Cannot get rid of "An Authentication object was not found in the SecurityContext" in a Spring Boot application without @WithMockUser

spring spring-mvc spring-boot spring-security
11,597

I'm sorry that tons of code I provided do not reveal the real cause of the issue. After some more experiments with it I've been suggested to run the use case in production mode (I've forgotten it totally because of tests first), and it works in production mode without any issues. Narrowing down to the tests, I checked the tests annotations first to make sure that it has all annotations including @WithSecurityContextTestExecutionListener like what other modules have. And then I figured out that I missed a totally crucial thing: the smallest scope listeners can affect is a single test, and probably the mocked MVC object (MockMvc that I didn't include to the original question because I did believe it's just a configuration issue) is not configured well. And yes, MockMvc instances were initialized in the following way (a @Before method in one of the test super classes):

mvc = webAppContextSetup(webApplicationContext)
        .build();

This is why it didn't work to me, because MockMvc instances must be configured as well.

mvc = webAppContextSetup(webApplicationContext)
        .apply(springSecurity()) // this is the key
        .build();

A good example of not trusting "annotations can do everything you need themselves". Unfortunately, I wasted a lot of time, but I'm glad I could finally find the very cause.

Share:
11,597

Related videos on Youtube

Lyubomyr Shaydariv
Author by

Lyubomyr Shaydariv

... and I fail at interviews.

Updated on June 04, 2022

Comments

  • Lyubomyr Shaydariv
    Lyubomyr Shaydariv almost 2 years

    I have spent a few whole days already trying to figure out what I'm doing wrong, but have no clue why it's not working. First of all, I would like to say that the following configuration is mostly copied from another projects I'm working on, and those projects can work without any issues (however they are configured slightly differently and use older Spring/Spring Boot versions). I cannot provide less code because I believe these classes are misconfigured and I'm unable to see a typo or whatever else in the following configuration classes. I would love to rewrite from scratch, but not this time. (Components whose names start with I are mine, not parts of the Spring Framework).

    So the exception here is:

    org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:379) ~[spring-security-core-4.2.1.RELEASE.jar:4.2.1.RELEASE]
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:223) ~[spring-security-core-4.2.1.RELEASE.jar:4.2.1.RELEASE]
    at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:65) ~[spring-security-core-4.2.1.RELEASE.jar:4.2.1.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) ~[spring-aop-4.3.5.RELEASE.jar:4.3.5.RELEASE]
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:656) ~[spring-aop-4.3.5.RELEASE.jar:4.3.5.RELEASE]
    at FOO.BAR.AuthenticationController$$EnhancerBySpringCGLIB$$b4949cda.getSelf(<generated>) ~[classes/:na]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_65]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_65]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_65]
    at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_65]
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:220) ~[spring-web-4.3.5.RELEASE.jar:4.3.5.RELEASE]
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:134) ~[spring-web-4.3.5.RELEASE.jar:4.3.5.RELEASE]
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:116) ~[spring-webmvc-4.3.5.RELEASE.jar:4.3.5.RELEASE]
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827) ~[spring-webmvc-4.3.5.RELEASE.jar:4.3.5.RELEASE]
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738) ~[spring-webmvc-4.3.5.RELEASE.jar:4.3.5.RELEASE]
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85) ~[spring-webmvc-4.3.5.RELEASE.jar:4.3.5.RELEASE]
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:963) ~[spring-webmvc-4.3.5.RELEASE.jar:4.3.5.RELEASE]
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:897) ~[spring-webmvc-4.3.5.RELEASE.jar:4.3.5.RELEASE]
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970) [spring-webmvc-4.3.5.RELEASE.jar:4.3.5.RELEASE]
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861) [spring-webmvc-4.3.5.RELEASE.jar:4.3.5.RELEASE]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:622) ~[tomcat-embed-core-8.5.6.jar:8.5.6]
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846) [spring-webmvc-4.3.5.RELEASE.jar:4.3.5.RELEASE]
    at org.springframework.test.web.servlet.TestDispatcherServlet.service(TestDispatcherServlet.java:65) [spring-test-4.3.5.RELEASE.jar:4.3.5.RELEASE]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) ~[tomcat-embed-core-8.5.6.jar:8.5.6]
    at org.springframework.mock.web.MockFilterChain$ServletFilterProxy.doFilter(MockFilterChain.java:167) [spring-test-4.3.5.RELEASE.jar:4.3.5.RELEASE]
    at org.springframework.mock.web.MockFilterChain.doFilter(MockFilterChain.java:134) [spring-test-4.3.5.RELEASE.jar:4.3.5.RELEASE]
    at org.springframework.test.web.servlet.MockMvc.perform(MockMvc.java:155) [spring-test-4.3.5.RELEASE.jar:4.3.5.RELEASE]
    at FOO.BAR.AbstractControllerTest.get(AbstractControllerTest.java:55) [web-test-0-SNAPSHOT.jar:na]
    at FOO.BAR.AuthenticationControllerOkTest.testAuthenticate(AuthenticationControllerOkTest.java:31) [test-classes/:na]
    <...JUnit stuff...>

    The only similar question I found in the Web is this one. But it seems to describe a slightly different case, if I'm not wrong. Worth nothing, of course: adding @WithMockUser to the tests does not cause the exception, but since I'm testing the authentication controller, I cannot use this annotation (and it's impossible in the production mode, of course).

    AbstractCustomTypesGlobalMethodSecurityConfiguration

    This is a boilerplate class I use to add some custom types support to @PreAuthorize. Pretty easy I think, and this one does not look suspicious:

    public abstract class AbstractCustomTypesGlobalMethodSecurityConfiguration
        extends GlobalMethodSecurityConfiguration {

    @Nonnull
    protected abstract ApplicationContext applicationContext();

    @Nonnull
    protected abstract ConversionService conversionService();

    @Nonnull
    protected abstract PermissionEvaluator permissionEvaluator();

    @Nonnull
    @SuppressWarnings("DesignForExtension")
    protected Object filter(@Nonnull final MethodSecurityExpressionHandler handler, @Nonnull final Object filterTarget,
            @Nonnull final Expression filterExpression, @Nonnull final EvaluationContext context) {
        return handler.filter(filterTarget, filterExpression, context);
    }

    @Override
    protected final MethodSecurityExpressionHandler createExpressionHandler() {
        final ApplicationContext applicationContext = applicationContext();
        final TypeConverter typeConverter = new StandardTypeConverter(conversionService());
        final DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler() {
            @Override
            public StandardEvaluationContext createEvaluationContextInternal(final Authentication authentication, final MethodInvocation methodInvocation) {
                final StandardEvaluationContext decoratedStandardEvaluationContext = super.createEvaluationContextInternal(authentication, methodInvocation);
                return new ForwardingStandardEvaluationContext() {
                    @Override
                    protected StandardEvaluationContext standardEvaluationContext() {
                        return decoratedStandardEvaluationContext;
                    }

                    @Override
                    public TypeConverter getTypeConverter() {
                        return typeConverter;
                    }
                };
            }

            @Override
            public Object filter(final Object filterTarget, final Expression filterExpression, final EvaluationContext context) {
                return AbstractCustomTypesGlobalMethodSecurityConfiguration.this.filter(this, filterTarget, filterExpression, context);
            }
        };
        handler.setApplicationContext(applicationContext);
        handler.setPermissionEvaluator(permissionEvaluator());
        return handler;
    }

}

    SecurityConfiguration

    Basically the following configuration just extends the latter configuration providing required beans using the template method design pattern. Nothing suspicious, I guess except @EnableGlobalMethodSecurity, however the annotation seems to work and enabling/disabling its flags affect the overall behavior too. (Moving the annotation to another configuration does not work either as it might work for some cases.)

    @Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
class SecurityConfiguration
        extends AbstractCustomTypesGlobalMethodSecurityConfiguration {

    @Autowired
    private ApplicationContext applicationContext;

    @Autowired
    private ConversionService conversionService;

    @Nonnull
    @Override
    protected ApplicationContext applicationContext() {
        return applicationContext;
    }

    @Nonnull
    @Override
    protected ConversionService conversionService() {
        return conversionService;
    }

    @Nonnull
    @Override
    protected final PermissionEvaluator permissionEvaluator() {
        return getAlwaysPermittedPermissionEvaluator();
    }

    @Nonnull
    @Override
    protected final Object filter(@Nonnull final MethodSecurityExpressionHandler handler, @Nonnull final Object filterTarget,
            @Nonnull final Expression filterExpression, @Nonnull final EvaluationContext context) {
        final MethodSecurityExpressionOperations operations = (MethodSecurityExpressionOperations) context.getRootObject().getValue();
        operations.setFilterObject(filterTarget);
        return filterExpression.getValue(context, Object.class);
    }

}

    WebSecurityConfiguration

    More or less trivial Web security configuration that defines some rules to access the service endpoints. Please note that the filter "beaned" with authenticationTokenProcessingFilter is not being invoked, because the exception occurs first.

    @Configuration
@EnableWebSecurity
class WebSecurityConfiguration
        extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private ITokenAuthenticationService tokenAuthenticationService;

    @Override
    protected final void configure(final HttpSecurity httpSecurity)
            throws Exception {
        httpSecurity
                .authorizeRequests()
                .antMatchers(POST, "/api/v0/authentication").permitAll()
                .antMatchers("/api/v0/**").fullyAuthenticated()
                .antMatchers("/**").permitAll();
        httpSecurity
                .csrf().disable()
                .httpBasic()
                .authenticationEntryPoint(customAuthenticationEntryPoint());
        httpSecurity
                .sessionManagement()
                .sessionCreationPolicy(STATELESS);
        httpSecurity
                .addFilterBefore(authenticationTokenProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    @Bean
    AuthenticationEntryPoint customAuthenticationEntryPoint() {
        return getCustomAuthenticationEntryPoint();
    }

    @Bean
    GenericFilterBean authenticationTokenProcessingFilter() {
        return getAuthenticationTokenProcessingFilter(tokenAuthenticationService);
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    void registerGlobalAuthentication(final AuthenticationManagerBuilder managerBuilder)
            throws Exception {
        managerBuilder
                .userDetailsService(userDetailsService)
                .and()
                .eraseCredentials(false);
    }

}

    That is pretty much and hopefully complete code that might require diagnostics, I think. It does not look broken or so, but I still cannot figure out the reason of why I'm getting the exception. I'm starting to feel my hair is becoming gray.

    Any help is greatly appreciated!

    Dependencies:

    • org.springframework.boot:spring-boot-dependencies:1.4.3.RELEASE:pom
    • org.springframework.boot:spring-boot-starter-web:1.4.3.RELEASE
    • org.springframework.security:spring-security-config:4.2.1.RELEASE
    • org.springframework.security:spring-security-core:4.2.1.RELEASE
    • org.springframework.security:spring-security-web:4.2.1.RELEASE

    Edit 1

    @Test
@DatabaseSetup(DATASET)
// @WithMockUser is commented out -- we're authenticating as Alice ourselves to obtain the authentication token
public void testAuthenticate()
        throws Exception {
    final MockHttpServletResponse response = post("/authentication", asJson(), identityWithKeyGsonIncomingDto("Alice", "alice123"))
            // Here is where it fails: the exception causes HTTP 500 rather than HTTP 201
            .andExpect(status().isCreated())
            .andReturn()
            .getResponse();
    @SuppressWarnings("unchecked")
    final Map<String, Object> responseMap = gson.fromJson(response.getContentAsString(), Map.class);
    final String token = (String) responseMap.get("token");
    get("/users/self", headers("Authorization", token))
            .andExpect(status().isOk());
}

    Edit 2

    public final class AuthenticationTokenProcessingFilter
        extends GenericFilterBean {

...

    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
            throws IOException, ServletException {
        @Nullable
        final String authenticationToken = getAuthenticationToken(request);
        if ( authenticationToken != null ) {
            try {
                final HttpServletRequest httpServletRequest = (HttpServletRequest) request;
                final Authentication authentication = tokenAuthenticationService.authenticate(authenticationToken, httpServletRequest);
                setCurrentAuthentication(authentication);
            } catch ( final AuthenticationException ex ) {
                ...
            }
        }
        chain.doFilter(request, response);
    }

}

    Unfortunately, the exception happens before the filter above can take control for some reason. Please note that this filter is intended to set current user authentication only under certain circumstances, but never -- anonymous. At least this is how it works in my other modules.

  • hecko84
    hecko84 over 4 years
    Thank you for saving me days and solving this topic in 5min with your hints
  • khush
    khush over 4 years
    Thanks a lot for solution. You saved my day
  • lyrio
    lyrio over 3 years
    U'r giving too much of codes! Still have the error message, but not with Spring boot, but with Spring with basic simple security config activated. Any would be appriciated.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to use AuthorizationServerSecurityConfigurer?
Spring security 401 Unauthorized even with permitAll
Java Spring Security - User.withDefaultPasswordEncoder() is deprecated?
how to achieve Ldap Authentication using spring security(spring boot)
Spring security + session : Receive "Set-Cookie" header but not set in browser
Spring Boot Security Anonymous authorization
Spring boot - return 403 Forbidden instead of redirect to login page
@WithMockUser doesn't pick Spring Security auth credentials
Null @AuthenticationPrincipal with Spring-Boot / Security
Java + Spring Boot: I am trying to add CacheControl header to ResponseEntity