Reputation: 83
I am testing with Spring Security and MongoDB, so I built a custom UserDetailService using MongoDB and got it working, but suddenly it started throwing an exception. I tried to solve the problem but couldn't, so I reverted my code to a prior state before implementing the custom UserDetailService and it started working again. I re-implemented the UserDetailService and the exact same thing happened: it just stopped working without my changing anything, just stopping and restarting Tomcat.
Here is my web.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="3.0"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <display-name />
    <listener>
        <listener-class>
            org.springframework.web.context.request.RequestContextListener
        </listener-class>
    </listener>
    <listener>
        <listener-class>
            org.springframework.web.context.ContextLoaderListener
        </listener-class>
    </listener>
    <filter>
        <description>
            generated-spring-security-session-integration-filter
        </description>
        <filter-name>
            SpringSecuritySessionIntegrationFilter
        </filter-name>
        <filter-class>
            org.springframework.security.web.context.SecurityContextPersistenceFilter
        </filter-class>
    </filter>
    <filter>
        <description>generated-sitemesh-filter</description>
        <filter-name>Sitemesh Filter</filter-name>
        <filter-class>
            com.opensymphony.module.sitemesh.filter.PageFilter
        </filter-class>
    </filter>
    <filter>
        <description>generated-spring-security-filter</description>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>
            org.springframework.web.filter.DelegatingFilterProxy
        </filter-class>
    </filter>
    <filter-mapping>
        <filter-name>
            SpringSecuritySessionIntegrationFilter
        </filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>Sitemesh Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <servlet>
        <description>generated-servlet</description>
        <servlet-name>MongoSecurity Servlet</servlet-name>
        <servlet-class>
            org.springframework.web.servlet.DispatcherServlet
        </servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                classpath:MongoSecurity-web-context.xml
            </param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <description>generated-resources-servlet</description>
        <servlet-name>Resource Servlet</servlet-name>
        <servlet-class>
            org.springframework.js.resource.ResourceServlet
        </servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Resource Servlet</servlet-name>
        <url-pattern>/resources/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>MongoSecurity Servlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
</web-app>
and the exception I'm getting:
java.lang.ClassCastException: org.springframework.security.web.firewall.FirewalledResponse cannot be cast to org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper
org.springframework.security.web.context.HttpSessionSecurityContextRepository.saveContext(HttpSessionSecurityContextRepository.java:99)
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:87)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:139)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:65)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
com.opensymphony.sitemesh.webapp.SiteMeshFilter.obtainContent(SiteMeshFilter.java:129)
com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:77)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
Here is my security-context.xml:
<http auto-config="true">
    <intercept-url pattern="/pages/login.jsp" />
    <intercept-url access="ROLE_ADMIN" pattern="/secure/**" />
    <form-login authentication-failure-url="/pages/login.jsp?login_error=true" login-page="/pages/login.jsp" />
    <logout invalidate-session="true" logout-success-url="/pages/logout-redirect.jsp" />
    <remember-me key="formsRMKey" user-service-ref="userDetailsService" />
</http>
<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder hash="sha" />
    </authentication-provider>
</authentication-manager>
<beans:bean id="userDetailsService" class="com.realestate.service.MongoUserDetailService" />
and the implementation of MongoUserDetailService:
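public UserDetails loadUserByUsername(String username)
        throws UsernameNotFoundException {
    UserAccount user = userDao.findByUsername(username);
    if (user == null) {
        // The UserDetailsService contract forbids returning null for an unknown user.
        throw new UsernameNotFoundException("User not found: " + username);
    }
    // The four flags mark the account as enabled, non-expired, credentials non-expired and non-locked.
    return new User(user.getUsername(), user.getPassword(), true, true, true, true, getGrantedAuthorities(user.getRoles()));
}

// Maps each stored role name to a Spring Security authority.
public static List<SimpleGrantedAuthority> getGrantedAuthorities(List<Role> roles) {
    List<SimpleGrantedAuthority> authorities = new ArrayList<SimpleGrantedAuthority>();
    for (Role role : roles) {
        authorities.add(new SimpleGrantedAuthority(role.getName()));
    }
    return authorities;
}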
Any help would be much appreciated.
Upvotes: 0
Views: 6103
Reputation: 64
I've had a similar issue, and removing SecurityContextPersistenceFilter from web.xml solved my problem. The http-config element creates a filter chain with its own SecurityContextPersistenceFilter, so the explicitly declared filter gets out of order. By the way, you have some other Spring Security filters present in your web.xml, so maybe you'll need to remove more than just this filter to get things working. Please refer to the Spring Security Core Filters documentation for info about the Spring Security filters that are registered by default.
Upvotes: 4
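A check for the misconfiguration described in the answer above, as an added example that is not part of the original posts: it scans a web.xml for Spring Security's internal filter classes registered directly with the servlet container instead of through the `DelegatingFilterProxy`. The sample XML is a constructed, trimmed version of the question's file, and the function and constant names are this example's own.

```python
import xml.etree.ElementTree as ET  # fine for a trusted, local web.xml

SECURITY_PKG = "org.springframework.security."
PROXY_CLASS = "org.springframework.web.filter.DelegatingFilterProxy"

# Constructed sample: a trimmed version of the web.xml from the question.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <filter-name>SpringSecuritySessionIntegrationFilter</filter-name>
    <filter-class>
      org.springframework.security.web.context.SecurityContextPersistenceFilter
    </filter-class>
  </filter>
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
</web-app>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Whitespace-trimmed text of the first child called `name`, or ''."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def audit_web_xml(xml_text):
    """Return (stray_filters, has_proxy) for a web.xml document string."""
    stray, has_proxy = [], False
    for elem in ET.fromstring(xml_text):
        if local(elem.tag) != "filter":
            continue
        name = child_text(elem, "filter-name")
        cls = child_text(elem, "filter-class")
        if cls == PROXY_CLASS:
            has_proxy = True          # the single intended entry point
        elif cls.startswith(SECURITY_PKG):
            stray.append((name, cls))  # chain member declared on its own
    return stray, has_proxy

if __name__ == "__main__":
    stray, has_proxy = audit_web_xml(SAMPLE_WEB_XML)
    print("DelegatingFilterProxy declared:", has_proxy)
    for name, cls in stray:
        print("declared outside the security chain:", name, "->", cls)
```
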