Login success handler should be called in proper context Describe the bug If it is called login success handler it is not ensured RequestContextHolder so exception could be called if there is any bean that it is using it. java.lang.IllegalStateException: No thread-bound request found: Are you referring to request attributes outside of an actual web request, or processing a request outside of the originally receiving thread? If you are actually operating within a web request and still receive this message, your code is probably running outside of DispatcherServlet: In this case, use RequestContextListener or RequestContextFilter to expose the current request. at org.springframework.web.context.request.RequestContextHolder.currentRequestAttributes(RequestContextHolder.java:131) ... at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.successfulAuthentication(AbstractAuthenticationProcessingFilter.java:326) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:240) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92) at org.springfaramework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1594) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ... To Reproduce org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer.successHandler(org.springframework.security.web.authentication.AuthenticationSuccessHandler) that set/use lambda that calls other bean or just org.springframework.web.context.request.RequestContextHolder.currentRequestAttributes(). Expected behavior To enclosed any call of onAuthenticationSuccess() to be properly set org.springframework.web.context.request.RequestContextHolder. Sample
Reply to comment to @rwinch #8419 cite: "You need to ensure you have RequestContextFilter setup before Spring Security is invoked in order to use RequestContextHolder." It seems that you do not understand a prior issue so I have open new one to be really and properly investigated. I am addressing : org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.configure(org.springframework.security.config.annotation.web.builders.HttpSecurity) http.formLogin().successHandler() So if it is such thing needed then it should be ensured by spring itself to be by default setup that way to ensure that context is there.
Ref #8449 rwinch comment
...please provide a complete and minimal sample...
Sorry to say but if you want help you find a way if you don't you try to find obstacles.
So navigate to https://start.spring.io/
and select
Gradle Project
Language Java
Spring Boot 2.2.7
Packaging Jar
Java 11
Dependencies Spring Web
And put into:
@component
public class MyAppBeans implements org.springframework.context.ApplicationContextAware {
private static final java.util.concurrent.atomic.AtomicReference
@Override public void setApplicationContext(org.springframework.context.ApplicationContext context) throws org.springframework.beans.BeansException { CONTEXT.compareAndSet(null, context); }
@Bean public static someBean() { return new MyBean(); }
@Bean public static org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter webSecurityConfigurerAdapter() { return new MyWebSecurityConfigurerAdapter() {}; }
public static abstract class MyWebSecurityConfigurerAdapter extends org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter{
@Override
protected void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception {
http.formLogin()
.successHandler((r, rr, c)-> java.util.Optional.ofNullable(CONTEXT.get())
.map((o)->o.getBean(MyBean.class))
.ifPresent((o)->o.doAction())
);
}
}
public static class MyBean { public void doAction() { var reqAttr = org.springframework.web.context.request.RequestContextHolder.currentRequestAttributes(); //throws exception } }
And such MyBean in example it could outside of one project or even 3rdparty source or even several level so one bean call other bean ... so
It is totally bug or if you (Spring team) take it as feature then it is enhancement. In no way it is question (e.g. for "Stack Overflow"). As HttpSecurity configuration has to be always of Spring Framework responsibility not an each and every software developer e.g. to do any dirty fixes. But if it is hard to understand by "Spring team", sorry to say, but I have doubt about "Spring team" professionality.
Comment From: rwinch
Please do not post duplicate issues https://github.com/spring-projects/spring-security/issues/8568
As indicated on the previous ticket, it does not look like you are using RequestContext correctly. If you need, help please ask on stackoverflow. You may post a link to stackoverflow on the original issue to help others find your question.
Comment From: netbeansuser2019
Please do not post duplicate issues #8568
As indicated on the previous ticket, it does not look like you are using RequestContext correctly. If you need, help please ask on stackoverflow. You may post a link to stackoverflow on the original issue to help others find your question.
If I do not use it well, then you probably do not know Spring Security that well as you should to evaluate issues like this.