Null pointer Exception in Spring Security Expression's isAnonymous method

Question

I'm using Spring Security 3.2. I get the Null Pointer Exception whenever I deploy my project on Apache Tomcat Server. The web.xml is

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
 <display-name>ch04</display-name>


<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/applicationContext-security.xml
    </param-value>
</context-param>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
        org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>

<servlet>
    <servlet-name>terrormovies</servlet-name>
    <servlet-class> org.springframework.web.servlet.DispatcherServlet </servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping><servlet-name>terrormovies</servlet-name><url-pattern>/</url-pattern></servlet-mapping></web-app>

The Application context Security.xml file is

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<security:http auto-config="true" use-expressions="true">
    <security:expression-handler ref="expressionHandler" />
    <security:intercept-url pattern="/admin/*"
        access="hasIpAddress('127.0.0.1')and (isAnonymous() ? false : principal.lastname == 'Scarioni') and over18" />
    <security:remember-me key="terror-key" />
    <security:logout delete-cookies="JSESSIONID"
        success-handler-ref="logoutRedirectToAny" />
    <security:form-login login-page="/custom_login"
        authentication-failure-handler-ref="serverErrorHandler"
        username-parameter="user_param" password-parameter="pass_param" />
</security:http>
<security:authentication-manager>
    <security:authentication-provider
        user-service-ref="inMemoryUserServiceWithCustomUser" />
</security:authentication-manager>
<bean id="expressionHandler"
    class="com.apress.pss.terrormovies.security.CustomWebSecurityExpressionHandler" />
<bean id="inMemoryUserServiceWithCustomUser"
    class="com.apress.pss.terrormovies.spring.CustomInMemoryUserDetailsManager">
    <constructor-arg>
        <list>
            <bean class="com.apress.pss.terrormovies.model.User">
                <constructor-arg value="admin" />
                <constructor-arg value="admin" />
                <constructor-arg>
                    <list>
                        <bean class="org.springframework.security.core.authority.SimpleGrantedAuthority">              
<constructor-arg value="ROLE_ADMIN" />
          </bean>
          </list>
          </constructor-arg>
          <constructor-arg value="Scarioni" />
          <constructor-arg value="19" />
          </bean>
          </list>
          </constructor-arg>
          </bean>
          <bean id="logoutRedirectToAny"   class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
        <property name="targetUrlParameter" value="redirectTo" />
        </bean>
        <bean id="serverErrorHandler"
    class="com.apress.pss.terrormovies.security.ServerErrorFailureHandler" />

The stack trace of error is as follows.

java.lang.NullPointerException
      org.springframework.security.access.expression.SecurityExpressionRoot.isAnonymous(SecurityExpressionRoot.java:88)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:601)
org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:69)
org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:122)
org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:80)
org.springframework.expression.spel.ast.SpelNodeImpl.getValue(SpelNodeImpl.java:134)
org.springframework.expression.spel.ast.Ternary.getValueInternal(Ternary.java:47)
org.springframework.expression.spel.ast.SpelNodeImpl.getValue(SpelNodeImpl.java:134)
org.springframework.expression.spel.ast.OpAnd.getBooleanValue(OpAnd.java:51)
org.springframework.expression.spel.ast.OpAnd.getValueInternal(OpAnd.java:46)
org.springframework.expression.spel.ast.SpelNodeImpl.getValue(SpelNodeImpl.java:134)
org.springframework.expression.spel.ast.OpAnd.getBooleanValue(OpAnd.java:51)
org.springframework.expression.spel.ast.OpAnd.getValueInternal(OpAnd.java:42)
org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:102)
org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:98)
org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:11)
org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:34)
org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:18)
org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:62)
org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:139)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)

How to resolve this error? Any help will be gratefully appreciated

I suspect something is wrong in your CustomWebSecurityExpressionHandler. Can you show it? — holmis83
– holmis83, Commented Jun 9, 2015 at 11:35
Sir, you are absolutely correct. There was a problem with my SpringWebSecurityExpressionHandler. Please answer this question so that I may accept your answer. — Ankit
– Ankit, Commented Jun 9, 2015 at 12:29

holmis83 · Accepted Answer · 2015-06-09 14:15:04Z

1

I suspect something is wrong in your CustomWebSecurityExpressionHandler.

Did you forget to set an AuthenticationTrustResolver?

answered Jun 9, 2015 at 14:15

holmis83

16.7k5 gold badges88 silver badges88 bronze badges

Sign up to request clarification or add additional context in comments.

Collectives™ on Stack Overflow

Null pointer Exception in Spring Security Expression's isAnonymous method

1 Answer 1

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

1 Answer 1

Comments

Your Answer

Sign up or log in

Post as a guest

Related