Announcement Announcement Module
No announcement yet.
Not able to access securityContext from http filters why ? Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Not able to access securityContext from http filters why ?


    I have http filters in position. After user logs in its authentication object is set in securityContextHolder as far as my knowledge is concerned.
    When second request goes i have written my own filter which runs before any other filter runs. I am trying to access this authentication object my code for that is SecurityContextHolder.getContext().getAuthenticati on() but it returns me null.

    this happens after authentication had taken place so i believe object will be in session. I was able to access some token object from session. SPRING_SECURITY_CONTEXT but its value i am getting null
    How can I get this authentication object in my servlet filters ? any clue ?
    Last edited by abhi patil; Feb 21st, 2012, 01:15 AM.

  • #2
    I believe I have the same problem with version 3.1.0.RELEASE of Spring Security.
    In my case, I am using Spring Security with Webservices, and I am checking authentication within a class that extends

    My applicationContext-security.xml configuration file (imported by applicationContext.xml) contains the following:
    <!-- <s:http pattern="/*.wsdl" security="none"/> -->
    <s:http auto-config='true'
    access-decision-manager-ref="affirmativeBased" >
    <s:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <s:http-basic />

    With "<s:http pattern="/*.wsdl" security="none"/>" comment out, the following code executes without exception:
    SecurityContext secureContext = SecurityContextHolder.getContext();
    Authentication auth = secureContext.getAuthentication();
    if ( auth == null )
    throw new UsernameNotFoundException("Spring Security SecurityContextHolder failing");

    If "<s:http pattern="/*.wsdl" security="none"/>" is enabled, the exception this thrown.

    Try simplifying your configuration to a single intercept-url and see if this causes your code to work properly.
    I am also going to write this up as a question, and see if anyone else has seen this bug.


    • #3
      The value will be in session, but it will not be placed into the SecurityContextHolder until after the SessionManagementFilter extracts the SecurityContext from the session and places the SecurityContext on the SecurityContextHolder. In short, you cannot obtain values from the SecurityContextHolder until after the SessionManagementFilter places it there.