NPE in EndpointRequestMatcher.matches #12380
Description
Courtesy of @ptahchiev:
java.lang.NullPointerException
at org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest$EndpointRequestMatcher.matches(EndpointRequest.java:191)
at org.springframework.boot.security.servlet.ApplicationContextRequestMatcher.matches(ApplicationContextRequestMatcher.java:57)
at org.springframework.security.web.DefaultSecurityFilterChain.matches(DefaultSecurityFilterChain.java:57)
at org.springframework.security.web.FilterChainProxy.getFilters(FilterChainProxy.java:226)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:198)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
The problem's in ApplicationContextRequestMatcher, which EndpointRequestMatcher extends:
private Supplier<C> getContext(HttpServletRequest request) {
if (this.context == null) {
synchronized (this.contextLock) {
if (this.context == null) {
this.context = createContext(request);
initialized(this.context);
}
}
}
return this.context;
}
If two threads call getContext at roughly the same time, there's a window where this.context is no longer null but when initialized hasn't been called or is still in the process of being called. In the case of EndpointRequestMatcher, this leads to matches being called while this.delegate is still null. The problem's exacerbated by this.delegate not being volatile so there's a visibility problem too.