Question

I'm using Spring 2.5.2 and the same version of Spring Security. The issue is: I log in through the application, clear my browser cookies and refresh the page. The application is redirected to the login page, but in the background it throws the following exception:

DEBUG ExceptionTranslationFilter - Authentication exception occurred; redirecting to authentication entry point
org.springframework.security.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    at org.springframework.security.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:342)
    at org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:254)
    at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
    at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.ui.SessionFixationProtectionFilter.doFilterHttp(SessionFixationProtectionFilter.java:52)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)

It continues until: at java.lang.Thread.run(Unknown Source)

After this exception the application is redirected to the login page, and after entering the login credentials I have to click my login button twice to enter the application. After the first click the console shows:

DEBUG CptLogger - com.capgent.cpt.server.services.auth.LoginAuthenticationProvider Method invoked : additionalAuthenticationChecks isAuthenticated ? :false
DEBUG XmlWebApplicationContext - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@1d0d124]: org.springframework.security.event.authentication.AuthenticationSuccessEvent[source=org.springframework.security.providers.UsernamePasswordAuthenticationToken@862413dc: Principal: com.capgent.cpt.server.services.auth.UserDetailsContainer@bc1ebd; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 6693D3BCE880D6339D9D149F44637952; Granted Authorities: ROLE_ADMIN]
DEBUG AuthenticationProcessingFilter - Authentication success: org.springframework.security.providers.UsernamePasswordAuthenticationToken@862413dc: Principal: com.capgent.cpt.server.services.auth.UserDetailsContainer@bc1ebd; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 6693D3BCE880D6339D9D149F44637952; Granted Authorities: ROLE_ADMIN
DEBUG AuthenticationProcessingFilter - Updated SecurityContextHolder to contain the following Authentication: 'org.springframework.security.providers.UsernamePasswordAuthenticationToken@862413dc: Principal: com.capgent.cpt.server.services.auth.UserDetailsContainer@bc1ebd; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 6693D3BCE880D6339D9D149F44637952; Granted Authorities: ROLE_ADMIN'
DEBUG SessionUtils - Invalidating session with Id '6693D3BCE880D6339D9D149F44637952' and migrating attributes.
DEBUG SessionUtils - Started new session: E772A0D1441C079B2ACD3698F68AF63C
DEBUG AuthenticationProcessingFilter - Redirecting to target URL from HTTP Session (or default): http://localhost:8090/resources/com.capgent.cpt.Main/Main.jsp
DEBUG omTokenBasedRemembermeServices - Did not send remember-me cookie (principal did not set parameter '_spring_security_remember_me')
DEBUG omTokenBasedRemembermeServices - Remember-me login not requested.
DEBUG XmlWebApplicationContext - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@1d0d124]: org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent[source=org.springframework.security.providers.UsernamePasswordAuthenticationToken@862413dc: Principal: com.capgent.cpt.server.services.auth.UserDetailsContainer@bc1ebd; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 6693D3BCE880D6339D9D149F44637952; Granted Authorities: ROLE_ADMIN]
DEBUG essionContextIntegrationFilter - SecurityContext stored to HttpSession: 'org.springframework.security.context.SecurityContextImpl@862413dc: Authentication: org.springframework.security.providers.UsernamePasswordAuthenticationToken@862413dc: Principal: com.capgent.cpt.server.services.auth.UserDetailsContainer@bc1ebd; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 6693D3BCE880D6339D9D149F44637952; Granted Authorities: ROLE_ADMIN'
DEBUG essionContextIntegrationFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG RequestContextFilter - Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@1d03700
DEBUG nsactionSynchronizationManager - Removed value [org.springframework.orm.hibernate3.SessionHolder@1c9dea3] for key [org.hibernate.impl.SessionFactoryImpl@42c282] from thread [http-8090-Processor25]
DEBUG OpenSessionInViewFilter - Closing single Hibernate Session in OpenSessionInViewFilter
DEBUG SessionFactoryUtils - Closing Hibernate Session
DEBUG ConnectionManager - releasing JDBC connection [ (open PreparedStatements: 0, globally: 0) (open ResultSets: 0, globally: 0)]
DEBUG ConnectionManager - transaction completed on session with on_close connection release mode; be sure to close the session to release JDBC resources!
DEBUG OpenSessionInViewFilter - Using SessionFactory 'cptSessionFactory' for OpenSessionInViewFilter
DEBUG DefaultListableBeanFactory - Returning cached instance of singleton bean 'cptSessionFactory'
DEBUG OpenSessionInViewFilter - Opening single Hibernate Session in OpenSessionInViewFilter
DEBUG SessionFactoryUtils - Opening Hibernate Session
DEBUG SessionImpl - opened session at timestamp: 13938439638
DEBUG nsactionSynchronizationManager - Bound value [org.springframework.orm.hibernate3.SessionHolder@862557] for key [org.hibernate.impl.SessionFactoryImpl@42c282] to thread [http-8090-Processor25]
DEBUG RequestContextFilter - Bound request context to thread: org.apache.catalina.connector.RequestFacade@1d03700
DEBUG FilterChainProxy - Converted URL to lowercase, from: '/com.capgent.cpt.main/main.jsp'; to: '/com.capgent.cpt.main/main.jsp'
DEBUG FilterChainProxy - Candidate is: '/com.capgent.cpt.main/main.jsp'; pattern is /ssoerror.html*; matched=false
DEBUG FilterChainProxy - Converted URL to lowercase, from: '/com.capgent.cpt.main/main.jsp'; to: '/com.capgent.cpt.main/main.jsp'
DEBUG FilterChainProxy - Candidate is: '/com.capgent.cpt.main/main.jsp'; pattern is /; matched=true
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 1 of 10 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
DEBUG essionContextIntegrationFilter - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT to associate with SecurityContextHolder: 'org.springframework.security.context.SecurityContextImpl@862413dc: Authentication: org.springframework.security.providers.UsernamePasswordAuthenticationToken@862413dc: Principal: com.capgent.cpt.server.services.auth.UserDetailsContainer@bc1ebd; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 6693D3BCE880D6339D9D149F44637952; Granted Authorities: ROLE_ADMIN'
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 2 of 10 in additional filter chain; firing Filter: 'com.capgent.cpt.server.services.auth.CantrexSsoProcessingFilter[ order=600; ]'
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 3 of 10 in additional filter chain; firing Filter: 'com.capgent.cpt.server.services.auth.DnbiSsoProcessingFilter[ order=600; ]'
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 4 of 10 in additional filter chain; firing Filter: 'com.capgent.cpt.server.services.auth.OpenIdAuthenticationProcessingFilter[ order=800; ]'
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 5 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]'
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 6 of 10 in additional filter chain; firing Filter: 'org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1100; ]'
DEBUG SavedRequest - pathInfo: both null (property equals)
DEBUG SavedRequest - queryString: both null (property equals)
DEBUG SavedRequest - requestURI: arg1=/resources/com.capgent.cpt.Main/Main.jsp; arg2=/resources/com.capgent.cpt.Main/Main.jsp (property equals)
DEBUG SavedRequest - serverPort: arg1=8090; arg2=8090 (property equals)
DEBUG SavedRequest - requestURL: arg1=http://localhost:8090/resources/com.capgent.cpt.Main/Main.jsp; arg2=http://localhost:8090/resources/com.capgent.cpt.Main/Main.jsp (property equals)
DEBUG SavedRequest - scheme: arg1=http; arg2=http (property equals)
DEBUG SavedRequest - serverName: arg1=localhost; arg2=localhost (property equals)
DEBUG SavedRequest - contextPath: arg1=/resources; arg2=/resources (property equals)
DEBUG SavedRequest - servletPath: arg1=/com.capgent.cpt.Main/Main.jsp; arg2=/com.capgent.cpt.Main/Main.jsp (property equals)
DEBUG SavedRequestAwareWrapper - Wrapper replaced; SavedRequest was: SavedRequest[http://localhost:8090/resources/com.capgent.cpt.Main/Main.jsp]
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 7 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.rememberme.RememberMeProcessingFilter[ order=1200; ]'
DEBUG RememberMeProcessingFilter - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.providers.UsernamePasswordAuthenticationToken@862413dc: Principal: com.capgent.cpt.server.services.auth.UserDetailsContainer@bc1ebd; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 6693D3BCE880D6339D9D149F44637952; Granted Authorities: ROLE_ADMIN'
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 8 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.ExceptionTranslationFilter[ order=1400; ]'
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 9 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.SessionFixationProtectionFilter[ order=1600; ]'
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 10 of 10 in additional filter chain; firing Filter: 'org.springframework.security.intercept.web.FilterSecurityInterceptor@11ca33b'
DEBUG lterInvocationDefinitionSource - Converted URL to lowercase, from: '/com.capgent.cpt.main/main.jsp'; to: '/com.capgent.cpt.main/main.jsp'
DEBUG lterInvocationDefinitionSource - Candidate is: '/com.capgent.cpt.main/main.jsp'; pattern is //*main.jsp; matched=true
DEBUG AbstractSecurityInterceptor - Secure object: FilterInvocation: URL: /com.capgent.cpt.Main/Main.jsp; ConfigAttributes: [ROLE_ADMIN]
DEBUG AbstractSecurityInterceptor - Previously Authenticated: org.springframework.security.providers.UsernamePasswordAuthenticationToken@862413dc: Principal: com.capgent.cpt.server.services.auth.UserDetailsContainer@bc1ebd; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 6693D3BCE880D6339D9D149F44637952; Granted Authorities: ROLE_ADMIN
DEBUG AbstractSecurityInterceptor - Authorization successful
DEBUG XmlWebApplicationContext - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@1d0d124]: org.springframework.security.event.authorization.AuthorizedEvent[source=FilterInvocation: URL: /com.capgent.cpt.Main/Main.jsp]
DEBUG AbstractSecurityInterceptor - RunAsManager did not change Authentication object
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp reached end of additional filter chain; proceeding with original chain
DEBUG JspServlet - JspEngine --> /com.capgent.cpt.Main/Main.jsp
DEBUG JspServlet - ServletPath: /com.capgent.cpt.Main/Main.jsp
DEBUG JspServlet - PathInfo: null
DEBUG JspServlet - RealPath: D:\springworkspace.metadata.plugins\org.eclipse.wst.server.core\tmp3\wtpwebapps\capgentspring\com.capgent.cpt.Main\Main.jsp
DEBUG JspServlet - RequestURI: /resources/com.capgent.cpt.Main/Main.jsp
DEBUG JspServlet - QueryString: null

Solution 2

Setting the
<form-login login-page="/Login.jsp" authentication-failure-url="/LoginHandler.jsp" always-use-default-target="true" default-target-url="/LoginHandler.jsp"/>

has solved my issue. Earlier the value was always-use-default-target="false".

OTHER TIPS

"The issue is: I log in through the application, clear my browser cookies and refresh the page. The application is redirected to the login page"

Yes. It is the normal behavior, because a new session will be started from there since the old session was invalidated/closed.

"but in the background it throws the following exception"

Yes. It will, because it tries to revalidate the user info/session when you refresh the page. Since you have already cleared the cookies, it will fail.
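
The session behaviour described in these answers can be read straight out of DEBUG output like the question's. The Python sketch below is an added example, not code from the original posts or from Spring Security: it orders the session and redirect events of one login, and the sample log, the names `timeline` and `summarize`, and the event labels are all assumptions made for illustration.

```python
import re

# Constructed sample in the format of the DEBUG output quoted in the question
# (session ids, principal and URL are placeholders, not values from the page).
SAMPLE_LOG = (
    "DEBUG ExceptionTranslationFilter - Authentication exception occurred; "
    "redirecting to authentication entry point\n"
    "DEBUG AuthenticationProcessingFilter - Authentication success: Token@1: "
    "Principal: demo; Details: WebAuthenticationDetails@0: SessionId: AAAA1111 "
    "DEBUG SessionUtils - Invalidating session with Id 'AAAA1111' and migrating attributes.\n"
    "DEBUG SessionUtils - Started new session: BBBB2222 "
    "DEBUG AuthenticationProcessingFilter - Redirecting to target URL from HTTP Session "
    "(or default): http://localhost:8090/app/Main.jsp\n"
    "DEBUG essionContextIntegrationFilter - Obtained a valid SecurityContext from "
    "SPRING_SECURITY_CONTEXT to associate with SecurityContextHolder\n"
)

# Message fragments as they appear in the question's log; () is an empty capture group.
PATTERNS = {
    "unauthenticated": r"redirecting to authentication entry point()",
    "auth_success": r"Authentication success: .*?SessionId: (\w+)",
    "session_invalidated": r"Invalidating session with Id '(\w+)'",
    "session_started": r"Started new session: (\w+)",
    "redirect": r"Redirecting to target URL from HTTP Session \(or default\): (\S+)",
    "context_restored": r"Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT()",
}

def timeline(text):
    """Return [(event, value)] in log order; works on wrapped or run-together lines."""
    hits = []
    for name, rx in PATTERNS.items():
        hits += [(m.start(), name, m.group(1)) for m in re.finditer(rx, text)]
    return [(name, value) for _, name, value in sorted(hits)]

def summarize(events):
    """Reduce the timeline to the facts that explain one login round trip."""
    names = [n for n, _ in events]
    first = lambda name: next((v for n, v in events if n == name), None)
    old, new = first("session_invalidated"), first("session_started")
    after_redirect = names[names.index("redirect"):] if "redirect" in names else []
    return {
        "unauthenticated_requests": names.count("unauthenticated"),
        "session_rotated": bool(old and new and old != new),
        # The id logged in the Authentication details predates the rotation.
        "details_session_is_stale": old is not None and first("auth_success") == old,
        "redirect_target": first("redirect"),
        "context_restored_after_login": "context_restored" in after_redirect,
    }

print(summarize(timeline(SAMPLE_LOG)))
```

In the question's own log the same events appear in this order: the session id is replaced at login, while the `SessionId` printed inside the Authentication details remains the pre-login one.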

Licensed under: CC-BY-SA with attribution