We have an existing Spring MVC project running on the below stack:
Spring webmvc 5.3.20
Spring security 5.6.4
The Spring Security filter chain is configured as below in web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
We also have the below listener configured in web.xml:
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
Below is an extract from the Spring Security config XML:
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-5.6.xsd">
<security:http pattern="/pages/login/xxx.xhtml" security="none"/>
<security:http auto-config="true" use-expressions="true" authentication-manager-ref="userAuthenticationManager">
<security:intercept-url pattern="/pages/login/xxx.xhtml" access="permitAll" />
<security:intercept-url pattern="/pages/**" access="isAuthenticated()" />
<security:form-login........
<security:session-management.....
<security:logout......
<security:csrf disabled="true"/>
<security:headers disabled="true"/>
</security:http>
For converting to Spring Boot, I am using version 2.7.1, which pulls in Spring Security 5.7.2. I am trying to re-use the same Spring Security config XML in Spring Boot after changing the XSD version from 5.6 to 5.7.
@SpringBootApplication
@ImportResource("classpath:spring-security-config.xml")
ISSUE:
I get the below error while trying to access /pages/login/xxx.xhtml:
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:336)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:200)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:113)
As per the security config XML there are two entries mentioned for xxx.xhtml:
<security:http pattern="/pages/login/xxx.xhtml" security="none"/>
and
<security:intercept-url pattern="/pages/login/xxx.xhtml" access="permitAll" />
I am not sure why we have two entries in the first place, but this used to work fine in the Spring MVC version. When I remove the first entry (with security="none"), it works fine.
Could anyone please help advise why there is this difference in behavior between the MVC and Boot versions? Also, is there any valid reason why both entries may be needed?
Regards
Jacob
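For reference, the Java-config equivalent of the two XML entries on Spring Boot 2.7 / Spring Security 5.7 is given below as an added example (not the poster's code): the `security="none"` element maps to `WebSecurity.ignoring()`, which removes the path from every security filter, while `permitAll` keeps the path inside the chain and only skips the authorization check. It assumes the `userAuthenticationManager` bean referenced by the XML is defined elsewhere, and the form-login, session-management and logout settings that are elided in the question are left at their defaults.

```java
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class WebSecurityConfig {

    // Equivalent of <security:http pattern="/pages/login/xxx.xhtml" security="none"/>.
    // The path is taken out of the security filter chain entirely: no session
    // management, security headers, CSRF or logout handling ever runs for it.
    @Bean
    public WebSecurityCustomizer ignoreLoginPage() {
        return web -> web.ignoring().antMatchers("/pages/login/xxx.xhtml");
    }

    // Equivalent of the second <security:http ...> element. With permitAll the
    // request still passes through the full chain, but the authorization check
    // admits unauthenticated callers for that one path.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
            @Qualifier("userAuthenticationManager") AuthenticationManager authenticationManager)
            throws Exception {
        http
            // authentication-manager-ref="userAuthenticationManager"
            .authenticationManager(authenticationManager)
            .authorizeRequests(authz -> authz
                .antMatchers("/pages/login/xxx.xhtml").permitAll()
                .antMatchers("/pages/**").authenticated())
            // Assumption: the elided form-login/session-management/logout details
            // are not shown in the question, so defaults are used here.
            .formLogin(Customizer.withDefaults())
            .sessionManagement(Customizer.withDefaults())
            .logout(Customizer.withDefaults())
            // <security:csrf disabled="true"/> and <security:headers disabled="true"/>
            .csrf(csrf -> csrf.disable())
            .headers(headers -> headers.disable());
        return http.build();
    }
}
```

Because an ignored path bypasses every security filter, keeping only the `permitAll` rule in the main chain is the safer of the two entries when the page must be reachable without a login.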