SpelEvaluationException: EL1007E:(pos 43): Field or property 'group' cannot be found on null

hemantvsn · Apr 9, 2014 · Viewed 23.5k times

I have Spring method security fully configured for my web application (with pre/post annotations enabled).

However recently I encountered a strange issue with them. Summary as follows:

  1. Summary of POJOs

    // User Class
    public class User {
        int id;
        String name;
        // getters and setters
    }
    
    // Group Class
    public class Group {
        int id;
        String name;
        // getters and setters
    }
    
    // GroupMembership class
    public class GroupMembership {
        private int id;
        private User user;
        private Group group;
        // getters and setters
    }
    
  2. PreAuthorize filter on method.

    @PreAuthorize("canIEditGroupProfile(#membership.group.id)")
    public int updateGroupMembership(GroupMembership membership)
        throws GroupsServiceException;
    

Upon passing a fully populated GroupMembership object (proper user and group compositions present), the security filter throws the following exception:

    errorMessage: "Failed to evaluate expression
        canIEditGroupProfile(#membership.group.id)'"

Upon digging into the exception:

The cause is found to be:

    org.springframework.expression.spel.SpelEvaluationException:
        EL1007E:(pos 33): Field or property 'group' cannot be found on null

Please provide pointers to address the same.

Answer

hemantvsn · Apr 14, 2014

Getters/setters seem fine... also no case of null.

However, an interesting observation: this one gives me an error:

    @PreAuthorize("canIEditGroupProfile(#membership.group.id)")
    public int updateGroupMembership(GroupMembership membership)
        throws GroupsServiceException;

This works fine:

    @PreAuthorize("canIEditGroupProfile(#groupmembership.group.id)")
    public int updateGroupMembership(GroupMembership groupmembership)
        throws GroupsServiceException;

Further, I observed that the parameter name was mismatched in the first case (i.e. Service and ServiceImpl had different parameter names).

Now, maintaining uniformity, the issue seems to be fixed.
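
The answer traces the failure to the Service and ServiceImpl declaring the same parameter under different names. The following is an added example, not code from the original post: a JDK-only check that reports such mismatches between an interface and its implementation. The nested `GroupService`, `GroupServiceImpl` and `GroupMembership` types are constructed stand-ins, and the check assumes the classes were compiled with `javac -parameters` so that parameter names are available to reflection.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.lang.reflect.Parameter;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the original post). Compile with: javac -parameters
public class ParamNameCheck {
    // Constructed stand-ins for the Service / ServiceImpl pair described in the post.
    static class GroupMembership { }
    interface GroupService {
        int updateGroupMembership(GroupMembership membership);
    }
    static class GroupServiceImpl implements GroupService {
        @Override
        public int updateGroupMembership(GroupMembership groupmembership) { return 0; }
    }

    /** Reports methods of impl's direct interfaces whose parameter names differ in impl. */
    static List<String> findMismatches(Class<?> impl) throws NoSuchMethodException {
        List<String> findings = new ArrayList<>();
        for (Class<?> iface : impl.getInterfaces()) {
            for (Method declared : iface.getMethods()) {
                if (Modifier.isStatic(declared.getModifiers())) continue; // not implemented by impl
                Method actual = impl.getMethod(declared.getName(), declared.getParameterTypes());
                Parameter[] d = declared.getParameters();
                Parameter[] a = actual.getParameters();
                for (int i = 0; i < d.length; i++) {
                    if (!d[i].isNamePresent() || !a[i].isNamePresent()) {
                        // Without -parameters, reflection only yields arg0, arg1, ...
                        findings.add(declared.getName() + ": names missing, recompile with -parameters");
                        break;
                    }
                    if (!d[i].getName().equals(a[i].getName())) {
                        findings.add(declared.getName() + ": parameter " + i + " is '" + d[i].getName()
                                + "' in " + iface.getSimpleName() + " but '" + a[i].getName()
                                + "' in " + impl.getSimpleName());
                    }
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws NoSuchMethodException {
        List<String> findings = findMismatches(GroupServiceImpl.class);
        findings.forEach(System.out::println);
        if (findings.isEmpty()) System.out.println("parameter names are consistent");
    }
}
```

Any method it reports is one where a `#name` reference in a security expression can only match one of the two declarations.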