My application uses the spring 4.3.4 version and the spring-security 4.2.0 version. Here is the application context
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy" >
<sec:filter-chain-map request-matcher="ant" >
<sec:filter-chain pattern="/**" filters="requestContextFilter,securityContextFilter,exceptionTranslationFilter,userRoleProcessingFilter" />
</sec:filter-chain-map>
</bean>
<bean id="requestContextFilter" class="org.springframework.web.filter.RequestContextFilter"/>
<bean id="securityContextFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<constructor-arg>
<bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"></bean>
</constructor-arg>
<property name="forceEagerSessionCreation" value="false"/>
</bean>
<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter" >
<constructor-arg>
<bean class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
</constructor-arg>
</bean>
<bean id="userRoleProcessingFilter"
class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="CUSTOM_USER" />
<property name="credentialsRequestHeader" value="CUSTOM_CRED" />
<property name="authenticationManager" ref="authenticationManager" />
<property name="continueFilterChainOnUnsuccessfulAuthentication" value="false" />
<property name="exceptionIfHeaderMissing" value="false"></property>
<property name="checkForPrincipalChanges" value="true"></property>
</bean>
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager" >
<constructor-arg>
<list>
<ref bean="authenticationProvider"/>
</list>
</constructor-arg>
</bean>
<bean id="authenticationProvider" class="com.common.authorization.spring.custom.CustomAuthenticationProvider" >
<property name="preAuthenticatedUserDetailsService">
<bean class="com.common.authorization.spring.custom.CustomUserDetailsService">
</bean>
</property>
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased" >
<property name="allowIfAllAbstainDecisions" value="false"/>
<constructor-arg>
<list>
<bean class="org.springframework.security.access.vote.RoleVoter">
<property name="rolePrefix" value="" />
</bean>
</list>
</constructor-arg>
</bean>
Spring Debug enabled logs:
2021-04-29 07:48:08,647 DEBUG [org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter] (http-nio-8881-exec-441) preAuthenticatedPrincipal = lk998u, trying to authenticate
2021-04-29 07:48:08,647 DEBUG [org.springframework.security.authentication.ProviderManager] (http-nio-8881-exec-441) Authentication attempt using com.common.authorization.spring.custom.CustomAuthenticationProvider
2021-04-29 07:48:08,647 DEBUG [org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter] (http-nio-8881-exec-441) preAuthenticatedPrincipal = lk998u, trying to authenticate
2021-04-29 07:48:08,647 DEBUG [org.springframework.security.authentication.ProviderManager] (http-nio-8881-exec-441) Authentication attempt using com.common.authorization.spring.custom.CustomAuthenticationProvider
2021-04-29 07:48:09,857 DEBUG [org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider] (http-nio-8881-exec-441) PreAuthenticated authentication request: org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken@4cc16d7a: Principal: lk998u; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 135.76.156.208; SessionId: null; Not granted any authorities
2021-04-29 07:48:09,859 DEBUG [org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter] (http-nio-8881-exec-441) Authentication success: org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken@aa4ce65e: Principal: org.springframework.security.core.userdetails.User@c00b83fd: Username: lk998u; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: APP-User; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 135.76.156.208; SessionId: null; Granted Authorities: APP-User
2021-04-29 07:48:09,859 DEBUG [org.springframework.security.web.FilterChainProxy] (http-nio-8881-exec-441) /remoting/SecurityServiceMBean reached end of additional filter chain; proceeding with original chain
2021-04-29 07:48:09,859 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http-nio-8881-exec-441) SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@aa4ce65e: Authentication: org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken@aa4ce65e: Principal: org.springframework.security.core.userdetails.User@c00b83fd: Username: lk998u; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: APP-User; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 135.76.156.208; SessionId: null; Granted Authorities: APP-User' stored to HttpSession: 'org.apache.catalina.session.StandardSessionFacade@68a3ef8c
2021-04-29 07:48:09,859 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] (http-nio-8881-exec-441) Chain processed normally
2021-04-29 07:48:09,859 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] (http-nio-8881-exec-441) SecurityContextHolder now cleared, as request processing completed
2021-04-29 07:49:23,987 DEBUG [org.springframework.security.web.FilterChainProxy] (http-nio-8881-exec-425) /remoting/ALService at position 1 of 4 in additional filter chain; firing Filter: 'RequestContextFilter'
2021-04-29 07:49:23,988 DEBUG [org.springframework.security.web.FilterChainProxy] (http-nio-8881-exec-425) /remoting/ALService at position 2 of 4 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2021-04-29 07:49:23,988 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http-nio-8881-exec-425) HttpSession returned null object for SPRING_SECURITY_CONTEXT
2021-04-29 07:49:23,988 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http-nio-8881-exec-425) No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@68a3ef8c. A new one will be created.
2021-04-29 07:49:23,988 DEBUG [org.springframework.security.web.FilterChainProxy] (http-nio-8881-exec-425) /remoting/ALService at position 3 of 4 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2021-04-29 07:49:23,988 DEBUG [org.springframework.security.web.FilterChainProxy] (http-nio-8881-exec-425) /remoting/ALService at position 4 of 4 in additional filter chain; firing Filter: 'RequestHeaderAuthenticationFilter'
2021-04-29 07:49:23,988 DEBUG [org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter] (http-nio-8881-exec-425) Checking secure context token: null
2021-04-29 07:49:23,988 DEBUG [org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter] (http-nio-8881-exec-425) preAuthenticatedPrincipal = lk998u, trying to authenticate
2021-04-29 07:49:23,988 DEBUG [org.springframework.security.authentication.ProviderManager] (http-nio-8881-exec-425) Authentication attempt using com.common.authorization.spring.custom.CustomAuthenticationProvider
2021-04-29 07:49:23,993 DEBUG [org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider] (http-nio-8881-exec-425) PreAuthenticated authentication request: org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken@4cc16d7a: Principal: lk998u; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 135.76.156.208; SessionId: 9B81D800232E5EECA483264FBFA8E631; Not granted any authorities
2021-04-29 07:49:23,995 DEBUG [org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter] (http-nio-8881-exec-425) Authentication success: org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken@aa4ce65e: Principal: org.springframework.security.core.userdetails.User@c00b83fd: Username: lk998u; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: APP-User; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 135.76.156.208; SessionId: 9B81D800232E5EECA483264FBFA8E631; Granted Authorities: APP-User
2021-04-29 07:49:23,995 DEBUG [org.springframework.security.web.FilterChainProxy] (http-nio-8881-exec-425) /remoting/ALService reached end of additional filter chain; proceeding with original chain
2021-04-29 07:49:25,737 DEBUG [org.springframework.security.web.FilterChainProxy] (http-nio-8881-exec-411) /remoting/ALService at position 1 of 4 in additional filter chain; firing Filter: 'RequestContextFilter'
2021-04-29 07:49:25,737 DEBUG [org.springframework.security.web.FilterChainProxy] (http-nio-8881-exec-411) /remoting/ALService at position 2 of 4 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2021-04-29 07:49:25,737 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http-nio-8881-exec-411) Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@155a461f: Authentication: org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken@155a461f: Principal: org.springframework.security.core.userdetails.User@1a0b2e41: Username: controlDaemon; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: APP-User; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@7798: RemoteIpAddress: 135.89.40.166; SessionId: 2C924394683E0C966E8EE305C72DCABA; Granted Authorities: APP-User'
2021-04-29 07:49:25,737 DEBUG [org.springframework.security.web.FilterChainProxy] (http-nio-8881-exec-411) /remoting/ALService at position 3 of 4 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2021-04-29 07:49:25,737 DEBUG [org.springframework.security.web.FilterChainProxy] (http-nio-8881-exec-411) /remoting/ALService at position 4 of 4 in additional filter chain; firing Filter: 'RequestHeaderAuthenticationFilter'
2021-04-29 07:49:25,737 DEBUG [org.springframework.security.web.FilterChainProxy] (http-nio-8881-exec-411) /remoting/ALService at position 3 of 4 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2021-04-29 07:49:25,737 DEBUG [org.springframework.security.web.FilterChainProxy] (http-nio-8881-exec-411) /remoting/ALService at position 4 of 4 in additional filter chain; firing Filter: 'RequestHeaderAuthenticationFilter'
2021-04-29 07:49:25,737 DEBUG [org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter] (http-nio-8881-exec-411) Checking secure context token: org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken@155a461f: Principal: org.springframework.security.core.userdetails.User@1a0b2e41: Username: controlDaemon; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: APP-User; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@7798: RemoteIpAddress: 135.89.40.166; SessionId: 2C924394683E0C966E8EE305C72DCABA; Granted Authorities: APP-User
2021-04-29 07:49:25,737 DEBUG [org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter] (http-nio-8881-exec-411) Pre-authenticated principal has changed to lk998u and will be reauthenticated
2021-04-29 07:49:25,737 DEBUG [org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter] (http-nio-8881-exec-411) Pre-authenticated principal has changed and will be reauthenticated
2021-04-29 07:49:25,737 DEBUG [org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter] (http-nio-8881-exec-411) Invalidating existing session
2021-04-29 07:49:25,738 DEBUG [org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter] (http-nio-8881-exec-411) preAuthenticatedPrincipal = lk998u, trying to authenticate
2021-04-29 07:49:25,738 DEBUG [org.springframework.security.authentication.ProviderManager] (http-nio-8881-exec-411) Authentication attempt using com.common.authorization.spring.custom.CustomAuthenticationProvider
The user is an RSA user and hence the password changes regularly. This authentication failed in the middle of the application. Thanks in advance.
Comment From: palmarisiva
The same issue occurs when spring upgraded to 5.3.1 and spring security to 5.4.1
Comment From: eleftherias
Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.