0

I have been working on application that is using spring security. I am quite new to spring security and ended up with problem similar to this and this. But it is a bit different.

I do manual authentication this way: 

UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
Authentication authentication = this.authenticationProvider.authenticate(token);
SecurityContextHolder.getContext().setAuthentication(authentication);

When the page loads everything seems OK. But, when I navigate around application it seems that I loose my SecurityContext. (I have status bar showing user name if user is logged in)

I get my context this way:

SecurityContextHolder.getContext()

What is more the context is not lost entirely sometimes it loads correctly, after some incorrect loads. It seems that I have several contexts in one session ( I have HttpSessionListener and sessionCreated fires only once). I tried printing out context's objects hashes and noticed that there are several different hashes repeating. Only one is with my connected user the others are not.

So I assume that there are several context's in one session (if this is even possible). I hope I explained everything clearly. I would be grateful if anybody could provide me with some help.

Community
  • 1
  • 1
Vytautas Alkimavičius
  • 554
  • 5
  • 8

2 Answers2

1

For what you're doing the context needs to be bound to the current thread. Because, when you call

SecurityContextHolder.getContext()

the context from a ThreadLocal store is returned. Make sure the context is bound to your current thread with each request (can't tell more as you don't describe how you're doing that).

Marcel Stör
  • 22,695
  • 19
  • 92
  • 198
  • Thanks, now I, at least, have something to hold on to. I am still not sure how to fix this. _"Make sure the context is bound to your current thread with each request (can't tell more as you don't describe how you're doing that)."_ Problem is that I am not doing this. I thought spring takes care of that. What do you want me to describe more. – Vytautas Alkimavičius Jan 20 '13 at 23:03
  • @VytautasAlkimavičius, "I thought spring takes care of that." - yes, Spring _does_ take care of that, given it is setup properly. Your question includes no hints as for what Spring config/infrastructure you have in place. – Marcel Stör Jan 21 '13 at 16:19
1

At last i did it! Marcel Stör answer did help me to look for correct keewords and so on. Thank you.

The problem was that I was setting SecurityContext in bean that was not aware of Security filter chain. It was called on @PostConstruct and it was not right.

What I really needed was PRE_AUTH_FILTER and proper Spring security configuration. So PRE_AUTH_FILTER is in SpringSecurity filter chain puts authentication object correctly.

Vytautas Alkimavičius
  • 554
  • 5
  • 8