Login success handler should be called in proper context Describe the bug If it is called login success handler it is not ensured RequestContextHolder so exception could be called if there is any bean that it is using it. java.lang.IllegalStateException: No thread-bound request found: Are you referring to request attributes outside of an actual web request, or processing a request outside of the originally receiving thread? If you are actually operating within a web request and still receive this message, your code is probably running outside of DispatcherServlet: In this case, use RequestContextListener or RequestContextFilter to expose the current request. at org.springframework.web.context.request.RequestContextHolder.currentRequestAttributes(RequestContextHolder.java:131) ... at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.successfulAuthentication(AbstractAuthenticationProcessingFilter.java:326) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:240) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92) at org.springfaramework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1594) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ... To Reproduce org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer.successHandler(org.springframework.security.web.authentication.AuthenticationSuccessHandler) that set/use lambda that calls other bean or just org.springframework.web.context.request.RequestContextHolder.currentRequestAttributes(). Expected behavior To enclosed any call of onAuthenticationSuccess() to be properly set org.springframework.web.context.request.RequestContextHolder. Sample
Comment From: netbeansuser2019
Reply to comment to @rwinch #8419 cite: "You need to ensure you have RequestContextFilter setup before Spring Security is invoked in order to use RequestContextHolder." It seems that you do not understand a prior issue so I have open new one to be really and properly investigated. I am addressing : org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.configure(org.springframework.security.config.annotation.web.builders.HttpSecurity) http.formLogin().successHandler() So if it is such thing needed then it should be ensured by spring itself to be by default setup that way to ensure that context is there.
Comment From: netbeansuser2019
Ref #8449 rwinch comment ...please provide a complete and minimal sample...
Sorry to say but if you want help you find a way if you don't you try to find obstacles.
So navigate to https://start.spring.io/ and select
Gradle Project Language Java Spring Boot 2.2.7 Packaging Jar Java 11 Dependencies Spring Web
And put into:
@Component public class MyAppBeans implements org.springframework.context.ApplicationContextAware {
private static final java.util.concurrent.atomic.AtomicReference<org.springframework.context.ApplicationContext> CONTEXT = new AtomicReference<>();
@Override
public void setApplicationContext(org.springframework.context.ApplicationContext context) throws org.springframework.beans.BeansException {
CONTEXT.compareAndSet(null, context);
}
@Bean
public static someBean() {
return new MyBean();
}
@Bean
public static org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter webSecurityConfigurerAdapter() {
return new MyWebSecurityConfigurerAdapter() {};
}
public static abstract class MyWebSecurityConfigurerAdapter extends org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter{
@Override
protected void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception {
http.formLogin()
.successHandler((r, rr, c)-> java.util.Optional.ofNullable(CONTEXT.get())
.map((o)->o.getBean(MyBean.class))
.ifPresent((o)->o.doAction())
);
}
}
public static class MyBean {
public void doAction() {
var reqAttr = org.springframework.web.context.request.RequestContextHolder.currentRequestAttributes(); //throws exception
}
}
}
Comment From: netbeansuser2019
And such MyBean in example it could outside of one project or even 3rdparty source or even several level so one bean call other bean ... so
Comment From: rwinch
Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add some more details if you feel this is a genuine bug.
Comment From: netbeansuser2019
It is totally bug or if you (Spring team) take it as feature then it is enhancement. In no way it is question.