Spring Security Invalid CSRF token found - spring

I have an Angular front end with Spring MVC + Spring Security backend and I'm getting the following error in my log:
DEBUG csrf.CsrfFilter Invalid CSRF token found for https://localhost:8443/rest/logout
To set up Spring Security with Angular I followed the Spring Boot tutorial below and made it fit to my application, which is already written in Spring MVC and Spring Security not Spring Boot: https://spring.io/guides/tutorials/spring-security-and-angular-js/
Here's the relevant files:
web.xml
<web-app version="3.1"
xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
<!-- Log4j configuration loading -->
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/classes/log4j.xml</param-value>
</context-param>
<!-- Bootstrapping context loading -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/gravytrack-servlet.xml
/WEB-INF/gravytrack-services.xml
/WEB-INF/gravytrack-security.xml
</param-value>
</context-param>
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>gravytrack.root</param-value>
</context-param>
<!-- session management listener -->
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<session-config>
<!-- session times out if no activities for 30 minutes -->
<session-timeout>30</session-timeout>
</session-config>
<servlet>
<servlet-name>gravytrack</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>gravytrack</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<!--<servlet-mapping>-->
<!--<servlet-name>gravytrack</servlet-name>-->
<!--<url-pattern>*.*</url-pattern>-->
<!--</servlet-mapping>-->
<!-- Security entry point -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/rest/*</url-pattern>
</filter-mapping>
<error-page>
<error-code>404</error-code>
<location>/404.html</location>
</error-page>
<welcome-file-list>
<welcome-file>
index.html
</welcome-file>
</welcome-file-list>
</web-app>
gravytrack-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<global-method-security pre-post-annotations="enabled"
secured-annotations="enabled"/>
<http auto-config="false" use-expressions="true">
<intercept-url pattern="/rest/**" requires-channel="https"/>
<access-denied-handler error-page="/"/>
<http-basic entry-point-ref="gtBasicAuthenticationEntryPoint"/>
<custom-filter ref="csrfHeaderFilter" after="CSRF_FILTER"/>
<csrf token-repository-ref="csrfTokenRepository" />
<logout logout-url="/rest/logout" logout-success-url="/rest/login?logout" invalidate-session="true" delete-cookies="JSESSIONID"/>
</http>
<beans:bean id="csrfTokenRepository" class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository">
<beans:property name="headerName" value="X-XSRF-TOKEN" />
</beans:bean>
<beans:bean class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" id="passwordEncoder" />
<authentication-manager alias="authenticationManager">
<authentication-provider>
<!--<password-encoder ref="passwordEncoder"/>-->
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT EMAIL as USERNAME, PASSWORD, ENABLED FROM USER_ACCOUNT WHERE EMAIL = ?"
authorities-by-username-query="SELECT EMAIL as USERNAME, AUTHORITY FROM USER_AUTHORITY WHERE EMAIL = ?"/>
<!--<user-service>-->
<!--<user name="admin#admin.com" password="admin" authorities="ROLE_USER"/>-->
<!--</user-service>-->
</authentication-provider>
</authentication-manager>
</beans:beans>
CsrfHeaderFilter.java
#Service("csrfHeaderFilter")
public class CsrfHeaderFilter extends OncePerRequestFilter {
#Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
if (csrf != null) {
Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
String token = csrf.getToken();
if (cookie==null || token!=null && !token.equals(cookie.getValue())) {
cookie = new Cookie("XSRF-TOKEN", token);
cookie.setPath("/rest");
response.addCookie(cookie);
}
}
filterChain.doFilter(request, response);
}
}
I when I make a http post call to /rest/logout I receive a 403 Forbidden error in the browser along with the CSRF error in the log that I posted above.
If I host my Angular app as static content on the dispatcher servlet and (in the web.xml) change the url pattern from /rest/* to / along with the Spring Security entry point to /* then it works. The CSRF token passes through the filter fine and nothing goes wrong.
This makes me believe that by changing dispatcher servlet url pattern and the security entry point to /rest/* it messes with the CSRF cookies in some way but I don't know how.
Any help would be greatly appreciated.

I have also faced that "Invalid CSRF token found" error in Spring.
It was strange for me because host and port was not changed in my requests (only paths).
I'll try to debug the reason some day, meanwhile this temporary disabling of csrf can help you, be aware it may reduce security of your app:
protected void configure(HttpSecurity http) throws Exception {
http.
// ............
.csrf().disable();
}

Related

Spring 4.2.1 RestController tried to return template instead return JSON

I tried to create a Spring Rest Controller, based on this example i create a controller like this.
DeveloperRestController.java
#RestController
public class DeveloperRestController {
#RequestMapping("/developer/list")
public Developer index() {
Developer developer = new Developer("Developername", "developer#yahoo.com");
return developer;
}
}
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>
org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<filter>
<filter-name>sitemesh</filter-name>
<filter-class>org.sitemesh.config.ConfigurableSiteMeshFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>sitemesh</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener> <!--Here we specify about the DispatcherServlet class in the Web Deployment Descriptor-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/dispatcher-servlet.xml</param-value>
</context-param>
</web-app>
dispatcher-servlet.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=" http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.2.xsd">
<context:component-scan base-package="com.developerdata.controller" />
<context:annotation-config />
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/jsp/" />
<property name="suffix" value=".jsp" />
</bean>
</beans>
But it shows 404 page not found, seems that spring tried to load a template...
Result:
Error 404 /WEB-INF/jsp/developer/list.jsp
what should i do?
Seems like you have a configuration issue. The sample you are basing yours on is spring boot based. So it handles the configuration for you. To get yours working you will need to add jackson to the classpath. If you are using maven then:
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.6.2</version>
</dependency>
Then you need to alter your spring config to include:
<mvc:annotation-driven />
From the spring documentation:
The above registers a RequestMappingHandlerMapping, a
RequestMappingHandlerAdapter, and an ExceptionHandlerExceptionResolver
(among others) in support of processing requests with annotated
controller methods using annotations such as #RequestMapping,
#ExceptionHandler, and others.
This also then enables the MappingJackson2HttpMessageConverter if jackson 2 is in your classpath.
References:
http://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/#mvc-config-enable
https://spring.io/guides/gs/rest-service/
http://www.mkyong.com/spring-mvc/spring-3-mvc-and-json-example/ (This one seems more appropriate for you to get started based on your problem)
With #ResponseBody, Spring will handle the JSON you need. Jackson
library is required too.
#RestController
public class DeveloperRestController {
#RequestMapping("/developer/list")
public #ResponseBody Developer index() {
Developer developer = new Developer("Developername", "developer#yahoo.com");
return developer;
}
}

Cann't call authenticate method of spring security for login REST service

I want to check username and password in authenticationProvider but dont know why i cann't get call to authenticate method. I am implementing REST login service through spring security. my web.xml is
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>WEB-INF/applicationContext.xml
WEB-INF/spring-security.xml</param-value>
</context-param>
<!-- Spring Security Filter -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<servlet>
<servlet-name>jersey-serlvet</servlet-name>
<servlet-class>
com.sun.jersey.spi.spring.container.servlet.SpringServlet
</servlet-class>
<init-param>
<param-name>
com.sun.jersey.config.property.packages
</param-name>
<param-value>com.zymr.ojo.action</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>jersey-serlvet</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>jsp/login.jsp</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
and spring-security.xml is as below...
<context:component-scan base-package="com.zymr.ojo" />
<security:global-method-security pre-post-annotations="enabled" secured- annotations="enabled" />
<!-- Security configuration for REST services. -->
<security:http use-expressions="true" entry-point-ref="restEntryPoint" create- session="always">
<!-- <security:http-basic/> -->
<security:intercept-url pattern="/rest/question/**" access="isAuthenticated()"/>
<!-- <security:intercept-url pattern="/rest/login/userLogin" access="permitAll"/> -->
<security:form-login login-processing-url="/rest/login/userLogin" username-parameter="admin" password-parameter="password"/>
</security:http>
<!-- Authentication manager. -->
<security:authentication-manager >
<security:authentication-provider user-service-ref="authProvider" >
</security:authentication-provider>
</security:authentication-manager>
<!-- Entry point for REST service. -->
<bean id="restEntryPoint" class="com.zymr.ojo.security.RestAuthenticationEntryPoint" />
<!-- A handler for successful REST service authentication. -->
<bean id="authSuccessHandler" class="com.zymr.ojo.security.RestAuthenticationSuccessHandler"></bean>
<bean id="authProvider" class="com.zymr.ojo.security.RestAuthenticationProvider" ></bean>
and RESTAuthenticationProvider class is
#Component public class
RestAuthenticationProvider implements AuthenticationProvider,
UserDetailsService{
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
System.out.println("in authProvider");
String username = authentication.getName();
String password = (String) authentication.getCredentials();
if(username != null && password != null){
System.out.println(username+ " "+ password);
}
return null;
}
public boolean supports(Class<?> authentication) {
// TODO Auto-generated method stub
return false;
}
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException {
System.out.println(username);
return null;
}
}
The problem is with the supports(..) method that always returns false. Your entry point should provide the user a way to populate an instance of Authentication and this will be given to the authenticate method if the supports method returns true.
Please refer to the following link. This link specified adding UsernamePasswordAuthenticationFilter. I tried this but it is not calling the login.html form.
http://www.networkedassets.com/configuring-spring-security-for-a-restful-web-services/

Creating secure pages in Spring

I am creating a website using Spring and want all pages under the folder "/admin" to be secure. However don't really know where to start and only have one complicated example to go on.
At work, we store the details in a database but I was hoping it could be more simple than that, maybe stored in context.xml or something? I am confronted with this page:
web.xml:
<security-constraint>
<display-name>admin pages</display-name>
<web-resource-collection>
<web-resource-name>Administration Pages</web-resource-name>
<description/>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>userAdmin</role-name>
</auth-constraint>
<!-- <user-data-constraint>
<description/>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>-->
</security-constraint>
and in tomcat-users.xml I have the following password information:
<user password="password" roles="tomcat,role1,manager-script,manager-gui,admin,manager" username="user"/>
But when I try and access the page /admin/adminindex.htm, I get a forbidden error:
Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
Ideally I would like to store user details in the database but can't progress with either at the moment.
I would look into Spring Security, which offers a plethora of options for securing websites (including DB-backed or JNDI-backed security). The tutorial may prove a good starting point.
This is how I secure applications using Spring Security, here is the web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-servlet.xml
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-servlet.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/myapp/*</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
spring-security.xml
<security:http auto-config="true" use-expressions="true" access-denied-page="/" create-session="never" disable-url-rewriting="true">
<security:intercept-url pattern="/myapp/auth/login" access="permitAll" />
<security:intercept-url pattern="/myapp/main/**" access="hasRole('ROLE_USER')" />
<security:form-login login-page="/" authentication-failure-url="/myapp/auth/login?error=true" default-target-url="/myapp/main/default"/>
<security:logout invalidate-session="true" logout-success-url="/myapp/auth/login" logout-url="/myapp/auth/logout" />
</security:http>
In order to authenticate using a Database you can use an Authentication Manager like this in spring-security.xml
<security:authentication-manager>
<security:authentication-provider user-service-ref="userService">
<security:password-encoder ref="passwordEncoder" />
</security:authentication-provider>
</security:authentication-manager>
Where "userService" is a service you define that has access to the Database, your service must implement org.springframework.security.core.userdetails.UserDetailsService and write the method
public UserDetails loadUserByUsername(String userName)
throws UsernameNotFoundException, DataAccessException {
UserDetails user = null;
try {
// Replace loadUserFromDB with your Data access method to pull the user and encrypted password from the database
Users u = loadUserFromDB(userName);
if(u != null)
user = new User(u.getEmail(), u.getPassword().toLowerCase(), true, true, true, true, getAuthorities(0));
} catch (Exception e) {
e.printStackTrace();
}
return user;
}
Spring security will use this method to secure your pages. Make sure to include this method:
public Collection<GrantedAuthority> getAuthorities(Integer access) {
// Create a list of grants for this user
List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(1);
authList.add(new GrantedAuthorityImpl("ROLE_USER"));
authList.add(new GrantedAuthorityImpl("ROLE_ANONYMOUS"));
return authList;
}
I would start with this: http://docs.spring.io/autorepo/docs/spring-security/3.0.x/reference/springsecurity.html You can also check out this project that already has the basic code to start using Spring Security
https://github.com/pgardunoc/spring-security

Getting redirect to the authentication failure url when trying to authenticate with Spring Security + Spring MVC

I am having troubles implementing Spring Security along with Spring MVC and Hibernate.
When I give the credentials and validate the form, it goes to the following URL:
http: //localhost:8080/test/login_error.htm;jsessionid=9BE14BCXXXXXXXXXXXXXXXX
So it redirects me to the login_error.htm page that I have configured in my spring-security.xml. It looks like a session has been created so the problems occurs after that.
I did try to debug to find out more and here is the deal:
Since UserDetailsService is configured as my authenticationProvider in my spring-security.xml, it goes into the findByUserName method in the UserDetailsServiceImpl class:
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException, DataAccessException {
UserEntity userEntity = dao.findByName(username);
if (userEntity == null)
throw new UsernameNotFoundException("user not found");
return (UserDetails)assembler.buildUserFromUserEntity(userEntity);
}
When it goes to the return, the user is properly loaded, so the connection to the DB has been made and the user has been found, no issue on that side. I can't figure out where the problem is.
Here is the UserEntityDAOImpl class that I am using:
#Repository("userEntityDao")
public class UserEntityDAOImpl implements UserEntityDAO {
private SessionFactory sessionFactory;
#Autowired
public void setSessionFactory(SessionFactory sessionFactory) {
this.sessionFactory = sessionFactory;
}
public void addUser(UserEntity user) {
sessionFactory.getCurrentSession().save(user);
}
public UserEntity findByName(String username) {
Session session = sessionFactory.getCurrentSession();
UserEntity user = (UserEntity)session.createQuery("select u from UserEntity u where u.username = '" + username + "'").uniqueResult();
return user;
}
...others methods like activate, listUsers, etc...
Edit:
#Service("assembler")
public class Assembler {
#Transactional(readOnly = true)
User buildUserFromUserEntity(UserEntity userEntity) {
String username = userEntity.getUsername();
String password = userEntity.getPassword();
boolean enabled = userEntity.getActive();
boolean accountNonExpired = userEntity.getActive();
boolean credentialsNonExpired = userEntity.getActive();
boolean accountNonLocked = userEntity.getActive();
Collection<SimpleGrantedAuthority> authorities = new ArrayList<SimpleGrantedAuthority>();
for (SecurityRoleEntity role : userEntity.getSecurityRoleCollection()) {
authorities.add(new SimpleGrantedAuthority(role.getName()));
}
User user = new User(username, password, enabled,
accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
return user;
}
}
It is retrieving the roles properly from the DB (ROLE_Admin in my case).
Here is my spring-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/resources/**" security="none"/>
<http auto-config='true' use-expressions='true'>
<intercept-url pattern="/login*" access="isAnonymous()" />
<intercept-url pattern="/secure/**" access="hasRole('ROLE_Admin')" />
<logout logout-success-url="/home.htm" />
<form-login login-page="/login.htm" login-processing-url="/j_spring_security_check"
authentication-failure-url="/login_error.htm" default-target-url="/home.htm"
always-use-default-target="true" />
</http>
<beans:bean id="com.daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService" />
</beans:bean>
<beans:bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<beans:property name="providers">
<beans:list>
<beans:ref local="com.daoAuthenticationProvider" />
</beans:list>
</beans:property>
</beans:bean>
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder hash="plaintext" />
</authentication-provider>
</authentication-manager>
</beans:beans>
Here is the web.xml:
<web-app id="WebApp_ID" version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>Spring MVC Application</display-name>
<!-- Spring MVC -->
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</servlet> -->
<!-- This listener creates the root application Context -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
I suspect your user doesn't have the required permissions (i.e. Authorities) set. Enable Spring Security debug logging. What does
assembler.buildUserFromUserEntity(userEntity);
do? What do you see if in the loadUserByUsername method before returning you print UserDetails-getAuthorities() to the console?

getPrincipal() return null after successful login

I am using multiple http elements [with different patterns] in my spring security configuration. Each points to a separate authentication manager. I am able to login successfully for all http elements. However , after successful login, the Principal object returned is null. Please help me.
The contents of spring security are as follows
<http pattern="teacher/login*" authentication-manager-
ref="teacherAuthenticationManager">
<intercept-url pattern="teacher/login*" access="ROLE_TEACHER" />
<http-basic`enter code here` />
</http>
<http pattern="student/login*" authentication-manager-
ref="studentAuthenticationManager">
<intercept-url pattern="student/login*" access="ROLE_STUDENT" />
<http-basic />
</http>
<authentication-manager alias="teacherAuthenticationManager">
<authentication-provider>
<!-- <password-encoder hash="md5"/>-->
<jdbc-user-service data-source-ref="dataSources"
users-by-username-query="
select username,password,true
from Teacher where username=?"
authorities-by-username-query="
select username,'ROLE_TEACHER' from Teacher where username=?" />
</authentication-provider>
</authentication-manager>
<authentication-manager alias="studentAuthenticationManager">
<authentication-provider>
<!-- <password-encoder hash="md5"/>-->
<jdbc-user-service data-source-ref="dataSources"
users-by-username-query="
select username,password,true
from Student where username=?"
authorities-by-username-query="
select username,'ROLE_STUDENT' from Student where username=?" />
</authentication-provider>
</authentication-manager>
Web.xml is as follows
<display-name>Spring Web MVC Application</display-name>
<welcome-file-list>
<welcome-file>/index.html</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/mvc-dispatcher-servlet.xml,
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
Controller code
#RequestMapping(value = "/teacher/login", method = RequestMethod.GET)
public #ResponseBody MethodResponse teacherlogin( Principal principal) {
System.out.println("Welcome Teacher");
MethodResponse methodResponse = new MethodResponse();
try {
//org.springframework.security.core.userdetails.User user = (org.springframework.security.core.userdetails.User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
System.out.println("Is Principal Null:"+Boolean.valueOf(principal==null));
final String name = principal.getName();
String sql="Select * from Teacher where UserName=?";
Teacher teacher = jdbcTemplate.queryForObject(sql,
ParameterizedBeanPropertyRowMapper
.newInstance(Teacher.class),name);
methodResponse.setData(teacher);
//String sql = " Select * from Teacher where TeacherId=?";
/*
List<Teacher> list = jdbcTemplate.query(sql,
ParameterizedBeanPropertyRowMapper
.newInstance(Teacher.class), teacherId);
Teacher[] teachers = list.toArray(new Teacher[] {});
methodResponse.setDataArray(teachers);*/
methodResponse
.setResponseCode(GlobalConstants.SERVICE_STATUS_CODE_SUCCESS);
methodResponse
.setResponseMessage(GlobalConstants.SERVICE_STATUS_MSG_SUCCESS);
} catch (Exception e) {
e.printStackTrace();
methodResponse
.setResponseCode(GlobalConstants.SERVICE_STATUS_CODE_DATABASE_ERROR);
methodResponse.setResponseMessage(e.getMessage());
}
return methodResponse;
}
The servlet is mapped to /rest/* and those URLs are not protected by your filters (so I would expect the principal to be null). Does that explain the behaviour you see?

Resources