current version spring-boot 1.3.3
We are facing an issue where we are losing the authentication object in the error view.
We fixed that for spring-boot 1.2.8 by registering DispatcherType.ERROR like:
```java
// Re-register the Spring Security filter chain for every dispatcher type, including ERROR
@Bean
public FilterRegistrationBean getSpringSecurityFilterChainBindedToError(
        @Qualifier("springSecurityFilterChain") Filter springSecurityFilterChain) {
    FilterRegistrationBean registration = new FilterRegistrationBean();
    registration.setFilter(springSecurityFilterChain);
    registration.setDispatcherTypes(EnumSet.allOf(DispatcherType.class));
    return registration;
}
```
and it worked, as suggested here: #1048
However, when we updated to 1.3.3 and Spring Security 4, it was a different story: it stopped working, and the dispatcherType sum stayed at 23 for the filterReg bean.
So we've put in app properties: `security.filter-dispatcher-types=ASYNC, FORWARD, INCLUDE, REQUEST, ERROR`, but with no success.
Then we tried what was suggested in issue #4505, but it didn't work either; actually, it is never invoked.
So the last thing we have tried was implementing BeanPostProcessor where we set dispatcher types on postProcessAfterInitialization:
```java
public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
    System.out.println("Bean ''" + beanName + "'' created : " + bean.toString());
    // Force all dispatcher types, including ERROR, on both kinds of filter registration bean
    if (bean instanceof FilterRegistrationBean) {
        FilterRegistrationBean filterReg = (FilterRegistrationBean) bean;
        filterReg.setDispatcherTypes(DispatcherType.REQUEST, DispatcherType.FORWARD,
                DispatcherType.INCLUDE, DispatcherType.ERROR, DispatcherType.ASYNC);
    } else if (bean instanceof DelegatingFilterProxyRegistrationBean) {
        DelegatingFilterProxyRegistrationBean filterReg = (DelegatingFilterProxyRegistrationBean) bean;
        filterReg.setDispatcherTypes(DispatcherType.REQUEST, DispatcherType.FORWARD,
                DispatcherType.INCLUDE, DispatcherType.ERROR, DispatcherType.ASYNC);
    }
    return bean;
}
```
So all dispatcher types are set for the matching beans, yet it isn't working like the 1.2.8 fix did.
We were able to overcome the issue with the following workaround:
```java
/**
 * Used to suppress default (BasicErrorController) functionality: By default Spring Boot adds the
 * error path to the list of paths, ignored by Spring Security.
 */
@Controller
public class ErrorController implements org.springframework.boot.autoconfigure.web.ErrorController {

    @Autowired
    @Qualifier("requestMappingHandlerMapping")
    private RequestMappingHandlerMapping handlerMapping;

    @RequestMapping(value = "/error")
    public String error(Model model) {
        System.err.println("Custom error controller!");
        return "/error";
    }

    @Override
    public String getErrorPath() {
        return "/__dummyErrorPath";
    }
}
```
and `security.filter-dispatcher-types=ASYNC, FORWARD, INCLUDE, REQUEST, ERROR` seems the best solution in this case
@arbixy Could you please share a small sample project that reproduces the problem? I'd like to try and understand why the behaviour has changed.
@wilkinsona OK, when possible I shall try to simplify the project reproducing the issue and publish it here.
Hi, I'm having the same problem in a similar setup - not related to Thymeleaf though, more along the lines of what's described in #1048
I just threw together this small project that reproduces the problem, pretty much as described in this issue.
https://github.com/olle/no-auth-for-you
Perhaps it can help?
@olle Thanks for the sample project. I'm sure it'll help, but just not with my request to @arbixy. I wanted to see a sample project that demonstrated that configuring the dispatcher type worked in 1.2.8 but didn't work in 1.3.3.
@wilkinsona Sorry about that, lost focus after chasing around for an answer. So I just updated my example to include both versions and the option to disable the fix.
BTW: I also noticed that in 1.3.3 the problem seems to only appear together with spring-boot-starter-actuator. Could it be the culprit?
Like @olle said, the problem is related to spring-boot-starter-actuator in 1.4.0.RELEASE. If I remove it and just add `security.filter-dispatcher-types=ASYNC, FORWARD, INCLUDE, REQUEST, ERROR` it works just fine.
Did anyone find out which class/configuration in spring-boot-actuator is breaking this?
Had the same problem with spring-boot-starter-actuator 1.3.3.RELEASE like @olle and @ptheohar. I fixed the issue by adding an org.springframework.boot.autoconfigure.web.ErrorController implementation with a dummy error path in order to free up the /error path so that it can be handled through the SecurityFilterChain that we had control of. Otherwise, actuator configures ignored paths, and among them the /error path from BasicErrorController, in IgnoredPathsWebSecurityConfigurerAdapter, which are later used in WebSecurity to create another SecurityFilterChain which hijacks requests with ERROR dispatcher type. I hope I made some sense here.
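A simplified model of the chain selection described in the comment above, added here as an illustration; it is not code from the thread or from Spring. It assumes first-match selection with ignored paths registered ahead of the application chain, and the class, method and principal names are hypothetical.

```java
import java.util.Arrays;
import java.util.List;
import java.util.function.Predicate;

/** Simplified model, not Spring code: one security chain is chosen per request, first match wins. */
public class ErrorPathChainModel {

    static final class Chain {
        final Predicate<String> matcher;
        final boolean populatesSecurityContext; // false for an "ignored" chain: it has no filters

        Chain(Predicate<String> matcher, boolean populatesSecurityContext) {
            this.matcher = matcher;
            this.populatesSecurityContext = populatesSecurityContext;
        }
    }

    /** Ignored paths are placed ahead of the application's own catch-all chain. */
    static List<Chain> chainsWithIgnoredErrorPath(String errorPath) {
        return Arrays.asList(
                new Chain(path -> path.equals(errorPath), false), // ignored error path
                new Chain(path -> true, true));                   // application chain
    }

    /** Principal visible to the error view, or null when the matched chain ran no filters. */
    static String principalInErrorView(String dispatchPath, List<Chain> chains, String sessionUser) {
        for (Chain chain : chains) {
            if (chain.matcher.test(dispatchPath)) {
                return chain.populatesSecurityContext ? sessionUser : null;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        String user = "alice"; // constructed sample principal
        // Default setup: getErrorPath() is "/error", so the ERROR dispatch matches the empty chain.
        System.out.println("default:    " + principalInErrorView("/error",
                chainsWithIgnoredErrorPath("/error"), user));
        // Workaround: getErrorPath() is "/__dummyErrorPath", so "/error" reaches the application chain.
        System.out.println("workaround: " + principalInErrorView("/error",
                chainsWithIgnoredErrorPath("/__dummyErrorPath"), user));
    }
}
```

In this model, setting the dispatcher types on the filter registration has no effect on the outcome, because the ERROR dispatch does reach the security filter but is matched by the filterless ignored chain first.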
@wilkinsona This issue should be fixed in 1.5 for someone who has configured their own WebSecurityConfigurerAdapter (similar to what is done in the sample provided by @olle). The ManagementWebSecurityAutoConfiguration no longer adds the error path as an ignored path. I think, given the current security model, it is hard to back-port in 1.4 and it would be better to upgrade to 1.5 for those seeing this issue.
@madhura I'm sold. So this was fixed by https://github.com/spring-projects/spring-boot/commit/95be208f0ff1f463db9cba22f361b2150c738382.