Reputation: 41
I am using spring-session with hazelcast and spring-security. I am facing an issue where Spring Security fails to load the security context from the HttpSession. During authentication I can see the security context is set on the session in the following code:
if (contextChanged(context) || httpSession.getAttribute(springSecurityContextKey) == null) {
    httpSession.setAttribute(springSecurityContextKey, context);
    if (logger.isDebugEnabled()) {
        logger.debug("SecurityContext '" + context
                + "' stored to HttpSession: '" + httpSession);
    }
}
But after authentication, when Spring redirects to the target URL, it fails to get the security context from the session in the following code:
Object contextFromSession = httpSession.getAttribute(springSecurityContextKey);
if (contextFromSession == null) {
    if (debug) {
        logger.debug("HttpSession returned null object for SPRING_SECURITY_CONTEXT");
    }
    return null;
}
Any idea what could be wrong here? Security debug log:
w.a.s.SessionFixationProtectionStrategy : Started new session: 2192be54-aee1-4249-98ba-01a65a401830
c.i.i.w.s.LoggingSecurityEventListener : event=SessionFixationProtectionEvent username=cgrant remoteAddress=0:0:0:0:0:0:0:1 sessionId=c7363d39-28ff-44e3-83a9-d463f2f371e5
w.a.UsernamePasswordAuthenticationFilter : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@5e87c6c5: Principal: org.springframework.security.core.userdetails.
c.i.i.w.s.LoggingSecurityEventListener : event=InteractiveAuthenticationSuccessEvent username=cgrant remoteAddress=0:0:0:0:0:0:0:1 sessionId=c7363d39-28ff-44e3-83a9-d463f2f371e5
RequestAwareAuthenticationSuccessHandler : Using default Url: /
o.s.s.web.DefaultRedirectStrategy : Redirecting to '/myapp/'
w.c.HttpSessionSecurityContextRepository : SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@5e87c6c5: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@5e87c6c5: Principal: org.springframework.security.core.userdetails.User@fb03e089: Username: cgrant; .......... stored to HttpSession: 'org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper$HttpSessionWrapper@5d2baa59
s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
o.s.s.w.s.HttpSessionEventPublisher : Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.springframework.session.web.http.ExpiringSessionHttpSession@287a471f]
.....
.....
o.s.security.web.FilterChainProxy : / at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
o.s.security.web.FilterChainProxy : / at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper$HttpSessionWrapper@8d3c315. A new one will be created.
o.s.security.web.FilterChainProxy : / at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@57f4e063
o.s.security.web.FilterChainProxy : / at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/logout'
o.s.security.web.FilterChainProxy : / at position 5 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /' doesn't match 'POST /login/auth
o.s.security.web.FilterChainProxy : / at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
o.s.security.web.FilterChainProxy : / at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
o.s.security.web.FilterChainProxy : / at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa843a8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd3270: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 2192be54-aee1-4249-98ba-01a65a401830; Granted Authorities: ROLE_ANONYMOUS'
o.s.security.web.FilterChainProxy : / at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
o.s.security.web.FilterChainProxy : / at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
o.s.security.web.FilterChainProxy : / at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
.....
.....
o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /; Attributes: [authenticated]
o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa843a8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd3270: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 2192be54-aee1-4249-98ba-01a65a401830; Granted Authorities: ROLE_ANONYMOUS
o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@1023c8f1, returned: -1
o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
Upvotes: 1
Views: 11173
Reputation: 1
For Chrome, you can see the cookie settings at Settings --> Content Settings --> Cookies --> Allow sites to save and read cookie data (recommended).
Upvotes: 0
Reputation: 41
I found the actual cause of this issue. I was using Spring-session-1.2.2 and hazelcast-3.5.4. Spring-session was failing to save the session after migration. I don't know if it is a hazelcast issue or a spring-session issue. Just for testing purposes I used MapSessionRepository with @EnableSpringHttpSession and everything worked fine. It was a painful experience debugging the spring-session library. Based on my experience, I'd suggest that before using any storage for session replication, you first test with MapSessionRepository. This will ensure your application configuration works with spring-session; later, move to a third-party session repository.
Upvotes: 2
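The isolation step described in this answer, as an added example that is not part of the original post or of the Spring Session project. It assumes the Spring Session 1.2.x `SessionRepository` API (`getSession`/`delete`) and Spring Security on the classpath; the class name `InMemorySessionConfig`, the helper `securityContextSurvivesSave` and the probe user are hypothetical. The helper runs the same save-and-reload round trip against any repository, so the in-memory store and the external store can be compared directly.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.session.MapSessionRepository;
import org.springframework.session.Session;
import org.springframework.session.SessionRepository;
import org.springframework.session.config.annotation.web.http.EnableSpringHttpSession;

@Configuration
@EnableSpringHttpSession
public class InMemorySessionConfig { // hypothetical class name

    // In-memory store: if login works with this bean, the application and
    // filter configuration are sound and the external store is the suspect.
    @Bean
    public MapSessionRepository sessionRepository() {
        return new MapSessionRepository();
    }

    // Hypothetical helper: stores a SecurityContext under the key Spring
    // Security uses, reloads the session by id, and reports whether the
    // context came back. Call it with the repository under test at startup.
    public static <S extends Session> boolean securityContextSurvivesSave(
            SessionRepository<S> repository) {
        String key = HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY;
        SecurityContext context = new SecurityContextImpl();
        context.setAuthentication(new UsernamePasswordAuthenticationToken(
                "probe-user", "n/a", // constructed sample principal
                AuthorityUtils.createAuthorityList("ROLE_USER")));

        S session = repository.createSession();
        session.setAttribute(key, context);
        repository.save(session);
        try {
            S reloaded = repository.getSession(session.getId()); // 1.2.x API
            if (reloaded == null) {
                return false; // the session itself was never persisted
            }
            Object stored = reloaded.getAttribute(key);
            return stored instanceof SecurityContext && context.getAuthentication()
                    .equals(((SecurityContext) stored).getAuthentication());
        } finally {
            repository.delete(session.getId()); // remove the probe session
        }
    }
}
```

A `false` result from the external repository while `MapSessionRepository` returns `true` points at the store or its serialization rather than at the Spring Security configuration.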
Reputation: 1391
After successful authentication, Spring Security destroys the previous session and creates a new one with authentication set to true.
Therefore, the Context object you had put into the Session before authentication will not be available after authentication, because the previous session would be destroyed.
This strategy is known as Session Fixation. You can read more about this here.
Therefore, if you want to get the Context after authentication, then use:
Object contextObject = org.springframework.security.core.context.SecurityContextHolder.getContext();
Spring Security Chain Filter in web.xml:
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>
Upvotes: 2