  • Spring Security, 'getAuthentication' == null if there are more than 1 http element

    Within version 3.1.0.RELEASE of Spring Security, 'getAuthentication()' returns null within an EndpointInterceptor
    if there is more than 1 http element within my applicationContext-security.xml

    In my case, I am using Spring Security with Spring Webservices, and I am checking authentication within a class that implements, and extends org.springframework.xml.transform.TransformerObjectSupport.

    My applicationContext-security.xml configuration file (imported by applicationContext.xml) contains the following:

        <!-- <s:http pattern="/*.wsdl" security="none"/> -->
        <s:http auto-config='true'
                access-decision-manager-ref="affirmativeBased">
            <s:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
            <s:http-basic />
        </s:http>

    With "<s:http pattern="/*.wsdl" security="none"/>" commented out, the following code executes without exception:

        SecurityContext secureContext = SecurityContextHolder.getContext();
        Authentication auth = secureContext.getAuthentication();
        if ( auth == null )
            throw new UsernameNotFoundException("Spring Security SecurityContextHolder failing");

    If "<s:http pattern="/*.wsdl" security="none"/>" is enabled, the exception is thrown.

    Anyone else seen this, or know a work-around?

  • #2
    What URL are you requesting when you have this problem? Can you provide the debug logs for when the request fails?


    • #3
      The problem was that I was using a URL with WSDL as the soap address location within the application SoapUI.

      The default soap address location according to the WSDL is: http://localhost:8080/{appname}/

      However, when doing testing, I was switching my test suite from a deployed host to localhost, and I copied the WSDL URL of http://localhost:8080/{appname}/{appname}.wsdl and set that as the soap address (which always worked before enabling Spring Security).

      When SoapUI makes the call through "http://localhost:8080/{appname}/{appname}.wsdl", the configuration above allows the WSDL to be accessed without security. However, because web-methods are accessible using the WSDL URL as soap address, the SecurityContextHolder.getContext().getAuthentication() is then null.

      Thanks for the question prompting me to look at the URL.
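
The thread's finding as a configuration change, added here as an example that is not part of the original posts: the `security="none"` chain is narrowed so that only GET requests for the WSDL skip the filters, and a SOAP POST sent to the WSDL URL falls through to the authenticated chain. It assumes Spring Security 3.1 (`request-matcher-ref` on `<http>`, `AntPathRequestMatcher` in `org.springframework.security.web.util`), a default `beans` namespace, and the `affirmativeBased` bean from the original configuration; the bean id `wsdlGetOnly` is hypothetical.

```xml
<!-- Added example, not the poster's configuration. Assumes Spring Security 3.1
     and the "s" prefix used in the thread; the id "wsdlGetOnly" is hypothetical. -->

<!-- Before (from the thread): every HTTP method on *.wsdl skips the filter chain,
     so a SOAP POST sent to the WSDL URL reaches the endpoint with no Authentication. -->
<!-- <s:http pattern="/*.wsdl" security="none"/> -->

<!-- After: only GET requests for the WSDL document skip the filter chain. -->
<bean id="wsdlGetOnly"
      class="org.springframework.security.web.util.AntPathRequestMatcher">
    <constructor-arg value="/*.wsdl"/>
    <constructor-arg value="GET"/>
</bean>

<s:http request-matcher-ref="wsdlGetOnly" security="none"/>

<!-- Declared second: http elements are tried in order, so any non-GET request
     to *.wsdl falls through to this chain and must authenticate. -->
<s:http auto-config="true" access-decision-manager-ref="affirmativeBased">
    <s:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <s:http-basic/>
</s:http>
```

The order of the two `<s:http>` elements matters: the first matching element handles the request, so the GET-only element has to stay above the catch-all one.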