Missing native-image reflection hint for CsrfTokenRequestAttributeHandler$SupplierCsrfToken #14397

Closed
mmoayyed opened this issue Jan 2, 2024 · 5 comments
Labels
in: web An issue in web modules (web, webmvc) type: bug A general bug

@mmoayyed
mmoayyed commented Jan 2, 2024

Describe the bug

Spring Security 6.2.2-SNAPSHOT with Spring Boot 3.2.1 fails to register appropriate native image hints for:

  • CsrfTokenRequestAttributeHandler$SupplierCsrfToken

Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1008E: Property or field 'token' cannot be found on object of type 'org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler$SupplierCsrfToken' - maybe not public or not valid?
	at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:228)
	at org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:111)
	at org.springframework.expression.spel.ast.PropertyOrFieldReference$AccessorLValue.getValue(PropertyOrFieldReference.java:416)
	at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:98)
	at org.springframework.expression.spel.ast.SpelNodeImpl.getValue(SpelNodeImpl.java:114)
	at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:338)
	at org.thymeleaf.spring6.expression.SPELVariableExpressionEvaluator.evaluate(SPELVariableExpressionEvaluator.java:265)
	... 217 common frames omitted

Link to GitHub Actions that runs the below commands: https://github.com/mmoayyed/cas/actions/runs/7376598119/job/20071321335

To Reproduce

# Need JDK 21
git clone --depth=1 git@github.com:mmoayyed/cas.git
cd cas

# Build the image
./ci/tests/puppeteer/run.sh --nb --scenario $PWD/ci/tests/puppeteer/scenarios/mfa-provider-selection-trigger-attr

# Run the image
./ci/tests/puppeteer/run.sh --nr --scenario $PWD/ci/tests/puppeteer/scenarios/mfa-provider-selection-trigger-attr
@mmoayyed mmoayyed added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jan 2, 2024
@marcusdacoregio marcusdacoregio self-assigned this Jan 3, 2024
@marcusdacoregio marcusdacoregio added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 3, 2024
@mmoayyed
Author

Hello, is there anything I can do to help out and resolve this issue? Happy to test with 6.2.2-SNAPSHOT if you need a tester :)

@marcusdacoregio
Contributor

Hi, @mmoayyed. Sorry for the delay. Can you elaborate more on your setup to achieve the error or provide a minimal sample? My minimal sample works fine.

@mmoayyed
Author

mmoayyed commented Jan 17, 2024

I think you basically need to have the following stanza in your setup, if you do not have it already:

http.csrf(c -> {
    var pattern = new AntPathRequestMatcher("helloworld/**");
    var delegate = new XorCsrfTokenRequestAttributeHandler();
    delegate.setSecureRandom(...);
    c.requireCsrfProtectionMatcher(pattern)
        .csrfTokenRequestHandler(delegate::handle)
        .csrfTokenRepository(...);
});

Then the user interface (Thymeleaf in this case) should have something similar to:

    <meta name="_csrf" th:if="${_csrf}" th:content="${_csrf.token}"/>
    <meta name="_csrf_header" th:if="${_csrf}" th:content="${_csrf.headerName}"/>

Does this help?

@marcusdacoregio
Contributor

Thanks, @mmoayyed, that helped a lot. Initially I was thinking that Thymeleaf should add that hint since it is using SpEL and, therefore, reflection, to resolve the token. However, since we guide users to use the meta tag, I decided that it would be good to include the hints ourselves.

Thanks again for the report.

@mmoayyed
Author

Thanks much for taking care of this!
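
An added example, not part of the thread and not Spring Security's own fix: an application-side registrar that supplies the reflection hint named in the stack trace, for builds on a version that does not ship it. The class names `CsrfTokenHintsConfiguration` and `CsrfTokenHints` are hypothetical, and it assumes SpEL only needs the public getters behind `${_csrf.token}` and `${_csrf.headerName}`.

```java
import org.springframework.aot.hint.MemberCategory;
import org.springframework.aot.hint.RuntimeHints;
import org.springframework.aot.hint.RuntimeHintsRegistrar;
import org.springframework.aot.hint.TypeReference;
import org.springframework.aot.hint.predicate.RuntimeHintsPredicates;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ImportRuntimeHints;

// Hypothetical application class; only the Spring AOT types are framework APIs.
@Configuration(proxyBeanMethods = false)
@ImportRuntimeHints(CsrfTokenHintsConfiguration.CsrfTokenHints.class)
public class CsrfTokenHintsConfiguration {

    // The nested class is private, so it is referenced by the name from the stack trace.
    static final String SUPPLIER_CSRF_TOKEN =
            "org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler$SupplierCsrfToken";

    static class CsrfTokenHints implements RuntimeHintsRegistrar {
        @Override
        public void registerHints(RuntimeHints hints, ClassLoader classLoader) {
            // Assumption: SpEL reads 'token' and 'headerName' by invoking
            // the public getters reflectively, so only those are opened up.
            hints.reflection().registerType(
                    TypeReference.of(SUPPLIER_CSRF_TOKEN),
                    MemberCategory.INVOKE_PUBLIC_METHODS);
        }
    }

    // JVM-side check that the hint is present, usable from a unit test
    // before running a full native-image build.
    static boolean hintRegistered() {
        RuntimeHints hints = new RuntimeHints();
        new CsrfTokenHints().registerHints(
                hints, CsrfTokenHintsConfiguration.class.getClassLoader());
        return RuntimeHintsPredicates.reflection()
                .onType(TypeReference.of(SUPPLIER_CSRF_TOKEN))
                .withMemberCategory(MemberCategory.INVOKE_PUBLIC_METHODS)
                .test(hints);
    }
}
```

Without the hint, the meta tags fail to render in the native image with the `EL1008E` error above, so the page never receives the CSRF token and header name the configuration expects it to send back.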

2 participants