Unable to retrieve security context from within Spring-Jersey

  • Unable to retrieve security context from within Spring-Jersey

    Hello all,

    I am trying to retrieve a security context within my spring-jersey bean, however I keep getting Null authentication. When I run the same command from within my spring application it correctly retrieves the currently logged-in user's security context.

    The configuration of spring-jersey requires creating a separate servlet to the main spring application, thus the web.xml has two servlets - one for the spring app, the second for the jersey rest api.

    Assuming the problem is related to this, I tried setting the security context sharing mode to global, however I am still unable to get the context information from within Jersey.

    Any help with this would be greatly appreciated!

    Many thanks,

  • #2
    Are you authenticated to the Jersey portion? To authenticate you are most likely passing some sort of credentials in the request (i.e. username/password as basic authentication). My guess is that the web browser is maintaining a JSESSIONID cookie to keep you authenticated and the REST portion has no notion of this cookie.


    • #3
      I can see your point about session cookies. I am able to retrieve session cookies from my Jersey code using @Context HttpServletRequest req, then retrieving the session from there. However, SecurityContextHolder is session independent from what I understand (?).


      • #4
        You may want to read how the SecurityContextHolder is populated. By default it is held within session, so it is directly tied to the session. If you don't authenticate in some manner (i.e. providing a valid JSESSIONID cookie, basic auth credentials, etc.) you cannot be authenticated.


        • #5
          Thank you for the link.

          Interesting, it seems the SecurityContextHolder while itself is stored in ThreadLocal see, for authenticated users it's populated from the session attributes by Spring Security filters (src:

          This clue helped solve the problem: checking how my security filters were configured, I found this line in my Spring Security configuration:

          <security:intercept-url pattern="/api/**" filters="none" />
          This line effectively disables all Spring Security filters; removing it fixed the problem.

          Many thanks for your help
          Last edited by NigelVT; Sep 24th, 2010, 04:05 AM.
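
The fix described in post #5, shown as a before/after configuration sketch. This is an added example, not the poster's actual files. It assumes Spring Security 3.0 namespace configuration with the security: prefix used in the thread; the ROLE_USER authority, auto-config="true" and the /* filter mapping are assumptions.

```xml
<!-- web.xml fragment (assumed): the filter is mapped by URL, so it sees
     requests for both the Spring servlet and the Jersey servlet. -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Security configuration, BEFORE: filters="none" gives /api/** an empty
     filter chain. Nothing loads the session's security context into
     SecurityContextHolder, so getAuthentication() returns null inside the
     Jersey resource, and no access rule is enforced on the REST API. -->
<security:http auto-config="true">
  <security:intercept-url pattern="/api/**" filters="none" />
  <security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>

<!-- Security configuration, AFTER: /api/** goes through the normal chain.
     A request carrying a valid JSESSIONID cookie or basic auth credentials
     is authenticated and its context is visible to the resource; a request
     without them is stopped before it reaches the resource. -->
<security:http auto-config="true">
  <security:intercept-url pattern="/api/**" access="ROLE_USER" />
  <security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
```

When reviewing a configuration like this, search for filters="none" on any pattern that serves authenticated data: it removes access control for that path as well as the security context.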