
Resolve AuthenticationPrincipal to empty proxy after migration from WebSecurityConfigurerAdapter

Open leonidv opened this issue 2 years ago • 5 comments

Spring Security 5.7.2.

I have a simple method with an authentication principal, and instead of the principal I get an empty object.

    @GetMapping("/me2")
    fun me2(@AuthenticationPrincipal user: User): User {
        return user
    }


    interface IUserInfo {
        val id: UserId
        val email: String
        val externalId: String
        val displayName: String
        val avatar: String
        val subscriptionPlan: SubscriptionPlan
    }

    interface User : IUserInfo {
        val roles: Set<String>
        val domain: String
            get() = this.email.split('@').last()
    }

BasicAuthenticationFilter correctly initializes SecurityContextHolder with values, but the response of the method contains nulls:

    {
        "id": null,
        "displayName": null,
        "externalId": null,
        "avatar": null,
        "email": null,
        "roles": null,
        "subscriptionPlan": null,
        "domain": null
    }

The problem occurred after migration from WebSecurityConfigurerAdapter to @Bean SecurityFilterChain. Initial configuration: https://github.com/leonidv/ideaelection/blob/websecuirty-updates/backend/src/main/kotlin/idel/infrastructure/security/WebSecurityConfig.kt

Broken configuration: https://github.com/leonidv/ideaelection/blob/websecuirty-updates/backend/src/main/kotlin/idel/infrastructure/security/WebSecurityConfigBroken.kt

I suppose it's a duplicate of https://github.com/spring-projects/spring-security/issues/10930

leonidv • Jul 02 '22 13:07

What I have discovered: if I use WebMvcConfigurerAdapter, it gives the correct order of HandlerMethodArgumentResolverComposite.argumentResolvers (screenshot: Screenshot_2022-07-04_21-41-04). When I switch to using @Bean SecurityFilterChain, I have an incorrect order (screenshot: Screenshot_2022-07-04_21-42-19).

I can use a custom argument resolver that is correctly inserted before ProxyingHandlerMethodArgumentResolver.

leonidv • Jul 04 '22 19:07
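
A startup check for the resolver ordering described in the comment above, as an added example that is not part of the original thread or of Spring Security itself. The class name `ArgumentResolverOrderCheck` is hypothetical; the code assumes Spring MVC with Spring Data's web support on the classpath and the default `requestMappingHandlerAdapter` bean name.

```kotlin
import org.springframework.beans.factory.annotation.Qualifier
import org.springframework.context.event.ContextRefreshedEvent
import org.springframework.context.event.EventListener
import org.springframework.data.web.ProxyingHandlerMethodArgumentResolver
import org.springframework.security.web.method.annotation.AuthenticationPrincipalArgumentResolver
import org.springframework.stereotype.Component
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter

// Hypothetical component (not from the reporter's project): fails startup when
// @AuthenticationPrincipal parameters would be handed to Spring Data's proxying
// resolver before Spring Security's resolver gets to see them.
@Component
class ArgumentResolverOrderCheck(
    // Assumption: the default Spring MVC adapter bean name is in use.
    @Qualifier("requestMappingHandlerAdapter")
    private val adapter: RequestMappingHandlerAdapter
) {
    @EventListener(ContextRefreshedEvent::class)
    fun verifyOrder() {
        // Same list the comment above inspected in the debugger, in lookup order.
        val resolvers = adapter.argumentResolvers.orEmpty()
        val principalIdx = resolvers.indexOfFirst { it is AuthenticationPrincipalArgumentResolver }
        val proxyingIdx = resolvers.indexOfFirst { it is ProxyingHandlerMethodArgumentResolver }

        check(principalIdx >= 0) {
            "AuthenticationPrincipalArgumentResolver is not registered; " +
                "@AuthenticationPrincipal parameters will not carry the authenticated user"
        }
        // The first resolver that supports a parameter wins, so the security
        // resolver has to come before the proxying one (if that one is present).
        check(proxyingIdx < 0 || principalIdx < proxyingIdx) {
            "ProxyingHandlerMethodArgumentResolver (index $proxyingIdx) precedes " +
                "AuthenticationPrincipalArgumentResolver (index $principalIdx)"
        }
    }
}
```

Failing at context refresh turns a silent empty principal into a visible configuration error before any request is served.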

Thank you for the report. Can you please provide a complete sample on how to reproduce?

rwinch • Jul 05 '22 14:07

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

spring-projects-issues • Jul 12 '22 14:07

You can reproduce the bug with my project, it's open source. This commit contains the broken configuration: https://github.com/leonidv/ideaelection/tree/7f6f47fc150ddb624f8a1e49be7df2d3b210ca15

Before starting the application you should run https://github.com/leonidv/ideaelection/blob/7f6f47fc150ddb624f8a1e49be7df2d3b210ca15/scripts/postgresql-run.sh (it executes postgresql via podman)

leonidv • Jul 14 '22 06:07

Sorry for being unclear. What I'm looking for is:

A link to a GitHub repository with a minimal, reproducible sample.

As outlined in the issue template you filled out.

I doubt that postgresql is necessary to reproduce this issue.

rwinch • Aug 10 '22 16:08

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

spring-projects-issues • Sep 08 '22 18:09

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

spring-projects-issues • Sep 15 '22 18:09