Why does calling the security authentication property `principal.displayName` in a decorator throw an exception?

Question 1

Why does calling the security authentication property `principal.displayName` in a decorator throw an exception?

java spring spring-security decorator sitemesh

apfel · Aug 15, 2010 · Viewed 8.1k times · Source

Answer

Answer

Your request's Authentication object at that point is an instance of the AnonymousAuthenticationToken class, and that class does not have a property called displayName.

Clearly, SpringSecurity believes that the user is not logged. You probably need to

change the access rules so that that JSP can only be viewed when the user is logged in, or
change the JSP so to something like the following (assuming that you are using Spring 3.0.x and you've enabled web security expressions).

<c:set var="displayName">
    <sec:authorize access="isAuthenticated()">
        <sec:authentication property="principal.displayName" />
    </sec:authorize>
</c:set>

References:

Question 2

Is there a reason why calling the security authentication property principal.displayName in a decorator would cause a problem?

I'm setting it as a variable in a sitemesh decorator:

                <c:set var="displayName">
                    <sec:authentication property="principal.displayName" />
                </c:set>

But it generates this exception:

java.lang.RuntimeException: javax.servlet.ServletException: javax.servlet.jsp.JspException: Invalid property 'principal.displayName' o
f bean class [org.springframework.security.authentication.AnonymousAuthenticationToken]: Bean property 'principal.displayName' is not
readable or has an invalid getter method: Does the return type of the getter match the parameter type of the setter?
        at com.opensymphony.sitemesh.webapp.decorator.BaseWebAppDecorator.render(BaseWebAppDecorator.java:39)
        at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:84)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
        at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
        at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
        at com.google.apphosting.utils.jetty.DevAppEngineWebAppContext.handle(DevAppEngineWebAppContext.java:70)
        at org.mortbay.jetty.servlet.Dispatcher.forward(Dispatcher.java:327)
        at org.mortbay.jetty.servlet.Dispatcher.forward(Dispatcher.java:126)
        at org.tuckey.web.filters.urlrewrite.NormalRewrittenUrl.doRewrite(NormalRewrittenUrl.java:195)
        at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:159)
        at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141)
        at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90)
        at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:417)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)

Why does calling the security authentication property `principal.displayName` in a decorator throw an exception?

Answer

Related questions