After login successfully, isUserInRole method of HttpServletRequest class is returning false. It was returning true prior to Spring Security version upgrade to 4.1.3.
spring-security-core-4.1.3, spring-security-web-4.1.3, and spring-security-config-4.1.3 jars are present in the class-path
Spring-Security.xml
...
<spring:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
</spring:bean>
<spring:bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter"/>
<spring:bean id="webExpressionVoter" class="org.springframework.security.web.access.expression.WebExpressionVoter" />
<spring:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<spring:constructor-arg>
<spring:list>
<spring:ref bean="roleVoter"/>
<spring:ref bean="authenticatedVoter"/>
<spring:ref bean="webExpressionVoter"/>
</spring:list>
</spring:constructor-arg>
</spring:bean>
<security:http access-decision-manager-ref="accessDecisionManager" use-expressions="true">
<security:intercept-url pattern="/login.jsp" access="hasAuthority('ROLE_ANONYMOUS')" />
<security:intercept-url pattern="/index*" access="hasAuthority('ROLE_USER')"/>
<security:form-login login-page="/login.jsp"
username-parameter="j_username"
password-parameter="j_password"
login-processing-url="/j_spring_security_check"
authentication-failure-url="/accessDenied.jsp" />
<security:logout invalidate-session="true" delete-cookies="JSESSIONID"/>
<security:csrf disabled="true"/>
</security:http>
<security:authentication-manager alias="secAuthManager">
<security:authentication-provider ref="securityProvider" />
</security:authentication-manager>
<spring:bean id="securityProvider" class="com.SecurityProvider"/>
...
class SecurityProvider
public class SecurityProvider implements AuthenticationProvider {
#Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
...
List<GrantedAuthority> grantedAuthorities = ...
return new UsernamePasswordAuthenticationToken(user, password, grantedAuthorities);
}
#Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
If I replaces 4.1.3 security jars with 3.2.9 version and remove <security:csrf disabled="true"/> from Spring-Security.xml then it works.
The issue got resolved after adding ROLE_ prefix for each GrantedAuthority in List<GrantedAuthority> grantedAuthorities.
Related
I have a problem of switchuser in spring. I am new for switchuser and not getting the right way to solve this.
Here is my code:
Spring-Security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <http pattern="/index" security='none' />
<http pattern="/passwordrecovery" security='none' />
<beans:bean id="customAuthenticationSuccessHandler" class="com.ds4u.project.handler.CustomAuthenticationSuccessHandler"/>
<http auto-config="true" use-expressions="true"
authentication-manager-ref="authenticationManager">
<headers>
<cache-control />
</headers>
<custom-filter position="SWITCH_USER_FILTER" ref="switchUserProcessingFilter" />
<!-- role based URL protection -->
<intercept-url pattern="/admin/**" access= "hasRole('ROLE_ADMIN','ROLE_PREVIOUS_ADMINISTRATOR')" />
<intercept-url pattern="/user/**" access= "hasAnyRole('ROLE_USER','ROLE_ADMIN','ROLE_POWER_USER','ROLE_PATIENT')" />
<intercept-url pattern="/patient/**" access= "hasAnyRole('ROLE_USER','ROLE_ADMIN','ROLE_POWER_USER','ROLE_PATIENT')" />
<intercept-url pattern="/welcome/**" access= "hasAnyRole('ROLE_ADMIN','ROLE_NEW_PATIENT')" />
<intercept-url pattern="/poweruser/power**" access= "hasAnyRole('ROLE_ADMIN','ROLE_POWER_USER','ROLE_PROVIDER')" />
<intercept-url pattern="/provider/**" access= "hasAnyRole('ROLE_ADMIN','ROLE_POWER_USER','ROLE_PROVIDER')" />
<intercept-url pattern="/switchUser" access="hasAnyRole('ADMIN', 'ROLE_PREVIOUS_ADMINISTRATOR')"/>
<!-- It will handle user login authentication -->
<form-login login-page="/login" authentication-success-handler-ref="customAuthenticationSuccessHandler"
authentication-failure-url="/loginerror"/>
<logout logout-success-url="/" logout-url="/jlogout" delete-cookies="JSESSIONID"/>
<!-- csrf prtoection configuration -->
<csrf disabled="true" />
<!-- unauthorized access handler -->
<access-denied-handler error-page="/accessdenied" />
</http>
<beans:bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
<beans:property name="userDetailsService" ref="com.ds4u.project.service.UserDetailServiceImpl"/>
<beans:property name="switchUserUrl" value="/admin/impersonate"/>
<beans:property name="targetUrl" value="/admin/adminProvider"/>
<beans:property name="switchFailureUrl" value="/admin/switchUser"/>
<beans:property name="successHandler" ref="authenticationManager" />
</beans:bean>
<authentication-manager id="authenticationManager">
<authentication-provider>
<password-encoder ref="encoder"/>
<jdbc-user-service data-source-ref="DatabaseName"
users-by-username-query="
select UserName,Password, IsEnable from user where UserName = ? and IsEnable in(1,4)"
authorities-by-username-query=" select u.username, ur.authority from user u,
authorities ur where u.authorityId = ur.id and u.username =? " />
</authentication-provider>
</authentication-manager>
<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="10" />
</beans:bean></beans:beans>
What will be the swithuserurl, targetUrl, switchFailureUrl, successHandler in switchuserprocessingfilter bean?
My Web.XML is.
<filter><filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter><filter-name>switchUserProcessingFilter</filter-name>
<filter-class>
org.springframework.security.web.authentication.switchuser.SwitchUserFilter
</filter-class>
</filter>
<filter-mapping><filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping><filter-name>switchUserProcessingFilter</filter-name>
<url-pattern>/"what can be put here?"</url-pattern>
</filter-mapping>
In web.xml what will be the filterMapping for switchUserProcessingFilter filter name?
My CustomAuthenticationSuccessHandler code is---
public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler{
private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
public void onAuthenticationSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication authentication) throws IOException,
ServletException {
HttpSession session = request.getSession();
/* Set some session variables */
User authUser = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
session.setAttribute("uname", authUser.getUsername());
session.setAttribute("auhtorities", authUser.getAuthorities());
/* Set target url to redirect */
String targetUrl = determineTargetUrl(authentication);
redirectStrategy.sendRedirect(request, response, targetUrl);
}
protected String determineTargetUrl(Authentication authentication){
Set<String> authorities = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
if(authorities.contains("ROLE_USER")){
return "/user/userhome";
}else if(authorities.contains("ROLE_ADMIN")){
return "/admin/home";
}else if(authorities.contains("ROLE_POWER_USER")){
return "/poweruser/poweruserhome";
}
else if(authorities.contains("ROLE_PATIENT")){
return "/patient/home";
}
else if(authorities.contains("ROLE_PROVIDER")){
return "/provider/home";
}
else if(authorities.contains("ROLE_NEW_PATIENT")){
return "/welcome/home";
}
return "accessdenial.do";
}
public RedirectStrategy getRedirectStrategy() {
return redirectStrategy;
}
public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
this.redirectStrategy = redirectStrategy;
}
}
What will be the code in userdetailsservice class as it reference in switchUserProcessingFilter bean in security xml?
When I was running this code then it gives me the error like:
Error creating bean with name
'org.springframework.security.filterChains': Cannot resolve reference
to bean
'org.springframework.security.web.DefaultSecurityFilterChain#2'
I copied SWITCHUSERFILTER from Google and somewhere but it is not processing and is giving errors.
I am currently working on a java based invoice app.
What I need is , to auth a user with multiple Roles, e.g Peter should have role ROLE_SETTING,ROLE_REPORT,ROLE_QUOTE, while Anne only has one role ROLE_SETTING etc...
Here is my spring-security-config.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<http auto-config="true">
<access-denied-handler error-page="/403page" />
<intercept-url pattern="/makebill*" access="ROLE_ADMIN,ROLE_MAKEBILL" />
<intercept-url pattern="/report*" access="ROLE_ADMIN,ROLE_REPORT" />
<intercept-url pattern="/stock*" access="ROLE_ADMIN,ROLE_STOCK" />
<intercept-url pattern="/customer*" access="ROLE_ADMIN,ROLE_CUSTOMER" />
<!-- <intercept-url pattern="/setting*" access="ROLE_ADMIN,ROLE_SETTING" /> -->
<intercept-url pattern="/mainmenu*" access="ROLE_ADMIN,ROLE_MAKEBILL,ROLE_SETTING,ROLE_CUSTOMER,ROLE_REPORT,ROLE_STOCK" />
<form-login
login-page='/login' username-parameter="username"
password-parameter="password" default-target-url="/mainmenu"
authentication-failure-url="/login?authfailed" />
<logout logout-success-url="/login?logout" />
</http>
<authentication-manager>
<authentication-provider>
<jdbc-user-service
data-source-ref="dataSource"
users-by-username-query="select username,password, enabled from person where username=?"
authorities-by-username-query="select username, role from person, role where username =? " />
</authentication-provider>
</authentication-manager>
</beans:beans>
the authentication-manager currently working fine with just one role, what i mean is...when the sql query authorities-by-username-query="select username, role from person, role where username =? " runs, if the returned value is just one role, e.g ROLE_REPORT, the application works fine, but if have a record in db like, ROLE_REPORT,ROLE_SETTING,ROLE_CUSTOMER , when the query retrieves this value, the application will return me 404 error, it seems I won't be able to grant a user with multiple roles.
Can anyone please point me out what I have done wrong.
Thanks.
I found a solution myself, implemented my own UserDetails, here are the code
#Service("assembler")
public class Assembler {
#Transactional(readOnly = true)
User buildUserFromUserEntity(Person person) {
String username = person.getUsername();
String password = person.getPassword();
boolean enabled = true;
List<SimpleGrantedAuthority> authorities = new ArrayList<SimpleGrantedAuthority>();
String[] authStrings = person.getRole().split(",");
for(String authString : authStrings) {
System.out.println("all auth roles: " + authString);
authorities.add(new SimpleGrantedAuthority(authString));
}
User user = new User(username, password, enabled,
true, true, true, authorities);
return user;
}
}
#Service("userDetailsService")
public class UserDetailsServiceImpl implements UserDetailsService {
#Autowired private PersonService personService;
#Autowired private Assembler assembler;
#Transactional(readOnly = true)
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException, DataAccessException {
UserDetails userDetails = null;
Person person = null;
List<Person> listPeople = personService.listPeople();
for (Person p: listPeople) {
if (p.getUsername().equals(username)) {
person = p;
}
}
if (person == null)
throw new UsernameNotFoundException("user not found");
return assembler.buildUserFromUserEntity(person);
}
}
and here is the spring-security-config.xml
<http auto-config="true">
<access-denied-handler error-page="/403page" />
<intercept-url pattern="/makebill*" access="ROLE_ADMIN,ROLE_MAKEBILL" />
<intercept-url pattern="/report*" access="ROLE_ADMIN,ROLE_REPORT" />
<intercept-url pattern="/stock*" access="ROLE_ADMIN,ROLE_STOCK" />
<intercept-url pattern="/customer*" access="ROLE_ADMIN,ROLE_CUSTOMER" />
<intercept-url pattern="/setting*" access="ROLE_ADMIN,ROLE_SETTING" />
<intercept-url pattern="/mainmenu*" access="ROLE_ADMIN,ROLE_MAKEBILL,ROLE_SETTING,ROLE_CUSTOMER,ROLE_REPORT,ROLE_STOCK" />
<form-login
login-page='/login' username-parameter="username"
password-parameter="password" default-target-url="/mainmenu"
authentication-failure-url="/login?authfailed" />
<logout logout-success-url="/login?logout" />
</http>
<beans:bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService"/>
</beans:bean>
<beans:bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<beans:property name="providers">
<beans:list>
<beans:ref local="daoAuthenticationProvider" />
</beans:list>
</beans:property>
</beans:bean>
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
</authentication-provider>
</authentication-manager>
I am now able to assign multiple roles to a single user perfectly.
Thanks for reading :)
How do I fire my method on authentication success?
I wanted to update my database column 'last login date'. Looked around on google but still can't understand how it should be done.
Here is my spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd"
xmlns:security="http://www.springframework.org/schema/security">
<beans:bean id="dataSource1" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<beans:property name="driverClassName" value="com.mysql.jdbc.Driver"/>
<beans:property name="url" value="jdbc:mysql://localhost:3306/myDB"/>
<beans:property name="username" value="root"/>
<beans:property name="password" value="root"/>
</beans:bean>
<!-- login page are exempted from security-->
<security:http pattern="/login" security="none"/>
<security:http auto-config="true">
<intercept-url pattern="/page1" access="ROLE_USER_ADMIN,ROLE_ADMIN,ROLE_PAGE1" />
<intercept-url pattern="/page2" access="ROLE_USER_ADMIN,ROLE_ADMIN,ROLE_PAGE2" />
<intercept-url pattern="/page3" access="ROLE_USER_ADMIN,ROLE_ADMIN,ROLE_PAGE3" />
<intercept-url pattern="/*" access="ROLE_USER_ADMIN,ROLE_ACCOUNT" /> <!--/** all url -->
<security:session-management>
<security:concurrency-control
max-sessions="2"
expired-url="/login" />
</security:session-management>
<!-- access deny for non privileged user -->
<access-denied-handler error-page="/access-denied" />
<!-- Logout -->
<logout logout-success-url="/login?logout" />
</security:http>
<beans:bean id="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<!-- After login, return to the last visited page -->
<beans:property name="useReferer" value="true" />
</beans:bean>
<beans:bean id="authenticationSuccessHandlerWithoutReferer" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<!-- After login, stay to the same page -->
<beans:property name="useReferer" value="false" />
</beans:bean>
<beans:bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"/>
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource1"
users-by-username-query="query-for-username-and-password"
authorities-by-username-query="query-for-username-enabled-authority" />
<password-encoder hash="md5"/>
</authentication-provider>
</authentication-manager>
I am new to Spring Security. Hope someone could help me out.
EDIT
#Component
public class MyAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
#Autowired
AppUserDAO appUserDAO;
#Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
String a = df.format(new Date());
System.out.println(authentication.getName()+"### "+a);
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
String username = auth.getPrincipal().toString();
appUserDAO.updateLastLoginAndIp(a, username);
}
}
You can override authenticationSuccessHandler with any custom implementation you wanted to perform. Here you want to update user login date or some other similar activities
public class CustomAuthenticationSuccessHandler extends
SavedRequestAwareAuthenticationSuccessHandler {
#Override
public void onAuthenticationSuccess(HttpServletRequest request,
HttpServletResponse response,
Authentication authentication) throws IOException,ServletException {
super.onAuthenticationSuccess(request, response, authentication);
//Now add your custom logic to update database
}
}
Now you need to update authenticationSuccessHandler confiuguration in xml file as shown below.
<beans:bean id="authenticationSuccessHandler" class="yourpackage.CustomAuthenticationSuccessHandler">
<beans:property name="useReferer" value="true" />
</beans:bean>
Optionally,
<beans:bean id="authenticationSuccessHandlerWithoutReferer" class="yourpackage.CustomAuthenticationSuccessHandler">
<beans:property name="useReferer" value="false" />
</beans:bean>
I trying to implement custom authorization based on spring security.
Here is the config.xml:
<global-method-security pre-post-annotations="enabled" />
<http use-expressions="true">
<form-login login-page="/wellcome/" login-processing-url="/login" default-target-url="/"
username-parameter="email" password-parameter="password" />
<remember-me key="skyhandling" token-validity-seconds="-1" />
<logout invalidate-session="true" logout-success-url="/" logout-url="/logout"/>
<intercept-url pattern="/administration/**" access="authenticated"/>
<intercept-url pattern="/wellcome/" access="permitAll"/>
<intercept-url pattern="/login" access="permitAll"/>
<intercept-url pattern="/css/**" access="permitAll"/>
<intercept-url pattern="/images/**" access="permitAll"/>
<intercept-url pattern="/javascript/**" access="permitAll"/>
</http>
<beans:bean id="authenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService"/>
</beans:bean>
<beans:bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<beans:property name="providers">
<beans:list>
<beans:ref local="authenticationProvider" />
</beans:list>
</beans:property>
</beans:bean>
<beans:bean class="com.test.service.UserDetailsExtendedService" id="userDetailsService" />
<beans:bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"
id="passwordEncoder" />
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
User details service:
#Service("userDetailsService")
#SuppressWarnings("deprecation")
public class UserDetailsExtendedService implements UserDetailsService {
#Autowired
private UsersDAO dao;
/**
*
* #param user
* #return
*/
private User prepare(com.test.User user) {
boolean enabled = user.getState().equals(UserState.Active);
Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
for (UserRole r: user.getRoles()) {
authorities.add(new GrantedAuthorityImpl(r.getName()));
}
return new UserDetailsExtended(user.getEmail(), user.getPassword(), user.getNickname(), enabled,
enabled, enabled, enabled, authorities);
}
/**
*
* #param email
* #return
*/
#Transactional(readOnly = true)
public User loadUserByUsername(final String email)
throws UsernameNotFoundException, DataAccessException {
com.test.User user = dao.getByEmail(email);
if (user == null)
throw new UsernameNotFoundException(email);
return prepare(user);
}
}
Everything works fine. But when I add
#Autowired
private UserDetailsExtendedService useDetailsService;
into Controller class the applicaton starts to fail with:
org.springframework.beans.factory.NoSuchBeanDefinitionException: No matching bean of type [com.test.service.UserDetailsExtendedService] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {#org.springframework.beans.factory.annotation.Autowired(required=true)}
What I missed? Thank you
UPD#1:
<context:annotation-config />
<context:component-scan base-package="com.test.service" />
<bean id="usersDao" class="com.test.dao.UsersDAO" />
<bean id="eventsLogDao" class="com.test.dao.EventsLogDAO" />
<bean id="employeesDao" class="com.test.dao.EmployeesDAO" />
<bean id="dictionariesDao" class="com.test.dao.DictionariesDAO" />
In your configuration you have a com.ejl.skyhandling.service.UserDetailsExtendedService but
in your bean you are trying to access com.test.service.UserDetailsExtendedService which is obviously another type.
Please check your imports.
Since you're qualifying #Service with value "userDetailsService" make sure the #Autowired is
#Autowired
private UserDetailsExtendedService userDetailsService;
You currently are missing the r in the variable name -> useDetailsService
I'm able to use the below to store a user in the SecurityContext and I get a valid Authentcation object (says im authenticated and has user_role attached) but then I still get routed to my /auth/login.html page. I stepped the code below and it is returning the "/registered/home.html" to JSF but for some reason when Spring applies the intercept rule to /registered/* it must see it as being an unauthenticated request. Any ideas?
#Named
#Scope("request")
public class SignUpDetail extends BaseAction{
#Inject
private SignUpDetailBean signUpDetailBean;
#Inject
private UserManager userManager;
#Inject #Named("am")
protected AuthenticationManager authenticationManager;
public String login(){
if(signUpDetailBean.getEmail() != null){
Users currentUser = userManager.getUser(signUpDetailBean.getEmail());
authenticateUserAndSetSession(currentUser, (HttpServletRequest) FacesUtils.getExternalContext().getRequest());
return "/registered/home.html";
}else{
return "/auth/login.html";
}
}
private void authenticateUserAndSetSession(Users user,
HttpServletRequest request)
{
UserDetails details = userManager.loadUserByUsername(user.getUsername());
UsernamePasswordAuthenticationToken usernameAndPassword =
new UsernamePasswordAuthenticationToken(
user.getUsername(), "pwd", details.getAuthorities());
// Authenticate, just to be sure
Authentication auth = authenticationManager.authenticate(usernameAndPassword);
// Place the new Authentication object in the security context.
SecurityContextHolder.getContext().setAuthentication(auth);
}
<context:annotation-config />
<context:component-scan base-package="dc" />
<global-method-security />
<http security="none" pattern="/javax.faces.resource/**" />
<http security="none" pattern="/services/rest-api/1.0/**" />
<http security="none" pattern="/preregistered/*" />
<http access-denied-page="/auth/denied.html">
<intercept-url
pattern="/**/*.xhtml"
access="ROLE_NONE_GETS_ACCESS" />
<intercept-url
pattern="/auth/**"
access="ROLE_ANONYMOUS,ROLE_USER" />
<intercept-url
pattern="/auth/*"
access="ROLE_ANONYMOUS" />
<intercept-url
pattern="/registered/*"
access="ROLE_USER" />
<intercept-url
pattern="/*"
access="ROLE_ANONYMOUS" />
<form-login
login-processing-url="/j_spring_security_check.html"
login-page="/auth/login.html"
default-target-url="/registered/home.html"
authentication-failure-url="/auth/login.html" />
<logout invalidate-session="true"
logout-success-url="/"
logout-url="/auth/logout.html"/>
<anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
<remember-me user-service-ref="userManager" key="dfdf"/>
</http>
<!-- Configure the authentication provider -->
<authentication-manager alias="am">
<authentication-provider user-service-ref="userManager">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
Store the context object in session since you have set that particular url http security to none
...
HttpSession session = request.getSession();
...
SecurityContext context = SecurityContextHolder.getContext();
context.setAuthentication(auth);
session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);