Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Spring security @PreAuthorize NullPointerException. Why?

I'm trying to implement a check of User's role in the controller, so when User is calling a particular web adress he gets access to the page (or not).

So I put @PreAuthorize("hasPermission...) in one of my controller's method and created my custom * PermissionEvaluator*. It takes a two string as a parameters (entity name - String, permission name - String), which I'll later take from User's role object. For the testing purposes it always returns true.

The problem: I always get a NullPointerException when placing @PreAuthorize. Could you please explain what am I doing wrong?

Controller

@RequestMapping(value = "goal/new", method = RequestMethod.GET)
@PreAuthorize("hasPermission('GOAL', 'WRITE')")
public String add (Model model,  RedirectAttributes redirect) {
   User user = AuthUtils.getCurrentUser();
   Goal goal = new Goal();
   Set<Unit> units = unitService.getUnitsByRole(user.getRoles());
   model.addAttribute("goal", goal);
   model.addAttribute("units", units);
return WEB_FORM_URL;
}

Permission evaluator

@Component
public class CustomPermissionEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        System.out.println("Permission eveluator: called");
        boolean permissionGranted = true;
        return permissionGranted;
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable serializable, String targetType,
                                 Object permission) {
        return false;
    }
}

GlobalMethodSecurityConfiguration

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, jsr250Enabled = true, proxyTargetClass = true)
public class CustomMethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    @Autowired
    CustomPermissionEvaluator permissionEvaluator;

    @Bean
    public MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(permissionEvaluator);
        return handler;
    }
}

Errorstack

java.lang.NullPointerException: null
    at org.springframework.security.access.expression.SecurityExpressionRoot.hasPermission(SecurityExpressionRoot.java:177) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_201]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_201]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_201]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_201]
    at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:130) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]
    at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:138) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]
    at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:94) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]
    at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:114) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]
    at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:300) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]
    at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:26) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice.before(ExpressionBasedPreInvocationAdvice.java:59) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
like image 988
Dec0de Avatar asked Jun 29 '26 20:06

Dec0de


1 Answers

I'm not a 100% sure, but could you change the method signature in your CustomMethodSecurityConfig to actually override the proper method in GlobalMethodSecurityConfiguration.

So

 @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {

instead of

  @Bean
    public MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
like image 63
Marco Behler Avatar answered Jul 01 '26 10:07

Marco Behler