Thread: Unable to retrieve security context from within Spring-Jersey

  1. #1
    Join Date
    Nov 2009
    Location
    UK
    Posts
    11

    Unable to retrieve security context from within Spring-Jersey

    Hello all,

    I am trying to retrieve a security context within my spring-jersey bean, however I keep getting Null authentication. When I run the same command from within my spring application it correctly retrieves the currently logged-in user's security context.

    The configuration of spring-jersey requires creating a separate servlet to the main spring application, thus the web.xml has two servlets - one for the spring app, a second for the jersey rest api.

    Assuming the problem is related to this, I tried setting the security context sharing mode to global, however I am still unable to get the context information from within Jersey.

    Code:
    SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_GLOBAL);
    Any help with this would be greatly appreciated!

    Many thanks,
    Nigel

  2. #2
    Join Date
    Jan 2008
    Posts
    1,834

    Are you authenticated to the Jersey portion? To authenticate you are most likely passing some sort of credentials in the request (i.e. username/password as basic authentication). My guess is that the web browser is maintaining a JSESSIONID cookie to keep you authenticated and the REST portion has no notion of this cookie.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal

  3. #3
    Join Date
    Nov 2009
    Location
    UK
    Posts
    11

    I can see your point about session cookies. I am able to retrieve session cookies from my Jersey code using @Context HttpServletRequest req, then retrieving the session from there. However, SecurityContextHolder is session independent from what I understand (?).

  4. #4
    Join Date
    Jan 2008
    Posts
    1,834

    You may want to read how the SecurityContextHolder is populated. By default it is held within session, so it is directly tied to the session. If you don't authenticate in some manner (i.e. providing a valid JSESSIONID cookie, basic auth credentials, etc) you cannot be authenticated.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal

  5. #5
    Join Date
    Nov 2009
    Location
    UK
    Posts
    11

    Thank you for the link.

    Interesting: it seems that while the SecurityContextHolder itself is stored in a ThreadLocal (see http://static.springsource.org/sprin...w.html#d0e1511), for authenticated users it's populated from the session attributes by Spring Security filters (src: http://stackoverflow.com/questions/3...omment-4003641).

    This clue helped solve the problem. Checking how my security filters were configured, I found this line in my Spring Security configuration:

    Code:
    <security:intercept-url pattern="/api/**" filters="none" />
    This line effectively disables all Spring Security filters; removing it fixed the problem.

    Many thanks for your help
    Last edited by NigelVT; Sep 24th, 2010 at 04:05 AM.
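
Added example (not part of the thread and not Spring tooling): a small audit script that scans a Spring Security XML config for paths that skip the filter chain, which is the setting that left the `SecurityContextHolder` empty for `/api/**` above. It also covers the `security="none"` form that replaced `filters="none"` in Spring Security 3.1+; the function name, the `STATIC_PREFIXES` heuristic and the sample config are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SEC_NS = "{http://www.springframework.org/schema/security}"
# Assumption: prefixes that usually serve only static files; tune per application.
STATIC_PREFIXES = ("/css/", "/js/", "/images/", "/static/")

# Constructed sample; only the /api/** line is taken from the thread.
SAMPLE_CONFIG = """
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:http auto-config="true">
    <security:intercept-url pattern="/css/**" filters="none" />
    <security:intercept-url pattern="/api/**" filters="none" />
    <security:intercept-url pattern="/**" access="ROLE_USER" />
  </security:http>
</beans>
"""

def find_filter_bypasses(xml_text):
    """Return (pattern, attribute, severity) for each path that skips the filter chain."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if not elem.tag.startswith(SEC_NS):
            continue  # ignore <beans> and other namespaces
        name = elem.tag[len(SEC_NS):]
        if name == "intercept-url" and elem.get("filters", "").strip().lower() == "none":
            attr = 'filters="none"'    # pre-3.1 form, as in the thread
        elif name == "http" and elem.get("security", "").strip().lower() == "none":
            attr = 'security="none"'   # replacement form in Spring Security 3.1+
        else:
            continue
        pattern = elem.get("pattern", "")
        # No filters means no authentication, no access checks and an empty
        # SecurityContextHolder, so anything beyond static files deserves review.
        static = pattern.startswith(STATIC_PREFIXES)
        findings.append((pattern, attr, "info" if static else "review"))
    return findings

if __name__ == "__main__":
    for pattern, attr, severity in find_filter_bypasses(SAMPLE_CONFIG):
        print(f"[{severity}] {pattern} uses {attr}: security filters are skipped")
```
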
