Spring Method Level Security fails on second call
This problem has been solved.
The last part of the solution was to remove the request to make SecurityContextHolder global.
If you are having the same problem, you might find this post helpful.
WhiteKnight
Updated on June 04, 2022
-
WhiteKnight almost 2 years
I want to use method level security on my GWT application. I'm trying to use Spring Security 3.1, as I found a working example here, but it doesn't use form-login. After reading this answer the first method call successfully obtains the SecurityContext, but then clears it before the next call:
[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@6fe9f089: Authentication: org.example.MyAppName.server.auth.MyAppNameUserAuthentication@6fe9f089'
...
[org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor] - Authorization successful
...
[org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
...
[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
[org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
...
[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - HttpSession returned null object for SPRING_SECURITY_CONTEXT
The second call happens straight after the first and just after the user logs in.
Is it because I followed the other answer and removed
<http pattern="/MyAppName/**" security="none" />
and added
<intercept-url pattern="/MyAppName/**" access="permitAll()" />
?
My filters are as follows:
<http pattern="/favicon.ico" security="none" />
<http access-decision-manager-ref="accessDecisionManager" use-expressions="true" auto-config="false" entry-point-ref="LoginUrlAuthenticationEntryPoint">
    <form-login login-page="/Login.html" always-use-default-target="true" default-target-url="/Main.html?gwt.codesvr=127.0.0.1:9997" />
    <intercept-url pattern="/Login.html" access="permitAll()" />
    <intercept-url pattern="/Login2.html" access="permitAll()" />
    <intercept-url pattern="/MyAppName/**" access="permitAll()" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <logout delete-cookies="JSESSIONID" logout-success-url="/Login.html" />
    <remember-me token-validity-seconds="86400" key="key" user-service-ref="userDetailsService" />
</http>
Following the example I obtained I use AspectJ for the global method security, but would not use it if I could get that working:
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" mode="aspectj" proxy-target-class="true">
    <expression-handler ref="expressionHandler"/>
</global-method-security>
Thank you for taking the time to read this.
Please let me know if more detail is needed.
-
Tiny almost 11 years
How did you actually solve the problem? I'm having the same problem. I went through the link but it didn't help.
-
WhiteKnight almost 11 years
@Tiny While trying to get two-factor authentication working, I'd set SecurityContextHolder to be global, so removing that fixed the problem for me, but there may have been many things causing the problem. Also I didn't hear back from Luke on why that would have caused the problem that I experienced.
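Added example, not part of the original thread or of Spring Security's own code: why a global SecurityContextHolder strategy can produce the log sequence in the question. With MODE_GLOBAL every thread shares one context, so the clearContext() that SecurityContextPersistenceFilter issues at the end of one request also empties it for a request that is still in flight. Assumes spring-security-core on the classpath and Java 8+; the class name, the helper names and the user "alice" are constructed for illustration.

```java
import java.util.concurrent.CountDownLatch;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public class GlobalHolderDemo { // hypothetical class name
    // Stand-in for the filter restoring the user's context from the HttpSession.
    static void loadContext() {
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("alice", "n/a", "ROLE_USER")); // constructed user
    }

    static void await(CountDownLatch latch) {
        try { latch.await(); } catch (InterruptedException e) { throw new IllegalStateException(e); }
    }

    // Runs two overlapping "requests" and returns what request B sees once request A has completed.
    static Authentication seenBySecondRequest(String strategyName) throws InterruptedException {
        SecurityContextHolder.setStrategyName(strategyName);
        CountDownLatch bLoaded = new CountDownLatch(1);
        CountDownLatch aDone = new CountDownLatch(1);
        Authentication[] seen = new Authentication[1];
        Thread requestA = new Thread(() -> {
            await(bLoaded);                       // make sure B is already mid-request
            loadContext();
            SecurityContextHolder.clearContext(); // "SecurityContextHolder now cleared, as request processing completed"
            aDone.countDown();
        });
        Thread requestB = new Thread(() -> {
            loadContext();
            bLoaded.countDown();
            await(aDone);
            seen[0] = SecurityContextHolder.getContext().getAuthentication(); // what method security checks
            SecurityContextHolder.clearContext();
        });
        requestA.start();
        requestB.start();
        requestA.join();
        requestB.join();
        return seen[0];
    }

    public static void main(String[] args) throws InterruptedException {
        // Shared holder: A's clearContext() also wipes the context B is using.
        System.out.println("MODE_GLOBAL:      " + seenBySecondRequest(SecurityContextHolder.MODE_GLOBAL));
        // Per-thread holder (the default): A's clearContext() leaves B untouched.
        System.out.println("MODE_THREADLOCAL: " + seenBySecondRequest(SecurityContextHolder.MODE_THREADLOCAL));
    }
}
```

In the real filter chain the emptied context is what the second request hands back to HttpSessionSecurityContextRepository when it completes, which is consistent with the "context will not be stored in HttpSession" line in the log above.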