
Thread: NPE in RoleVoter line 105

  1. #1

    Hi,

    After trying to add Security to Spring Webflow I'm facing a NullPointerException in

    org.springframework.security.vote.RoleVoter.vote(RoleVoter.java:105)

    The line in question is :

    Code:
    GrantedAuthority[] authorities = authentication.getAuthorities();

    Of course, the authentication variable is null because no user was authenticated yet. It seems that simply checking for null and returning ACCESS_DENIED would do the trick.

    Should I file an issue?

    Regards,

  2. #2

    I'm not sure, but when you are trying to access a web which has an access restriction and you are not authenticated, the FilterSecurityInterceptor throws an exception

    org.springframework.security.intercept.AbstractSecurityInterceptor
    beforeInvocation()
    Code:
    if (SecurityContextHolder.getContext().getAuthentication() == null) {
        credentialsNotFound(messages.getMessage("AbstractSecurityInterceptor.authenticationNotFound",
                "An Authentication object was not found in the SecurityContext"), object, attr);
    }

    ...

    private void credentialsNotFound(String reason, Object secureObject, ConfigAttributeDefinition configAttribs) {
        AuthenticationCredentialsNotFoundException exception = new AuthenticationCredentialsNotFoundException(reason);

        AuthenticationCredentialsNotFoundEvent event = new AuthenticationCredentialsNotFoundEvent(secureObject,
                configAttribs, exception);
        publishEvent(event);

        throw exception;
    }

    So, if in the SecurityContext the authentication object does not exist (because the user is not authenticated yet) the credentialsNotFoundException is thrown and the FilterInterceptorSecurity does not continue. The next step is that the ExceptionTranslationFilter sends you to the entry point.

    Please correct me if I'm saying something wrong. I'm really new to Spring Security, but I've worked hard and debugged a lot to understand it all XD

    In conclusion, I think your problem is rare; maybe you have something that is not correctly configured :S
    Last edited by Yuki; Jul 30th, 2008 at 09:26 AM.

  3. #3

    That would be true if it wasn't for line 230

    Code:
    ConfigAttributeDefinition attr = this.obtainObjectDefinitionSource().getAttributes(object);

    which is null and makes the function exit at line 246

    Regards

  4. #4
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team

    Which would normally mean that the AccessDecisionManager (and hence the voters) would not be called.

    The security interceptor code hasn't really changed much in the last four years so there's unlikely to be a problem there. Perhaps you could provide some more concrete information on what you are doing, where the exception occurs (attach a log, for example) or submit a test case.

  5. #5

    The call is made by Spring Webflow not Spring Security:

    Code:
    Caused by: java.lang.NullPointerException
    	at org.springframework.security.vote.RoleVoter.vote(RoleVoter.java:105)
    	at org.springframework.security.vote.AffirmativeBased.decide(AffirmativeBased.java:51)
    	at org.springframework.webflow.security.SecurityFlowExecutionListener.decide(SecurityFlowExecutionListener.java:108)
    	at org.springframework.webflow.security.SecurityFlowExecutionListener.stateEntering(SecurityFlowExecutionListener.java:73)

    The exception is thrown in RoleVoter though as it does not check for nulls. IMO the code should not rely on being invoked correctly and should check that the authentication token is valid.
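
Added example, not part of the original thread and not code from Spring Security or Spring Web Flow: one way to apply the null check proposed in posts #1 and #5 without patching RoleVoter is to wrap the voter in a delegating voter that fails closed. It assumes the Spring Security 2.0.x API seen in this thread (`org.springframework.security.vote`, `ConfigAttributeDefinition`); the class name `NullSafeVoter` is hypothetical.

```java
import org.springframework.security.Authentication;
import org.springframework.security.ConfigAttribute;
import org.springframework.security.ConfigAttributeDefinition;
import org.springframework.security.vote.AccessDecisionVoter;

/**
 * Hypothetical wrapper (added example): delegates to another voter, but
 * denies access when the caller supplies no usable Authentication, so the
 * wrapped voter is never invoked with a null token.
 */
public class NullSafeVoter implements AccessDecisionVoter {

    private final AccessDecisionVoter delegate;

    public NullSafeVoter(AccessDecisionVoter delegate) {
        if (delegate == null) {
            throw new IllegalArgumentException("delegate voter is required");
        }
        this.delegate = delegate;
    }

    public boolean supports(ConfigAttribute attribute) {
        return delegate.supports(attribute);
    }

    public boolean supports(Class clazz) {
        return delegate.supports(clazz);
    }

    public int vote(Authentication authentication, Object object,
                    ConfigAttributeDefinition config) {
        // Nothing in the SecurityContext: callers that bypass the security
        // interceptor (as in the stack trace above) can pass null here.
        if (authentication == null) {
            return ACCESS_DENIED;
        }
        // Assumption: a token without an authorities array is treated the
        // same way as a missing token, i.e. denied rather than evaluated.
        if (authentication.getAuthorities() == null) {
            return ACCESS_DENIED;
        }
        return delegate.vote(authentication, object, config);
    }
}
```

Because the wrapper returns ACCESS_DENIED instead of abstaining, a missing token is denied even for attributes the wrapped voter would not have voted on.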

  6. #6


    I get this same error message but it is thrown from the Spring MVC Dispatcher Servlet in addition to <Attempting to handle [org.springframework.webflow.execution.FlowExecutionException: Exception thrown within inactive flow 'operations'] with root cause [java.lang.NullPointerException]>. I have seen this error if the user logs out and then uses the back button. It appears to occur if the session times out within a flow as well.
    Anyone know how to redirect to login page?
