Thread: ClassCastException: org.springframework.security.web.firewall.RequestWrapper

  1. #1

    ClassCastException: org.springframework.security.web.firewall.RequestWrapper

    Hello

    I'm using:
    Spring Security 3.1.0
    Oracle Containers for J2EE 10g (10.1.3.5.0)
    Extjs 4.0
    Spring MVC 3.0

    When I invoke my JSP, the server dispatches everything OK, the debug log doesn't show errors and the filters are being applied correctly, but I get an error in application.log every time I invoke the JSP. I read about the HttpFirewall strategy and I've changed all my relative paths to absolute paths; however, I get the same error.

    I'm sending all configuration files.

    Code:
    application.log
    
    12/08/16 12:25:31.537 webSCG: Servlet error
    java.lang.ClassCastException: org.springframework.security.web.firewall.RequestWrapper
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.NotFoundServlet.sendNotFound(NotFoundServlet.java:26)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.NotFoundServlet.service(NotFoundServlet.java:18)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
    	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:167)
    	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:644)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:391)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.handleNotFound(HttpRequestHandler.java:1087)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:948)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:458)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:226)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.run(HttpRequestHandler.java:127)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.run(HttpRequestHandler.java:116)
    	at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    	at java.lang.Thread.run(Thread.java:595)
    web.xml
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    
        <display-name>Sistema de Contabilidad Gubernamental</display-name>
    
        <!--|
            | Log4J configuration parameters
            |-->
    
        <context-param>
                <param-name>log4j.appender.logfile.File</param-name>
                <param-value>logs/scg.log</param-value>
        </context-param>
        
        <context-param>
                <param-name>log4j.level</param-name>
                <param-value>ERROR</param-value>
        </context-param>
      
        <context-param>
                <param-name>log4j-init-file</param-name>
                <param-value>/WEB-INF/log4j.properties</param-value>
        </context-param>
    
        <!--|
            | Filter that applies the Spring Security filter chain
            |-->     
        <filter>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    	</filter>
    
    	<filter-mapping>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    	
        <listener>
            <listener-class>
            	gob.shcp.cgtic.scg.web.listener.Log4jInit
            </listener-class>
        </listener>
    
        <!--|
            | Listener that loads the Spring configuration
            |-->
        <listener>
            <listener-class>
                org.springframework.web.context.ContextLoaderListener
            </listener-class>
        </listener>
              
        <!--|
            | Servlet that handles Spring MVC requests
         -->
        <servlet>
            <servlet-name>scg-dispatcher</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
            <servlet-name>scg-dispatcher</servlet-name>
            <url-pattern>*.action</url-pattern>
        </servlet-mapping>
    
        <servlet>
            <servlet-name>testRest</servlet-name>
            <servlet-class>gob.shcp.cgtic.scg.web.sample.TestServlet</servlet-class>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
            <servlet-name>testRest</servlet-name>
            <url-pattern>/testrest</url-pattern>
        </servlet-mapping>
    
    <welcome-file-list>
    		<welcome-file>index.xhtml</welcome-file>
    	</welcome-file-list>
    </web-app>
    security-config.xml
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans"
    	xmlns:context="http://www.springframework.org/schema/context"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans 
    	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    	http://www.springframework.org/schema/context
    	http://www.springframework.org/schema/context/spring-context-3.0.xsd
    	http://www.springframework.org/schema/security 
    	http://www.springframework.org/schema/security/spring-security-3.1.xsd" >
    
    	<http pattern="/login.xhtml" security="none"/>
    	<http pattern="/resources/**" security="none"/>
    	
    
    	<http use-expressions="true">
    		<intercept-url pattern="/**" access="isAuthenticated()" />
    		<form-login login-page='/login.xhtml' 
    			authentication-success-handler-ref="loginSuccessHandler"
    			authentication-failure-handler-ref="loginFailureHandler" />
    
    		<logout invalidate-session="true" logout-success-url="/login.xhtml" logout-url="/j_spring_security_logout" delete-cookies="JSESSIONID"/>
    		<session-management session-fixation-protection="newSession" >
    			<concurrency-control max-sessions="1" error-if-maximum-exceeded="false"/>
    		</session-management>  
    	</http>
        
    
    
    	<context:annotation-config/>
    
    	<beans:bean id="userDao" class="gob.shcp.cgtic.scg.security.dao.impl.UsuarioDaoImpl"
    		scope="prototype">
    		<beans:property name="dataSource" ref="scgJndiDataSource"/>
    	</beans:bean> 
    	
    	<beans:bean id="cgticUserDetailsService" class="gob.shcp.cgtic.security.service.CgticUserDetailsService" />
        
    	<beans:bean id="roleDao" class="gob.shcp.cgtic.scg.security.dao.impl.RolDaoImpl"
    			  scope="prototype">
    				  <beans:property name="dataSource" ref="scgJndiDataSource"/>
    		   </beans:bean>
    
      
    	<beans:bean id="daoAuthenticationProvider"
    		class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    		<beans:property name="userDetailsService" ref="cgticUserDetailsService" />
    	</beans:bean>
    
    	<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    		<beans:constructor-arg  value="ldap://172.22.250.51:389/"/>
    		<beans:property name="userDn" value="oracle_test1@hacienda.ad.gob.mx"/>
    		<beans:property name="password" value="chicoris"/>
    	</beans:bean>
    	
    	<beans:bean id="cgticUserContextMapper" class="gob.shcp.cgtic.security.ldap.CgticUserDetailsMapper"/>
    
    	<beans:bean id="ldapAuthProvider"
    		class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    		<beans:constructor-arg>
    			<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
    				<beans:constructor-arg ref="contextSource"/>
    				<beans:property name="userSearch">
    				<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    				<beans:constructor-arg index="0" value="dc=hacienda,dc=ad,dc=gob,dc=mx"/>
    						<beans:constructor-arg index="1" value="(mailNickname={0})"/>
    						<beans:constructor-arg index="2" ref="contextSource" />
    					</beans:bean>
    				</beans:property>
    			</beans:bean>
    		</beans:constructor-arg>
    		<beans:property name="userDetailsContextMapper" ref="cgticUserContextMapper"/>
    	</beans:bean>
    	
    	<authentication-manager>
    		<authentication-provider ref="ldapAuthProvider"/>
    	</authentication-manager>
    	
    	<beans:bean id="loginSuccessHandler" class="gob.shcp.cgtic.scg.web.auth.LoginSuccessHandler" />
    	<beans:bean id="loginFailureHandler" class="gob.shcp.cgtic.scg.web.auth.LoginFailureHandler" />
    
    </beans:beans>
    I'm attaching the debug file

    debug.zip


    Thanks in advance. I hope someone can help me.

  2. #2

    Spring Security overrides the HttpServletRequest using an HttpServletRequestWrapper implementation to integrate the current user with the HttpServletRequest object, ensure the URLs are normalized, ensure the current user is saved, etc. This is something allowed by the specification and is heavily utilized by other frameworks. You can find numerous other reports of the issue (i.e. using Struts, JRuby, etc). With all that said, this is a bug in the NotFoundServlet as it should not assume the implementation of the HttpServletRequest.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal

  3. #3

    Thanks Rob

    I found the following answer in another forum and I'd like to share it with all users.


    This is a bug in the com.evermind.server.http.NotFoundServlet -
    whoever wrote that is attempting to cast the ServletRequest instance
    directly to a com.evermind.server.http.EvermindHttpServletRequest
    instance.

    The NotFoundServlet author is incorrectly assuming that the
    ServletRequest instance remains the Servlet Container's implementation
    for the duration of the request. However, with things like the
    HttpServletRequestWrapper (part of the standard servlet API), it is
    completely 'legal' (and expected) that Servlet Filters have the
    ability to replace or wrap the container's ServletRequest with their
    own implementation before sending it down the FilterChain.


    Thanks
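
Added example, not part of the original thread and not Oracle's or Spring Security's code: the failure mode described in posts #2 and #3, reduced to a direct cast that breaks once a filter wraps the request, next to a lookup that follows ServletRequestWrapper.getRequest() instead. ContainerRequest, FilterWrapper, directCast and unwrap are hypothetical names standing in for the container's private request type and the security filter's wrapper; it assumes the javax.servlet API is on the classpath and Java 8 or later.

```java
import java.lang.reflect.Proxy;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestWrapper;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class UnwrapDemo {
    /** Hypothetical stand-in for a container-private type such as EvermindHttpServletRequest. */
    interface ContainerRequest extends HttpServletRequest {}

    /** Hypothetical stand-in for the wrapper a security filter sends down the chain. */
    static class FilterWrapper extends HttpServletRequestWrapper {
        FilterWrapper(HttpServletRequest request) { super(request); }
    }

    /** The failing pattern: assumes no filter replaced or wrapped the request. */
    static ContainerRequest directCast(ServletRequest request) {
        return (ContainerRequest) request; // ClassCastException for a wrapped request
    }

    /** Wrapper-tolerant lookup: follow getRequest() until the container type appears. */
    static ContainerRequest unwrap(ServletRequest request) {
        ServletRequest current = request;
        while (current != null) {
            if (current instanceof ContainerRequest) return (ContainerRequest) current;
            if (!(current instanceof ServletRequestWrapper)) {
                return null; // foreign implementation: only the standard API is safe to use
            }
            current = ((ServletRequestWrapper) current).getRequest();
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed input: a do-nothing proxy plays the container's request object.
        ContainerRequest raw = (ContainerRequest) Proxy.newProxyInstance(
                ContainerRequest.class.getClassLoader(),
                new Class<?>[] {ContainerRequest.class},
                (proxy, method, methodArgs) -> null);
        HttpServletRequest wrapped = new FilterWrapper(new FilterWrapper(raw));
        try {
            directCast(wrapped);
        } catch (ClassCastException e) {
            System.out.println("direct cast failed: " + e.getMessage());
        }
        System.out.println("unwrap recovered container request: " + (unwrap(wrapped) == raw));
    }
}
```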
