I am using Java Spring Security and I am unable to set the principal after a REST call with a principal. I need to set the principal against the HasRole check for every endpoint, but unfortunately the principal is null during stateless calls. How can I set the principal to validate the various roles?
Viewed 827 times
-
What do you mean by "stateless" calls? No call is stateless internally; in fact REST implies State Transfer. Maybe this is the answer you need? http://stackoverflow.com/a/29685203/206466 – xenoterracide Jul 06 '15 at 21:31
-
@xenoterracide maybe he means the session-management policy set to stateless, but this is just a guess. A bit more code, especially the `UserDetailsService`, the `AuthenticationProvider` as well as the overall Spring Security config and a short sample of the role usage would be helpful. – Roman Vottner Jul 06 '15 at 21:32
-
Are you sure your Provider is setting the Authentication object correctly in every request? – Dani Jul 06 '15 at 21:42
-
Apologies for the misleading question. I cannot seem to be able to pass the principal argument with every request. As a result, I am not able to have direct access to it. I am only able to get it during login like this: `request.getAttribute(principal)`. The principal does not persist during API calls. However, it comes automatically during the login process. – Marcelo Salvador Jul 06 '15 at 22:43
-
It is still unclear how you have defined your Spring Security in case of REST calls. Usually you have something like `http.authorizeRequests().antMatchers("/api/...").authenticated().and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().httpBasic().and().csrf().disable();` to configure Spring Security for REST. Here, the user is authenticated via the `Authorization` HTTP header field contained within the request, which if available results in a lookup of the user via the `UserDetailsService`. – Roman Vottner Jul 07 '15 at 09:53
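The configuration sketched in the comment above, completed with a handler that actually reads the principal and a role check per endpoint. This is an added example, not code from the question or from any of the commenters. It assumes Spring Boot with Spring Security 5.x in the `WebSecurityConfigurerAdapter` style the comment uses (on 6.x the same rules go into a `SecurityFilterChain` bean), two in-memory users `alice` and `admin` constructed for the demo, and an `/api` base path; all of those are assumptions. The point it shows: with `STATELESS` nothing is stored in a session, so the principal exists only for requests that carry an `Authorization` header, and for those requests it is available both to `hasRole` and to the controller method.

```java
package example;

import java.security.Principal;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
// Enables @PreAuthorize("hasRole(...)") on handler methods (assumption: Spring Security 5.x API)
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class StatelessSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed demo users standing in for a real UserDetailsService.
        // "{noop}" marks an unencoded password for Spring Security 5's
        // DelegatingPasswordEncoder; never ship plaintext passwords.
        auth.inMemoryAuthentication()
            .withUser("alice").password("{noop}alice-secret").roles("USER")
            .and()
            .withUser("admin").password("{noop}admin-secret").roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/api/**").authenticated()
                .anyRequest().denyAll()
                .and()
            // No HttpSession is created or consulted: the SecurityContext is
            // rebuilt from the Authorization header on every single request,
            // which is why a request without that header sees no principal.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            // BasicAuthenticationFilter decodes the header and runs the
            // UserDetailsService lookup before the controller is reached.
            .httpBasic()
                .and()
            // CSRF tokens are session-bound; with no session and no cookie-based
            // login there is nothing for them to protect, so they are turned off.
            .csrf().disable();
    }
}

@RestController
@RequestMapping("/api")
class WhoAmIController {

    // Spring MVC injects the Principal that the Basic filter resolved for
    // this request; hasRole runs first, so unauthenticated callers get 401.
    @PreAuthorize("hasRole('USER')")
    @GetMapping("/me")
    public String me(Principal principal) {
        return "authenticated as " + principal.getName();
    }

    // Same mechanism, stricter role: alice gets 403 here, admin gets 200.
    // @AuthenticationPrincipal hands over the UserDetails the lookup returned.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/admin")
    public String admin(@AuthenticationPrincipal UserDetails user) {
        return "admin " + user.getUsername() + " with " + user.getAuthorities();
    }
}
```

Exercise it with `curl -u alice:alice-secret http://localhost:8080/api/me` (200), `curl -u alice:alice-secret http://localhost:8080/api/admin` (403) and a plain `curl http://localhost:8080/api/me` with no credentials (401). The third case is the situation in the question: under a stateless policy the client has to resend its credentials, or a token that replaces them, on every call, because the server deliberately keeps nothing from the login request.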