tags:

views:

90

answers:

2
Q: 

Unable to retrieve security context from within Spring-Jersey

Hello all,

I am trying to retrieve a security context within my spring-jersey bean, however I keep getting Null authentication. When I run the same command from within my spring application it correctly retrieves the current logged in users security context.

The configuration of spring-jersey requires creating a separate servlet to the main spring application, thus the web.xml has two servlet's - one for spring app, second for jersey rest api.

Assuming the problem is related to this, I tried setting the security context sharing mode to global, however I still unable to get the context information from within Jersey.

SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_GLOBAL)

Any help with this would be greatly appreciated!

Many thanks, Nigel

+1  A: 

Perhaps user is simply not authenticated, because your Jersey requests don't have a session cookie and therefore are not associated with the authenticated user's session?

You may check it by enabling anonymous authentication in Spring Security - you should get anonymous authentication instead of null if the guess is right.

axtavt  2010-09-23 15:53:11
I have anonymous authentication enabled, like you suggested, I would have expected the configured user to show up, but it doesn't in Jersey. However when I am not authenticated in my spring app, the configured user is show instead of null!I can see your point about session cookies, I am able to retrieve session cookies from my Jersey code using @Context HttpServletRequest req, then retrieving session from there. However SecurityContextHolder is session independent from what I understand (?).
Nigel_V_Thomas  2010-09-23 16:35:19
@Nigel: Yes, it's session independent, but for authenticated users it's populated from the session attributes by Spring Security filters. So, are you Jersey requests processed by the Spring Security filters?
axtavt  2010-09-23 16:41:42
Thank you for the comment. This clue helped solve my problem, checking how my security filters were configured, I found this line in my spring security configuration <pre> <security:intercept-url pattern="/api/**" filters="none" /> </pre>Removing this fixed the problem, which effectively disables all spring security filters! Many thanks for your help :)
Nigel_V_Thomas  2010-09-24 08:58:04
A: 

@axtavt Thank you for the comment. This clue helped solve my problem, checking how my security filters were configured, I found this line in my spring security configuration 

<security:intercept-url pattern="/api/**" filters="none" />

This line effectively disables all spring security filters, removing this fixed the problem.

Many thanks for your help :)

Nigel_V_Thomas  2010-09-24 09:01:37

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java