
Thread: Cannot retrieve viewer params/cookies from SecurityContextHolderAwareRequestWrapper

  1. #1


    Hi,

    I have integrated spring security into a webapp which relies on an authentication servlet outside of the webapp (at different host/url) to determine whether the user has been authenticated. I used a custom filter in a "PRE_AUTH_FILTER" position in the spring security filter chain.

    Now, for local development purposes, I would like to have an authentication servlet inside the webapp. I have written the servlet as follows:

    When the "doPost" method of the servlet is called, the user is authenticated (this is working). The problem I'm having is with the "doGet" method which verifies whether a user has been authenticated... I do a get request to the servlet, passing a session id as a url parameter. The problem is that inside the "doGet" method, I cannot retrieve the parameter from the HttpServletRequest object:

    request.getParameter(<parameter name>);

    The above just returns null.

    But when constructing the get request to the servlet, the url parameter is definitely included. I also tried setting a cookie and getting the cookie value inside the doGet method, but no luck - the list of cookies returned by request.getCookies() is null.

    I debugged the code and noticed that the instance type of the HttpServletRequest parameter (of the doGet method) is of type SecurityContextHolderAwareRequestWrapper. Is this the reason for the problem? If so, how can I go about getting the request parameter from the url?

  2. #2

    A few things I'd verify:

    1. Did you try debugging your filter chain to check if your request parameter is there?
    2. Did you try entering the url manually in the browser with the parameter appended, to check if there is something wrong in the way you append it?
    3. Would it come (param) if it is a POST request?
    Amila Domingo

  3. #3

    Originally posted by Louis Jordaan:
    But when constructing the get request to the servlet, the url parameter is definitely included. I debugged the code and noticed that the instance type of the
    As amiladomingo requested, I'd be curious what the logs look like and also how you made the request with the cookie and the request with the "parameter in the url"

    Originally posted by Louis Jordaan:
    SecurityContextHolderAwareRequestWrapper. Is this the reason for the problem? If so, how can I go about getting the request parameter from the url?
    SecurityContextHolderAwareRequestWrapper is an instance of HttpServletRequestWrapper which delegates to the original HttpServletRequest in order to perform getParameter and getCookies, so it is very unlikely that Spring Security is causing this.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  4. #4


    amiladomingo:

    1. Yes, I did debug and it is there - If I drill down through all the wrapped request objects in the doGet method of the Servlet (SecurityContextHolderAwareRequestWrapper -> RequestWrapper -> RequestFacade -> Request -> coyoteRequest) I can see that the url parameter is part of the request string.

    2. Hitting the servlet url manually using a browser with exactly the same url (including request parameter) as is called from within my app's code (i.e. in my filter code), I get the same problem: request parameters are not available. However, then request.getCookies() is not null, i.e. I can get the cookies.



    Here is an extract of my security config:

    <http auto-config="true" use-expressions="true" >
    ...
    <custom-filter ref="propagatedIdentityFilter" position="PRE_AUTH_FILTER" />
    <intercept-url pattern="/jsf/AuthenticateCredentials*" access="permitAll" />
    <intercept-url pattern="/**" access="hasRole('USER')" />
    </http>

    propagatedIdentityFilter is my custom filter. It extends GenericFilterBean.
    AuthenticateCredentials is the servlet which authenticates a user in "doPost" and verifies whether a user is authenticated in "doGet".

    I did notice however that when debugging and hitting the servlet directly with a url like this...

    http://localhost:7001/myApp/jsf/Auth...4C3D3B75383D04

    ...execution stops at my breakpoints inside the doFilter method of my propagatedIdentityFilter filter, even though I specified a permitAll permission for the AuthenticateCredentials servlet. Is this normal?

  5. #5
    Join Date
    Dec 2010
    Location
    Singapore
    Posts
    287


    Code:
    http://localhost:7001/myApp/jsf/AuthenticateCredentials;PORTALWLJSESSIONID=697446F12FFA1DBE3B4C3D3B75383D04
    Doesn't the ";" have to be a "?"

    Code:
    http://localhost:7001/myApp/jsf/AuthenticateCredentials?PORTALWLJSESSIONID=697446F12FFA1DBE3B4C3D3B75383D04
    Amila Domingo

  6. #6


    Thanks amiladomingo, the ";" was the problem. Now that I've replaced it with "?" I can get the request parameters. Here is a useful explanation of why I got this issue (I'm running my apps on Tomcat):

    http://www.issociate.de/board/post/1...semicolon.html

    Thanks again for your help :-)
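
Why the ";" form came back null, as an added example that is not code from this thread: the Servlet API's getParameter() exposes only the query string (and form body), while ";name=value" is a path parameter that stays inside the request URI and has to be parsed from it. The class and method names are made up for illustration, and the split is modelled with java.net.URI rather than a running container; values are left undecoded.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Map;

public class PathVsQueryParams {

    // Parameters after '?': the only URL-borne values getParameter() would see.
    static Map<String, String> queryParams(URI uri) {
        return parsePairs(uri.getRawQuery(), "&");
    }

    // Parameters after ';' in any path segment: still part of the request URI,
    // so they must be extracted from it by hand.
    static Map<String, String> pathParams(URI uri) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String segment : uri.getRawPath().split("/")) {
            int semi = segment.indexOf(';');
            if (semi >= 0) {
                out.putAll(parsePairs(segment.substring(semi + 1), ";"));
            }
        }
        return out;
    }

    // Splits "a=1<sep>b=2" into name/value pairs; a bare name maps to "".
    private static Map<String, String> parsePairs(String raw, String separator) {
        Map<String, String> out = new LinkedHashMap<>();
        if (raw == null || raw.isEmpty()) {
            return out;
        }
        for (String pair : raw.split(separator)) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            out.put(eq < 0 ? pair : pair.substring(0, eq),
                    eq < 0 ? "" : pair.substring(eq + 1));
        }
        return out;
    }

    public static void main(String[] args) {
        // The two URLs compared in post #5 of this thread.
        String base = "http://localhost:7001/myApp/jsf/AuthenticateCredentials";
        String id = "PORTALWLJSESSIONID=697446F12FFA1DBE3B4C3D3B75383D04";
        for (String sep : new String[] {";", "?"}) {
            URI uri = URI.create(base + sep + id);
            System.out.println(sep + " query=" + queryParams(uri) + " path=" + pathParams(uri));
        }
    }
}
```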
