Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UrlAuthorizationConfigurer should not call hasRole(ROLE_ANONYMOUS) #6353

Merged
merged 2 commits into from
Jan 15, 2019
Merged

UrlAuthorizationConfigurer should not call hasRole(ROLE_ANONYMOUS) #6353

merged 2 commits into from
Jan 15, 2019

Conversation

msdousti
Copy link
Contributor

@msdousti msdousti commented Jan 4, 2019

The following line:

spring-security/config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java

Line 347 in 5f33bbe

return hasRole("ROLE_ANONYMOUS");

throws this exception:

java.lang.IllegalArgumentException: ROLE_ANONYMOUS should not start with ROLE_ since ROLE_ is automatically prepended when using hasRole. Consider using hasAuthority or access instead.

The easiest remedy is to remove the ROLE_ prefix. One can also use hasAuthority or access instead of hasRole, as suggested in the exception.

@pivotal-issuemaster
Copy link

@msdousti Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

@pivotal-issuemaster
Copy link

@msdousti Thank you for signing the Contributor License Agreement!

@rwinch rwinch added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-feedback We need additional information before we can continue labels Jan 8, 2019
@rwinch rwinch self-requested a review January 8, 2019 19:06
rwinch
rwinch requested changes Jan 8, 2019
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @msdousti! Can you please add a test?

@msdousti
Copy link
Contributor Author

msdousti commented Jan 9, 2019

@rwinch : Thanks for attending the issue. Here's a simple class that, if added to your code base, causes error:

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .apply(new UrlAuthorizationConfigurer<>(null)).getRegistry()
            .anyRequest().anonymous();
    }

}

Upon compiling the project, I get the following error:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalArgumentException: ROLE_ANONYMOUS should not start with ROLE_ since ROLE_ is automatically prepended when using hasRole. Consider using hasAuthority or access instead.
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:627) ~[spring-beans-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:456) ~[spring-beans-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1288) ~[spring-beans-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1127) ~[spring-beans-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:538) ~[spring-beans-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:498) ~[spring-beans-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:320) ~[spring-beans-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) ~[spring-beans-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:318) ~[spring-beans-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199) ~[spring-beans-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:307) ~[spring-beans-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199) ~[spring-beans-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:846) ~[spring-beans-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:863) ~[spring-context-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:546) ~[spring-context-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:142) ~[spring-boot-2.1.1.RELEASE.jar:2.1.1.RELEASE]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:775) [spring-boot-2.1.1.RELEASE.jar:2.1.1.RELEASE]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) [spring-boot-2.1.1.RELEASE.jar:2.1.1.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:316) [spring-boot-2.1.1.RELEASE.jar:2.1.1.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1260) [spring-boot-2.1.1.RELEASE.jar:2.1.1.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1248) [spring-boot-2.1.1.RELEASE.jar:2.1.1.RELEASE]
	at io.msdousti.custom_access.SpringCustomAccessApplication.main(SpringCustomAccessApplication.java:10) [classes/:na]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_181]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_181]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_181]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_181]
	at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49) [spring-boot-devtools-2.1.1.RELEASE.jar:2.1.1.RELEASE]
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalArgumentException: ROLE_ANONYMOUS should not start with ROLE_ since ROLE_ is automatically prepended when using hasRole. Consider using hasAuthority or access instead.
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185) ~[spring-beans-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:622) ~[spring-beans-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	... 26 common frames omitted
Caused by: java.lang.IllegalArgumentException: ROLE_ANONYMOUS should not start with ROLE_ since ROLE_ is automatically prepended when using hasRole. Consider using hasAuthority or access instead.
	at org.springframework.util.Assert.isTrue(Assert.java:136) ~[spring-core-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer.hasRole(UrlAuthorizationConfigurer.java:221) ~[spring-security-config-5.1.2.RELEASE.jar:5.1.2.RELEASE]
	at org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer.access$300(UrlAuthorizationConfigurer.java:90) ~[spring-security-config-5.1.2.RELEASE.jar:5.1.2.RELEASE]
	at org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer$AuthorizedUrl.hasRole(UrlAuthorizationConfigurer.java:307) ~[spring-security-config-5.1.2.RELEASE.jar:5.1.2.RELEASE]
	at org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer$AuthorizedUrl.anonymous(UrlAuthorizationConfigurer.java:347) ~[spring-security-config-5.1.2.RELEASE.jar:5.1.2.RELEASE]
	at io.msdousti.custom_access.security.SecurityConfig.configure(SecurityConfig.java:18) ~[classes/:na]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.getHttp(WebSecurityConfigurerAdapter.java:231) ~[spring-security-config-5.1.2.RELEASE.jar:5.1.2.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.init(WebSecurityConfigurerAdapter.java:322) ~[spring-security-config-5.1.2.RELEASE.jar:5.1.2.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.init(WebSecurityConfigurerAdapter.java:92) ~[spring-security-config-5.1.2.RELEASE.jar:5.1.2.RELEASE]
	at io.msdousti.custom_access.security.SecurityConfig$$EnhancerBySpringCGLIB$$d909c2b.init(<generated>) ~[classes/:na]
	at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.init(AbstractConfiguredSecurityBuilder.java:371) ~[spring-security-config-5.1.2.RELEASE.jar:5.1.2.RELEASE]
	at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:325) ~[spring-security-config-5.1.2.RELEASE.jar:5.1.2.RELEASE]
	at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:41) ~[spring-security-config-5.1.2.RELEASE.jar:5.1.2.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain(WebSecurityConfiguration.java:104) ~[spring-security-config-5.1.2.RELEASE.jar:5.1.2.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerBySpringCGLIB$$15caf399.CGLIB$springSecurityFilterChain$2(<generated>) ~[spring-security-config-5.1.2.RELEASE.jar:5.1.2.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerBySpringCGLIB$$15caf399$$FastClassBySpringCGLIB$$52e1751a.invoke(<generated>) ~[spring-security-config-5.1.2.RELEASE.jar:5.1.2.RELEASE]
	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244) ~[spring-core-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:363) ~[spring-context-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerBySpringCGLIB$$15caf399.springSecurityFilterChain(<generated>) ~[spring-security-config-5.1.2.RELEASE.jar:5.1.2.RELEASE]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_181]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_181]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_181]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_181]
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154) ~[spring-beans-5.1.3.RELEASE.jar:5.1.3.RELEASE]
	... 27 common frames omitted

The important line is:

Caused by: java.lang.IllegalArgumentException: ROLE_ANONYMOUS should not start with ROLE_ since ROLE_ is automatically prepended when using hasRole. Consider using hasAuthority or access instead.

@rwinch
Copy link
Member

rwinch commented Jan 9, 2019

Thank you. Can you please turn that into a test and update the PR by pushing to your existing branch? Since it is a private branch, please squash your existing changes and the test in a single commit.

@msdousti msdousti closed this Jan 12, 2019
@msdousti
Removed "ROLE_" to avoid the following error:
213d2bd 
    java.lang.IllegalArgumentException: ROLE_ANONYMOUS should not start
    with ROLE_ since ROLE_ is automatically prepended when using
    hasRole. Consider using hasAuthority or access instead.

Also, added the corresponding test.
@msdousti msdousti reopened this Jan 12, 2019
@msdousti
Copy link
Contributor Author

msdousti commented Jan 12, 2019
edited
Loading

@rwinch: I added a test, which passes only if it is compiled against UrlAuthorizationConfigurer.java, as modified by this PR.

After some tweaking, I also squashed my existing changes and the test in a single commit.

@rwinch rwinch self-assigned this Jan 15, 2019
@rwinch rwinch added in: web An issue in web modules (web, webmvc) type: bug A general bug labels Jan 15, 2019
@rwinch rwinch added this to the 5.2.0.M1 milestone Jan 15, 2019
@rwinch rwinch merged commit d099a62 into spring-projects:master Jan 15, 2019
@rwinch rwinch changed the title hasRole should not be called on a string with "ROLE_" prefix UrlAuthorizationConfigurer should not call hasRole(ROLE_ANONYMOUS) Jan 15, 2019
@rwinch rwinch mentioned this pull request Jan 15, 2019
Closed
rwinch pushed a commit that referenced this pull request Jan 15, 2019
@msdousti @rwinch
hasRole should not be called on a string with "ROLE_" prefix (#6353)
7f2f12c 
Removed "ROLE_" from UrlAuthorizationConfigurer

This fixes IllegalArgumentException: ROLE_ANONYMOUS should not start
with ROLE_ since ROLE_
@rwinch
Copy link
Member

rwinch commented Jan 15, 2019

Thanks for the fast turnaround! This is now merged into master and backported via the listed issues above

@rwinch
Copy link
Member

rwinch commented Jan 15, 2019

Let's take that up as a new issue. However, some of those are fine as you can change the prefix and some of the code is smarter.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rwinch rwinch rwinch requested changes

Assignees

@rwinch rwinch

Labels
in: web An issue in web modules (web, webmvc) type: bug A general bug
Projects
None yet
Milestone
5.2.0.M1
Development

Successfully merging this pull request may close these issues.
3 participants
@msdousti @pivotal-issuemaster @rwinch