I have Spring method security fully configured for my web application (with pre/post annotations enabled).
However, recently I encountered a strange issue with them. Summary as follows:

Summary of POJOs:

    // User class
    public class User {
        int id;
        String name;
        // getters and setters
    }

    // Group class
    public class Group {
        int id;
        String name;
        // getters and setters
    }

    // GroupMembership class
    public class GroupMembership {
        private int id;
        private User user;
        private Group group;
        // getters and setters
    }

PreAuthorize filter on the method:

    @PreAuthorize("canIEditGroupProfile(#membership.group.id)")
    public int updateGroupMembership(GroupMembership membership)
            throws GroupsServiceException;

Upon passing a fully populated GroupMembership object (proper user and group compositions present), the security filter throws the following exception:

    errorMessage: "Failed to evaluate expression 'canIEditGroupProfile(#membership.group.id)'"

Upon digging into the exception, the cause is found to be:

    org.springframework.expression.spel.SpelEvaluationException:
    EL1007E:(pos 33): Field or property 'group' cannot be found on null

Please provide pointers to address the same.
The getters/setters seem fine... also no case of null.

However, an interesting observation: this one gives me an error:

    @PreAuthorize("canIEditGroupProfile(#membership.group.id)")
    public int updateGroupMembership(GroupMembership membership)
            throws GroupsServiceException;

This works fine:

    @PreAuthorize("canIEditGroupProfile(#groupmembership.group.id)")
    public int updateGroupMembership(GroupMembership groupmembership)
            throws GroupsServiceException;

Further, I observed that the parameter name was mismatched in the first case (i.e. Service and ServiceImpl had different parameter names).
Now, maintaining the uniformity, the issue seems to be fixed.
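
A stand-alone reproduction of the failure described in the post, as an added example that is not part of the original post. It uses plain SpEL (only `spring-expression` on the classpath) rather than Spring Security, and evaluates just the argument expression; the class `ParamNameMismatchDemo`, the helper `evaluate` and the sample id are hypothetical.

```java
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Hypothetical demo class; needs only spring-expression on the classpath.
public class ParamNameMismatchDemo {

    // Trimmed copies of the post's POJOs (constructed sample data).
    public static class Group {
        private final int id;
        public Group(int id) { this.id = id; }
        public int getId() { return id; }
    }

    public static class GroupMembership {
        private final Group group;
        public GroupMembership(Group group) { this.group = group; }
        public Group getGroup() { return group; }
    }

    // Binds the argument under boundName (standing in for the parameter name
    // found on the implementation method) and evaluates the expression.
    static Object evaluate(String expression, String boundName, Object argument) {
        StandardEvaluationContext context = new StandardEvaluationContext();
        context.setVariable(boundName, argument);
        return new SpelExpressionParser().parseExpression(expression).getValue(context);
    }

    public static void main(String[] args) {
        GroupMembership membership = new GroupMembership(new Group(42));

        // Expression and bound name agree: the group id is resolved.
        System.out.println(evaluate("#groupmembership.group.id", "groupmembership", membership));

        // Expression says #membership, argument is bound as groupmembership:
        // the unknown variable is null, so reading 'group' fails with EL1007E
        // even though the object passed in is fully populated.
        try {
            evaluate("#membership.group.id", "groupmembership", membership);
        } catch (SpelEvaluationException e) {
            System.out.println(e.getMessageCode() + " " + e.getMessage());
        }
    }
}
```

In Spring Security the variable name can be pinned independently of the compiled parameter name by annotating the parameter with `@P("membership")`, which keeps the expression valid if an implementation later renames its parameter.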