AuthorizationManagerWebInvocationPrivilegeEvaluator does not provide access to ServletContext #10908
Comments
Thanks for the report @mengelbrecht. I've assigned it to the next patch releases, 5.5.6, 5.6.3, and 5.7.0-M3.
@marcusdacoregio I just tested this with Spring-Boot 2.6.7 which includes Spring-Security 5.6.3 and this issue is still present (can be checked using the sample from my initial post with an updated Spring-Boot version).
…ocationPrivilegeEvaluator Issue gh-10908
Hi @mengelbrecht, thanks for testing it fast and reporting it back. I've opened #11165 for that and the fix is already committed. It'd be great if you could use the SNAPSHOT version to test your application.
Hi @marcusdacoregio thanks for the fix. I can confirm that the servlet context is set correctly when using the snapshot version. However, the response is different when using Spring-Security whereas version But maybe this is another issue?
It's hard to tell exactly without knowing what your configuration looks like. There are some issues in the Spring Boot repository that may be a clue. If you don't find anything related, please file a new ticket.
Describe the bug
When using Spring-Boot 2.6.4 + Spring-Security usage of an ApplicationContextRequestMatcher (such as EndpointRequest.to(HealthEndpoint::class.java) from actuator or PathRequest.toH2Console() for h2) will lead to an error java.lang.IllegalArgumentException: ServletContext must not be null when using authorizeHttpRequests and performing an unauthorized request. The response will also contain unexpected html.
According to my analysis this is because AuthorizationManagerWebInvocationPrivilegeEvaluator creates a FilterInvocation which does not contain the servlet context. This filter invocation is then checked using RequestMatcherDelegatingAuthorizationManager which then passes it to an ApplicationContextRequestMatcher which accesses the servlet context which is null. This is related to #10779.
To Reproduce
Start the sample project and perform a GET http://localhost:8080 without credentials.
Expected behavior
No exception is thrown and the response contains no unexpected html.
Sample
demo.zip
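The following is an added example, not code from the issue reporter or the Spring Security project, that reproduces the mechanism described in the report in isolation: a request matcher that, like Spring Boot's ApplicationContextRequestMatcher, resolves the WebApplicationContext from request.getServletContext() is run once against a FilterInvocation built without a ServletContext (as the pre-fix evaluator did) and once against one built with the ServletContext-taking FilterInvocation constructor. The matcher class, the "/actuator/health" path and the use of MockServletContext from spring-test are assumptions of this example; the dependencies assumed are spring-security-web, spring-web and spring-test on a javax.servlet classpath (Spring Security 5.x).

```java
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockServletContext;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

public class ServletContextMatcherDemo {

    /**
     * Hypothetical matcher that needs the ServletContext, in the same way that
     * Spring Boot's ApplicationContextRequestMatcher does when it looks up beans.
     */
    static class ContextDependentMatcher implements RequestMatcher {
        @Override
        public boolean matches(HttpServletRequest request) {
            // WebApplicationContextUtils asserts that the ServletContext is non-null and
            // throws IllegalArgumentException("ServletContext must not be null") otherwise.
            WebApplicationContext ctx =
                WebApplicationContextUtils.getWebApplicationContext(request.getServletContext());
            // A real matcher would consult beans from ctx; here the lookup itself is the point.
            return ctx != null && request.getServletPath().startsWith("/actuator/health");
        }
    }

    /** Builds the request the way the evaluator did before the fix: no ServletContext. */
    static HttpServletRequest requestWithoutServletContext() {
        return new FilterInvocation("", "/actuator/health", "GET").getHttpRequest();
    }

    /** Builds the request with a ServletContext, which is what the fix supplies. */
    static HttpServletRequest requestWithServletContext(ServletContext servletContext) {
        return new FilterInvocation(servletContext, "", "/actuator/health", null, null, "GET")
            .getHttpRequest();
    }

    public static void main(String[] args) {
        RequestMatcher matcher = new ContextDependentMatcher();

        // Reproduces the failure from the report: the ServletContext lookup blows up
        // before any authorization decision can be made.
        try {
            matcher.matches(requestWithoutServletContext());
        } catch (IllegalArgumentException ex) {
            System.out.println("Without ServletContext: " + ex.getMessage());
        }

        // With a ServletContext present the lookup succeeds; no root WebApplicationContext
        // is registered in this constructed MockServletContext, so the matcher simply
        // reports no match instead of throwing.
        MockServletContext servletContext = new MockServletContext();
        System.out.println("With ServletContext: "
            + matcher.matches(requestWithServletContext(servletContext)));
    }
}
```

Running the main method prints the "ServletContext must not be null" message for the first call and "false" for the second, which is the difference the reporter's analysis points at: the privilege evaluator must build its FilterInvocation with the ServletContext (for example by implementing ServletContextAware, as the older DefaultWebInvocationPrivilegeEvaluator does) for context-dependent matchers to be evaluable at all.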