Spring Security The JSP taglib authorize does not work with the attribute url if actuators are configured and protected

Summary

When activating actuators and securing them, it's not possible to use the url attribute of the authorize

Actual Behavior

The following minimalistic public GitHub repository demonstrates the issue: https://github.com/lpetit-yseop/spring-security-taglib-issue

Version

Problem occurs with both spring boot 2.0.9 and 2.1.5 with default spring security associated versions.

Sample

https://github.com/lpetit-yseop/spring-security-taglib-issue

Comment From: rwinch

Thanks for the report. This is a duplicate of gh-3142

Comment From: lpetit-yseop

Thanks for the report. This is a duplicate of gh-3142

Well, it's not crystal clear to me that it is related to gh-3142, but if you say so …

Comment From: lpetit-yseop

@rwinch The issue that is demonstrated in the sample repo is that the DummyRequest used to fake url access via the taglig <sec:authorize url="/foo"> is created via a proxy construction, and this proxy does not implement the getServletContext() method.

Are you sure this is related to gh-3142 ?

Comment From: rwinch

I'm sorry you are right. The issue is that the getServletContext() method is not implemented.

Comment From: lpetit-yseop

I'm sorry you are right. The issue is that the getServletContext() method is not implemented.

Would you be interested if I try to create a pull request for this? I'm not really sure to understand yet how (or if) I would have to initialize a servlet context, so I don't know whether this is a low-hanging fruit issue or not.

Comment From: rwinch

Thanks for the offer to help @lpetit-yseop! I think we can solve this by updating DummyRequest to have getServletContext() which is implemented using RequestContextHolder.

Comment From: rwinch

This was closed as part of gh-10229