@dsyer
Last active August 29, 2015 14:05
Notes on WebInvocationPrivilegeEvaluator in Java config

From WebSecurityConfigurerAdapter.init(WebSecurity):

public void init(final WebSecurity web) throws Exception {
  final HttpSecurity http = getHttp();
  web
    .addSecurityFilterChainBuilder(http)
    .postBuildAction(new Runnable() {
      public void run() {
        FilterSecurityInterceptor securityInterceptor = http.getSharedObject(FilterSecurityInterceptor.class);
        web.securityInterceptor(securityInterceptor);
      }
    });
}

I actually don't understand how this is supposed to work since there is only one WebSecurity (and only one post build hook) and there can be many WebSecurityConfigurerAdapters (and many HttpSecurity instances).

The problem I am seeing is that I get a null FilterSecurityInterceptor from one of my WebSecurityConfigurerAdapters and it happens to be the last one applied, so it leads to a null WebInvocationPrivilegeEvaluator (and errors in JSP/Thymeleaf rendering). I don't understand how the renderer support is supposed to work either, because it needs to know the runtime behaviour of the whole filter chain, but it's only ever going to get one HttpSecurity configuration this way, even if it isn't null.

To see the null error, just take the "spring-boot-sample-web-secure" app and add Thymeleaf Spring Security, then put this in the home page:

<html xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
...
    <div sec:authorize-url="/" th:text="${message}">Fake content</div>
...

Run the app, log in and get an NPE.
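
A plain-Java model of the behaviour described in these notes, added here as an illustration and not code from the gist or from Spring Security. `Web`, `Http` and `Interceptor` are hypothetical stand-ins, and the model assumes, as the notes say, that there is a single post-build hook which each adapter's init replaces (Java 16+ for records).

```java
import java.util.List;

// Simplified stand-ins (NOT Spring Security classes) modelling the single post-build hook.
public class PostBuildHookModel {
    // Stand-in for FilterSecurityInterceptor: only remembers which chain it protects.
    record Interceptor(String chain) {}

    // Stand-in for HttpSecurity: interceptor is null when the adapter registered none.
    record Http(String chain, Interceptor interceptor) {}

    // Stand-in for WebSecurity: ONE hook slot and ONE interceptor slot (assumption from the notes).
    static class Web {
        private Runnable postBuildAction = () -> {};
        private Interceptor securityInterceptor;

        void postBuildAction(Runnable r) { this.postBuildAction = r; } // replaces any earlier hook
        void securityInterceptor(Interceptor i) { this.securityInterceptor = i; }

        // Runs the surviving hook; returns the chain whose rules would back the
        // privilege evaluator, or null when no interceptor was handed over.
        String build() {
            postBuildAction.run();
            return securityInterceptor == null ? null : securityInterceptor.chain();
        }
    }

    // Same shape as the init(WebSecurity) method quoted above, called once per adapter.
    static void init(Web web, Http http) {
        web.postBuildAction(() -> web.securityInterceptor(http.interceptor()));
    }

    // Applies the adapters in order and reports which chain ends up behind the evaluator.
    static String evaluatorSource(List<Http> adapters) {
        Web web = new Web();
        for (Http http : adapters) init(web, http);
        return web.build();
    }

    public static void main(String[] args) {
        // Constructed sample adapters; the patterns are illustrative only.
        Http api = new Http("/api/**", new Interceptor("/api/**"));
        Http ui = new Http("/**", new Interceptor("/**"));
        Http noRules = new Http("/static/**", null);

        // Both adapters have rules, but only the last one's hook survives.
        System.out.println("api, ui      -> " + evaluatorSource(List.of(api, ui)));
        // The last adapter has no interceptor, so nothing backs the evaluator.
        System.out.println("api, noRules -> " + evaluatorSource(List.of(api, noRules)));
    }
}
```

In the first case a `sec:authorize-url` check would be answered from one chain's rules only, so what the template shows can disagree with what the other chain enforces; the second case corresponds to the null evaluator and the NPE.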
