Spring Method Level Security fails on second call
I want to use method level security on my GWT application. I'm trying to use Spring Security 3.1, as I found a working example here, but it doesn't use form-login. After reading this answer the first method call successfully obtains the SecurityContext, but then clears it before the next call:
[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@6fe9f089: Authentication: org.example.MyAppName.server.auth.MyAppNameUserAuthentication@6fe9f089'
...
[org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor] - Authorization successful
...
[org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
...
[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
[org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
...
[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - HttpSession returned null object for SPRING_SECURITY_CONTEXT
The second call happens straight after the first and just after the user logs in.
Is it because I followed the other answer and removed <http pattern="/MyAppName/**" security="none" /> and added <intercept-url pattern="/MyAppName/**" access="permitAll()" />?
My filters are as follows:
<http pattern="/favicon.ico" security="none" />
<http access-decision-manager-ref="accessDecisionManager" use-expressions="true" auto-config="false" entry-point-ref="LoginUrlAuthenticationEntryPoint">
<form-login login-page="/Login.html" always-use-default-target="true" default-target-url="/Main.html?gwt.codesvr=127.0.0.1:9997" />
<intercept-url pattern="/Login.html" access="permitAll()" />
<intercept-url pattern="/Login2.html" access="permitAll()" />
<intercept-url pattern="/MyAppName/**" access="permitAll()" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<logout delete-cookies="JSESSIONID" logout-success-url="/Login.html" />
<remember-me token-validity-seconds="86400" key="key" user-service-ref="userDetailsService" />
</http>
Following the example I obtained I use AspectJ for the global method security, but would not use it if I could get that working:
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" mode="aspectj" proxy-target-class="true" >
<expression-handler ref="expressionHandler"/>
</global-method-security>
Thank you for taking the time to read this
Please let me know if more detail is needed.
Answer
This problem has been solved.
The last part of the solution was to remove the request to make SecurityContextHolder global.
If you are having the same problem might find this post helpful.