SpelEvaluationException: EL1007E:(pos 43): Field or property 'group' cannot be found on null

Question

I have SPRING METHOD security fully configured for my web application. (with PRE/POST annotations enabled).

However recently I encountered a strange issue with them. Summary as follows:

1. Summary of POJOS

   // User Class
   public class User {
       int id;
       String name;
       // getters and setters
   }
   
   // Group Class
   public class Group {
       int id;
       String name;
       // getters and setters
   }
   
   // GroupMembership class
   public class GroupMembership {
       private int id;
       private User user;
       private Group group;
       // getters and setters
   }
   

2. PreAuthorise filter on method .

   @PreAuthorize("canIEditGroupProfile(#membership.group.id)")
   public int updateGroupMembership(GroupMembership membership)
       throws GroupsServiceException;
   

Upon passing a fully populated GroupMembership object (proper user and group compositions present), the security filter throws following exception:

errorMessage: "Failed to evaluate expression
    canIEditGroupProfile(#membership.group.id)'"

Upon digging into the exception:

The cause is found to be:

org.springframework.expression.spel.SpelEvaluationException:
    EL1007E:(pos 33): Field or property 'group' cannot be found on null

Please provide pointers to address the same.

Answer 1

getter/setters seems fine... also no case of null.

However a interesting observation; this one gives me an error:

@PreAuthorize("canIEditGroupProfile(#membership.group.id)")
public int updateGroupMembership(GroupMembership membership)
    throws GroupsServiceException; 

This works fine:

@PreAuthorize("canIEditGroupProfile(#groupmembership.group.id)")
public int updateGroupMembership(GroupMembership groupmembership)
    throws GroupsServiceException;

Further I observed, the parameter name was mismatching in case of first (i.e Service and ServiceImpl both had different parameter names).

Now maintaining the uniformity, the issue seems to be fixed.

Answer 2

I got the same issue in my Spring Boot application. It turned out that I was compiling without my debug symbols information, as it is mentioned in a comment above. I would like to remark that I could fix the issue in two ways:

1.(My favourite one): Just include this in your pom.xml --> plugins

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-compiler-plugin</artifactId>
    <configuration>
       <compilerArgument>-parameters</compilerArgument>
       <testCompilerArgument>-parameters</testCompilerArgument>
    </configuration>
</plugin>

2. If you are using Java 1.8 and Eclipse as an IDE, go to your Project Properties --> Java Compile --> check "Store information about method parameters (usable via reflection)".

I found really interesting this link to know more about the issue.

Hope it helps!