We are using Spring Boot 2.0.5 with JWT tokens.

SecurityContextHolder.getContext().getAuthentication().getPrincipal() returns a String (the username) instead of the CustomUserDetails object, which implements UserDetails, and it does so in the WAR file only.

This issue only replicates occasionally; most of the time the code works perfectly.

The filter below is the only custom filter we are using, and it is called after the FilterSecurityInterceptor filter.

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
    CustomHttpServletRequestWrapper request = new CustomHttpServletRequestWrapper((HttpServletRequest) req);
    if (request != null && request.getHeader("Authorization") != null && request.getHeader("Authorization").length() > 7) {
        // Fails intermittently with a ClassCastException: the principal is sometimes a String (the username)
        CustomUserDetails user = (CustomUserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    }
    chain.doFilter(request, res); // hand the request on down the filter chain
}

It should return the user details object.

  • Does this answer your question? [Spring security returns String as principal instead of UserDetails on failed login?](https://stackoverflow.com/questions/17453200/spring-security-returns-string-as-principal-instead-of-userdetails-on-failed-log) – Emile Nov 23 '19 at 23:38
  • It depends on the configuration. In our case we were using DefaultUserAuthenticationConverter in AuthorizationServerEndpointsConfigurer, and it relies on UserDetailsService for getting the UserDetails; if that is not set you will get a String, i.e. the username, instead of a UserDetails object. – madan Apr 24 '20 at 03:39
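Two pieces a practitioner would want next to this thread, as an added example that is not code from the question, the answers or Spring itself. The first class does what madan's comment describes: it gives DefaultUserAuthenticationConverter a UserDetailsService, so the principal rebuilt from the token's "user_name" claim is a UserDetails rather than a bare String. The second class replaces the question's blind cast with a type check that reloads the account when only a String username is present and skips anonymous authentications, so a mismatch is recorded instead of becoming a ClassCastException. Assumptions: spring-security-oauth2 is on the classpath (the comment's AuthorizationServerEndpointsConfigurer comes from it), a UserDetailsService bean exists that returns the question's CustomUserDetails, and the class names TokenConverterConfig and PrincipalResolvingFilter, the request attribute names and the signing key value are placeholders chosen here.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultUserAuthenticationConverter;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Fix at the source (hypothetical config class). Without a UserDetailsService,
 * DefaultUserAuthenticationConverter.extractAuthentication() copies the raw
 * "user_name" claim (a String) into the principal; with one, it loads the
 * account and the principal is a UserDetails.
 */
@Configuration
public class TokenConverterConfig {

    @Bean
    public JwtAccessTokenConverter accessTokenConverter(UserDetailsService userDetailsService) {
        DefaultUserAuthenticationConverter userConverter = new DefaultUserAuthenticationConverter();
        userConverter.setUserDetailsService(userDetailsService); // the missing call from the comment

        DefaultAccessTokenConverter tokenConverter = new DefaultAccessTokenConverter();
        tokenConverter.setUserTokenConverter(userConverter);

        JwtAccessTokenConverter jwtConverter = new JwtAccessTokenConverter();
        jwtConverter.setAccessTokenConverter(tokenConverter);
        jwtConverter.setSigningKey("PLACEHOLDER_SIGNING_KEY"); // placeholder: load the real key from configuration
        return jwtConverter;
    }
}

/**
 * Defence in depth (hypothetical filter): never blind-cast the principal.
 * Resolve it to a UserDetails when possible and let the request continue either way.
 */
class PrincipalResolvingFilter extends OncePerRequestFilter {

    private final UserDetailsService userDetailsService;

    PrincipalResolvingFilter(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            UserDetails user = resolvePrincipal(SecurityContextHolder.getContext().getAuthentication());
            if (user == null) {
                // Authenticated request whose principal could not be resolved: flag it for the
                // application's logging instead of failing with a ClassCastException.
                request.setAttribute("principalUnresolved", Boolean.TRUE); // placeholder attribute name
            } else {
                request.setAttribute("resolvedUser", user); // placeholder attribute name
            }
        }
        chain.doFilter(request, response); // always pass the request on
    }

    /** Returns the UserDetails behind the current Authentication, or null if none can be determined. */
    UserDetails resolvePrincipal(Authentication authentication) {
        if (authentication == null || !authentication.isAuthenticated()
                || authentication instanceof AnonymousAuthenticationToken) {
            return null; // no user behind this request; "anonymousUser" is a String but not an account
        }
        Object principal = authentication.getPrincipal();
        if (principal instanceof UserDetails) {
            return (UserDetails) principal; // the expected case: CustomUserDetails implements UserDetails
        }
        if (principal instanceof String) {
            // The case from the question: only the username survived token conversion.
            // Reload the account so downstream code still gets a full UserDetails.
            return userDetailsService.loadUserByUsername((String) principal);
        }
        return null;
    }
}
```

The same JwtAccessTokenConverter bean should back the token store the resource server reads from (for example `new JwtTokenStore(jwtConverter)`), otherwise the authorization server and the resource server rebuild the principal differently and the String shows up only on one side.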

2 Answers


Not enough information to provide you any answers; it would be good to know:

  • what instance is returned from SecurityContextHolder.getContext().getAuthentication()?
  • what is the list of security filters you have, and where is your custom one located?
  • when does this happen? you need to know the steps to reproduce it
Pianov
  • what instance is returned from SecurityContextHolder.getContext().getAuthentication()? ----- it returns SecurityContext. what is the list of security filters you have and where is your custom one located? ----- the custom security filter is the only filter, as mentioned above; it is executed after FilterSecurityInterceptor. when does this happen? you need to know the steps to reproduce it ----- whenever we try to call an authorized endpoint – user3315763 Apr 05 '19 at 11:23
  • re #1: SecurityContext comes from getContext(), but what instance of Authentication is it? – Pianov Apr 05 '19 at 15:41
  • re #2: can you share some logic from your custom filter? – Pianov Apr 05 '19 at 15:42

In our case, there were two beans with the same name, which was causing the issue.