HttpSession returned null object for SPRING_SECURITY_CONTEXT

spring spring-security saml-2.0 opensaml spring-saml
20,114

I've experienced the same problem. After debugging realized that SecurityContext is cleared before it's persisted. After googling I found this: https://jira.springsource.org/browse/SEC-2027 Moving to spring security version 3.1.2 solved it for me.

I hope it will help someone.

Share:
20,114
Emanuele
Author by

Emanuele

Updated on July 15, 2022

Comments

  • Emanuele
    Emanuele almost 2 years

    I'm trying to integrate the Spring Saml library in a sample webapplication, using Shibboleth as IDP. I'm able to load the login page, to login and to show the index page.

    The problem is that when I click on other links the webapp redirect me to the login page, then the IDP recognizes me and redirects to the requested page (if the network is fast it's very difficult to see this). It's like I'm not logged in for Spring security.

    I checked the log and I found this:

    org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@fde8fb. A new one will be created.

    This is the web.xml

    <!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring/root-context.xml
        /WEB-INF/spring/security/securityContext.xml
    </param-value>
</context-param>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- Processes application requests -->
<servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>



<!-- Custom error pages -->
<error-page>
    <error-code>400</error-code>
    <location>/errors/missing-en.html</location>
</error-page>
<error-page>
    <error-code>401</error-code>
    <location>/errors/restricted-en.html</location>
</error-page>
<error-page>
    <error-code>403</error-code>
    <location>/errors/restricted-en.html</location>
</error-page>
<error-page>
    <error-code>404</error-code>
    <location>/errors/missing-en.html</location>
</error-page>
<error-page>
    <error-code>500</error-code>
    <location>/errors/missing-en.html</location>
</error-page>
<error-page>
    <error-code>503</error-code>
    <location>/errors/missing-en.html</location>
</error-page>

    and the securityContext

    <beans xmlns="http://www.springframework.org/schema/beans" 
xmlns:security="http://www.springframework.org/schema/security" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-3.1.xsd 
        http://www.springframework.org/schema/context 
        http://www.springframework.org/schema/context/spring-context.xsd">

<!-- Enable autowiring -->
<context:annotation-config />
<context:component-scan base-package="org.springframework.security.saml" />

<security:http pattern="/logout.jsp" security="none" />
<security:http pattern="/login.jsp" security="none" />
<security:http pattern="/index.html" security="none" />

<security:http entry-point-ref="samlEntryPoint">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <security:custom-filter before="FIRST" ref="metadataGeneratorFilter" />
    <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter" />
</security:http>

<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map path-type="ant">
        <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint" />
        <security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter" />
        <security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter" />
        <security:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter" />
        <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter" />
    </security:filter-chain-map>
</bean>

<!-- Handler deciding where to redirect user after successful login -->
<bean id="successRedirectHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/" />
</bean>
<!-- Use the following for interpreting RelayState coming from unsolicited response as redirect URL: <bean id="successRedirectHandler" class="org.springframework.security.saml.SAMLRelayStateSuccessHandler"> 
    <property name="defaultTargetUrl" value="/" /> </bean> -->

<!-- Handler for successful logout -->
<bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
    <property name="defaultTargetUrl" value="/logout.jsp" />
</bean>

<!-- Register authentication manager with SAML provider -->
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="samlAuthenticationProvider" />
</security:authentication-manager>

<!-- Logger for SAML messages and events -->
<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger" />

<!-- Central storage of cryptographic keys -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="/WEB-INF/spring/security/myKeystore.jks" />
    <constructor-arg type="java.lang.String" value="betfair" />
    <constructor-arg>
        <map>
            <entry key="tomcat" value="betfair" />
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="tomcat" />
</bean>

<!-- Entry point to initialize authentication, default values taken from properties file -->
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
    <property name="defaultProfileOptions">
        <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
            <property name="includeScoping" value="false" />
        </bean>
    </property>
</bean>

<!-- IDP Discovery Service -->
<bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
    <property name="idpSelectionPath" value="/WEB-INF/security/idpSelection.jsp" />
</bean>

<!-- Filter automatically generates default SP metadata -->
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator" />
    </constructor-arg>
</bean>

<!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there -->
<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter" />

<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here -->
<!-- Do no forget to call iniitalize method on providers -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>

            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">/WEB-INF/spring/security/shibboleth.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool" />
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">/WEB-INF/spring/security/localhost_sp.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool" />
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <property name="local" value="true" />
                        <property name="alias" value="localhost" />
                        <property name="securityProfile" value="metaiop" />
                        <property name="sslSecurityProfile" value="pkix" />
                        <property name="signingKey" value="tomcat" />
                        <property name="encryptionKey" value="tomcat" />
                        <property name="tlsKey" value="tomcat" />
                        <property name="requireArtifactResolveSigned" value="false" />
                        <property name="requireLogoutRequestSigned" value="false" />
                        <property name="requireLogoutResponseSigned" value="false" />
                    </bean>
                </constructor-arg>
            </bean>
        </list>
    </constructor-arg>      
    <!-- OPTIONAL used when one of the metadata files contains information about this service provider -->
    <property name="hostedSPName" value="localhost"/>
    <!-- OPTIONAL property: can tell the system which IDP should be used for authenticating user by default. -->
    <!-- <property name="defaultIDP" value="http://localhost:8080/opensso"/> -->
</bean>

<!-- SAML Authentication Provider responsible for validating of received SAML messages -->
<bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
    <!-- OPTIONAL property: can be used to store/load user data after login -->
    <!-- <property name="userDetails" ref="bean" /> -->
</bean>

<!-- Provider of default SAML Context -->
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl" />

<!-- Processing filter for WebSSO profile messages -->
<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationSuccessHandler" ref="successRedirectHandler" />
</bean>

<!-- Processing filter for WebSSO Holder-of-Key profile -->
<bean id="samlWebSSOHoKProcessingFilter" class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationSuccessHandler" ref="successRedirectHandler" />
</bean>

<!-- Logout handler terminating local session -->
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
    <property name="invalidateHttpSession" value="false" />
</bean>

<!-- Override default logout processing filter with the one processing SAML messages -->
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
    <constructor-arg ref="successLogoutHandler" />
    <constructor-arg ref="logoutHandler" />
    <constructor-arg ref="logoutHandler" />
</bean>

<!-- Filter processing incoming logout messages -->
<!-- First argument determines URL user will be redirected to after successful global logout -->
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
    <constructor-arg ref="successLogoutHandler" />
    <constructor-arg ref="logoutHandler" />
</bean>

<!-- Class loading incoming SAML messages from httpRequest stream -->
<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
    <constructor-arg>
        <list>
            <ref bean="redirectBinding" />
            <ref bean="postBinding" />
            <ref bean="artifactBinding" />
            <ref bean="soapBinding" />
            <ref bean="paosBinding" />
        </list>
    </constructor-arg>
</bean>

<!-- SAML 2.0 WebSSO Assertion Consumer -->
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl" />

<!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
<bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl" />

<!-- SAML 2.0 Web SSO profile -->
<bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl" />

<!-- SAML 2.0 Holder-of-Key Web SSO profile -->
<bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl" />

<!-- SAML 2.0 ECP profile -->
<bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl" />

<!-- SAML 2.0 Logout Profile -->
<bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl" />

<!-- Bindings, encoders and decoders used for creating and parsing messages -->
<bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
    <constructor-arg ref="parserPool" />
    <constructor-arg ref="velocityEngine" />
</bean>

<bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
    <constructor-arg ref="parserPool" />
</bean>

<bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
    <constructor-arg ref="parserPool" />
    <constructor-arg ref="velocityEngine" />
    <constructor-arg>
        <bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
            <constructor-arg>
                <bean class="org.apache.commons.httpclient.HttpClient" />
            </constructor-arg>
            <property name="processor">
                <bean id="soapProcessor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
                    <constructor-arg ref="soapBinding" />
                </bean>
            </property>
        </bean>
    </constructor-arg>
</bean>

<bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
    <constructor-arg ref="parserPool" />
</bean>

<bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
    <constructor-arg ref="parserPool" />
</bean>

<!-- Initialization of OpenSAML library -->
<bean class="org.springframework.security.saml.SAMLBootstrap" />

<!-- Initialization of the velocity engine -->
<bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine" />

<!-- XML parser pool needed for OpenSAML parsing -->
<bean id="parserPool" class="org.opensaml.xml.parse.BasicParserPool" scope="singleton" />

    Any idea?

    Thanks emanuele

  • Emanuele
    Emanuele over 11 years
    Thanks, we'll try that. Actually we need Spring, but think to a solution decoupled from the framework is a good idea indeed
  • Ricardo Vila
    Ricardo Vila over 6 years
    This answer don't have anything to do with the question!

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

"Signature did not validate against the credential's key" with Junos as IdP
SAMLException: Response has invalid status code status message is null
Signature trust establishment failed for SAML metadata entry
IDP initiated SAML login error - Authentication statement is too old to be used with value
Spring security Saml - Time difference between SP and IDP
configuring saml-sample (SP) to work with Okta (IdP)
java.io.IOException: Invalid keystore format Spring Security SAML Extension
trusted certificate entries are not password-protected Spring SAML
Custom WebSecurityConfigurerAdapter
Connect multiple authentication mechanisms Spring Boot Security