Question

I've been playing with spring-security for a while and for some reason I'm not able to access the principal in the JSPs even when authentication and authorization are working right.

This is my index.jsp:

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

<%@ page import="org.springframework.security.core.context.SecurityContextHolder" %>

<a href="forAuthenticated.jsp">for authenticated</a><br/>
<a href="admin/adminUsers.jsp">for admins</a>

<sec:authorize access="! isAuthenticated()">
    not logged in
</sec:authorize>
<sec:authorize access=" isAuthenticated()">
    logged in
</sec:authorize>

Your principal object is....: <sec:authentication property="principal.username" /><br/>
Authentication = <%=SecurityContextHolder.getContext().getAuthentication() %>

<p><a href="j_spring_security_logout">Logout</a></p>

And this is the *-security.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans" 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
  http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
  http://www.springframework.org/schema/security
  http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <http pattern="/loggedout.jsp" security="none"/>
  <http pattern="/index.jsp"     security="none"/>
  <http pattern="/login.jsp"     security="none"/>

  <http auto-config="true">
    <intercept-url pattern="/admin/*"      access="ROLE_ADMIN,ROLE_SUPERUSER" />
    <intercept-url pattern="/forAuthenticated.jsp" access="ROLE_USER" />
    <intercept-url pattern="/logoutSuccess*" access="ROLE_ANONYMOUS" />
    <intercept-url pattern="/**"          access="ROLE_USER" />

    <form-login login-page="/login.jsp" 
                authentication-failure-url = "/login.jsp?login_error=1"/>
    <logout logout-success-url="/loggedout.jsp" delete-cookies="JSESSIONID"/>
    <session-management invalid-session-url="/sessionTimeout.htm" />
  </http>

  <global-method-security pre-post-annotations="enabled"/>

  <authentication-manager alias="authenticationManager">
    <authentication-provider>
      <user-service id="userDetailsService">
        <user name="username" password="password" authorities="ROLE_USER, ROLE_ADMIN" />
        <user name="test" password="test" authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>

When I try to access forAuthenticated.jsp I'm prompted for login. After entering test/test I can access the forAuthenticated page, but not admin/adminUsers.jsp. This is OK, but the problem is that I can't access the principal in index.jsp. This is what index.jsp prints when logged in as test/test. Note that I can see neither the "not logged in" nor the "logged in" traces:

for authenticated
for admins 
Your principal object is....: 
null

Logout

What am I missing? What should I double-check?


Solution

As Karthikeyan suggests in his comment, the problem is the following line:

<http pattern="/index.jsp" security="none"/>

which effectively causes requests matching the given pattern to be dispatched straight to the handler method, skipping the Spring Security filter chain. Not even the SecurityContext gets initialized in this case, so the authentication object won't be available to the <sec:authorize> tag, on the basis of which it should decide whether to reveal the wrapped content (and by default it obviously won't).

The reference doc states it clearly as well:

A request pattern can be mapped to an empty filter chain, by setting this attribute (security) to none. No security will be applied and none of Spring Security's features will be available.

Instead of mapping an empty filter chain, you should simply allow anonymous access:

<!-- goes inside <http>, before the catch-all /** rule: intercept-url patterns are matched
     in declaration order. No sec: prefix is needed here, because the security schema is
     the default namespace in the question's file. -->
<intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>

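For context, here is the questioner's *-security.xml with the fix applied, as an added example that is not part of the original answer. It removes the empty filter chain for index.jsp and puts the anonymous-access rule inside <http> ahead of the catch-all /** rule, because intercept-url patterns are evaluated in declaration order and the first match wins. It also shows the one place where security="none" remains appropriate: static resources that render no <sec:*> tags. The /resources/** path is an assumption for illustration and does not appear in the original page. Role strings are kept in the question's non-expression form (no use-expressions="true"), so IS_AUTHENTICATED_ANONYMOUSLY rather than permitAll is the right token.

```xml
<!-- Added example: the question's configuration with the fix applied (Spring Security 3.1
     namespace). Not the original answer's code. The /resources/** path is an assumption. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
  http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
  http://www.springframework.org/schema/security
  http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- security="none" is only appropriate for requests that never need a SecurityContext,
       e.g. static files that contain no <sec:*> tags. (Assumed path, for illustration.) -->
  <http pattern="/resources/**" security="none"/>

  <!-- Removed from the question's file:
         <http pattern="/index.jsp" security="none"/>
       With an empty filter chain, SecurityContextHolder.getContext().getAuthentication()
       is null inside index.jsp, so <sec:authorize> renders nothing and
       <sec:authentication> prints an empty value, exactly the symptom in the question. -->

  <http auto-config="true">
    <!-- First match wins: the anonymously reachable pages must precede the /** rule.
         auto-config enables the AnonymousAuthenticationFilter, so unauthenticated visitors
         get an AnonymousAuthenticationToken and IS_AUTHENTICATED_ANONYMOUSLY lets them in. -->
    <intercept-url pattern="/index.jsp"            access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/login.jsp*"           access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/loggedout.jsp"        access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/admin/*"              access="ROLE_ADMIN,ROLE_SUPERUSER"/>
    <intercept-url pattern="/forAuthenticated.jsp" access="ROLE_USER"/>
    <intercept-url pattern="/logoutSuccess*"       access="ROLE_ANONYMOUS"/>
    <intercept-url pattern="/**"                   access="ROLE_USER"/>

    <form-login login-page="/login.jsp"
                authentication-failure-url="/login.jsp?login_error=1"/>
    <logout logout-success-url="/loggedout.jsp" delete-cookies="JSESSIONID"/>
    <session-management invalid-session-url="/sessionTimeout.htm"/>
  </http>

  <global-method-security pre-post-annotations="enabled"/>

  <authentication-manager alias="authenticationManager">
    <authentication-provider>
      <user-service id="userDetailsService">
        <user name="username" password="password" authorities="ROLE_USER, ROLE_ADMIN"/>
        <user name="test"     password="test"     authorities="ROLE_USER"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

With this in place an anonymous visitor to index.jsp carries an AnonymousAuthenticationToken, so <sec:authorize access="! isAuthenticated()"> shows "not logged in" (isAuthenticated() is false for an anonymous token), and after logging in as test/test the "logged in" branch appears and <sec:authentication property="principal.username"/> prints test. The login page is matched with /login.jsp* so that the ?login_error=1 failure URL is covered by the same rule.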
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow