WebInvocationPrivilegeEvaluator does not provide a way to pass a ServletContext #10208

Closed
philwebb opened this issue Aug 17, 2021 · 2 comments · Fixed by #10229
in: web An issue in web modules (web, webmvc) status: backported An issue that has been backported to maintenance branches type: bug A general bug

@philwebb (Member) commented:

Describe the bug
See spring-projects/spring-boot#27728 for background.

When using the following Thymeleaf markup:

<div sec:authorize-url="/admin"> /admin is accessible</div>

The following exception is thrown if getServletContext is called on the request.

java.lang.UnsupportedOperationException: public abstract javax.servlet.ServletContext javax.servlet.ServletRequest.getServletContext() is not supported
	at org.springframework.security.web.FilterInvocation$UnsupportedOperationExceptionInvocationHandler.invoke(FilterInvocation.java:304) ~[spring-security-web-5.5.1.jar:5.5.1]
	at com.sun.proxy.$Proxy93.getServletContext(Unknown Source) ~[na:na]
	at javax.servlet.ServletRequestWrapper.getServletContext(ServletRequestWrapper.java:369) ~[tomcat-embed-core-9.0.50.jar:4.0.FR]
	at org.springframework.boot.security.servlet.ApplicationContextRequestMatcher.matches(ApplicationContextRequestMatcher.java:58) ~[spring-boot-2.5.3.jar:2.5.3]

I think this is because this Thymeleaf code uses a WebInvocationPrivilegeEvaluator to determine if the path can be used. The WebInvocationPrivilegeEvaluator creates a DummyRequest which throws the error.

To Reproduce
Run https://github.com/tvahrst/springboot-security-thymeleaf and hit localhost:8080/main

Expected behavior
Thymeleaf has an IWebContext which has access to the ServletContext. If WebInvocationPrivilegeEvaluator had an isAllowed method that could accept the context, then it could be passed along.

Alternatively, there's a WebAttributes.WEB_INVOCATION_PRIVILEGE_EVALUATOR_ATTRIBUTE which Thymeleaf checks. Spring Security could add this attribute with the ServletContext propagated from the request.

Sample
https://github.com/tvahrst/springboot-security-thymeleaf
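An added JUnit 5 test (not from the issue or the linked sample project) that pins down the failure mode described above: the DummyRequest behind FilterInvocation answers path and method queries, so a path-only RequestMatcher works against it, but any matcher that asks for the ServletContext hits the proxy's UnsupportedOperationException before it can reach an authorization decision. It assumes Spring Security 5.5.x (5.5.1 as in the stack trace), JUnit 5 and the javax.servlet API on the classpath.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;

import javax.servlet.http.HttpServletRequest;

import org.junit.jupiter.api.Test;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added regression test, not part of the issue or the sample project.
// Assumes Spring Security 5.5.x (5.5.1 in the stack trace above), JUnit 5
// and the javax.servlet API on the classpath.
class DummyRequestServletContextTests {

    @Test
    void dummyRequestCarriesPathAndMethodOnly() {
        // This is the kind of synthetic request the privilege evaluator builds
        // for sec:authorize-url="/admin": no real request, only a servlet path
        // and an HTTP method.
        FilterInvocation invocation = new FilterInvocation("/admin", "GET");
        HttpServletRequest request = invocation.getHttpRequest();

        // Values the DummyRequest stores itself are available.
        assertEquals("/admin", request.getServletPath());
        assertEquals("GET", request.getMethod());

        // A matcher that only reads the path works as expected.
        RequestMatcher pathMatcher = new AntPathRequestMatcher("/admin/**");
        assertTrue(pathMatcher.matches(request));

        // Every other call is delegated to a proxy that rejects it. A matcher
        // that needs the ServletContext (Spring Boot's ApplicationContextRequestMatcher
        // does, as the stack trace shows) therefore fails instead of deciding.
        RequestMatcher contextMatcher = req -> req.getServletContext() != null;
        assertThrows(UnsupportedOperationException.class,
                () -> contextMatcher.matches(request));
    }
}
```

The last assertion documents the 5.5.x behaviour; once a ServletContext can be supplied to the evaluator, this test should be updated rather than kept as a guard.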

@philwebb (Member, Author) commented:

Discussing this issue today on our call, @wilkinsona suggested another fix might be to make the WebInvocationPrivilegeEvaluator bean ServletContextAware.

@marcusdacoregio marcusdacoregio added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 19, 2021
@marcusdacoregio (Contributor) commented:

Also, @rwinch suggested that we can allow DefaultWebInvocationPrivilegeEvaluator to optionally access the current HttpServletRequest (by enabling it via a property, or so) from RequestContextHolder, and construct FilterInvocation with this request.

marcusdacoregio added a commit to marcusdacoregio/spring-security that referenced this issue Aug 31, 2021
@marcusdacoregio marcusdacoregio added this to the 5.6.0-RC1 milestone Oct 14, 2021
@spring-projects-issues spring-projects-issues added the status: backported An issue that has been backported to maintenance branches label Oct 22, 2021
marcusdacoregio added a commit to marcusdacoregio/spring-security that referenced this issue Oct 22, 2021