The JSP taglib `authorize` does not work with the attribute `url` if actuators are configured and protected

[lpetit-yseop]

Summary

When activating actuators and securing them, it's not possible to use the url attribute of the authorize

Actual Behavior

The following minimalistic public GitHub repository demonstrates the issue: https://github.com/lpetit-yseop/spring-security-taglib-issue

Version

Problem occurs with both spring boot 2.0.9 and 2.1.5 with default spring security associated versions.

Sample

https://github.com/lpetit-yseop/spring-security-taglib-issue

[rwinch]

Thanks for the report. This is a duplicate of gh-3142

[lpetit-yseop]

Thanks for the report. This is a duplicate of gh-3142

Well, it's not crystal clear to me that it is related to gh-3142, but if you say so …

[lpetit-yseop]

@rwinch The issue that is demonstrated in the sample repo is that the DummyRequest used to fake url access via the taglig <sec:authorize url="/foo"> is created via a proxy construction, and this proxy does not implement the getServletContext() method.

Are you sure this is related to gh-3142 ?

[rwinch]

I'm sorry you are right. The issue is that the getServletContext() method is not implemented.

[lpetit-yseop]

I'm sorry you are right. The issue is that the getServletContext() method is not implemented.

Would you be interested if I try to create a pull request for this?
I'm not really sure to understand yet how (or if) I would have to initialize a servlet context, so I don't know whether this is a low-hanging fruit issue or not.

[rwinch]

Thanks for the offer to help @lpetit-yseop! I think we can solve this by updating DummyRequest to have getServletContext() which is implemented using RequestContextHolder.