Spring security - SecurityContext.authentication null in taglib and jsp but ok in controller

Question

I've been struggling with this issue for a little while now. Found several posts about it but none solved my problem. It will probably have something to do with the fact that a SecurityContext is boud to a specific Thread but even then I do not know how to solve it:

Consider following code to retrieve the user that was logged in:

SecurityContextHolder.getContext().getAuthentication().getPrincipal()

Running this code in a controller would return (correctly) the user logged in. Running this code from a taglib or jsp throws NPE (authentication = null). Also the spring tag does not function (presumably for the same reason).

Extract from web.xml:

    <filter>
    <filter-name>AcegiFilter</filter-name>
    <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
        <param-name>targetClass</param-name>
        <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>AcegiFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Extract from spring security config file:

    <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON 
            PATTERN_TYPE_APACHE_ANT
            /**=httpSessionIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
        </value>
    </property>
</bean>
    <bean id="filterSecurityInterceptor"
    class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="alwaysReauthenticate" value="true" />
    <property name="objectDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON 
            PATTERN_TYPE_APACHE_ANT
            /myaccount.htm=ROLE_CUSTOMER
        </value>
    </property>
</bean>

Answer 1

RESOLVED

the problem arose from the filter sequence. The PageFilter (sitemesh) was invoked before the spring security filter and because of this the security context was not yet available in the jsp. Changing the order of the filters in web.xml (security filter first) fixed the issue.

Answer 2

This may seem like an obvious question, but have you forced the user to log in (ie authenticate) at any point prior to them accessing the page /myaccount.htm ? I didn't see any mappings to a login page requiring anonymous access in your object definition source which is why I ask. If the user can access /myaccount.htm without authenticating, then no principal would have been created in the security context by the time they've accessed the page, hence your NullPointerException. Also, are you using form based authentication ? HTTP BASIC authentication ? Some other type supported by Acegi ?