CODEWITHSUNDEEP
spring-security
ashishl
ashishl

Reputation: 203

Spring Security 3.1

Could someone help me on this. appreciate your help.

I am using Spring security 3.1 with create-session="stateless" option. Which throwing "InsufficientAuthenticationException" : "Full authentication is required to access this resource" exception of ExceptionTranslationFilter.

I am not able to understand what I am doing wrong and why I am getting this exception . As this exception stated that the credentials are not proper but I can see the credentials are going through request.Still I am getting 401 unauthorized

Fact is that the user is able to login properly & I get the message on console also. But again it is redirecting to login page due to access denied exception.

Here I am putting the code

Spring-Security.xml

<http entry-point-ref="negotiateSecurityFilterEntryPoint"
         create-session="stateless" >
        <intercept-url pattern="/user/loginuser"  access="ROLE_ANONYMOUS"/> 
        <intercept-url pattern="/**" access="ROLE_USER"/>   
         <custom-filter ref="securityContextPersistenceFilter"          after="BASIC_AUTH_FILTER" />
        <custom-filter ref="ldapAuthFilter" position="CAS_FILTER" />                
        <custom-filter ref="databaseAuthFilter" position="FORM_LOGIN_FILTER" />
</http> 


<bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
        <property name='securityContextRepository'>
            <bean class='org.springframework.security.web.context.HttpSessionSecurityContextRepository'>
                <property name='allowSessionCreation' value='false' />
            </bean>
        </property>
    </bean>

Upvotes: 0

Views: 179

Answers (1)

jlumietu
jlumietu

Reputation: 6434

As far as I know, that's exactly what stateless is meant to do.

Once you set create-session parameter as stateless, on every http call the SecurityContextPersistenceFilter won't be even called (by default) or, even if you force it to be called according to your configuration, it won't be any session level security information in the SecurityContextHolder.

This stateless pattern is intended to be used in a Rest style architecture, where authentication and authorization information is sent on every request. Better said, I don't think that stateless session creation pattern should be used unless you are developing a full stateless application

I found a good post about this, Spring Security Session Management, look carefully section 2. When Is The Session Created?

So stateless session creation strategy does not fit to a classic login form pattern.

In your scenario, I guesss that what is happening is that, once the login request is completed and the request is authenticathed, it is probably redirecting to a kind of welcome page using an HTTP 301 or 302 redirect, redirection which again is not carrying authentication info, so ends redirecting again to login page.

If you simply use "ifRequired" as session-creation, or as it is the default value, just don't set it, I bet your login would end successfully and redirect to wherever it should correctly without asking to log in again. And, if you do it like this, avoid setting the SecurityContextPersistenceFilter, it is configured automatically.

Upvotes: 1

Related Questions