I'm trying to implement a check of User's role in the controller, so when User is calling a particular web adress he gets access to the page (or not).
So I put @PreAuthorize("hasPermission...) in one of my controller's method and created my custom * PermissionEvaluator*. It takes a two string as a parameters (entity name - String, permission name - String), which I'll later take from User's role object. For the testing purposes it always returns true.
The problem: I always get a NullPointerException when placing @PreAuthorize. Could you please explain what am I doing wrong?
Controller
@RequestMapping(value = "goal/new", method = RequestMethod.GET)
@PreAuthorize("hasPermission('GOAL', 'WRITE')")
public String add (Model model, RedirectAttributes redirect) {
User user = AuthUtils.getCurrentUser();
Goal goal = new Goal();
Set<Unit> units = unitService.getUnitsByRole(user.getRoles());
model.addAttribute("goal", goal);
model.addAttribute("units", units);
return WEB_FORM_URL;
}
Permission evaluator
@Component
public class CustomPermissionEvaluator implements PermissionEvaluator {
@Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
System.out.println("Permission eveluator: called");
boolean permissionGranted = true;
return permissionGranted;
}
@Override
public boolean hasPermission(Authentication authentication, Serializable serializable, String targetType,
Object permission) {
return false;
}
}
GlobalMethodSecurityConfiguration
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, jsr250Enabled = true, proxyTargetClass = true)
public class CustomMethodSecurityConfig extends GlobalMethodSecurityConfiguration {
@Autowired
CustomPermissionEvaluator permissionEvaluator;
@Bean
public MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
handler.setPermissionEvaluator(permissionEvaluator);
return handler;
}
}
Errorstack
java.lang.NullPointerException: null
at org.springframework.security.access.expression.SecurityExpressionRoot.hasPermission(SecurityExpressionRoot.java:177) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_201]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_201]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_201]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_201]
at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:130) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]
at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:138) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]
at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:94) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]
at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:114) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]
at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:300) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]
at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:26) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice.before(ExpressionBasedPreInvocationAdvice.java:59) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
I'm not a 100% sure, but could you change the method signature in your CustomMethodSecurityConfig to actually override the proper method in GlobalMethodSecurityConfiguration.
So
@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
instead of
@Bean
public MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With