
  • HttpSession returned null object for SPRING_SECURITY_CONTEXT

    I'm trying to port an Acegi config to the Spring Security Namespace configuration but I'm missing something in my configuration. All I want to do is login at /login (Echo app that authenticates) and then once authenticated redirect to /app (All I need is IS_AUTHENTICATED_FULLY to be able to access the /app)

    The configs are as follows in web.xml
    <filter>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
      <listener-class>
        org.springframework.web.context.request.RequestContextListener
      </listener-class>
    </listener>

    <listener>
      <listener-class>
        org.springframework.web.context.ContextLoaderListener
      </listener-class>
    </listener>

    In my appSecurity.xml I have the following
    <authentication-provider user-service-ref="userAccountService"/>

    <!-- accessDecisionManager -->
    <beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
      <beans:property name="allowIfAllAbstainDecisions" value="false"/>
      <beans:property name="decisionVoters">
        <beans:list>
          <beans:bean class="org.springframework.security.vote.AuthenticatedVoter"/>
        </beans:list>
      </beans:property>
    </beans:bean>

    <http auto-config="true" access-decision-manager-ref="accessDecisionManager" >

    <intercept-url pattern="/app" access="IS_AUTHENTICATED_FULLY" />
    <intercept-url pattern="/login" filters="none" />
    <intercept-url pattern="/logout" access="IS_AUTHENTICATED_FULLY" />
    <form-login login-page="/login"/>
    </http>

    Here is a short extract from the log:

    2009-04-07 18:31:20,024 DEBUG [http-8080-Processor24] cache.EhCacheBasedUserCache (EhCacheBasedUserCache.java:86) - Cache put: admin@xyz
    2009-04-07 18:31:20,027 DEBUG [http-8080-Processor24] support.AbstractApplicationContext (AbstractApplicationContext.java:272) - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@6ec21a]: org.springframework.security.event.authentication.AuthenticationSuccessEvent[source=org.springframework.security.providers.UsernamePasswordAuthenticationToken@562b2663: Principal: com.xyz.server.domain.common.UserAccount@4; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_ALL]
    2009-04-07 18:31:20,050 DEBUG [http-8080-Processor24] request.RequestContextListener (RequestContextListener.java:89) - Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@51c7ee


    2009-04-07 18:31:35,105 DEBUG [http-8080-Processor21] request.RequestContextListener (RequestContextListener.java:69) - Bound request context to thread: org.apache.catalina.connector.RequestFacade@bf1f08
    2009-04-07 18:31:35,107 DEBUG [http-8080-Processor21] util.FilterChainProxy (FilterChainProxy.java:205) - Converted URL to lowercase, from: '/app'; to: '/app'
    2009-04-07 18:31:35,109 DEBUG [http-8080-Processor21] util.FilterChainProxy (FilterChainProxy.java:212) - Candidate is: '/app'; pattern is /login; matched=false
    2009-04-07 18:31:35,110 DEBUG [http-8080-Processor21] util.FilterChainProxy (FilterChainProxy.java:205) - Converted URL to lowercase, from: '/app'; to: '/app'
    2009-04-07 18:31:35,116 DEBUG [http-8080-Processor21] util.FilterChainProxy (FilterChainProxy.java:212) - Candidate is: '/app'; pattern is /**; matched=true
    2009-04-07 18:31:35,117 DEBUG [http-8080-Processor21] util.FilterChainProxy$VirtualFilterChain (FilterChainProxy.java:385) - /app at position 1 of 10 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
    2009-04-07 18:31:35,120 DEBUG [http-8080-Processor21] context.HttpSessionContextIntegrationFilter (HttpSessionContextIntegrationFilter.java:286) - HttpSession returned null object for SPRING_SECURITY_CONTEXT

    - you can see that the user admin@xyz is authenticated and put in the cache; however, upon redirecting to /app there is no spring security context in the session - do I need another listener? Why is the SpringSecurityContext not present in the session?

  • #2
    Some progress...

    Ok I sort of got it to work

    1) I need to explicitly add the Authentication object to the context
    SecurityContextHolder.getContext().setAuthentication(authentication);
    (is there a better way of doing this?)

    2) Also I removed the filters="none" and added the access attribute as follows to the intercept url
    <intercept-url pattern="/login" access="ROLE_ANONYMOUS" />

    However this is still all very experimental and some feedback from the experts would be nice

    Comment
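
Added example, not code from this thread or from the Spring Security project: one way to write the programmatic login described in #2 against the Spring Security 2.0.x classes that appear in the logs above, plus a small check for the condition the log message reports. It assumes the login code can reach the HttpServletRequest and is handed the AuthenticationManager; `ProgrammaticLogin` and `describeStoredContext` are hypothetical names.

```java
// Added illustration for Spring Security 2.0.x; class and method names are hypothetical.
//
// The URL that runs login() has to pass through the security filter chain, e.g.
//   <intercept-url pattern="/login" access="ROLE_ANONYMOUS" />
// With filters="none" no HttpSessionContextIntegrationFilter runs for that request,
// so nothing copies the SecurityContext into the HttpSession when it finishes, and
// the next request logs "HttpSession returned null object for SPRING_SECURITY_CONTEXT".

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.context.HttpSessionContextIntegrationFilter;
import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.ui.WebAuthenticationDetails;

public class ProgrammaticLogin {

    private final AuthenticationManager authenticationManager;

    // Assumption: the application context injects the AuthenticationManager that
    // sits in front of the <authentication-provider> from the first post.
    public ProgrammaticLogin(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /** Returns true when the credentials were accepted and the context was populated. */
    public boolean login(HttpServletRequest request, String username, String password) {
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(username, password);
        // Records remote address and session id (the first post's log shows "Details: null").
        token.setDetails(new WebAuthenticationDetails(request));

        try {
            // Delegates to the configured provider; throws on bad credentials,
            // disabled accounts and so on.
            Authentication result = authenticationManager.authenticate(token);
            // Thread-bound only. HttpSessionContextIntegrationFilter is what stores
            // it in the session at the end of this request.
            SecurityContextHolder.getContext().setAuthentication(result);
            return true;
        } catch (AuthenticationException e) {
            // Leave no half-authenticated state behind on failure.
            SecurityContextHolder.getContext().setAuthentication(null);
            return false;
        }
    }

    /** Diagnostic for a later request: reports what the session actually holds. */
    public static String describeStoredContext(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return "no session";
        }
        Object stored = session.getAttribute(
                HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY);
        if (!(stored instanceof SecurityContext)) {
            return "session has no SPRING_SECURITY_CONTEXT attribute";
        }
        Authentication auth = ((SecurityContext) stored).getAuthentication();
        return auth == null
                ? "context stored, but it holds no Authentication"
                : "context stored for " + auth.getName();
    }
}
```
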


    • #3
      Help please

      Hello,

      Can you please help me on my problem, I think the post above is more or less related.

      The situation is:
      When I tried to login using a Bad Credential, the authentication will be unsuccessful (which is expected), but the problem is, I want to display and notify the user of this error, but no error is displayed.

      Here is my login page:

      PHP Code:
      <%@ include file="/common/taglib.jsp"%>

      <html>
        <head>
          <title>Login</title>
        </head>
        <link rel="stylesheet" type="text/css" media="all" href="<c:url value='/css/general_theme.css'/>" />
        <link rel="stylesheet" type="text/css" media="all" href="<c:url value='/css/header.css'/>" />
        <link rel="stylesheet" type="text/css" media="all" href="<c:url value='/css/login.css'/>" />
        <body>

          <!-- HEADER IMAGE -->
          <div id="headercomponents">
            <img id="header-image" src="<c:url value='/img/header.jpg'/>"/>
          </div>

          <!-- ERROR MESSAGE IF ANY -->
          <c:if test="${param.error != null}">
            <div id="error">
              Your login attempt was not successful, try again.<br/>
              Reason: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>.
            </div>
          </c:if>
          <div id="login">
          <form name="f" action="<c:url value='j_spring_security_check'/>" method="POST">
            <table>
              <tr><td>User:</td><td><input type='text' name='j_username' style="width: 100%;" value='<c:if test="${not empty param.login_error}"><c:out value="${SPRING_SECURITY_LAST_USERNAME}"/></c:if>'/></td></tr>
              <tr><td>Password:</td><td><input type='password' name='j_password' style="width: 100%;"></td></tr>
              <tr><td colspan="2"><input type="checkbox" name="_spring_security_remember_me"> &nbsp; &nbsp;Don't ask for my password for two weeks</td></tr>

              <tr><td colspan="2" style="text-align: center;"><input name="submit" type="submit" value="Submit">  &nbsp; &nbsp; <input name="reset" type="reset"></td></tr>
            </table>
          </form>
          </div>
        </body>
      </html>
      and security.xml

      PHP Code:
      <?xml version="1.0" encoding="UTF-8"?>
      <beans:beans xmlns="http://www.springframework.org/schema/security"
          xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
                    
        <http auto-config="true" session-fixation-protection="none" access-decision-manager-ref="accessDecisionManager"
         access-denied-page="/accessDenied.jsp" >
           <!-- <intercept-url pattern="/index.jsp" access="ANONYMOUS" /> -->
           <intercept-url pattern="/jsp/*.htm" access="USER,ADMIN,SUPER"/>
           <intercept-url pattern="/jsp/admin/*.htm" access="ADMIN,SUPER" />
           <intercept-url pattern="/jsp/secured/*.htm" access="SUPER" />
           <form-login authentication-failure-url="/index.jsp?error=true"
           login-page="/index.jsp" login-processing-url="/j_spring_security_check" default-target-url="/jsp/home.htm" />
           <logout invalidate-session="true" logout-url="/j_spring_security_logout" logout-success-url="/index.jsp" />
           <remember-me token-validity-seconds="604800" data-source-ref="dataSource" />
        </http>
        
        <authentication-provider>
          <jdbc-user-service data-source-ref="dataSource" 
            users-by-username-query="select username, password, enable from EMPLOYEE where username = ? " 
            authorities-by-username-query="select username, role from EMPLOYEE where username = ? " />
        </authentication-provider>
               
        <beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased" >
          <beans:property name="decisionVoters">
            <beans:bean class="org.springframework.security.vote.RoleVoter">
              <beans:property name="rolePrefix" value=""/>
              </beans:bean>
          </beans:property>
        </beans:bean>               
      </beans:beans>
      and my web.xml

      PHP Code:
      <?xml version="1.0" encoding="UTF-8"?>
      <web-app version="2.5" 
          xmlns="http://java.sun.com/xml/ns/javaee" 
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
          http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
          
        <context-param>
          <param-name>contextConfigLocation</param-name>
          <param-value>
            WEB-INF/applicationContext.xml
            WEB-INF/security.xml
          </param-value>
        </context-param>
        
        <filter>
          <filter-name>springSecurityFilterChain</filter-name>
          <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        
        <filter-mapping>
          <filter-name>springSecurityFilterChain</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
        
        <listener>
          <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
        
        <welcome-file-list>
          <welcome-file>index.jsp</welcome-file>
        </welcome-file-list>
      </web-app>
      but every time I tried to use a wrong username-password, the page will just be redirected to 'index.jsp?error=true', which is correct, but no error messages in the page, and the username and password fields are cleared.

      might you have any clue on what is going on here?

      i used Tomcat 5.5, SPRING SECURITY 2.0.4. please please please..

      thanks
      -marckun

      ps: console log to follow below..



      • #4
        Sorry I have to cut my post into two parts.

        as you can see below, null is assigned to object SPRING_SECURITY_CONTEXT.
        I don't know, but maybe just maybe, this is the reason why I can't seem to display to SPRING_SECURITY_CONTEXT.message, which is the error message in my index.jsp. please help.. thanks

        HTML Code:
        16:16:56,612 DEBUG JdbcTemplate:574 - Executing prepared SQL statement [select username, password, enable from EMPLOYEE where username = ? ]
        16:16:56,626 DEBUG DataSourceUtils:112 - Fetching JDBC Connection from DataSource
        16:16:56,960 DEBUG StatementCreatorUtils:207 - Setting SQL statement parameter value: column index 1, parameter value [], value class [java.lang.String], SQL type 12
        16:16:56,987 DEBUG DataSourceUtils:312 - Returning JDBC Connection to DataSource
        16:16:56,992 DEBUG SpringSecurityMessageSource:116 - Creating MessageFormat for pattern [User {0} not found] and locale 'en_US'
        16:16:56,993 DEBUG XmlWebApplicationContext:272 - Publishing event in context [[email protected]1b8d6f7]: org.springframework.security.event.authentication.AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.providers.UsernamePasswordAuthenticationToken@1f: Principal: ; Password: [PROTECTED]; Authenticated: false; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 98B615561408FB07A8FAEC90F75C53C2; Not granted any authorities]
        16:16:56,993 DEBUG AuthenticationProcessingFilter:405 - Updated SecurityContextHolder to contain null Authentication
        16:16:56,994 DEBUG AuthenticationProcessingFilter:411 - Authentication request failed: org.springframework.security.BadCredentialsException: Bad credentials
        16:16:56,995 DEBUG PersistentTokenBasedRememberMeServices:187 - Interactive login attempt was unsuccessful.
        16:16:56,995 DEBUG PersistentTokenBasedRememberMeServices:273 - Cancelling cookie
        16:16:56,996 DEBUG HttpSessionContextIntegrationFilter:255 - SecurityContextHolder now cleared, as request processing completed
        16:16:57,000 DEBUG FilterChainProxy:205 - Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
        16:16:57,001 DEBUG FilterChainProxy:212 - Candidate is: '/index.jsp'; pattern is /**; matched=true
        16:16:57,001 DEBUG FilterChainProxy:385 - /index.jsp?error=true at position 1 of 9 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
        16:16:57,001 DEBUG HttpSessionContextIntegrationFilter:286 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
        16:16:57,001 DEBUG HttpSessionContextIntegrationFilter:209 - New SecurityContext instance will be associated with SecurityContextHolder
        16:16:57,001 DEBUG FilterChainProxy:385 - /index.jsp?error=true at position 2 of 9 in additional filter chain; firing Filter: 'org.springframework.security.ui.logout.LogoutFilter[ order=300; ]'
        16:16:57,002 DEBUG FilterChainProxy:385 - /index.jsp?error=true at position 3 of 9 in additional filter chain; firing Filter: 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]'
        16:16:57,002 DEBUG FilterChainProxy:385 - /index.jsp?error=true at position 4 of 9 in additional filter chain; firing Filter: 'org.springframework.security.ui.basicauth.BasicProcessingFilter[ order=1000; ]'
        16:16:57,002 DEBUG BasicProcessingFilter:115 - Authorization header: null
        16:16:57,003 DEBUG FilterChainProxy:385 - /index.jsp?error=true at position 5 of 9 in additional filter chain; firing Filter: 'org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1100; ]'
        16:16:57,003 DEBUG SavedRequestAwareWrapper:117 - Wrapper not replaced; SavedRequest was: null
        16:16:57,004 DEBUG FilterChainProxy:385 - /index.jsp?error=true at position 6 of 9 in additional filter chain; firing Filter: 'org.springframework.security.ui.rememberme.RememberMeProcessingFilter[ order=1200; ]'
        16:16:57,004 DEBUG FilterChainProxy:385 - /index.jsp?error=true at position 7 of 9 in additional filter chain; firing Filter: 'org.springframework.security.providers.anonymous.AnonymousProcessingFilter[ order=1300; ]'
        16:16:57,004 DEBUG AnonymousProcessingFilter:93 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.providers.anonymous.AnonymousAuthenticationToken@69ec9c97: Principal: roleAnonymous; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 98B615561408FB07A8FAEC90F75C53C2; Granted Authorities: ROLE_ANONYMOUS'
        16:16:57,005 DEBUG FilterChainProxy:385 - /index.jsp?error=true at position 8 of 9 in additional filter chain; firing Filter: 'org.springframework.security.ui.ExceptionTranslationFilter[ order=1400; ]'
        16:16:57,005 DEBUG FilterChainProxy:385 - /index.jsp?error=true at position 9 of 9 in additional filter chain; firing Filter: 'org.springframework.security.intercept.web.FilterSecurityInterceptor@4a9a7d'
        16:16:57,005 DEBUG DefaultFilterInvocationDefinitionSource:196 - Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'



        • #5
          <c:if test="${param.error != null}">
          seems param.error is null - so who should be setting this in the case of an invalid login?



          • #6
            Originally posted by nedge
            <c:if test="${param.error != null}">
            seems param.error is null - so who should be setting this in the case of an invalid login?
            oh yeah that part.. it is in security.xml.. it's already configured there:

            PHP Code:
            <form-login login-page="/login.jsp" default-target-url="/jsp/home.html" 
                        
            authentication-failure-url="/index.jsp?error=true" /> 
            that part.. and yes, when i tried to login using a bad credential, the page is redirected to index.jsp?error=true, which is correct.. my only problem is it doesn't display the error message.

            thanks for the reply.. do u have any idea?

            -marckun



            • #7
              sorry not really - I have no idea of PHP but is the line "${param.error != null}" correct?
              should it not be:
              "${param.error} != null"



              • #8
                You check the wrong variable. In your php file you check login_error parameter: value='<c:if test="${not empty param.login_error}">

                and when you redirect to index.jsp you pass the parameter error:

                /index.jsp?error=true.

                try: /index.jsp?login_error=true

                I hope this is your solution...



                • #9
                  Originally posted by TasosCeid
                  You check the wrong variable. In your php file you check login_error parameter: value='<c:if test="${not empty param.login_error}">

                  and when you redirect to index.jsp you pass the parameter error:

                  /index.jsp?error=true.

                  try: /index.jsp?login_error=true

                  I hope this is your solution...
                  oh yeah.. it's merely my error in posting..

                  the correct is index.jsp?error=true and <c:if test="${param.error != null}"> and still it doesn't work.. i also tried <c:if test="${not empty param.error}" /> and still it doesn't work..

                  i really dunno what to do..

                  -marckun



                  • #10
                    Firstly, I want to make clear that I am not a spring expert, but it happened to put spring security on my application at this certain time and I saw your post.

                    If I were in your position I would try a couple of things. After looking at your xml file I have two suggestions.

                    1) The spring security reference (http://static.springsource.org/sprin...form-and-basic) suggests that login page should have any filter intercepted. So try this

                    Code:
                    <intercept-url pattern='/index.jsp*' filters='none'/>
                    .

                    2) Try to use different tag lib for example:

                    Code:
                    <%@ taglib prefix='c' uri='http://java.sun.com/jstl/core_rt' %>
                    (But if the taglib was the problem, the header image would not have been displayed)

                    For the same reason try to show the error parameter to see what is sent..
                    Code:
                    <c:out value="${param.error}"/>
                    I don't think that any of the above may be the solution, but you don't have anything to lose by trying.



                    • #11
                      Why not start from the tutorial sample application (which does what you want)? Then you have a working configuration to build on.



                      • #12
                        Originally posted by TasosCeid
                        Firstly, I want to make clear that I am not a spring expert, but it happened to put spring security on my application at this certain time and I saw your post.

                        If I were in your position I would try a couple of things. After looking at your xml file I have two suggestions.

                        1) The spring security reference (http://static.springsource.org/sprin...form-and-basic) suggests that login page should have any filter intercepted. So try this

                        Code:
                        <intercept-url pattern='/index.jsp*' filters='none'/>
                        .

                        2) Try to use different tag lib for example:

                        Code:
                        <%@ taglib prefix='c' uri='http://java.sun.com/jstl/core_rt' %>
                        (But if the taglib was the problem, the header image would not have been displayed)

                        For the same reason try to show the error parameter to see what is sent..
                        Code:
                        <c:out value="${param.error}"/>
                        I don't think that any of the above may be the solution, but you don't have anything to lose by trying.
                        Hello, I tried everything uv given me above, but it still didn't work. weird though, when I tried to put <c:out value="param.error" /> and <c:out value="params.error" /> what I get are "param.error" and "params.error" printed on the screen, not the value of parameter error which is "true".

                        -marckun



                        • #13
                          I hope that you mean
                          Code:
                          <c:out value="${param.error}"/>
                          and not

                          Code:
                          <c:out value="param.error"/>
                          If you wrote the command right then the problem is not in spring security but in the jsp and the GET variables.



                          • #14
                            Originally posted by TasosCeid
                            I hope that you mean
                            Code:
                            <c:out value="${param.error}"/>
                            and not

                            Code:
                            <c:out value="param.error"/>
                            If you wrote the command right then the problem is not in spring security but in the jsp and the GET variables.

                            Hello,

                            Thanks for that very sound comment. Hmmm, probably you are most definitely correct.. Have I missed something then? What I did is I placed jstl.jar and standard.jar on my WEB-INF/lib folder (and MyEclipse automatically adds in the build path). and I tried both these URL's on my jsp pages:

                            PHP Code:
                            <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> 
                            PHP Code:
                            <%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %> 
                            That's all i did. I didn't put anything in my web.xml etc..

                            (*Sorry if I sound stupid above, this is my first time really setting up a complete project ground-up so I might really be annoying.. )

                            -marckun



                            • #15
                              Originally posted by marcKun
                              Hello, I tried everything uv given me above, but it still didn't work. weird though, when I tried to put <c:out value="param.error" /> and <c:out value="params.error" /> what I get are "param.error" and "params.error" printed on the screen, not the value of parameter error which is "true".

                              -marckun
                              From your quoted post it seems that you have set the jstl and standard lib right. It prints the value you want. But, when you write:

                              Code:
                              <c:out value="param.error" />
                              you tell it to print the string "param.error". In order to print the value of the variable param.error you have to write ${param.error}. Generally, when you want to use a parameter in jsp you put it in ${....}.

                              Did you try this?

