I have a typical Spring MVC running on Tomcat. After switching the system to run on HTTPS (everything is working OK under plain HTTP), the login stopped working. The reason
The SecurityContextHolder.getContext().getAuthentication() becoming null after redirect is correct since it is thread-bound. But it should be repopulated from the session. Therefore try to keep track of the SPRING_SECURITY_CONTEXT attribute in the session. Here is some example code to get an idea:
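// request is the current HttpServletRequest (e.g. inside a controller or filter)
HttpSession session = request.getSession(true);
// Prints null if no security context has been stored in this session
System.out.println(session.getAttribute("SPRING_SECURITY_CONTEXT"));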
In the Spring Security documentation there is a part about how HTTPS/HTTP switching can screw up the session; perhaps there is a hint to your problem somewhere in there: http://static.springsource.org/spring-security/site/faq.html#d0e223
The above FAQ leads to an examination of how the session is handled in your application. I probably would start looking at the AuthenticationSuccessHandler implementation. (You can post it into your question if you like.)
For more detail on how the security context is handled in web applications, see the following (section 5.4, Authentication in a Web Application): http://static.springsource.org/spring-security/site/docs/3.0.x/reference/technical-overview.html
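
An added example (not part of the original answer and not Spring Security's own code): a servlet filter that applies the session check from the answer to every request, so the log shows the request on which the session changes or the SPRING_SECURITY_CONTEXT attribute goes missing. The class name SessionTraceFilter and the use of the javax.servlet API are assumptions; register it ahead of the Spring Security filter chain.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical debugging filter; remove it once the problem is found. */
public class SessionTraceFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SessionTraceFilter.class.getName());
    // Session attribute named in the answer above.
    private static final String CONTEXT_ATTR = "SPRING_SECURITY_CONTEXT";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        LOG.info("before " + describe(request));
        try {
            chain.doFilter(req, res);
        } finally {
            // Logged again afterwards: login and logout change the session mid-request.
            LOG.info("after  " + describe(request));
        }
    }

    static String describe(HttpServletRequest request) {
        // getSession(false): observe only, never create a session while diagnosing.
        HttpSession session = request.getSession(false);
        return request.getMethod() + " " + request.getRequestURI()
                + " scheme=" + request.getScheme()
                + " secure=" + request.isSecure()
                + " cookieSent=" + abbreviate(request.getRequestedSessionId())
                + " cookieValid=" + request.isRequestedSessionIdValid()
                + " session=" + (session == null ? "none" : abbreviate(session.getId()))
                + " hasSecurityContext="
                + (session != null && session.getAttribute(CONTEXT_ATTR) != null);
    }

    // Log only a short prefix so full session IDs never reach the log files.
    static String abbreviate(String id) {
        if (id == null) return "none";
        return id.substring(0, Math.min(6, id.length())) + "...";
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

A request after the redirect that logs cookieSent=none, cookieValid=false or a different session prefix means the session itself was not carried over, as opposed to the context being cleared inside a session that survived.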