(SOLVED) My Authentication does not persist after successfully logging in.

In essence I can successfully log in from the login and enter my main view, but then if I reload the page, or go to another view that that user has permission to, I am returned to the login. When I tested something strange happens, the first time I enter the main view I print the current user in the console and it works fine, but I print the same thing in any other event and it already tells me AnonymousUser.

I have attached two txt, one with my security class that extends VaadinWebSecurity and the other with the login method that I use in my login view. I use a DaoAuthenticationProvider as a provider.
SecurityConfig.txt (1.55 KB)
login_method.txt (557 Bytes)

Ensure that your daoAuthProvider returns an authenticated user with authorities / roles, otherwise it won’t work.

Oh thank you very much first of all for answering me so quickly, forgive my skills, I’m new to Spring and Vaadin. In my User class that implements UserDetails I have this configured:

@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
    return Arrays.asList(role);
}

But I’m not sure how to do what you suggest…

If you are new to this, the Spring Security docs should get you pretty far

https://docs.spring.io/spring-security/reference/servlet/authentication/architecture.html

https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/dao-authentication-provider.html

Thank you very much for this documentation, I read it carefully and it seems that all my configuration is fine. This behavior drives me crazy because it is very uncomfortable that the client has to log in continuously.

P.S: I even changed the SecurityContextHolder strategy to global, so that regardless of the thread of execution the same security context is shared since my application is a monolithic application, but nothing, the same problem. I do not know what else to do.

Are your views annotated with security annotations?

Hi Marcos, yes for example, the MainView:

@PageTitle(value = "Home")
@Route(value = "")
@RolesAllowed(value = {"ROLE_USER", "ROLE_ADMIN"})
public class MainView extends VerticalLayout

Did you try to increase the log level of Spring Security?

logging.level.org.springframework.security=TRACE

It may help to debug the problem

And also com.vaadin.flow.server.auth=DEBUG

Thanks buddy, I’ll try to debug the way you tell me

What’s the package of the RolesAllowed annotation? If you are using Vaadin 24, you should use the Jakarta package.

Yes man, I use Vaadin 24 and Jakarta package

I also use Java 17.0.2 in this project

Analyzing the Spring Security traces I have these debugs once I log in supposedly successfully:

-Did not find SecurityContext in HttpSession D5D78853E6928479F26EF52246F0B4CE using the SPRING_SECURITY_CONTEXT session attribute

-Created SecurityContextImpl [Null authentication]

-Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=D5D78853E6928479F26EF52246F0B4CE], Granted Authorities= [ROLE_ANONYMOUS]]

I don’t understand the reason for this, could it be that the authentication method using DAO is no longer fully supported?

Did you check that your DAO implementation really works? Like returning a proper user password authentication with roles?

Hello again Knoobie, well yes, look I have these debugs in the constructor of my main view. That is, as soon as I log in everything works fine:

System.out.println(SecurityContextHolder.getContext().getAuthentication().getName());

System.out.println(SecurityContextHolder.getContext().getAuthentication().getCredentials().toString());

System.out.println(SecurityContextHolder.getContext().getAuthentication().getAuthorities());

And this is an example of what it prints for a given user:

Lucy
Lucy
[ROLE_USER]

The problem is that if I do this same debug in any other event, even without leaving that view, it already becomes AnonymousUser.

So, it’s all very strange, right?

Instead of your DAO authentication, you can try this auth code from the Spring docs to see if that makes any difference

SecurityContext context = SecurityContextHolder.createEmptyContext();
Authentication authentication =
    new TestingAuthenticationToken("username", "password", "ROLE_USER");
context.setAuthentication(authentication);

SecurityContextHolder.setContext(context);
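
The trace quoted earlier in the thread reports that no SecurityContext was found in the HttpSession under the SPRING_SECURITY_CONTEXT attribute. In Spring Security 6 a context that is only placed in SecurityContextHolder is not written to the session automatically, so the following added example (not code from this thread or its attachments) shows a programmatic login that also saves the context through a SecurityContextRepository. It assumes the login view authenticates manually and that an AuthenticationManager bean is exposed; the class and method names are hypothetical.

```java
import com.vaadin.flow.server.VaadinServletRequest;
import com.vaadin.flow.server.VaadinServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.stereotype.Component;

// Hypothetical helper, meant to be called from a Vaadin login view's listener.
@Component
public class ManualLogin {

    // Assumption: an AuthenticationManager bean (backed by the DaoAuthenticationProvider) exists.
    private final AuthenticationManager authenticationManager;

    // Writes the context to the HttpSession under SPRING_SECURITY_CONTEXT.
    private final SecurityContextRepository repository =
            new HttpSessionSecurityContextRepository();

    public ManualLogin(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public boolean login(String username, String password) {
        try {
            // Delegates credential checking to the configured provider(s).
            Authentication result = authenticationManager.authenticate(
                    UsernamePasswordAuthenticationToken.unauthenticated(username, password));

            SecurityContext context = SecurityContextHolder.createEmptyContext();
            context.setAuthentication(result);
            // Visible to the current request thread only.
            SecurityContextHolder.setContext(context);

            // Explicit save: without it the next request starts with an empty
            // context and falls back to the anonymous token.
            repository.saveContext(context,
                    VaadinServletRequest.getCurrent(),
                    VaadinServletResponse.getCurrent());
            return true;
        } catch (AuthenticationException e) {
            // Bad credentials, locked account, etc.: leave no partial state behind.
            SecurityContextHolder.clearContext();
            return false;
        }
    }
}
```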

@upbeat-viper check that your browser cookies are enabled. Try another browser. It looks like a cookie problem