Thread: Spring Security, 'getAuthentication' == null if there are more than 1 http element

  1. #1

    Spring Security, 'getAuthentication' == null if there are more than 1 http element

    Within version 3.1.0.RELEASE of Spring Security, 'getAuthentication()' returns null within an EndpointInterceptor
    if there is more than 1 http element within my applicationContext-security.xml

    In my case, I am using Spring Security with Spring Webservices, and I am checking authentication within a class that implements org.springframework.ws.server.EndpointInterceptor, and extends org.springframework.xml.transform.TransformerObjectSupport.

    My applicationContext-security.xml configuration file (imported by applicationContext.xml) contains the following:
    <!-- <s:http pattern="/*.wsdl" security="none"/> -->
    <s:http auto-config='true'
            access-decision-manager-ref="affirmativeBased" >
        <s:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <s:http-basic />
    </s:http>

    With "<s:http pattern="/*.wsdl" security="none"/>" commented out, the following code executes without exception:
    SecurityContext secureContext = SecurityContextHolder.getContext();
    Authentication auth = secureContext.getAuthentication();
    if ( auth == null )
        throw new UsernameNotFoundException("Spring Security SecurityContextHolder failing");

    If "<s:http pattern="/*.wsdl" security="none"/>" is enabled, the exception is thrown.

    Anyone else seen this, or know a work-around?

  2. #2

    What URL are you requesting when you have this problem? Can you provide the debug logs for when the request fails?
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  3. #3

    The problem was that I was using a URL with WSDL as the soap address location within the application SoapUI.

    The default soap address location according to the WSDL is: http://localhost:8080/{appname}/

    However, when doing testing, I was switching my test suite from a deployed host to localhost, and I copied the WSDL URL of http://localhost:8080/{appname}/{appname}.wsdl and set that as the soap address (which always worked before enabling Spring Security).

    When SoapUI makes the call through "http://localhost:8080/{appname}/{appname}.wsdl", the configuration above allows the WSDL to be accessed without security. However, because web-methods are accessible using the WSDL URL as soap address, the SecurityContextHolder.getContext().getAuthentication() is then null.

    Thanks for the question prompting me to look at the URL.
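
Added example, not part of the original thread or of the posters' configuration: the security="none" element from post #1 next to a variant that exempts only GET requests for the WSDL, so a SOAP POST sent to the .wsdl URL still goes through the authenticated chain. The bean id wsdlGetOnly is a made-up name; the matcher class is given with its Spring Security 3.1.x package (later versions moved it), and the file is assumed to use the beans schema as its default namespace with the s: prefix for security, as in the posted snippet.

```xml
<!-- As posted: every request whose path matches /*.wsdl, SOAP POSTs included,
     bypasses the Spring Security filters, so no Authentication is ever set. -->
<!-- <s:http pattern="/*.wsdl" security="none"/> -->

<!-- Narrowed variant: only GET /*.wsdl (WSDL retrieval) bypasses the filters. -->
<bean id="wsdlGetOnly"
      class="org.springframework.security.web.util.AntPathRequestMatcher">
    <constructor-arg index="0" value="/*.wsdl"/>
    <constructor-arg index="1" value="GET"/>
</bean>
<s:http request-matcher-ref="wsdlGetOnly" security="none"/>

<!-- Unchanged from the post: everything else, including a POST to the
     .wsdl URL, now falls through to this element and needs HTTP Basic. -->
<s:http auto-config='true'
        access-decision-manager-ref="affirmativeBased">
    <s:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <s:http-basic/>
</s:http>
```

The null check in the EndpointInterceptor from post #1 stays useful with either variant, because it rejects any request that reaches an endpoint without an Authentication.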
