
I want to use method level security on my GWT application. I'm trying to use Spring Security 3.1, as I found a working example here, but it doesn't use form-login. After reading this answer the first method call successfully obtains the SecurityContext, but then clears it before the next call:

[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@6fe9f089: Authentication: org.example.MyAppName.server.auth.MyAppNameUserAuthentication@6fe9f089'
...
[org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor] - Authorization successful
...
[org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
...
[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
[org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
...
[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - HttpSession returned null object for SPRING_SECURITY_CONTEXT

The second call happens straight after the first and just after the user logs in.

Is it because I followed the other answer and removed <http pattern="/MyAppName/**" security="none" /> and added <intercept-url pattern="/MyAppName/**" access="permitAll()" />?

My filters are as follows:

<http pattern="/favicon.ico" security="none" />

<http access-decision-manager-ref="accessDecisionManager" use-expressions="true" auto-config="false" entry-point-ref="LoginUrlAuthenticationEntryPoint">
  <form-login login-page="/Login.html" always-use-default-target="true" default-target-url="/Main.html?gwt.codesvr=127.0.0.1:9997" />
  <intercept-url pattern="/Login.html" access="permitAll()" />
  <intercept-url pattern="/Login2.html" access="permitAll()" />
  <intercept-url pattern="/MyAppName/**" access="permitAll()" />
  <intercept-url pattern="/**" access="isAuthenticated()" />
  <logout delete-cookies="JSESSIONID" logout-success-url="/Login.html" />
  <remember-me token-validity-seconds="86400" key="key" user-service-ref="userDetailsService" />
</http>

Following the example I obtained I use AspectJ for the global method security, but would not use it if I could get that working:

<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" mode="aspectj" proxy-target-class="true" >
  <expression-handler ref="expressionHandler"/>
</global-method-security>

Thank you for taking the time to read this

Please let me know if more detail is needed.

WhiteKnight
  • I think you need to trim it way more down to something manageable, not many will bother reading and wading through all that text to try to figure out what the problem might be. – Lasse V. Karlsen Jul 11 '11 at 22:18
  • Thank you for your comment. I've tried to remove the logs of 2 of the 3 successful calls, as they were probably redundant. – WhiteKnight Jul 12 '11 at 07:49

1 Answer


This problem has been solved.

The last part of the solution was to remove the request to make SecurityContextHolder global.

If you are having the same problem you might find this post helpful.

WhiteKnight
  • How did you actually solve the problem? I'm having the same problem. I went through the link but it didn't help. – Tiny May 23 '13 at 22:35
  • @Tiny While trying to get two factor authentication working, I'd set SecurityContextHolder to be global, so removing that fixed the problem for me, but there may have been many things causing the problem. Also I didn't hear back from Luke on why that would have caused the problem that I experienced. – WhiteKnight May 26 '13 at 14:41
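
What a global SecurityContextHolder strategy means for two overlapping requests, as an added example that is not code from the question or the answer: with MODE_GLOBAL every thread shares one SecurityContext, so the clear that ends one request also removes the Authentication another request is still using, while MODE_THREADLOCAL keeps them separate. The class name HolderStrategyDemo, the helper survivingAuth and the user "alice" are hypothetical; the code assumes spring-security-core is on the classpath and Java 8 or later.

```java
import java.util.concurrent.CountDownLatch;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class HolderStrategyDemo {

    // Returns the Authentication that "request A" still sees after "request B" has ended.
    static Authentication survivingAuth(String strategyName) throws InterruptedException {
        SecurityContextHolder.setStrategyName(strategyName);
        final CountDownLatch aAuthenticated = new CountDownLatch(1);
        final CountDownLatch bFinished = new CountDownLatch(1);
        final Authentication[] seenByA = new Authentication[1];

        Thread requestA = new Thread(() -> {
            // Constructed sample user standing in for a logged-in session.
            SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken("alice", "n/a",
                    AuthorityUtils.createAuthorityList("ROLE_USER")));
            aAuthenticated.countDown();
            try { bFinished.await(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
            // A is still mid-request here; read what the holder gives it now.
            seenByA[0] = SecurityContextHolder.getContext().getAuthentication();
            SecurityContextHolder.clearContext();
        });

        Thread requestB = new Thread(() -> {
            try { aAuthenticated.await(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
            // End of B's request: the step SecurityContextPersistenceFilter logs as
            // "SecurityContextHolder now cleared, as request processing completed".
            SecurityContextHolder.clearContext();
            bFinished.countDown();
        });

        requestA.start();
        requestB.start();
        requestA.join();
        requestB.join();
        return seenByA[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("MODE_GLOBAL:      " + survivingAuth(SecurityContextHolder.MODE_GLOBAL));
        System.out.println("MODE_THREADLOCAL: " + survivingAuth(SecurityContextHolder.MODE_THREADLOCAL));
    }
}
```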