with their
own implementation before sending it down the FilterChain

Thanks