Announcement Announcement Module
No announcement yet.
An Authentication object was not found in the SecurityContext Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • An Authentication object was not found in the SecurityContext

    I'm using the Spring framework 3.2.0 and the same version of Spring security. My spring-security.xml file looks like the following.

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns=""
        <http pattern="/Login.htm*" security="none"></http>    
        <http auto-config='true'>
        <!--<remember-me key="myAppKey"/>-->
            <session-management session-fixation-protection="newSession">
                <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
            <intercept-url pattern="/admin_side/**" access="ROLE_ADMIN" requires-channel="any"/>
            <form-login login-page="/" default-target-url="/admin_side/Home.htm" authentication-failure-url="/LoginFailed.htm" authentication-success-handler-ref="loginSuccessHandler"/>
            <logout logout-success-url="/Login.htm" invalidate-session="true" delete-cookies="JSESSIONID"/>
                <jdbc-user-service data-source-ref="dataSource"
                   users-by-username-query="select email_id, password, enabled from user_table where lower(email_id)=lower(?)"
                   authorities-by-username-query="select ut.email_id, ur.authority from user_table ut, user_roles ur where ut.user_id=ur.user_id and lower(ut.email_id)=lower(?)"/>
        <beans:bean id="loginSuccessHandler" class="loginsuccesshandler.LoginSuccessHandler"/>
        <global-method-security secured-annotations="enabled" proxy-target-class="true">
            <protect-pointcut expression="execution(* dao.*.*(..))" access="ROLE_ADMIN"/>
        <!--<global-method-security secured-annotations="enabled" />-->
    This works fine in my entire application. After successful login, I need to use AuthenticationSuccessEvent. The class that implements ApplicationListener<AuthenticationSuccessEvent> is as follows.

    package loginsuccesshandler;
    import dao.UserDAO;
    import daoservice.UserSevice;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.ApplicationListener;
    import org.springframework.stereotype.Service;
    public final class AuthSuccessHandler implements ApplicationListener<AuthenticationSuccessEvent>
        private UserService userSevice;
        public void onApplicationEvent(AuthenticationSuccessEvent event) 
            String userName = ((UserDetails) event.getAuthentication().getPrincipal()).getUsername();
            System.out.println("userName = "+userSevice.getUser(userName).getFirstName());
    This class has been registered as a bean in the applicationContext.xml file and it is a part of <context:component-scan>

    With this, when I attempt to login, I receive the message as the question title indicates. (The exception is consumed under the hood and the full exception stacktrace not available. This message is from sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message).

    when I entirely remove the <global-method-security>...</global-method-security> section, it works and the debugging statement shows the user's first name from the database.

    So, it has to do something with the global method security.

    The following statement,

    in that event handler displays,

    Code:*​@bad860a5: Principal: [email protected]: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]fffdaa0*​8: RemoteIpAddress:; SessionId: AEE54A59C9181C05A176D12E27D88CB1; Granted Authorities: ROLE_ADMIN
    So it appears that the user is authenticated and the authentication object is available. Is there anything I'm missing? What is the way to get around this? Kindly let me know.

    Apparently, I cannot see anything wrong in my application. I cannot imagine what might be the fair reason behind it. If you see something what I may be missing, may be in the config file or somewhere else, then please let me know but I can smell it like a jira issue in the version specified. If someone has already used in the version specified, does it really work with the version specified (3.2.0)?
    Last edited by Tiny; Mar 20th, 2013, 05:24 AM.