8

I have Spring method security fully configured for my web application (with pre/post annotations enabled).

However recently I encountered a strange issue with them. Summary as follows:

  1. Summary of POJOS

    // User Class
    public class User {
        int id;
        String name;
        // getters and setters
    }
    
    // Group Class
    public class Group {
        int id;
        String name;
        // getters and setters
    }
    
    // GroupMembership class
    public class GroupMembership {
        private int id;
        private User user;
        private Group group;
        // getters and setters
    }
    
  2. PreAuthorise filter on method.

    @PreAuthorize("canIEditGroupProfile(#membership.group.id)")
    public int updateGroupMembership(GroupMembership membership)
        throws GroupsServiceException;
    

Upon passing a fully populated GroupMembership object (proper user and group compositions present), the security filter throws the following exception:

    errorMessage: "Failed to evaluate expression
        canIEditGroupProfile(#membership.group.id)'"

Upon digging into the exception, the cause is found to be:

    org.springframework.expression.spel.SpelEvaluationException:
        EL1007E:(pos 33): Field or property 'group' cannot be found on null

Please provide pointers to address the same.

ROMANIA_engineer
hemantvsn

4 Answers

6

Getters/setters seem fine... also no case of null.

However, an interesting observation: this one gives me an error:

    @PreAuthorize("canIEditGroupProfile(#membership.group.id)")
    public int updateGroupMembership(GroupMembership membership)
        throws GroupsServiceException;

This works fine:

    @PreAuthorize("canIEditGroupProfile(#groupmembership.group.id)")
    public int updateGroupMembership(GroupMembership groupmembership)
        throws GroupsServiceException;

Further, I observed that the parameter name was mismatched in the first case (i.e. Service and ServiceImpl both had different parameter names).

Now, maintaining the uniformity, the issue seems to be fixed.

Michael Piefel
hemantvsn
2

I got the same issue in my Spring Boot application. It turned out that I was compiling without my debug symbols information, as it is mentioned in a comment above. I would like to remark that I could fix the issue in two ways:

1. (My favourite one): Just include this in your pom.xml --> plugins

    <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <configuration>
           <compilerArgument>-parameters</compilerArgument>
           <testCompilerArgument>-parameters</testCompilerArgument>
        </configuration>
    </plugin>

2. If you are using Java 1.8 and Eclipse as an IDE, go to your Project Properties --> Java Compile --> check "Store information about method parameters (usable via reflection)".

I found this link really interesting for learning more about the issue.

Hope it helps!

alonso_50
  • Still working on a very similar issue (but in IntelliJ). Interesting observation: after pasting this exact snippet into my POM, maven runs my tests successfully. When I run them with IntelliJ afterwards they also succeed, but as soon as IntelliJ rebuilds my code, they're broken again. After compiling with maven they work again. I'm starting to feel sick... – DanDan Aug 09 '19 at 15:05
1

I had the same issue and found that the name of the object to check the authorization against must be the same in the interface and implementation.

For example, if you have this method in your interface:

    @PreAuthorize("hasPermission(#foo, 'UPDATE')")
    public void testMethod(MyObject foo);

you should have the following in the implementation:

    public void testMethod(MyObject foo) { ... your code here... }

I hope this helps.

Emanuele
0

As @zeroflagL asked: Are you compiling without debug information? This is likely the same issue as "spring @Cacheable with Ehcache, spel find null for valid object" and "Spring @Cacheable with SpEL key: always evaluates to null" – check your POM (or Eclipse configuration or whatever) for your debug configuration, for instance <debug>false</debug> in the maven-compiler-plugin.

Community
Michael Piefel
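The answers above trace the failure to two causes: parameter names that differ between the service interface and its implementation, and class files compiled without stored parameter names. The following is an added example, not code from any of the posts: a plain-JDK reflection check that reports both conditions for an interface/implementation pair. The names ParamNameCheck, findProblems, GroupsService and GroupsServiceImpl are assumptions made for the illustration, and the check only sees names stored by the `-parameters` compiler flag, not names kept in debug symbols.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Parameter;
import java.util.ArrayList;
import java.util.List;

public class ParamNameCheck {
    // Constructed stand-ins for the question's types (names are assumptions).
    static class GroupMembership { }

    interface GroupsService {
        // In the question this declaration carries
        // @PreAuthorize("canIEditGroupProfile(#membership.group.id)")
        int updateGroupMembership(GroupMembership membership);
    }

    static class GroupsServiceImpl implements GroupsService {
        @Override // parameter renamed here, as in the failing case
        public int updateGroupMembership(GroupMembership groupmembership) { return 0; }
    }

    /** Reports interface methods whose parameter names are not stored or differ in the implementation. */
    static List<String> findProblems(Class<?> iface, Class<?> impl) throws NoSuchMethodException {
        List<String> problems = new ArrayList<>();
        for (Method declared : iface.getMethods()) {
            Method actual = impl.getMethod(declared.getName(), declared.getParameterTypes());
            Parameter[] a = declared.getParameters();
            Parameter[] b = actual.getParameters();
            for (int i = 0; i < a.length; i++) {
                if (!a[i].isNamePresent() || !b[i].isNamePresent()) {
                    // Without -parameters, reflection only yields arg0, arg1, ...
                    problems.add(declared.getName() + ": parameter " + i
                            + " has no stored name (compile with -parameters)");
                } else if (!a[i].getName().equals(b[i].getName())) {
                    problems.add(declared.getName() + ": parameter " + i + " is '"
                            + a[i].getName() + "' in " + iface.getSimpleName() + " but '"
                            + b[i].getName() + "' in " + impl.getSimpleName());
                }
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        findProblems(GroupsService.class, GroupsServiceImpl.class).forEach(System.out::println);
    }
}
```

Run as a unit test over each secured service, this turns a silent `#membership` resolving to null into a build failure. Spring Security's `@P` annotation (`org.springframework.security.core.parameters.P`) on the parameter binds the SpEL variable name explicitly, independent of compiler flags.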