
  • SecurityContextHolder.getContext().getAuthentication() null on error-page

    Hi,
    I'm running Spring 3.0.5 on a Tomcat 6 (Windows Machine). I've found a problem/misconfiguration on Spring/Tomcat Error-Handling.

    When an Exception occurs in a Spring MVC Controller, Tomcat handles the exception by redirecting the request to an error page. (configured in web.xml):

    Code:
        <error-page>
            <exception-type>java.lang.Throwable</exception-type>
            <location>/error.html</location>
        </error-page>
    The problem is that in the error handling controller, the SecurityContext.getContext().getAuthentication() is returning null. However, if I navigate to another page, it returns the Authentication object as expected.

    Any ideas?
    Thanks-

  • #2
    Consider refactoring your exception handling. For example, use http://static.springsource.org/sprin...slation-filter for spring security exceptions.

    The only exception that you might need to have in web.xml is an HTTP 500 error. Catching throwable is probably a bad practice. For example, it's probably nice to give users a page not found page if a 404 is thrown rather than zomg error page.



    • #3
      If you want error pages that are managed by the container to be protected / include Spring Security's SecurityContext you need to ensure to include the ERROR request dispatcher for the springSecurityFilterChain. For example the following in your web.xml
      Code:
      <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>ERROR</dispatcher>
      </filter-mapping>



      • #4
        rwinch,
        This did the trick. I had read a lot of articles that talk about configuring error-denied-page and overriding ExceptionTranslationFilter, but this seems to be the best solution by far. Thanks much.


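An added example, not code from the thread or from Spring Security: a small Python check that audits a web.xml for the condition described in #3, namely container-managed error pages combined with a springSecurityFilterChain mapping that lacks the ERROR dispatcher. The function and helper names are this example's own, the sample documents are constructed around the snippets posted above, and dispatchers are pooled across mappings without comparing url-patterns (a simplification).

```python
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop an XML namespace prefix, if any

def _child_texts(elem, name):
    return [(c.text or "").strip() for c in elem if _local(c.tag) == name]

def audit_web_xml(xml_text, filter_name="springSecurityFilterChain"):
    """Return findings for a web.xml (trusted, local file) given as a string."""
    root = ET.fromstring(xml_text)
    error_pages = [loc for e in root.iter() if _local(e.tag) == "error-page"
                   for loc in _child_texts(e, "location")]
    mappings = [m for m in root.iter() if _local(m.tag) == "filter-mapping"
                and filter_name in _child_texts(m, "filter-name")]
    if not mappings:
        return [f"no <filter-mapping> for {filter_name}"]
    dispatchers = set()
    for m in mappings:
        declared = {d.upper() for d in _child_texts(m, "dispatcher")}
        # Servlet spec: a mapping with no <dispatcher> applies to REQUEST only,
        # and listing any dispatcher replaces that default.
        dispatchers |= declared or {"REQUEST"}
    findings = []
    if "REQUEST" not in dispatchers:
        findings.append(f"{filter_name} is not mapped for REQUEST dispatches")
    if error_pages and "ERROR" not in dispatchers:
        findings.append(f"{filter_name} is not mapped for ERROR dispatches; "
                        f"error pages {error_pages} run without a SecurityContext")
    return findings

# Constructed sample: the error-page from the first post.
ERROR_PAGE = """<error-page>
  <exception-type>java.lang.Throwable</exception-type>
  <location>/error.html</location>
</error-page>"""

def sample(dispatchers):
    """Build a constructed web.xml with that error-page and the given dispatchers."""
    tags = "".join(f"<dispatcher>{d}</dispatcher>" for d in dispatchers)
    return (f'<web-app xmlns="http://java.sun.com/xml/ns/javaee">{ERROR_PAGE}'
            f"<filter-mapping><filter-name>springSecurityFilterChain</filter-name>"
            f"<url-pattern>/*</url-pattern>{tags}</filter-mapping></web-app>")

if __name__ == "__main__":
    for label, ds in [("default", []), ("post #3", ["REQUEST", "ERROR"]), ("ERROR only", ["ERROR"])]:
        print(label, "->", audit_web_xml(sample(ds)) or "ok")
```

The "ERROR only" case shows why the mapping in #3 lists REQUEST as well: once any dispatcher is declared, the implicit REQUEST default no longer applies.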