Description
Custom form login DefaultErrorController throws NullPointerException after providing credentials on the login page using authorization_code grant type.
To Reproduce
- Clone the [demo authorization server sample](https://github.com/spring-projects/spring-authorization-server/tree/a74f90d2dfa708bbae5c3890a9a7323902493d64/samples/demo-authorizationserver).
- Run the custom form-based login sample and try to get the access token using Postman or a browser.
- After entering the credentials, the error page shows a blank error message.
Expected behavior
The custom form-based login sample should successfully complete the OAuth2 authorization_code flow, and the client should get the access_token.
Sample
[demo authorization server sample](https://github.com/spring-projects/spring-authorization-server/tree/a74f90d2dfa708bbae5c3890a9a7323902493d64/samples/demo-authorizationserver)
Details
The following stacktrace gets printed from the DefaultErrorController at this line:

```java
return (String) request.getAttribute(RequestDispatcher.ERROR_MESSAGE);
```

```
2023-06-24T14:09:53.415+05:30 ERROR 8240 --- [nio-8080-exec-1] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because "errorMessage" is null] with root cause

java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because "errorMessage" is null
	at com.sample.authservice.controller.DefaultErrorController.handleError(DefaultErrorController.java:25) ~[classes/:na]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[na:na]
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
	at java.base/java.lang.reflect.Method.invoke(Method.java:568) ~[na:na]
	at org.springframework.web.method.support.I
```
While debugging at this line in the DefaultErrorController:

```java
return (String) request.getAttribute(RequestDispatcher.ERROR_MESSAGE);
```

the debug console shows this:

```
((ApplicationHttpRequest)((StrictFirewalledRequest)((Servlet3SecurityContextHolderAwareRequestWrapper)((ResourceUrlEncodingRequestWrapper)request).request).request).request).mapping = Cannot cast 'org.springframework.security.web.savedrequest.SavedRequestAwareWrapper' to 'org.springframework.security.web.firewall.StrictHttpFirewall$StrictFirewalledRequest'
```
Note: The authorization_code flow works successfully if we do not use custom form-based login.
Spring Boot version: 3.1.1
Spring Authorization Server version: 1.1.1
More details
Here is the Stack Overflow question I have already asked, which has more details.
This issue seems similar to the spring-security issue about StrictFirewalledRequest.
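A null-safe error controller for the failure reported above, added here as an example rather than the demo sample's own code: the package, class name, the "error" view name and the "[access_denied]" prefix check are assumptions, and the exception detail is kept in the server log instead of being rendered to the user.

```java
// Added example (not the demo sample's own code): an ErrorController that tolerates
// a missing RequestDispatcher.ERROR_MESSAGE attribute instead of throwing an NPE.
// Assumptions: Spring Boot 3 (Jakarta Servlet API), a view named "error" that renders
// the "errorTitle" and "errorMessage" model attributes.
package com.example.authservice.controller; // hypothetical package

import jakarta.servlet.RequestDispatcher;
import jakarta.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.web.servlet.error.ErrorController;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class SafeErrorController implements ErrorController {

    private static final Logger log = LoggerFactory.getLogger(SafeErrorController.class);

    @RequestMapping("/error")
    public String handleError(HttpServletRequest request, Model model) {
        // Each of these attributes may be absent depending on how the request reached
        // /error (container forward, sendError(), or the security filter chain).
        Object statusAttr = request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
        Object messageAttr = request.getAttribute(RequestDispatcher.ERROR_MESSAGE);
        Object exceptionAttr = request.getAttribute(RequestDispatcher.ERROR_EXCEPTION);
        int status = statusAttr instanceof Integer i ? i : HttpStatus.INTERNAL_SERVER_ERROR.value();
        String message = messageAttr instanceof String s ? s : ""; // never null from here on

        // Exception details stay server-side; rendering them would leak internals.
        if (exceptionAttr instanceof Throwable t) {
            log.warn("Error page reached with status {}: {}", status, t.toString());
        }

        if (message.startsWith("[access_denied]")) { // assumed prefix set by the consent flow
            model.addAttribute("errorTitle", "Access Denied");
            model.addAttribute("errorMessage", "You have denied access.");
        } else if (status == HttpStatus.NOT_FOUND.value()) {
            model.addAttribute("errorTitle", "Not Found");
            model.addAttribute("errorMessage", "The requested page does not exist.");
        } else {
            model.addAttribute("errorTitle", "Error");
            model.addAttribute("errorMessage",
                    message.isEmpty() ? "An unexpected error occurred." : message);
        }
        return "error";
    }
}
```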