{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 闹够了就滚 的问题《I don't know what SecurityContextHolder strate》','https://www.manongdao.com/q-1086681.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I use such code for authentication:
@PreAuthorize("isAnonymous()")
@RequestMapping(value = "/login", method = RequestMethod.POST)
public String doLogin(HttpServletRequest request) {
try {
Authentication req = new UsernamePasswordAuthenticationToken(request.getParameter("name"),
request.getParameter("password"));
Authentication result = authenticationManager.authenticate(req);
SecurityContextHolder.getContext().setAuthentication(result);
logger.debug("Success login");
logger.debug(SecurityContextHolder.getContext().getAuthentication());
return "index";
} catch (AuthenticationException e) {
e.printStackTrace();
logger.debug("ACHTUNG! Success failed");
return "index";
}
}
I can log in, it works. I see not-null Authentication object in logs. Then I try to browse some secured page like this:
@PreAuthorize("hasRole('user')")
@RequestMapping(value = "/user", method = RequestMethod.GET)
public String user(ModelMap modelMap) {
modelMap.addAttribute("user", SecurityContextHolder.getContext().getAuthentication().getCredentials().toString());
return "index";
}
And it throws NullPointerException because of the getAuthentication(). This occurs when I use SecurityContextHolder.MODE_INHERITABLETHREADLOCAL and SecurityContextHolder.MODE_INHERITABLETHREADLOCAL unlike using of SecurityContextHolder.MODE_GLOBAL.
What am I doing wrong? I don't need MODE_GLOBAL-behavior of SecurityContextHolder.
UPD: Sometimes problem occurs, sometimes doesn't in the same session.
Make absolutely sure that the Security Filter is running each time in your request by logging:
Do not. Do not replace the SecurityContextHolderStrategy unless you absolutely know what your doing. It has to do with finding the SecurityContext based on ThreadLocal. So unless your a very weird Servlet Container the default is almost always correct.
You also need to make an interceptor for your request path. The @PreAuthorize only applies to method calls http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html which is not what you want.
Instead you want something like the following in your security application context: