ClassCastException: org.springframework.security.web.firewall.RequestWrapper

  • ClassCastException: org.springframework.security.web.firewall.RequestWrapper

    Hello

    I'm using:
    Spring Security 3.1.0
    Oracle Containers for J2EE 10g (10.1.3.5.0)
    Extjs 4.0
    Spring MVC 3.0

    When I invoke my JSP the server dispatches everything OK, the debug log doesn't show errors and the filters are applied correctly, but I get an error in the application.log every time I invoke the JSP. I read about the HttpFirewall strategy and I've changed all my relative paths to absolute paths; however, I get the same error.

    I'm sending all configuration files.

    application.log
    Code:
    
    12/08/16 12:25:31.537 webSCG: Servlet error
    java.lang.ClassCastException: org.springframework.security.web.firewall.RequestWrapper
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.NotFoundServlet.sendNotFound(NotFoundServlet.java:26)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.NotFoundServlet.service(NotFoundServlet.java:18)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
    	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:167)
    	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:644)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:391)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.handleNotFound(HttpRequestHandler.java:1087)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:948)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:458)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:226)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.run(HttpRequestHandler.java:127)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].server.http.HttpRequestHandler.run(HttpRequestHandler.java:116)
    	at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    	at com.evermind[Oracle Containers for J2EE 10g (10.1.3.5.0) ].util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    	at java.lang.Thread.run(Thread.java:595)
    web.xml
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    
        <display-name>Sistema de Contabilidad Gubernamental</display-name>
    
        <!--|
            | Log4J configuration parameters
            |-->
    
        <context-param>
                <param-name>log4j.appender.logfile.File</param-name>
                <param-value>logs/scg.log</param-value>
        </context-param>
        
        <context-param>
                <param-name>log4j.level</param-name>
                <param-value>ERROR</param-value>
        </context-param>
      
        <context-param>
                <param-name>log4j-init-file</param-name>
                <param-value>/WEB-INF/log4j.properties</param-value>
        </context-param>
    
        <!--|
            | Filter that applies the Spring Security filter chain
            |-->     
        <filter>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    	</filter>
    
    	<filter-mapping>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    	
        <listener>
            <listener-class>
            	gob.shcp.cgtic.scg.web.listener.Log4jInit
            </listener-class>
        </listener>
    
        <!--|
            | Listener that loads the Spring configuration
            |-->
        <listener>
            <listener-class>
                org.springframework.web.context.ContextLoaderListener
            </listener-class>
        </listener>
              
        <!--|
            | Servlet that handles Spring MVC requests
         -->
        <servlet>
            <servlet-name>scg-dispatcher</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
            <servlet-name>scg-dispatcher</servlet-name>
            <url-pattern>*.action</url-pattern>
        </servlet-mapping>
    
        <servlet>
            <servlet-name>testRest</servlet-name>
            <servlet-class>gob.shcp.cgtic.scg.web.sample.TestServlet</servlet-class>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
            <servlet-name>testRest</servlet-name>
            <url-pattern>/testrest</url-pattern>
        </servlet-mapping>
    
    <welcome-file-list>
    		<welcome-file>index.xhtml</welcome-file>
    	</welcome-file-list>
    </web-app>
    security-config.xml
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans"
    	xmlns:context="http://www.springframework.org/schema/context"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans 
    	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    	http://www.springframework.org/schema/context
    	http://www.springframework.org/schema/context/spring-context-3.0.xsd
    	http://www.springframework.org/schema/security 
    	http://www.springframework.org/schema/security/spring-security-3.1.xsd" >
    
    	<http pattern="/login.xhtml" security="none"/>
    	<http pattern="/resources/**" security="none"/>
    	
    
    	<http use-expressions="true">
    		<intercept-url pattern="/**" access="isAuthenticated()" />
    		<form-login login-page='/login.xhtml' 
    			authentication-success-handler-ref="loginSuccessHandler"
    			authentication-failure-handler-ref="loginFailureHandler" />
    
    		<logout invalidate-session="true" logout-success-url="/login.xhtml" logout-url="/j_spring_security_logout" delete-cookies="JSESSIONID"/>
    		<session-management session-fixation-protection="newSession" >
    			<concurrency-control max-sessions="1" error-if-maximum-exceeded="false"/>
    		</session-management>  
    	</http>
        
    
    
    	<context:annotation-config/>
    
    	<beans:bean id="userDao" class="gob.shcp.cgtic.scg.security.dao.impl.UsuarioDaoImpl"
    		scope="prototype">
    		<beans:property name="dataSource" ref="scgJndiDataSource"/>
    	</beans:bean> 
    	
    	<beans:bean id="cgticUserDetailsService" class="gob.shcp.cgtic.security.service.CgticUserDetailsService" />
        
    	<beans:bean id="roleDao" class="gob.shcp.cgtic.scg.security.dao.impl.RolDaoImpl"
    			  scope="prototype">
    				  <beans:property name="dataSource" ref="scgJndiDataSource"/>
    		   </beans:bean>
    
      
    	<beans:bean id="daoAuthenticationProvider"
    		class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    		<beans:property name="userDetailsService" ref="cgticUserDetailsService" />
    	</beans:bean>
    
    	<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    		<beans:constructor-arg  value="ldap://172.22.250.51:389/"/>
    		<beans:property name="userDn" value="[email protected]"/>
    		<beans:property name="password" value="chicoris"/>
    	</beans:bean>
    	
    	<beans:bean id="cgticUserContextMapper" class="gob.shcp.cgtic.security.ldap.CgticUserDetailsMapper"/>
    
    	<beans:bean id="ldapAuthProvider"
    		class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    		<beans:constructor-arg>
    			<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
    				<beans:constructor-arg ref="contextSource"/>
    				<beans:property name="userSearch">
    				<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    				<beans:constructor-arg index="0" value="dc=hacienda,dc=ad,dc=gob,dc=mx"/>
    						<beans:constructor-arg index="1" value="(mailNickname={0})"/>
    						<beans:constructor-arg index="2" ref="contextSource" />
    					</beans:bean>
    				</beans:property>
    			</beans:bean>
    		</beans:constructor-arg>
    		<beans:property name="userDetailsContextMapper" ref="cgticUserContextMapper"/>
    	</beans:bean>
    	
    	<authentication-manager>
    		<authentication-provider ref="ldapAuthProvider"/>
    	</authentication-manager>
    	
    	<beans:bean id="loginSuccessHandler" class="gob.shcp.cgtic.scg.web.auth.LoginSuccessHandler" />
    	<beans:bean id="loginFailureHandler" class="gob.shcp.cgtic.scg.web.auth.LoginFailureHandler" />
    
    </beans:beans>
    I'm attaching the debug file.


    Thanks in advance. I hope someone can help me.


  • #2
    Spring Security overrides the HttpServletRequest using an HttpServletRequestWrapper implementation to integrate the current user with the HttpServletRequest object, ensure the URLs are normalized, ensure the current user is saved, etc. This is something allowed by the specification and is heavily utilized by other frameworks. You can find numerous other reports of the issue (i.e. using Struts, JRuby, etc.). With all that said, this is a bug in the NotFoundServlet as it should not assume the implementation of the HttpServletRequest.


    • #3
      Thanks Rob

      I found the following answer in another forum and I'd like to share it with all users.


      This is a bug in the com.evermind.server.http.NotFoundServlet -
      whoever wrote that is attempting to cast the ServletRequest instance
      directly to a com.evermind.server.http.EvermindHttpServletRequest
      instance.

      The NotFoundServlet author is incorrectly assuming that the
      ServletRequest instance remains the Servlet Container's implementation
      for the duration of the request. However, with things like the
      HttpServletRequestWrapper (part of the standard servlet API), it is
      completely 'legal' (and expected) that Servlet Filters have the
      ability to replace or wrap the container's ServletRequest with their
      own implementation before sending it down the FilterChain.


      Thanks
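
The failure mode discussed in this thread, as an added example that is not code from the posters, Spring Security or OC4J: a blind cast to a container-private request type breaks once a filter wraps the request, while walking the wrapper chain with the standard `ServletRequestWrapper.getRequest()` does not. `ContainerRequest`, `containerInfo()` and `unwrap()` are hypothetical names; the example assumes Java 8+ and the `javax.servlet` API jar on the classpath.

```java
import java.lang.reflect.Proxy;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestWrapper;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class UnwrapDemo {
    // Hypothetical stand-in for a container's private request type
    // (the role EvermindHttpServletRequest plays in the quoted answer).
    interface ContainerRequest extends HttpServletRequest {
        String containerInfo();
    }

    // Walk the wrapper chain using only the standard servlet API instead of
    // casting blindly; returns null if no request of the wanted type is found.
    static <T> T unwrap(ServletRequest request, Class<T> type) {
        ServletRequest current = request;
        while (current != null && !type.isInstance(current)) {
            current = (current instanceof ServletRequestWrapper)
                    ? ((ServletRequestWrapper) current).getRequest() : null;
        }
        return type.cast(current); // Class.cast(null) returns null
    }

    public static void main(String[] args) {
        // Constructed container request: a dynamic proxy, enough for the demo.
        ContainerRequest raw = (ContainerRequest) Proxy.newProxyInstance(
                UnwrapDemo.class.getClassLoader(),
                new Class<?>[] { ContainerRequest.class },
                (proxy, method, margs) ->
                        "containerInfo".equals(method.getName()) ? "demo-container" : null);

        // What a filter such as Spring Security's firewall does: wrap the request.
        HttpServletRequest wrapped = new HttpServletRequestWrapper(raw);

        try {
            ContainerRequest broken = (ContainerRequest) wrapped; // the fragile pattern
            System.out.println("unexpected: " + broken.containerInfo());
        } catch (ClassCastException e) {
            System.out.println("blind cast failed: " + e);
        }

        ContainerRequest found = unwrap(wrapped, ContainerRequest.class);
        System.out.println("unwrapped: " + (found != null ? found.containerInfo() : "none"));
    }
}
```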
