Closed spring-projects-issues closed 5 years ago
Rob Winch commented
Thanks for the report smallufo!
This seems to be a general issue with proxies on the Spring MVC Controllers. I create a sample that uses @Transactional
rather than @PreAuthorize
in spring-framework-issues/SPR-13580. For your convenience, the following TestController also reproduces the issue:
@Controller
@RequestMapping("/test")
@Transactional
public class TestController {
private Logger logger = LoggerFactory.getLogger(getClass());
@Inject
private MyValidator myValidator;
@InitBinder("myObj")
private void initBinder(WebDataBinder binder) {
logger.info("myValidator = {}", myValidator);
binder.initDirectFieldAccess();
binder.setValidator(myValidator);
}
@RequestMapping(value = "/doPost", method = RequestMethod.POST)
public String doPost(@Valid MyObj myObj, BindingResult br) throws IOException {
logger.info("myObj = {} , bindingResult = {}", myObj, br);
if(br.hasErrors()) {
return "error";
}
return "redirect:/test/form";
}
}
At this point, I'm not sure if this is an issue with Spring framework or Spring Boot but it does not appear to be isolated to Spring Security.
Rossen Stoyanchev commented
I cannot fully explain the behavior but I'm pretty sure this has to do with the fact that initBinder is a private method and CGLib cannot proxy private (nor final) methods.
Bulk closing outdated, unresolved issues. Please, reopen if still relevant.
smallufo opened SPR-13580 and commented
In a simple controller :
I noticed the injected validator is always null in the initBinder method , the logger is even null (and throws NPE) , this is weird.
If I totally remove the
@InitBinder
initBinder() method , the myValidator is available (not null) again in each method.After eliminating many factors , I found the culprit is the
@PreAuthorize
("hasAuthority('USER')") . After removing this@PreAuthorize
, everything works fine.Is it a bug ? I feel it seems like a bug ... Does something conflicts with SpringSecurity and SpringValidation and SpringMVC ?
environments :
Thanks in advanced.
Affects: 4.2.1
Reference URL: http://stackoverflow.com/questions/33174428/preauthorize-controller-invalidates-inject-in-initbinder
0 votes, 6 watchers