Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Method Security fails to propagate method parameters to SpEL expressions #14637

Closed
Jef-VDD opened this issue Feb 19, 2024 · 2 comments
Closed

Method Security fails to propagate method parameters to SpEL expressions #14637

Jef-VDD opened this issue Feb 19, 2024 · 2 comments
Assignees
@jzheaux
Labels
in: core An issue in spring-security-core type: task A general task

Comments

@Jef-VDD
Copy link

Jef-VDD commented Feb 19, 2024

Describe the bug
When adding an @PreAuthorize annotation to my repository interface that checks certain entity fields the following error occurs even when the entity is not null :
org.springframework.expression.spel.SpelEvaluationException: EL1007E: Property or field '*fieldName*' cannot be found on null

To Reproduce
Create repository with @PreAuthorize annotation and perform check on any entity field.

Expected behavior
Authorization on fields is possible and throws the AccessDeniedException when pre authorize fails

Sample
Demo project with 2 tests that execute an authorization that should fail and an authorization that should work
https://github.com/Jef-VDD/spel-demo

Extra info
This appears to be working when running with versions of org.springframework:spring-aop of 6.1.2 or lower. If this is not an issue with spring-security feel free to close this ticket and I will try to move my issue to the correct project (I assume either spring-expression or spring-aop)

If related to Spring AOP does not propagate arguments for dynamic prototype-scoped advice I will upgrade when possible!
@Jef-VDD Jef-VDD added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Feb 19, 2024
@jzheaux jzheaux self-assigned this Feb 21, 2024
@kse-music
Copy link
Contributor

It looks like this issue has been fixed by this commit

@jzheaux
Copy link
Contributor

jzheaux commented Feb 26, 2024
edited
Loading

Thanks for the report, @Jef-VDD! This appears to have been fixed already in Spring Framework, as you and @kse-music indicated. When I update your application to use <spring-framework.version>6.1.4</spring-framework.version>, the tests pass again.

As I check against future issues, I've added a test in c639d0a

@jzheaux jzheaux added in: core An issue in spring-security-core type: task A general task and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Feb 26, 2024
@jzheaux jzheaux changed the title Prepost annotation on entity field with Spring-EL expression no longer works on repository interface in 3.2.2 Method Security fails to propagate method parameters to SpEL expressions Feb 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: core An issue in spring-security-core type: task A general task
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jzheaux @kse-music @Jef-VDD