
Thread: SecurityContextHolder.getContext().getAuthentication() null on error-page

  1. #1
    Join Date
    Oct 2008
    Location
    Minneapolis, MN
    Posts
    39

    SecurityContextHolder.getContext().getAuthentication() null on error-page

    Hi,
    I'm running Spring 3.0.5 on a Tomcat 6 (Windows Machine). I've found a problem/misconfiguration on Spring/Tomcat Error-Handling.

    When an Exception occurs in a Spring MVC Controller, Tomcat handles the exception by redirecting the request to an error page. (configured in web.xml):

    Code:
        <error-page>
            <exception-type>java.lang.Throwable</exception-type>
            <location>/error.html</location>
        </error-page>
    The problem is that in the error handling controller, the SecurityContext.getContext().getAuthentication() is returning null. However, if I navigate to another page, it returns the Authentication object as expected.

    Any ideas?
    Thanks-

  2. #2
    Join Date
    Dec 2008
    Location
    New York City
    Posts
    134


    Consider refactoring your exception handling. For example, use http://static.springsource.org/sprin...slation-filter for spring security exceptions.

    The only exception that you might need to have in web.xml is an HTTP 500 error. Catching Throwable is probably a bad practice. For example, it's probably nice to give users a page not found page if a 404 is thrown rather than zomg error page.
    Andrew Thompson - Linked In

  3. #3
    Join Date
    Jan 2008
    Posts
    1,826


    If you want error pages that are managed by the container to be protected / include Spring Security's SecurityContext, you need to make sure to include the ERROR request dispatcher for the springSecurityFilterChain. For example, the following in your web.xml:
    Code:
    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>ERROR</dispatcher>
    </filter-mapping>
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
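
An added example, not part of the thread or of Spring Security: a Python check that reads a web.xml and lists the error-page locations for which springSecurityFilterChain is not mapped with the ERROR dispatcher, the condition that left the SecurityContext empty in the question. The function names and both sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's error-page plus a filter mapping with no
# <dispatcher> elements, which the Servlet spec treats as REQUEST only.
SAMPLE_BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location>
  </error-page>
</web-app>"""

# Constructed sample: the same file with the dispatchers from the answer added.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "</url-pattern>",
    "</url-pattern>\n    <dispatcher>REQUEST</dispatcher>"
    "\n    <dispatcher>ERROR</dispatcher>")

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    """Text of each direct child element called `name`."""
    return [(c.text or "").strip() for c in elem if local(c.tag) == name]

def covers(pattern, path):
    """Servlet url-pattern match for exact, '/prefix/*' and '*.ext' forms."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def unprotected_error_pages(web_xml, filter_name="springSecurityFilterChain"):
    """Error-page locations the filter does not run for on an ERROR dispatch."""
    root = ET.fromstring(web_xml)
    patterns = []  # url-patterns of mappings that include the ERROR dispatcher
    for m in (e for e in root.iter() if local(e.tag) == "filter-mapping"):
        if filter_name in children(m, "filter-name"):
            if "ERROR" in (children(m, "dispatcher") or ["REQUEST"]):
                patterns += children(m, "url-pattern")
    locations = [loc for e in root.iter() if local(e.tag) == "error-page"
                 for loc in children(e, "location")]
    return [loc for loc in locations if not any(covers(p, loc) for p in patterns)]
```

An empty list means every declared error page is reached through the security filter chain on an ERROR dispatch.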

  4. #4
    Join Date
    Oct 2008
    Location
    Minneapolis, MN
    Posts
    39


    rwinch,
    This did the trick. I had read a lot of articles that talk about configuring error-denied-page and overriding ExceptionTranslationFilter, but this seems to be the best solution by far. Thanks much.
