This week's book giveaway is in the Agile and Other Processes forum.
We're giving away four copies of Real-World Software Development: A Project-Driven Guide to Fundamentals in Java and have Dr. Raoul-Gabriel Urma & Richard Warburton on-line!
See this thread for details.
Win a copy of Real-World Software Development: A Project-Driven Guide to Fundamentals in Java this week in the Agile and Other Processes forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Paul Clapham
  • Liutauras Vilda
  • Knute Snortum
  • Bear Bibeault
Sheriffs:
  • Devaka Cooray
  • Jeanne Boyarsky
  • Junilu Lacar
Saloon Keepers:
  • Ron McLeod
  • Stephan van Hulst
  • Tim Moores
  • Carey Brown
  • salvin francis
Bartenders:
  • Tim Holloway
  • Piet Souris
  • Frits Walraven

Spring security @PreAuthorize gives NullPointerException. Why?

 
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I'm trying to implement a check of User's role in the controller, so when User is calling a particular web adress he gets access to the page (or not).

So I put @PreAuthorize("hasPermission...) in one of my controller's (URL GET) method and created my custom *PermissionEvaluator*.
It takes a two strings as a parameters (entity name - String, permission name - String), which I'll later take from User's role object.
For the testing purposes now it always returns "true".

The problem: I always get a NullPointerException when placing @PreAuthorize. The text inside CustomPermissionEvaluator is not even called.
Could you please explain what am I doing wrong?

Controller



Permission evaluator


GlobalMethodSecurityConfiguration


Error stack
 
Saloon Keeper
Posts: 11470
247
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I think instead of adding a methodSecurityExpressionHandler() bean factory to your configuration subclass, you should override the getExpressionHandler() method to return your permissionEvaluator. Set a breakpoint inside of it or add a logging statement to see if the auto-wired permissionEvaluator is not null.

Note that the @Configuration annotation on your CustomMethodSecurityConfig is redundant; it's already implied by @EnableGlobalMethodSecurity.
 
George Smithss
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Stephan van Hulst wrote: Set a breakpoint inside of it or add a logging statement to see if the auto-wired permissionEvaluator is not null.


Thank you. I've checked wheter the auto-wired permissionEvaluator is null and its surprisingly null.
But why?

Stephan van Hulst wrote:
I think instead of adding a methodSecurityExpressionHandler() bean factory to your configuration subclass, you should override the getExpressionHandler() method to return your permissionEvaluator.


Could you please explain how (or provide any links)?
According to Spring's doc it's final, so I've got an appropriate error (can't be overridden)
I'm trying to add it like this:

Surprisingly my permissionEvaluater started to work when I fully commented methodSecurityExpressionHandler. Now I'm even more confused...


 
Stephan van Hulst
Saloon Keeper
Posts: 11470
247
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

George Smithss wrote:I've checked wheter the auto-wired permissionEvaluator is null and its surprisingly null.
But why?


Because @Configuration components are initialized before other components, so your CustomMethodSecurityConfig class is initialized by Spring before your CustomPermissionEvaluator is created.

Could you please explain how (or provide any links)?
According to Spring's doc it's final


Sorry, this is my bad. I read the docs but I missed this modifier.

Surprisingly my permissionEvaluater started to work when I fully commented methodSecurityExpressionHandler. Now I'm even more confused...


The handler you injected via that factory method didn't work because you initialized it with a null permissionEvaluator. Removing the factory method caused Spring to use its own MethodSecurityExpressionHandler, and it's possible that the default handler picked up on your CustomPermissionEvaluator automatically.
 
George Smithss
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
This one worked:
@Override
   protected MethodSecurityExpressionHandler createExpressionHandler() {
 
My, my, aren't you a big fella. Here, have a tiny ad:
Java file APIs (DOC, XLS, PDF, and many more)
https://products.aspose.com/total/java
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!