-
Notifications
You must be signed in to change notification settings - Fork 5.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication not propagated correctly after migrating to SB3 #12877
Comments
Issue is still occuring with 3.0.5. Tried @Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
// or @EnableMethodSecurity I also use a RoleHierarchy bean @Bean
public RoleHierarchy roleHierarchy() {
RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
List<Role> roles = Arrays.asList(Role.values());
Collections.reverse(roles);
String hierarchy = roles.stream().map(Role::toString).collect(Collectors.joining(" > "));
roleHierarchy.setHierarchy(hierarchy);
return roleHierarchy;
}
@Bean
public MethodSecurityExpressionHandler methodSecurityExpressionHandler(RoleHierarchy roleHierarchy) {
DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
expressionHandler.setRoleHierarchy(roleHierarchy);
return expressionHandler;
} And the error :
Also, the debug log looks like this :
|
@hqrd were you able to resolve this? Having this same issue. |
No, I tried many things but always facing another error, or I have to re-implement too many things to make it work. So I paused my SB3 migration for now. |
In case anyone else has the same issue, removing the following line fixed the problem for me.
I'm still using If I use |
i'm also in the same boat, doing SB3 migration. yes this fixes the issue (removing)- without removing, if I restart the app once after the first start, then also works without issues. |
This appeared in our case as well, and is blocking us from upgrading to SB3. We have a Quartz job base class which sets a system type authentication before running: @Override
public void execute(JobExecutionContext context) throws JobExecutionException {
try {
Authentication authentication = SecurityUtils.getSystemUserAuthentication();
SecurityContextHolder.getContext().setAuthentication(authentication);
executeJob(context);
} finally {
SecurityContextHolder.clearContext();
}
}
public abstract void executeJob(JobExecutionContext context); All of our jobs inherit this, but since upgrading to spring security @PreAuthorize("hasAuthority('ROLE_SYSTEM')")
@Transactional(readOnly = true)
public List<Foo> thisIsCalledByAJob() {
} Removing |
This seems to be the same issue as discussed in #13866 |
Due to how early method interceptors are loaded during startup it's reasonable to consider scenarios where applications are changing the global security context holder strategy during startup. Closes spring-projectsgh-12877
Hello,
I'm trying to migrate from Spring boot 2 to 3 and having an issue I can't seem to solve, despite having tried multiple solutions.
My problem:
I use
@EnableMethodSecurity
to use the@PreAuthorize
annotation. But when calling any endpoint which is secured with@PreAuthorize
, I get a 401 with the errorAuthenticationCredentialsNotFoundException
. This used to work in Spring boot 2.My code:
My filterChain looks like that:
The
convert()
method is correctly invoked and returns anAbstractAuthenticationToken
. But for some reason, in theObservationAuthorizationManager
, theAuthentication
is not found (it passes once at the same line, with the Authentication correctly set, the second one then returns AuthenticationCredentialsNotFoundException`)Any help appreciated if this isn't an issue from spring-security 😄
The text was updated successfully, but these errors were encountered: