3
votes

I have implemented a custom security mechanism mapped to a particular URL "/partner/login" where I'm using my own subclassed AbstractAuthenticationProcessingFilter that generates a subclassed AbstractAuthenticationToken that is authenticated by an implementation of AuthenticationProvider. On success I call a SimpleUrlAuthenticationSuccessHandler which will try to redirect to "/UserProfile". This "/partner/login" handles SSO requests from one of our partners. In development, on the other hand, our internal login procedure is simulated using the default login form of Spring Security; that's why auto-config is true.

Initially I was using the following (Spring Security) configuration for development:

<http  auto-config="true">
    <intercept-url pattern="/**/*.jsp" access="ROLE_USER, ROLE_PARTNER_USER"/>
    <custom-filter after = "FORM_LOGIN_FILTER" ref = "partnerSsoAuthFilter"/>
</http>

Now this works as expected, and I get the Authentication object from the SecurityContextHolder after I'm redirected to "/UserProfile".

The problem starts once I use these in the production (Spring Security) configuration that uses a custom filter-chain-map. (We use CAS in production for our own logins.)

<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
    <sec:filter-chain-map path-type="ant">
        <sec:filter-chain pattern="/partner/login" filters="sif,partnerSsoAuthFilter,etfPartner,fsi" />
        <sec:filter-chain pattern="/" filters="casValidationFilter, wrappingFilter" />**
        <sec:filter-chain pattern="/secure/receptor" filters="casValidationFilter" />
        <sec:filter-chain pattern="/j_spring_security_logout" filters="logoutFilter,etf,fsi" />
        ***More filters***
    </sec:filter-chain-map>
</bean>

Here sif, etf and fsi are the regular SecurityContextPersistenceFilter, ExceptionTranslationFilter and FilterSecurityInterceptor.

With this configuration, when redirected to "/UserDetails" SecurityContextHolder.getContext().getAuthentication() returns null, but I can still access the authentication object placed in the session.

I'm confused about this behaviour. I am using the same custom filter/provider/token etc. in both cases for "/partner/login". Why is getAuthentication() not null in one case and null in the other? Any help would be great. TIA.

1
Which version of Spring Security do you use? - Maksym Demidas
Spring Security version is 3.1.1 - Devashish Pandey
Did you ever solve this issue? Please share your solution. - Amit

1 Answer

1
votes

I have an idea but I am not sure at all (I do not have any experience with SS+CAS and I do not like declaring SS filters manually in the conf). I know that there is a SecurityContextPersistenceFilter that is responsible for populating SecurityContextHolder. Please check whether it is fired in your dev config. And if it is fired, please check the same thing for your production environment. Hope this helps.
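One way to run the check the answer suggests, as an added example that is not code from the question or the answer: a small diagnostic servlet filter, placed as the last entry of a filter-chain in the filter-chain-map (the bean name contextProbeFilter and the class name are assumptions), that logs whether SecurityContextHolder was populated for the request and whether a SecurityContext is sitting in the HTTP session under the key HttpSessionSecurityContextRepository writes. A session context with an empty holder means no SecurityContextPersistenceFilter ran earlier in the chain matched for that URL.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

// Diagnostic filter (added example; class and bean names are assumptions).
// Register it as the LAST filter of a chain, e.g.
//   filters="sif,partnerSsoAuthFilter,etfPartner,fsi,contextProbeFilter"
// so that it runs after SecurityContextPersistenceFilter if that filter is present.
public class SecurityContextProbeFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(SecurityContextProbeFilter.class.getName());

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) request;
        // What the application code sees: the thread-local holder
        Authentication holderAuth = SecurityContextHolder.getContext().getAuthentication();

        // What HttpSessionSecurityContextRepository stored under "SPRING_SECURITY_CONTEXT"
        HttpSession session = http.getSession(false);
        Object sessionCtx = session == null ? null
                : session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        Authentication sessionAuth = sessionCtx instanceof SecurityContext
                ? ((SecurityContext) sessionCtx).getAuthentication() : null;

        LOG.info(http.getRequestURI() + " holder=" + holderAuth + " session=" + sessionAuth);
        if (holderAuth == null && sessionAuth != null) {
            // Context exists in the session but was never loaded into the holder:
            // the chain matched for this URL has no SecurityContextPersistenceFilter before this point.
            LOG.warning(http.getRequestURI() + ": session has a SecurityContext but the holder is empty;"
                    + " check that sif (SecurityContextPersistenceFilter) is in this URL's filter-chain");
        }
        chain.doFilter(request, response);
    }

    public void init(FilterConfig filterConfig) { }
    public void destroy() { }
}
```

Requesting "/partner/login" and then the redirect target through each configuration and comparing the two log lines shows directly whether the difference is in the chain that serves the redirect target rather than in the custom filter/provider/token.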