java – Spring Security AuthenticationCredentialsNotFoundException,SecurityContextHolder. Getcontext is null
I have a strange mistake, a few hours of debugging, I don't understand
Update 1: I use spring security 4.0 3. Run on Tomcat 7
The problem is close to this question. Maybe the securitycontextholder is in response Missing in redirect(), but the answer is not helpful
The question seems close to this question, but the answer doesn't make sense to me
This is my configuration:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class ProjectSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests().antMatchers("/login").anonymous();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser(Constants.PROFIL_ADMIN).password(Constants.PROFIL_ADMIN).
roles("ADMIN","TEST_SERVICE");
}
}
After signing in, I try to get a secure URL:
@RequestMapping(value = "/myurl",method = RequestMethod.GET)
@ResponseBody
public boolean getTestService(HttpServletRequest request)
throws sqlException,PoRulesException {
System.out.println("get security context");
System.out.println("--------------------");
SecurityContext secuContext = (SecurityContext) request.getSession().getAttribute("SPRING_Security_CONTEXT");
System.out.println(secuContext);
System.out.println("get security context holder");
System.out.println(SecurityContextHolder.getContext());
return testService.getTestMethod();
}
Methods in services
@Secured("ROLE_TEST_SERVICE")
public boolean getTestMethod() {
Sysout.out.println("Hiii")
return true
}
Now, when the log does not work:
INFO 2016-07-11 15:57:00,006 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController - Login
INFO 2016-07-11 15:57:00,057 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController - User : axel
INFO 2016-07-11 15:57:00,065 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController - Authenticate : true
INFO 2016-07-11 15:57:00,065 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController - Authenticate : org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bbbc4f45: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_CONSULTER_CA,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 613DFE47B2CE6E29DA3C227F8E028590; Granted Authorities: ROLE_ADMIN,ROLE_TEST_SERVICE
get security context
--------------------
org.springframework.security.core.context.SecurityContextImpl@bbbc4f45: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bbbc4f45: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_TEST_SERVICE
get security context holder
org.springframework.security.core.context.SecurityContextImpl@ffffffff: Null authentication
ERROR 2016-07-11 15:57:01,960 [http-bio-8080-exec-10] com.po.exception.GlobalControllerExceptionHandler - org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:378)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:222)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.cglibAopProxy$DynamicAdvisedInterceptor.intercept(cglibAopProxy.java:655)
at com.po.service.CAService$$EnhancerBySpringcglib$$f6e21857.getVarAndPrevCa(<generated>)
at com.po.mvc.controller.CaController.getVarAndPrevCa(CaController.java:56)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:222)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:814)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:737)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:969)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:860)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:845)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:964)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:304)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
When it works I just see no difference... The spring context is set and contains the credentials as sysout proove, but the securitycontextholder is not set
INFO 2016-07-11 16:09:45,374 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController - Login INFO 2016-07-11 16:09:45,393 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController - User : axel INFO 2016-07-11 16:09:45,395 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController - Authenticate : true INFO 2016-07-11 16:09:45,395 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController - Authenticate : org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bbbc4f45: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_TEST_SERVICE; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 613DFE47B2CE6E29DA3C227F8E028590; Granted Authorities: ROLE_ADMIN,ROLE_TEST_SERVICE Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 613DFE47B2CE6E29DA3C227F8E028590; Granted Authorities: ROLE_ADMIN,ROLE_USER get security context holder org.springframework.security.core.context.SecurityContextImpl@4440cc59: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4440cc59: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 19994511EEE72462E8D680CDADCFEC4C; Granted Authorities: ROLE_ADMIN,ROLE_USER INFO 2016-07-11 16:09:46,879 [http-bio-8080-exec-3] Hiii
The only difference between its working principle and when is:
>Work when I connect from the page of my website, for example, I'm in mywebsite COM is public, and go to mywebsite com/login? User = me it works > but if I'm in mywebsite com/login? Invalid if user = me is from Google
Session properties spring_ Security_ Context is set in both cases, but not securitycontextholder. It triggers an exception in @ secured line 222
I don't want to use a trick, such as manually checking the securitycontextholder (after redirection). If it is empty, set the session property spring_ Security_ Context, this attribute is not empty. I want to solve the problem at the root
Solution
Assuming that you cannot integrate with existing SSO providers, the following solution may be the best solution you want
Basically, nothing you do will work unless you limit yourself to one thread in the container (which is a terrible idea) From documents on securitycontextholder:
This is important – the current thread of execution If you create a login request processed by thread a, you try to go to the Security page, but the request is processed by thread B, the securitycontext you set on a will not be available on B
Spring security handles this problem well by storing the security context in the session and storing / retrieving it as needed (see org. Springframework. Security. Web. Session. Sessionmanagementfilter) However, you need to make some changes to the configuration
Primarily, you will need to create a new class that extends from abstractauthenticationprocessingfilter and overrides the useauthentication method Then, the new filter needs to be registered and replace the existing org springframework. security. web. authentication. UsernamePasswordAuthenticationFilter. This class may also be a good place to learn how to hang them all together and what you can configure
This new filter will do something
public Authentication attemptAuthentication(HttpServletRequest request,HttpServletResponse response) throws AuthenticationException {
UserLDAP ldapUser = CorpLDAP.findUser(request);
User user = new User(ldapUser.getProfil(),ldapUser.getPwd(),Collections.emptyList());
return new UsernamePasswordAuthenticationToken(user,"",Collections.emptyList());
}
This will return a fully authenticated user that can be used later This will be saved in the securitycontextholder and can be easily retrieved It will also be stored in the session (if configured), so I recommend making sure it is serializable Since you do not use a password, I strongly recommend that you do not store it in the user
I hope this will lead you in the right direction