Null password was supplied in authentication token spring security

0
votes

I am using spring security in my application and using AccessDecisionManager. In decide method i need pass database name to controller so set db name in in SecurityContextHolder . My code in decide method is as :

   UsernamePasswordAuthenticationToken token = new 
               UsernamePasswordAuthenticationToken( authentication.getPrincipal(), authentication.getCredentials());

    token.setDetails("databaseNAme");
    SecurityContextHolder.getContext().setAuthentication(token);

Url in spring-security.xml as:'

intercept-url pattern="/hello" access="ROLE_ADMIN">

In web.xml :

<filter>
        <filter-name>springSecurityFilterChain"<"filter-name>

<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
</filter-mapping>

But on some urls i got this error :

HTTP Status 500 - Null password was supplied in authentication token

type Exception report

message Null password was supplied in authentication token

description The server encountered an internal error that prevented it from   fulfilling this request.

exception

java.lang.IllegalArgumentException: Null password was supplied in authentication token
org.springframework.util.Assert.notNull(Assert.java:112)
org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:59)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
org.springframework.security.access.intercept.AbstractSecurityInterceptor.authenticateIfRequired(AbstractSecurityInterceptor.java:316)
org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:202)
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)

SO please help me how can I resolve this issue . In some url I got this exception and 98% url of my application run successfully .

1
springspring-mvcauthenticationspring-security

1 Answers

0
votes
UsernamePasswordAuthenticationToken token = new 
               UsernamePasswordAuthenticationToken( authentication.getPrincipal(), authentication.getCredentials());

This Authentication is not authenticated, and the authenticated Authentication(authentication.getCredentials()) doesn't contain credentials.

protected Authentication createNewAuthentication(Authentication currentAuth,
            String newPassword) {
        UserDetails user = loadUserByUsername(currentAuth.getName());

        UsernamePasswordAuthenticationToken newAuthentication = new UsernamePasswordAuthenticationToken(
                user, null, user.getAuthorities());
        newAuthentication.setDetails(currentAuth.getDetails());

        return newAuthentication;
    }

When you request your resource at first time with right credentials, it will succeed, but the Authentication in SecurityContentHolder will changed by your code in decide method and the unauthenticated authentication without credentials will set to session, and then you try to access your resource in same session, the the unauthenticated authentication without credentials will load from session, and FilterSecurityInterceptor will check the authentication, and it's unauthenticated, so it will do authenticated again. then it will throw Null password exception.

I think you can just cast the authentication to UsernamePasswordAuthenticationToken in you decide method, and then set the detail into it.