I have a customized form login which worked using WebSecurityConfigurerAdapter. But after I tried to migrate it to a Spring Security filter chain, I have the problem that my security context forgets the authentication token after a successful login and a subsequent redirect.

My config is as follows:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.FrameOptionsConfig;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// MyUserDetailsService, MyAuthenticationFilter, MyLoginSuccessHandler,
// MyAuthenticationProvider, CustomRequestCache and SecurityUtils are the
// application's own classes (assumed to live in the same package).

@Configuration
@EnableWebSecurity
public class FormLoginConfig {

    @Autowired
    private MyUserDetailsService userDetailsService;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable)
            .requestCache(c -> c.requestCache(new CustomRequestCache()))
            // custom login filter placed at the position of the default username/password filter
            .addFilterAt(getFormAuthFilter(), UsernamePasswordAuthenticationFilter.class)
            .authorizeHttpRequests(a -> a.requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
                                         .anyRequest().authenticated()
            )
            .formLogin(l -> l.loginPage("/login").permitAll())
            .headers(h -> h.frameOptions(FrameOptionsConfig::sameOrigin));

        return http.build();
    }

    @Bean
    public AuthenticationSuccessHandler successHandler() {
        return new MyLoginSuccessHandler();
    }

    // Handles POST /login; delegates to the custom AuthenticationManager below
    // and to the success handler on a successful login.
    @Bean
    public MyAuthenticationFilter getFormAuthFilter() throws Exception {
        MyAuthenticationFilter filter = new MyAuthenticationFilter();
        filter.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/login", "POST"));
        filter.setAuthenticationManager(formUserAuthManager());
        filter.setAuthenticationSuccessHandler(successHandler());
        return filter;
    }

    // Minimal AuthenticationManager: a single provider, no ProviderManager.
    AuthenticationManager formUserAuthManager() {
        return authentication -> authProvider().authenticate(authentication);
    }

    public AuthenticationProvider authProvider() {
        return new MyAuthenticationProvider(passwordEncoder(), userDetailsService);
    }

    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

}

The authentication itself works: I can log in and the success handler is called with a valid security context. After the redirect to the secured area, the context only has the anonymous user left and I am returned to the login form.

I was reading about the same problem from other users, but, like in this one, the issue seemed to be the session management, which I didn't use in my config.

Now I'm out of ideas and hope someone else can see the issue.

asked by tagtraeumer
  • The default session creation strategy is `IF_REQUIRED`, so it's better to explicitly set the session strategy to `ALWAYS` in your case. – Chetan Ahirrao May 20 '23 at 23:03
  • Why do you even have a custom filter? This is most likely caused by https://docs.spring.io/spring-security/reference/migration/servlet/session-management.html, but I can't tell for sure because you have not posted all the relevant parts of your code for us to be able to reproduce it. And you are not the first person asking here about the same problem because of custom-written authentication (which is bad practice). This is the first thing written in the migration guide in the Spring Security documentation, which I assume you read before starting your migration. – Toerktumlare May 21 '23 at 11:27
  • @ChetanAhirrao I added a session strategy, but it didn't solve the problem for me. – tagtraeumer May 21 '23 at 17:38
  • @Toerktumlare Yeah, the specific procedure is quite old already; it was implemented because the login was not only username and password but also included a 3rd parameter, 'client'. – tagtraeumer May 21 '23 at 17:38
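The migration-guide change that the second comment links to, worked through as an added example; this is not code from the question, the thread, or Spring's own samples. In Spring Security 6 an `AbstractAuthenticationProcessingFilter` no longer writes the authenticated `SecurityContext` into the HTTP session on its own: its default `SecurityContextRepository` is `RequestAttributeSecurityContextRepository`, so the context survives only for the login request itself and the redirected request arrives anonymous, which matches the symptom described in the question. Giving the custom filter an `HttpSessionSecurityContextRepository` restores the session-backed behaviour the old `WebSecurityConfigurerAdapter` setup had. Assumptions: Spring Boot 3 / Spring Security 6 with `jakarta.servlet`; `ClientFormAuthenticationFilter` is a hypothetical stand-in for the poster's `MyAuthenticationFilter`, including the third `client` login field; the request parameter names `username`, `password` and `client` are assumed; `MyUserDetailsService`, `MyAuthenticationProvider`, `MyLoginSuccessHandler`, `CustomRequestCache` and `SecurityUtils` are the poster's own classes and are assumed to exist with the constructors used in the question.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.FrameOptionsConfig;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class FormLoginConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
                                            ClientFormAuthenticationFilter formAuthFilter) throws Exception {
        http
            // CSRF deliberately left enabled: the login form must post the _csrf token.
            .requestCache(c -> c.requestCache(new CustomRequestCache()))   // poster's class (assumed)
            .addFilterAt(formAuthFilter, UsernamePasswordAuthenticationFilter.class)
            .authorizeHttpRequests(a -> a
                .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll() // poster's helper (assumed)
                .anyRequest().authenticated())
            .formLogin(l -> l.loginPage("/login").permitAll())
            .headers(h -> h.frameOptions(FrameOptionsConfig::sameOrigin));
        return http.build();
    }

    @Bean
    ClientFormAuthenticationFilter formAuthFilter(AuthenticationManager authenticationManager,
                                                  AuthenticationSuccessHandler successHandler) {
        ClientFormAuthenticationFilter filter = new ClientFormAuthenticationFilter(authenticationManager);
        filter.setAuthenticationSuccessHandler(successHandler);
        return filter;
    }

    // Stop Spring Boot from also registering the filter bean with the servlet container,
    // which would run it a second time outside the security filter chain.
    @Bean
    FilterRegistrationBean<ClientFormAuthenticationFilter> formAuthFilterRegistration(
            ClientFormAuthenticationFilter filter) {
        FilterRegistrationBean<ClientFormAuthenticationFilter> registration = new FilterRegistrationBean<>(filter);
        registration.setEnabled(false);
        return registration;
    }

    @Bean
    AuthenticationManager authenticationManager(MyUserDetailsService userDetailsService,
                                                PasswordEncoder passwordEncoder) {
        // MyAuthenticationProvider is the poster's provider (assumed constructor as in the question).
        return new ProviderManager(new MyAuthenticationProvider(passwordEncoder, userDetailsService));
    }

    @Bean
    AuthenticationSuccessHandler successHandler() { return new MyLoginSuccessHandler(); }

    @Bean
    PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }
}

// Hypothetical stand-in for the poster's MyAuthenticationFilter: a three-field form login.
class ClientFormAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    ClientFormAuthenticationFilter(AuthenticationManager authenticationManager) {
        super(new AntPathRequestMatcher("/login", "POST"), authenticationManager);
        // The migration fix: persist the SecurityContext in the HTTP session after a
        // successful login. Spring Security 6 defaults to RequestAttributeSecurityContextRepository,
        // which drops the context as soon as the login request completes.
        setSecurityContextRepository(new HttpSessionSecurityContextRepository());
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String username = request.getParameter("username");   // parameter names assumed
        String password = request.getParameter("password");
        String client = request.getParameter("client");       // the third login field
        if (username == null || password == null || client == null) {
            throw new BadCredentialsException("username, password and client are required");
        }
        UsernamePasswordAuthenticationToken token =
                UsernamePasswordAuthenticationToken.unauthenticated(username.trim(), password);
        token.setDetails(client.trim());   // the provider reads the client from getDetails()
        return getAuthenticationManager().authenticate(token);
    }
}
```

The inherited `successfulAuthentication` is what calls `securityContextRepository.saveContext(...)` before invoking the success handler, so the one line in the filter constructor is the part that changes the behaviour the question describes; on Spring Security 5.8 the same behaviour can be opted into early with `http.securityContext(sc -> sc.requireExplicitSave(true))`. Two deliberate deviations from the question's config: CSRF protection stays on, because disabling it for every endpoint (as the question's `csrf(AbstractHttpConfigurer::disable)` does) leaves a session-creating POST /login open to cross-site requests, so the login template has to include the `_csrf` hidden field; and the `AuthenticationManager` is a `ProviderManager`, which publishes the usual authentication success and failure events instead of the bare lambda.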

0 Answers