1

I just recently upgraded from Spring Security 3 to 4 and my @AuthenticationPrincipal annotated input arguments in controllers are now empty. I managed to work around it by using the deprecated org.springframework.security.web.bind.annotation.AuthenticationPrincipal, but when using the one from the org.springframework.security.core.annotation package it is empty.

It'll also work if I do:
User activeUser = (User) ((Authentication) principal).getPrincipal();

I followed the migration guide as best as I could.

Here's my spring-security.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">

<!-- enable use-expressions -->
<http auto-config="false" use-expressions="true">
    <intercept-url pattern="/secure/admin**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_SUPER_ADMIN')" />
    <intercept-url pattern="/secure/admin/**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_SUPER_ADMIN')" />
    <intercept-url pattern="/secure/user**" access="isAuthenticated()" />
    <intercept-url pattern="/secure/user/**" access="isAuthenticated()" />
    <intercept-url pattern="/**" access="permitAll" />

    <form-login login-page="/login"
        authentication-success-handler-ref="redirectRoleStrategy"
        authentication-failure-url="/login?error"
        username-parameter="username"
        password-parameter="password"
        login-processing-url="/auth/login_check" />

    <logout logout-success-url="/login?logout" delete-cookies="JSESSIONID" />
    <csrf disabled="true" />
</http>

<beans:bean id='userDetailsService' class='com.myproject.security.UserDetailsServiceImpl' />

<beans:bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <beans:property name="userDetailsService" ref="userDetailsService"/>
</beans:bean>

<beans:bean id='authenticationManager' class='org.springframework.security.authentication.ProviderManager'>
    <beans:constructor-arg>
        <beans:list>
            <beans:ref bean='authenticationProvider' />
        </beans:list>
    </beans:constructor-arg>
</beans:bean>

<!-- Select users and user_roles from database -->
<authentication-manager>
    <authentication-provider user-service-ref='userDetailsService'>
        <password-encoder ref="encoder" />
    </authentication-provider>
</authentication-manager>

<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
    <beans:constructor-arg name="strength" value="10" />
</beans:bean>

<beans:bean id="redirectRoleStrategy" class="com.myproject.security.RoleBasedAuthenticationSuccessHandler">
    <beans:property name="roleUrlMap">
        <beans:map>
            <beans:entry key="ROLE_ADMIN" value="/secure/admin"/>
            <beans:entry key="ROLE_SUPER_ADMIN" value="/secure/admin"/>
        </beans:map>
    </beans:property>
</beans:bean>

KSTN
  • 2,002
  • 14
  • 18
Dudewonder
  • 43
  • 6

1 Answers1

1

I just figured it out. It's indeed a duplicate of Spring Security deprecated @AuthenticationPrincipal. Unfortunately never managed to find that post.

I changed 

<mvc:annotation-driven>
    <mvc:argument-resolvers>
        <bean class="org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver" />
    </mvc:argument-resolvers>
</mvc:annotation-driven>

To

<mvc:annotation-driven>
    <mvc:argument-resolvers>
        <bean class="org.springframework.security.web.method.annotation.AuthenticationPrincipalArgumentResolver" />
    </mvc:argument-resolvers>
</mvc:annotation-driven>

In my applicationContext.xml.

Community
  • 1
  • 1
Dudewonder
  • 43
  • 6