Develop Reference

Spring security: authentication context available from controller but not from service layer

I am adding authentication to my Spring MVC HTTP API.
I have setup a trivial authentication: the X-AUTH-TOKEN HTTP header contains the username.
I am using #PreAuthorize to do security checks.
Everything works when security is implemented at the controller layer.
However, when I try to add #PreAuthorize(...) at the service layer,
it fails with AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext.
It's like the security context is lost when calling the service.
The TokenAuthentication.kt file contains the whole auth process:
class TokenAuthentication(
private val user: User,
private val token: String,
): Authentication {
override fun getName(): String = user.id
override fun getAuthorities(): MutableCollection<out GrantedAuthority> = mutableListOf()
override fun getCredentials(): Any = token
override fun getDetails(): Any = user
override fun getPrincipal(): Any = user.id
override fun isAuthenticated(): Boolean = true
override fun setAuthenticated(isAuthenticated: Boolean) {
}
}
class TokenAuthenticationFilter(
private val userService: UserService,
): OncePerRequestFilter() {
private fun getAuthentication(request: HttpServletRequest): Authentication? {
val auth = request.getHeader("X-AUTH-TOKEN") ?: return null
val user: User
try {
user = userService.get(auth)
} catch (_: NoSuchElementException) {
return null
}
return TokenAuthentication(user, auth)
}
override fun doFilterInternal(
request: HttpServletRequest,
response: HttpServletResponse,
filterChain: FilterChain,
) {
val auth = getAuthentication(request)
println("AUTHENTICATED WITH USER: ${auth?.name}")
SecurityContextHolder.getContext().authentication = auth
filterChain.doFilter(request, response)
SecurityContextHolder.getContext().authentication = null
}
}
The Configuration.kt configures Spring security to enable #PreAuthorize:
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(
prePostEnabled = true,
securedEnabled = true,
jsr250Enabled = true,
)
class WebSecurityConfiguration(
private val userService: UserService,
): WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity?) {
if (http == null)
return
SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL)
http
.addFilterBefore(
TokenAuthenticationFilter(userService),
UsernamePasswordAuthenticationFilter::class.java,
)
}
}
The SecurityContextHolder.setStrategyName(...) is a failed attempt to solve my problem.
Working code (#PreAuthorize at controller layer):
#RestController
#RequestMapping("/users")
class UserController(
private val userMapper: UserMapper,
private val userService: UserService,
...
) {
#GetMapping("/{uid}")
#PreAuthorize("authentication.name == #uid")
fun getUser(#PathVariable uid: String): ResponseEntity<UserDto> =
ResponseEntity.ok(userMapper.toDto(userService.get(uid)))
}
Non-working code (#PreAuthorize at service layer):
#Service
class UserService(private val repository: UserRepository) {
#PreAuthorize("authentication.name == #id")
fun get(id: String): User {
println("USER SERVICE THREAD: ${Thread.currentThread().getId()}")
println("Security: ${SecurityContextHolder.getContext()}")
println("Security: ${SecurityContextHolder.getContext().authentication}")
println("Security: ${SecurityContextHolder.getContext().authentication?.name}")
return repository.findByIdOrNull(id)
?: throw NoSuchElementException("user not found: $id")
}
}
How do I make it so #PreAuthorize works from the service layer?
Thank you
Logs when #PreAuthorize is at the controller layer:
2022-08-03 10:48:04.084 INFO 12179 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
2022-08-03 10:48:04.085 INFO 12179 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2022-08-03 10:48:04.085 DEBUG 12179 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Detected StandardServletMultipartResolver
2022-08-03 10:48:04.085 DEBUG 12179 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Detected AcceptHeaderLocaleResolver
2022-08-03 10:48:04.085 DEBUG 12179 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Detected FixedThemeResolver
2022-08-03 10:48:04.090 DEBUG 12179 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Detected org.springframework.web.servlet.view.DefaultRequestToViewNameTranslator#7bd3e67d
2022-08-03 10:48:04.093 DEBUG 12179 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Detected org.springframework.web.servlet.support.SessionFlashMapManager#ddffdcd
2022-08-03 10:48:04.094 DEBUG 12179 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : enableLoggingRequestDetails='true': request parameters and headers will be shown which may lead to unsafe logging of potentially sensitive data
2022-08-03 10:48:04.094 INFO 12179 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 9 ms
2022-08-03 10:48:04.141 DEBUG 12179 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Securing GET /users/foo
2022-08-03 10:48:04.149 DEBUG 12179 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : Retrieved SecurityContextImpl [Null authentication]
2022-08-03 10:48:04.157 DEBUG 12179 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
USER SERVICE THREAD: 117
Security: SecurityContextImpl [Null authentication]
Security: null
Security: null
2022-08-03 10:48:04.256 DEBUG 12179 --- [nio-8080-exec-1] o.s.orm.jpa.JpaTransactionManager : Creating new transaction with name [org.springframework.data.jpa.repository.support.SimpleJpaRepository.findById]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly
2022-08-03 10:48:04.257 DEBUG 12179 --- [nio-8080-exec-1] o.s.orm.jpa.JpaTransactionManager : Opened new EntityManager [SessionImpl(2065262541<open>)] for JPA transaction
2022-08-03 10:48:04.268 DEBUG 12179 --- [nio-8080-exec-1] o.s.jdbc.datasource.DataSourceUtils : Setting JDBC Connection [HikariProxyConnection#1452472521 wrapping org.mariadb.jdbc.MariaDbConnection#2c090939] read-only
2022-08-03 10:48:04.276 DEBUG 12179 --- [nio-8080-exec-1] o.s.orm.jpa.JpaTransactionManager : Exposing JPA transaction as JDBC [org.springframework.orm.jpa.vendor.HibernateJpaDialect$HibernateConnectionHandle#4acfeef6]
2022-08-03 10:48:04.469 DEBUG 12179 --- [nio-8080-exec-1] o.s.orm.jpa.JpaTransactionManager : Initiating transaction commit
2022-08-03 10:48:04.470 DEBUG 12179 --- [nio-8080-exec-1] o.s.orm.jpa.JpaTransactionManager : Committing JPA transaction on EntityManager [SessionImpl(2065262541<open>)]
2022-08-03 10:48:04.475 DEBUG 12179 --- [nio-8080-exec-1] o.s.jdbc.datasource.DataSourceUtils : Resetting read-only flag of JDBC Connection [HikariProxyConnection#1452472521 wrapping org.mariadb.jdbc.MariaDbConnection#2c090939]
2022-08-03 10:48:04.476 DEBUG 12179 --- [nio-8080-exec-1] o.s.orm.jpa.JpaTransactionManager : Closing JPA EntityManager [SessionImpl(2065262541<open>)] after transaction
AUTHENTICATED WITH USER: foo
THREAD ID: 117
2022-08-03 10:48:04.494 DEBUG 12179 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Secured GET /users/foo
2022-08-03 10:48:04.508 DEBUG 12179 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : GET "/users/foo", parameters={}
2022-08-03 10:48:04.545 DEBUG 12179 --- [nio-8080-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.foo.controller.UserController#getUser(String)
2022-08-03 10:48:04.549 DEBUG 12179 --- [nio-8080-exec-1] o.j.s.OpenEntityManagerInViewInterceptor : Opening JPA EntityManager in OpenEntityManagerInViewInterceptor
2022-08-03 10:48:04.660 DEBUG 12179 --- [nio-8080-exec-1] o.s.s.a.i.a.MethodSecurityInterceptor : Authorized ReflectiveMethodInvocation: public org.springframework.http.ResponseEntity org.foo.controller.UserController.getUser(java.lang.String); target is of class [org.foo.controller.UserController] with attributes [[authorize: 'authentication.name == #uid', filter: 'null', filterTarget: 'null']]
USER SERVICE THREAD: 117
Security: SecurityContextImpl [Authentication=org.foo.security.TokenAuthentication#342a2d68]
Security: org.foo.security.TokenAuthentication#342a2d68
Security: foo
2022-08-03 10:48:04.671 DEBUG 12179 --- [nio-8080-exec-1] o.s.orm.jpa.JpaTransactionManager : Found thread-bound EntityManager [SessionImpl(1531969803<open>)] for JPA transaction
2022-08-03 10:48:04.671 DEBUG 12179 --- [nio-8080-exec-1] o.s.orm.jpa.JpaTransactionManager : Creating new transaction with name [org.springframework.data.jpa.repository.support.SimpleJpaRepository.findById]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly
2022-08-03 10:48:04.671 DEBUG 12179 --- [nio-8080-exec-1] o.s.jdbc.datasource.DataSourceUtils : Setting JDBC Connection [HikariProxyConnection#977246828 wrapping org.mariadb.jdbc.MariaDbConnection#2c090939] read-only
2022-08-03 10:48:04.671 DEBUG 12179 --- [nio-8080-exec-1] o.s.orm.jpa.JpaTransactionManager : Exposing JPA transaction as JDBC [org.springframework.orm.jpa.vendor.HibernateJpaDialect$HibernateConnectionHandle#5f1bb12e]
2022-08-03 10:48:04.674 DEBUG 12179 --- [nio-8080-exec-1] o.s.orm.jpa.JpaTransactionManager : Initiating transaction commit
2022-08-03 10:48:04.675 DEBUG 12179 --- [nio-8080-exec-1] o.s.orm.jpa.JpaTransactionManager : Committing JPA transaction on EntityManager [SessionImpl(1531969803<open>)]
2022-08-03 10:48:04.677 DEBUG 12179 --- [nio-8080-exec-1] o.s.jdbc.datasource.DataSourceUtils : Resetting read-only flag of JDBC Connection [HikariProxyConnection#977246828 wrapping org.mariadb.jdbc.MariaDbConnection#2c090939]
2022-08-03 10:48:04.677 DEBUG 12179 --- [nio-8080-exec-1] o.s.orm.jpa.JpaTransactionManager : Not closing pre-bound JPA EntityManager after transaction
2022-08-03 10:48:04.762 DEBUG 12179 --- [nio-8080-exec-1] o.s.w.s.m.m.a.HttpEntityMethodProcessor : Using 'application/json', given [*/*] and supported [application/json, application/*+json, application/json, application/*+json]
2022-08-03 10:48:04.774 DEBUG 12179 --- [nio-8080-exec-1] o.s.w.s.m.m.a.HttpEntityMethodProcessor : Writing [UserDto(id=foo, mail=foo#example.com)]
2022-08-03 10:48:04.797 DEBUG 12179 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : Stored SecurityContextImpl [Authentication=org.foo.security.TokenAuthentication#342a2d68] to HttpSession [org.apache.catalina.session.StandardSessionFacade#4643bb4]
2022-08-03 10:48:04.801 DEBUG 12179 --- [nio-8080-exec-1] o.j.s.OpenEntityManagerInViewInterceptor : Closing JPA EntityManager in OpenEntityManagerInViewInterceptor
2022-08-03 10:48:04.802 DEBUG 12179 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Completed 200 OK
2022-08-03 10:48:04.803 DEBUG 12179 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2022-08-03 10:48:04.803 DEBUG 12179 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
Logs when #PreAuthorize is at the service layer:
2022-08-03 10:35:44.242 INFO 11476 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
2022-08-03 10:35:44.243 INFO 11476 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2022-08-03 10:35:44.244 DEBUG 11476 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Detected StandardServletMultipartResolver
2022-08-03 10:35:44.245 DEBUG 11476 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Detected AcceptHeaderLocaleResolver
2022-08-03 10:35:44.245 DEBUG 11476 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Detected FixedThemeResolver
2022-08-03 10:35:44.253 DEBUG 11476 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Detected org.springframework.web.servlet.view.DefaultRequestToViewNameTranslator#689e0f14
2022-08-03 10:35:44.255 DEBUG 11476 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Detected org.springframework.web.servlet.support.SessionFlashMapManager#3ad0d92
2022-08-03 10:35:44.255 DEBUG 11476 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : enableLoggingRequestDetails='true': request parameters and headers will be shown which may lead to unsafe logging of potentially sensitive data
2022-08-03 10:35:44.255 INFO 11476 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 11 ms
2022-08-03 10:35:44.293 DEBUG 11476 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Securing GET /users/foo
2022-08-03 10:35:44.307 DEBUG 11476 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : Retrieved SecurityContextImpl [Null authentication]
2022-08-03 10:35:44.311 DEBUG 11476 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-08-03 10:35:44.330 DEBUG 11476 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2022-08-03 10:35:44.330 DEBUG 11476 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2022-08-03 10:35:44.345 ERROR 11476 --- [nio-8080-exec-1] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:336) ~[spring-security-core-5.6.3.jar:5.6.3]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:200) ~[spring-security-core-5.6.3.jar:5.6.3]
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:58) ~[spring-security-core-5.6.3.jar:5.6.3]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.19.jar:5.3.19]
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:763) ~[spring-aop-5.3.19.jar:5.3.19]
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:708) ~[spring-aop-5.3.19.jar:5.3.19]
at org.foo.service.UserService$$EnhancerBySpringCGLIB$$15f563de.get(<generated>) ~[main/:na]
at org.foo.security.TokenAuthenticationFilter.getAuthentication(TokenAuthentication.kt:50) ~[main/:na]
at org.foo.security.TokenAuthenticationFilter.doFilterInternal(TokenAuthentication.kt:63) ~[main/:na]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.19.jar:5.3.19]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.3.jar:5.6.3]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:103) ~[spring-security-web-5.6.3.jar:5.6.3]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:89) ~[spring-security-web-5.6.3.jar:5.6.3]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.3.jar:5.6.3]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) ~[spring-security-web-5.6.3.jar:5.6.3]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.19.jar:5.3.19]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.3.jar:5.6.3]
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-5.6.3.jar:5.6.3]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-5.6.3.jar:5.6.3]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.19.jar:5.3.19]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.3.jar:5.6.3]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110) ~[spring-security-web-5.6.3.jar:5.6.3]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80) ~[spring-security-web-5.6.3.jar:5.6.3]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.3.jar:5.6.3]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55) ~[spring-security-web-5.6.3.jar:5.6.3]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.19.jar:5.3.19]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.3.jar:5.6.3]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:211) ~[spring-security-web-5.6.3.jar:5.6.3]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183) ~[spring-security-web-5.6.3.jar:5.6.3]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354) ~[spring-web-5.3.19.jar:5.3.19]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) ~[spring-web-5.3.19.jar:5.3.19]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.3.19.jar:5.3.19]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.19.jar:5.3.19]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.3.19.jar:5.3.19]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.19.jar:5.3.19]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.3.19.jar:5.3.19]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.19.jar:5.3.19]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at java.base/java.lang.Thread.run(Thread.java:829) ~[na:na]
2022-08-03 10:35:44.357 DEBUG 11476 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Securing GET /error
2022-08-03 10:35:44.358 DEBUG 11476 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : Retrieved SecurityContextImpl [Null authentication]
2022-08-03 10:35:44.358 DEBUG 11476 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-08-03 10:35:44.367 DEBUG 11476 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2022-08-03 10:35:44.370 DEBUG 11476 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Secured GET /error
2022-08-03 10:35:44.377 DEBUG 11476 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : "ERROR" dispatch for GET "/error", parameters={}
2022-08-03 10:35:44.412 DEBUG 11476 --- [nio-8080-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2022-08-03 10:35:44.414 DEBUG 11476 --- [nio-8080-exec-1] o.j.s.OpenEntityManagerInViewInterceptor : Opening JPA EntityManager in OpenEntityManagerInViewInterceptor
2022-08-03 10:35:44.508 DEBUG 11476 --- [nio-8080-exec-1] o.s.w.s.m.m.a.HttpEntityMethodProcessor : Using 'application/json', given [*/*] and supported [application/json, application/*+json, application/json, application/*+json]
2022-08-03 10:35:44.511 DEBUG 11476 --- [nio-8080-exec-1] o.s.w.s.m.m.a.HttpEntityMethodProcessor : Writing [{timestamp=Wed Aug 03 10:35:44 CEST 2022, status=500, error=Internal Server Error, trace=org.springf (truncated)...]
2022-08-03 10:35:44.751 DEBUG 11476 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : Did not store anonymous SecurityContext
2022-08-03 10:35:44.764 DEBUG 11476 --- [nio-8080-exec-1] o.j.s.OpenEntityManagerInViewInterceptor : Closing JPA EntityManager in OpenEntityManagerInViewInterceptor
2022-08-03 10:35:44.766 DEBUG 11476 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Exiting from "ERROR" dispatch, status 500
2022-08-03 10:35:44.773 DEBUG 11476 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : Did not store anonymous SecurityContext
2022-08-03 10:35:44.773 DEBUG 11476 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request

Spring Security applying HttpSecurity filter before building user principal

I have a springboot application that is using Keycloak to handle JWT authentication. If I use #PreAuthorize on my controller method, everything works as expected, but the URL antMatcher pattern based HttpSecurity is not. From what I can tell, Spring is applying the security filter BEFORE building the user principal. In the logs, I see it testing against Anonymous, even though a valid Bearer token was passed, and I'm able to see the AuthenticationPrincipal inside the controller method.
Basically, HttpSecurity is running its rules against Anonymous, even though later a valid Principal is created and can be used by #PreAuthorize checks.
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
#Autowired
public void configureGlobal(
AuthenticationManagerBuilder auth) throws Exception {
KeycloakAuthenticationProvider keycloakAuthenticationProvider
= keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(
new SimpleAuthorityMapper());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
#Bean
public KeycloakConfigResolver KeycloakConfigResolver() {
return new KeycloakConfigResolver() {
#Override
public KeycloakDeployment resolve(HttpFacade.Request request) {
KeycloakDeployment deployment = null;
AdapterConfig adapterConfig = new AdapterConfig();
adapterConfig.setAuthServerUrl(System.getProperty("keycloak.auth-server-url"));
adapterConfig.setRealm(System.getProperty("keycloak.realm"));
adapterConfig.setResource(System.getProperty("keycloak.resource"));
// adapterConfig.setUseResourceRoleMappings(true);
adapterConfig.setSslRequired("external");
adapterConfig.setPublicClient(true);
deployment = KeycloakDeploymentBuilder.build(adapterConfig);
return deployment;
}
};
}
#Bean
#Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new RegisterSessionAuthenticationStrategy(
new SessionRegistryImpl());
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().configurationSource(request -> new CorsConfiguration().applyPermitDefaultValues())
.and().csrf().disable()
.authorizeRequests()
.antMatchers("/api/public/*").permitAll()
.antMatchers("/api/admin/*").hasRole("admin")
.antMatchers("/api/*").authenticated()
;
}
}
The spring security logs look like
2020-11-28 10:00:45.659 DEBUG 25655 --- [nio-8180-exec-1] o.s.security.web.FilterChainProxy : /api/admin/condition at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2020-11-28 10:00:45.659 DEBUG 25655 --- [nio-8180-exec-1] o.s.security.web.FilterChainProxy : /api/admin/condition at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2020-11-28 10:00:45.660 DEBUG 25655 --- [nio-8180-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2020-11-28 10:00:45.660 DEBUG 25655 --- [nio-8180-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2020-11-28 10:00:45.662 DEBUG 25655 --- [nio-8180-exec-1] o.s.security.web.FilterChainProxy : /api/admin/medical-condition at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2020-11-28 10:00:45.663 DEBUG 25655 --- [nio-8180-exec-1] o.s.security.web.FilterChainProxy : /api/admin/medical-condition at position 4 of 11 in additional filter chain; firing Filter: 'CorsFilter'
2020-11-28 10:00:45.664 DEBUG 25655 --- [nio-8180-exec-1] o.s.security.web.FilterChainProxy : /api/admin/medical-condition at position 5 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2020-11-28 10:00:45.664 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
2020-11-28 10:00:45.664 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /api/admin/condition' doesn't match 'GET /logout'
2020-11-28 10:00:45.664 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
2020-11-28 10:00:45.664 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/admin/condition'; against '/logout'
2020-11-28 10:00:45.664 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
2020-11-28 10:00:45.664 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /api/admin/condition' doesn't match 'PUT /logout'
2020-11-28 10:00:45.664 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
2020-11-28 10:00:45.665 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /api/admin/condition' doesn't match 'DELETE /logout'
2020-11-28 10:00:45.665 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2020-11-28 10:00:45.665 DEBUG 25655 --- [nio-8180-exec-1] o.s.security.web.FilterChainProxy : /api/admin/condition at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2020-11-28 10:00:45.665 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.w.s.HttpSessionRequestCache : saved request doesn't match
2020-11-28 10:00:45.665 DEBUG 25655 --- [nio-8180-exec-1] o.s.security.web.FilterChainProxy : /api/admin/condition at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2020-11-28 10:00:45.666 DEBUG 25655 --- [nio-8180-exec-1] o.s.security.web.FilterChainProxy : /api/admin/condition at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2020-11-28 10:00:45.667 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#2aa3a4a: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2020-11-28 10:00:45.667 DEBUG 25655 --- [nio-8180-exec-1] o.s.security.web.FilterChainProxy : /api/admin/medical-condition at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2020-11-28 10:00:45.668 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.w.session.SessionManagementFilter : Requested session ID 8C6524CDA3CD92F69B885542B2E5DF1C is invalid.
2020-11-28 10:00:45.668 DEBUG 25655 --- [nio-8180-exec-1] o.s.security.web.FilterChainProxy : /api/admin/condition at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2020-11-28 10:00:45.668 DEBUG 25655 --- [nio-8180-exec-1] o.s.security.web.FilterChainProxy : /api/admin/condition at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2020-11-28 10:00:45.669 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/admin/condition'; against '/api/public/*'
2020-11-28 10:00:45.669 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/admin/condition'; against '/api/admin/*'
2020-11-28 10:00:45.669 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/admin/condition; Attributes: [hasRole('ROLE_admin')]
2020-11-28 10:00:45.669 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#2aa3a4a: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2020-11-28 10:00:45.673 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#4e7d07d7, returned: -1
2020-11-28 10:00:45.679 DEBUG 25655 --- [nio-8180-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point

Before you configure your own specific configuration, you need to call the Keycloak-configuration
#Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http); // <----
http.... //
}

The configure method needs to called first and better option user principal would be to add an interceptor rather than filters..and please add super.configure(http);
Thanks!

Spring Boot 2 + Spring Security + Login Form + Session Redis not working

I'm trying to use Spring Boot 2 + Spring Security + Session Redis but for some reason after login the page is redirect to / but got access denied then page is back to login, anyone knows how to solve that please?
Following piece of code.
Security Config
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers(WHITELIST).permitAll()
.anyRequest().hasRole("ADMIN")
.and()
.formLogin()
.and()
.logout();
}
Spring Boot Config
spring:
application:
name: eureka-server
session:
store-type: redis
Stacktrace
2019-09-29 18:43:23.578 INFO 29922 --- [nio-8761-exec-2] Spring Security Debugger :
2019-09-30 21:27:15.053 DEBUG 28916 --- [nio-8761-exec-3] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=2019-09-30T20:27:15.051Z, principal=admin#gmail.com, type=AUTHENTICATION_SUCCESS, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null}]
2019-09-30 21:27:15.054 DEBUG 28916 --- [nio-8761-exec-3] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy#4910afdf
2019-09-30 21:27:15.055 DEBUG 28916 --- [nio-8761-exec-3] o.s.s.w.h.S.SESSION_LOGGER : No session found by id: Caching result for getSession(false) for this HttpServletRequest.
2019-09-30 21:27:15.055 DEBUG 28916 --- [nio-8761-exec-3] w.a.UsernamePasswordAuthenticationFilter : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#4893c999: Principal: Authentication(id=5d8d299d42eba40001932c0f, email=admin#gmail.com, password={bcrypt}$2a$10$DNbJo.ktPvjiVbsZdKEmDeC27R3y4RW/XZ1WsCSjPNmEmIf9JozNi, fullName=Admin dos Santos, enabled=true, authorities=[Authority(role=ROLE_ADMIN)]); Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: Authority(role=ROLE_ADMIN)
2019-09-30 21:27:15.057 DEBUG 28916 --- [nio-8761-exec-3] o.s.s.w.h.S.SESSION_LOGGER : No session found by id: Caching result for getSession(false) for this HttpServletRequest.
2019-09-30 21:27:15.057 DEBUG 28916 --- [nio-8761-exec-3] RequestAwareAuthenticationSuccessHandler : Using default Url: /
2019-09-30 21:27:15.057 DEBUG 28916 --- [nio-8761-exec-3] o.s.s.web.DefaultRedirectStrategy : Redirecting to '/'
2019-09-30 21:27:15.057 DEBUG 28916 --- [nio-8761-exec-3] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#2f60713f
2019-09-30 21:27:15.058 DEBUG 28916 --- [nio-8761-exec-3] o.s.s.w.h.S.SESSION_LOGGER : No session found by id: Caching result for getSession(false) for this HttpServletRequest.
2019-09-30 21:27:15.058 DEBUG 28916 --- [nio-8761-exec-3] w.c.HttpSessionSecurityContextRepository : HttpSession being created as SecurityContext is non-default
2019-09-30 21:27:15.058 DEBUG 28916 --- [nio-8761-exec-3] o.s.s.w.h.S.SESSION_LOGGER : No session found by id: Caching result for getSession(false) for this HttpServletRequest.
2019-09-30 21:27:15.058 DEBUG 28916 --- [nio-8761-exec-3] o.s.s.w.h.S.SESSION_LOGGER : No session found by id: Caching result for getSession(false) for this HttpServletRequest.
2019-09-30 21:27:15.059 DEBUG 28916 --- [nio-8761-exec-3] o.s.s.w.h.S.SESSION_LOGGER : A new session was created. To help you troubleshoot where the session was created we provided a StackTrace (this is not an error). You can prevent this from appearing by disabling DEBUG logging for org.springframework.session.web.http.SessionRepositoryFilter.SESSION_LOGGER
************************************************************
Request received for GET '/':
org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper#fc73db7
servletPath:/
pathInfo:null
headers:
host: localhost:8761
connection: keep-alive
cache-control: max-age=0
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
sec-fetch-mode: navigate
sec-fetch-user: ?1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site: same-origin
referer: http://localhost:8761/login
accept-encoding: gzip, deflate, br
accept-language: en-IE,en;q=0.9,pt-BR;q=0.8,pt;q=0.7,en-US;q=0.6
cookie: io=udDSi_WRWSnc1P5rAAAB; JSESSIONID=711725AFFC0C8C60E5A099A72EF2F420
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
UsernamePasswordAuthenticationFilter
DefaultLoginPageGeneratingFilter
DefaultLogoutPageGeneratingFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
2019-09-29 18:43:23.579 DEBUG 29922 --- [nio-8761-exec-2] o.s.security.web.FilterChainProxy : / at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2019-09-29 18:43:23.579 DEBUG 29922 --- [nio-8761-exec-2] o.s.security.web.FilterChainProxy : / at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-09-29 18:43:23.580 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.h.S.SESSION_LOGGER : No session found by id: Caching result for getSession(false) for this HttpServletRequest.
2019-09-29 18:43:23.580 DEBUG 29922 --- [nio-8761-exec-2] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2019-09-29 18:43:23.580 DEBUG 29922 --- [nio-8761-exec-2] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2019-09-29 18:43:23.580 DEBUG 29922 --- [nio-8761-exec-2] o.s.security.web.FilterChainProxy : / at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2019-09-29 18:43:23.580 DEBUG 29922 --- [nio-8761-exec-2] o.s.security.web.FilterChainProxy : / at position 4 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2019-09-29 18:43:23.580 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
2019-09-29 18:43:23.580 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/logout'
2019-09-29 18:43:23.580 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
2019-09-29 18:43:23.580 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /' doesn't match 'POST /logout'
2019-09-29 18:43:23.580 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
2019-09-29 18:43:23.580 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /' doesn't match 'PUT /logout'
2019-09-29 18:43:23.580 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
2019-09-29 18:43:23.581 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /' doesn't match 'DELETE /logout'
2019-09-29 18:43:23.581 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2019-09-29 18:43:23.581 DEBUG 29922 --- [nio-8761-exec-2] o.s.security.web.FilterChainProxy : / at position 5 of 13 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2019-09-29 18:43:23.581 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /' doesn't match 'POST /login'
2019-09-29 18:43:23.581 DEBUG 29922 --- [nio-8761-exec-2] o.s.security.web.FilterChainProxy : / at position 6 of 13 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
2019-09-29 18:43:23.581 DEBUG 29922 --- [nio-8761-exec-2] o.s.security.web.FilterChainProxy : / at position 7 of 13 in additional filter chain; firing Filter: 'DefaultLogoutPageGeneratingFilter'
2019-09-29 18:43:23.581 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/logout'
2019-09-29 18:43:23.581 DEBUG 29922 --- [nio-8761-exec-2] o.s.security.web.FilterChainProxy : / at position 8 of 13 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2019-09-29 18:43:23.581 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.h.S.SESSION_LOGGER : No session found by id: Caching result for getSession(false) for this HttpServletRequest.
2019-09-29 18:43:23.581 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.s.HttpSessionRequestCache : saved request doesn't match
2019-09-29 18:43:23.582 DEBUG 29922 --- [nio-8761-exec-2] o.s.security.web.FilterChainProxy : / at position 9 of 13 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2019-09-29 18:43:23.583 DEBUG 29922 --- [nio-8761-exec-2] o.s.security.web.FilterChainProxy : / at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2019-09-29 18:43:23.583 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.h.S.SESSION_LOGGER : No session found by id: Caching result for getSession(false) for this HttpServletRequest.
2019-09-29 18:43:23.583 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#8360265a: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2019-09-29 18:43:23.583 DEBUG 29922 --- [nio-8761-exec-2] o.s.security.web.FilterChainProxy : / at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-09-29 18:43:23.583 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.h.S.SESSION_LOGGER : No session found by id: Caching result for getSession(false) for this HttpServletRequest.
2019-09-29 18:43:23.583 DEBUG 29922 --- [nio-8761-exec-2] o.s.security.web.FilterChainProxy : / at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-09-29 18:43:23.583 DEBUG 29922 --- [nio-8761-exec-2] o.s.security.web.FilterChainProxy : / at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-09-29 18:43:23.584 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/eureka/apps/**'
2019-09-29 18:43:23.584 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/logout'
2019-09-29 18:43:23.584 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/actuator/**'
2019-09-29 18:43:23.584 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/v1/agent/self'
2019-09-29 18:43:23.584 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/eureka/peerreplication/batch/**'
2019-09-29 18:43:23.584 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/v1/catalog/services'
2019-09-29 18:43:23.584 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/v1/catalog/service/**'
2019-09-29 18:43:23.584 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/**/*.js'
2019-09-29 18:43:23.584 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/**/*.css'
2019-09-29 18:43:23.584 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/**/*.html'
2019-09-29 18:43:23.584 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/favicon.ico'
2019-09-29 18:43:23.584 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /; Attributes: [hasRole('ROLE_ADMIN')]
2019-09-29 18:43:23.584 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#8360265a: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2019-09-29 18:43:23.586 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#5a1e2d1b, returned: -1
2019-09-29 18:43:23.587 DEBUG 29922 --- [nio-8761-exec-2] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=2019-09-29T17:43:23.586Z, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null, type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]
2019-09-29 18:43:23.588 DEBUG 29922 --- [nio-8761-exec-2] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
pom.xml
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-data-redis</artifactId>
</dependency>
<dependency>
<groupId>io.lettuce</groupId>
<artifactId>lettuce-core</artifactId>
</dependency>
I've tried to follow example of documentation but got same issue - https://docs.spring.io/spring-session/docs/current/reference/html5/guides/boot-redis.html
PS: Using Docker

Fixed the issue adding a Custom CookieSerializer.
#Bean
public CookieSerializer cookieSerializer() {
DefaultCookieSerializer serializer = new DefaultCookieSerializer();
serializer.setCookieName("SESSIONID");
serializer.setCookiePath("/");
serializer.setDomainNamePattern("^.+?\\.(\\w+\\.[a-z]+)$");
return serializer;
}

Swagger2 ui not accessbile

I am using Swagger in a Spring boot application,
I somehow can access most of Swagger's endpoints such as /v2/api-docs, /swagger-resources but I can't figure out why /swagger-ui.html is not accessible.
I am using these dependencies:
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger2</artifactId>
</dependency>
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger-ui</artifactId>
</dependency>
here is my Swagger Config class:
#Configuration
#EnableSwagger2
public class SwaggerConfig {
#Bean
public Docket api() {
return new Docket(DocumentationType.SWAGGER_2)
.select()
.apis(RequestHandlerSelectors.basePackage("app.controllers"))
.paths(PathSelectors.any())
.build();
}
}
Here is the interesting part of the log:
2017-12-27 14:12:09.896 DEBUG 10212 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /springfox/swagger-ui.html at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2017-12-27 14:12:09.896 DEBUG 10212 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /springfox/swagger-ui.html at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/springfox/swagger-ui.html'; against '/'
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/springfox/swagger-ui.html'; against '/v2/api-docs'
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/springfox/swagger-ui.html'; against '/configuration/ui'
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/springfox/swagger-ui.html'; against '/swagger-resources'
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/springfox/swagger-ui.html'; against '/configuration/security'
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/springfox/swagger-ui.html'; against '/swagger-ui.html'
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/springfox/swagger-ui.html'; against '/webjars/**'
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /springfox/swagger-ui.html' doesn't match 'POST /login
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /springfox/swagger-ui.html; Attributes: [authenticated]
2017-12-27 14:12:09.897 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#8f3b828e: Principal: 0001; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_ADMIN, ROLE_USER
2017-12-27 14:12:09.903 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#45d0a23, returned: 1
2017-12-27 14:12:09.903 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2017-12-27 14:12:09.903 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2017-12-27 14:12:09.903 DEBUG 10212 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /springfox/swagger-ui.html reached end of additional filter chain; proceeding with original chain
2017-12-27 14:12:09.904 DEBUG 10212 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : DispatcherServlet with name 'dispatcherServlet' processing GET request for [/springfox/swagger-ui.html]
2017-12-27 14:12:09.906 DEBUG 10212 --- [nio-8080-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Looking up handler method for path /springfox/swagger-ui.html
2017-12-27 14:12:09.919 DEBUG 10212 --- [nio-8080-exec-1] .m.m.a.ExceptionHandlerExceptionResolver : Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'GET' not supported
2017-12-27 14:12:09.920 DEBUG 10212 --- [nio-8080-exec-1] .w.s.m.a.ResponseStatusExceptionResolver : Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'GET' not supported
2017-12-27 14:12:09.920 DEBUG 10212 --- [nio-8080-exec-1] .w.s.m.s.DefaultHandlerExceptionResolver : Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'GET' not supported
2017-12-27 14:12:09.920 WARN 10212 --- [nio-8080-exec-1] o.s.web.servlet.PageNotFound : Request method 'GET' not supported
2017-12-27 14:12:09.921 DEBUG 10212 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : SecurityContext 'org.springframework.security.core.context.SecurityContextImpl#8f3b828e: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#8f3b828e: Principal: 0001; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_ADMIN, ROLE_USER' stored to HttpSession: 'org.apache.catalina.session.StandardSessionFacade#3bcccd7c
2017-12-27 14:12:09.921 DEBUG 10212 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
2017-12-27 14:12:09.921 DEBUG 10212 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Successfully completed request
2017-12-27 14:12:09.922 DEBUG 10212 --- [nio-8080-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'delegatingApplicationListener'
2017-12-27 14:12:09.923 DEBUG 10212 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2017-12-27 14:12:09.923 DEBUG 10212 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2017-12-27 14:12:09.923 DEBUG 10212 --- [nio-8080-exec-1] o.s.b.w.f.OrderedRequestContextFilter : Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade#203209de
2017-12-27 14:12:09.923 DEBUG 10212 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost] : Processing ErrorPage[errorCode=0, location=/error]
2017-12-27 14:12:09.928 DEBUG 10212 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : DispatcherServlet with name 'dispatcherServlet' processing GET request for [/error]
2017-12-27 14:12:09.928 DEBUG 10212 --- [nio-8080-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Looking up handler method for path /error
2017-12-27 14:12:09.930 DEBUG 10212 --- [nio-8080-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Returning handler method [public org.springframework.http.ResponseEntity io.xhub.secusid.exception.SecusidErrorHandler.error(javax.servlet.http.HttpServletRequest)]
2017-12-27 14:12:09.930 DEBUG 10212 --- [nio-8080-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'secusidErrorHandler'
2017-12-27 14:12:09.930 DEBUG 10212 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Last-Modified value for [/error] is: -1
2017-12-27 14:12:09.943 DEBUG 10212 --- [nio-8080-exec-1] i.x.s.exception.SecusidErrorHandler : Request method 'GET' not supported
org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'GET' not supported

Try adding a class like this
#Configuration
public class WebMvcConfiguration extends WebMvcConfigurationSupport {
#Override
public void addResourceHandlers(final ResourceHandlerRegistry registry) {
// Make Swagger meta-data available via <baseURL>/v2/api-docs/
registry.addResourceHandler("/webjars/**").addResourceLocations("classpath:/META-INF/resources/webjars/");
// Make Swagger UI available via <baseURL>/swagger-ui.html
registry.addResourceHandler("/**").addResourceLocations("classpath:/META-INF/resources/");
}
}

Spring SAML Access is denied after one minute

I've implemented SAML2 authentication in webapplication.
Everything works fine at the beginning. User logins and can use application but after one minute he gets 401 and whole page reloads.
It
What can be the reason ? It's connected to SAML ticket NotOnOrAfter atribute ?
How can i fix this issue and disable this reload and reauthentication ?
In logs I can see:
7:13:55.271 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7]
o.s.s.w.a.i.FilterSecurityInterceptor : Secure object:
FilterInvocation: URL: /sw.js; Attributes: [authenticated] 2017-02-11
17:13:55.271 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7]
o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated:
org.springframework.security.authentication.AnonymousAuthenticationToken#9055e4a6:
Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated:
true; Details:
org.springframework.security.web.authentication.WebAuthenticationDetails#957e:
RemoteIpAddress: 127.0.0.1; SessionId:
3A25B5C297F7BCF47C70ACA09D03EEC6; Granted Authorities: ROLE_ANONYMOUS
2017-02-11 17:13:55.271 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-7] o.s.s.access.vote.AffirmativeBased
: Voter:
org.springframework.security.web.access.expression.WebExpressionVoter#4e54fa5d,
returned: -1 2017-02-11 17:13:55.271 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-7] o.s.s.w.a.ExceptionTranslationFilter
: Access is denied (user is anonymous); redirecting to authentication
entry point
org.springframework.security.access.AccessDeniedException: Access is
denied at
org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
at
org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
at
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)
at
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:115)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.security.saml.SAMLLogoutProcessingFilter.processLogout(SAMLLogoutProcessingFilter.java:206)
at
org.springframework.security.saml.SAMLLogoutProcessingFilter.doFilter(SAMLLogoutProcessingFilter.java:104)
2017-02-11 17:13:55.291 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-7] o.s.s.w.s.HttpSessionRequestCache
: DefaultSavedRequest added to Session:
DefaultSavedRequest[https://somesite/saml/SSO/sw.js] 2017-02-11
17:13:55.291 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7]
o.s.s.w.a.ExceptionTranslationFilter : Calling Authentication
entry point. 2017-02-11 17:13:55.306 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-7]
o.s.s.s.context.SAMLContextProviderImpl : No IDP specified, using
default MINEIDP 2017-02-11 17:13:55.307 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-7] o.s.security.saml.util.SAMLUtil
: Index for AssertionConsumerService not specified, returning default
2017-02-11 17:13:55.308 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-7] o.s.security.saml.SAMLEntryPoint
: Processing SSO using WebSSO profile 2017-02-11 17:13:55.308 DEBUG
29368 --- [http-nio-127.0.0.1-5814-exec-7]
o.s.s.saml.websso.WebSSOProfileImpl : Using default consumer
service with binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2017-02-11 17:13:55.308 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-7] o.s.security.saml.util.SLF4JLogChute
: ResourceManager : found /templates/saml2-post-binding.vm with loader
org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
2017-02-11 17:13:55.308 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-7] o.s.security.saml.util.SLF4JLogChute
: ResourceManager : found /templates/add-html-head-content.vm with
loader
org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
2017-02-11 17:13:55.308 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-7] o.s.security.saml.util.SLF4JLogChute
: ResourceManager : found /templates/add-html-body-content.vm with
loader
org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
2017-02-11 17:13:55.308 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-7]
o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header
since it did not match the requestMatcher
org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#66d6b7bc
2017-02-11 17:13:55.308 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-7]
w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or
contents are anonymous - context will not be stored in HttpSession.
2017-02-11 17:13:55.308 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-7] o.s.s.saml.storage.HttpSessionStorage
: Storing message a2h65aag15ccg2d837386cch748e34h to session
3A25B5C297F7BCF47C70ACA09D03EEC6 2017-02-11 17:13:55.308 INFO 29368
--- [http-nio-127.0.0.1-5814-exec-7] o.s.security.saml.log.SAMLDefaultLogger :
AuthNRequest;SUCCESS;127.0.0.1;https://somesite.. 2017-02-11
17:13:55.308 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7]
s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now
cleared, as request processing completed 2017-02-11 17:13:55.308 DEBUG
29368 --- [http-nio-127.0.0.1-5814-exec-7]
o.s.b.w.f.OrderedRequestContextFilter : Cleared thread-bound
request context: org.apache.catalina.connector.RequestFacade#7bfe8944
2017-02-11 17:13:56.527 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-3] o.s.b.w.f.OrderedRequestContextFilter
: Bound request context to thread:
org.apache.catalina.connector.RequestFacade#7bfe8944 2017-02-11
17:13:56.527 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3]
o.s.security.web.FilterChainProxy : /saml/SSO at position 1 of
16 in additional filter chain; firing Filter:
'WebAsyncManagerIntegrationFilter' 2017-02-11 17:13:56.527 DEBUG 29368
--- [http-nio-127.0.0.1-5814-exec-3] o.s.security.web.FilterChainProxy : /saml/SSO at position 2 of 16 in additional filter chain; firing
Filter: 'SecurityContextPersistenceFilter' 2017-02-11 17:13:56.527
DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3]
w.c.HttpSessionSecurityContextRepository : HttpSession returned null
object for SPRING_SECURITY_CONTEXT 2017-02-11 17:13:56.527 DEBUG 29368
--- [http-nio-127.0.0.1-5814-exec-3] w.c.HttpSessionSecurityContextRepository : No SecurityContext was
available from the HttpSession:
org.apache.catalina.session.StandardSessionFacade#491a27d7. A new one
will be created. 2017-02-11 17:13:56.527 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-3] o.s.security.web.FilterChainProxy
: /saml/SSO at position 3 of 16 in additional filter chain; firing
Filter: 'HeaderWriterFilter' 2017-02-11 17:13:56.527 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-3] o.s.security.web.FilterChainProxy
: /saml/SSO at position 4 of 16 in additional filter chain; firing
Filter: 'SAMLLogoutFilter' 2017-02-11 17:13:56.527 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-3] o.s.security.web.FilterChainProxy
: /saml/SSO at position 5 of 16 in additional filter chain; firing
Filter: 'MetadataGeneratorFilter' 2017-02-11 17:13:56.527 DEBUG 29368
--- [http-nio-127.0.0.1-5814-exec-3] o.s.security.web.FilterChainProxy : /saml/SSO at position 6 of 16 in additional filter chain; firing
Filter: 'MetadataDisplayFilter' 2017-02-11 17:13:56.542 DEBUG 29368
--- [http-nio-127.0.0.1-5814-exec-3] o.s.security.web.FilterChainProxy : /saml/SSO at position 7 of 16 in additional filter chain; firing
Filter: 'XhrSamlEntryPoint' 2017-02-11 17:13:56.542 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-3] o.s.security.web.FilterChainProxy
: /saml/SSO at position 8 of 16 in additional filter chain; firing
Filter: 'SAMLProcessingFilter' 2017-02-11 17:13:56.542 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-3]
o.s.security.saml.SAMLProcessingFilter : Request is to process
authentication 2017-02-11 17:13:56.542 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-3]
o.s.security.saml.SAMLProcessingFilter : Attempting SAML2
authentication using profile
urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser 2017-02-11
17:13:56.542 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3]
o.s.s.saml.processor.SAMLProcessorImpl : Retrieving message using
binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST 2017-02-11
17:13:56.558 INFO 29368 --- [http-nio-127.0.0.1-5814-exec-3]
colMessageXMLSignatureSecurityPolicyRule : SAML protocol message was
not signed, skipping XML signature processing 2017-02-11 17:13:56.558
DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3]
o.s.security.saml.util.SAMLUtil : Found endpoint
org.opensaml.saml2.metadata.impl.AssertionConsumerServiceImpl#5e73661d
for request URL https://somesite/saml/SSO based on location attribute
in metadata 2017-02-11 17:13:56.558 DEBUG 29368 ---
[http-nio-127.0.0.1-5814-exec-3] o.s.s.authentication.ProviderManager
: Authentication attempt using
org.springframework.security.saml.SAMLAuthenticationProvider
2017-02-11 17:13:56.558 INFO 29368 ---
[http-nio-127.0.0.1-5814-exec-3]
c.p.k.s.CustomWebSSOProfileConsumerImpl : Signature vaildation
omitted. 2017-02-11 17:13:56.558 INFO 29368 ---
[http-nio-127.0.0.1-5814-exec-3]
o.s.security.saml.log.SAMLDefaultLogger :
AuthNResponse;SUCCESS;127.0.0.1;https://somesite;;

this Showed me the way. The reason was that in saml token there was 'NotOnOrAfter' attribute. In 'SAMLAuthenticationProvider' method 'authenticate' was creating 'ExpiringUsernameAuthenticationToken' which validity is based upon 'NotOnOrAfter'. What i did was to override 'getExpirationDate' method and extended token validity to expected time.