SwitchUserFilter not working in Spring Security 6

[RobertBleyl]

Describe the bug
When using Spring Security 6 (via the Spring Boot 3 BOM) the SwitchUserFilter is not working anymore. The currently logged in user is redirected to the SwitchUserUrl (that is configured in the SwitchUserFilter), but the user is not switched.

The attached log file shows the following line:
"Failed to find original user"

To Reproduce

• Have a Spring Boot 3 project with Spring Security
• Define a SwitchUserFilter bean in a configuration class:

	@Bean
	public SwitchUserFilter switchUserFilter() {
		SwitchUserFilter filter = new SwitchUserFilter();
		filter.setUserDetailsService(userDetailsService);
		filter.setUsernameParameter("username");
		filter.setSwitchUserUrl("/admin/switch_user");
		filter.setExitUserUrl("/admin/switch_user_exit");
		filter.setTargetUrl("/");
		return filter;
	}

• Use this bean in a SecurityFilterChain:

.addFilterAfter(switchUserFilter(), AuthorizationFilter.class)

• Login as an admin user and try to switch to a different user

Expected behavior
The user performing the switch should be logged in as the selected user.

Sample
While I don't have a minimal example, I have an open source project that reproduces the issue. The relevant config is here:
https://gitlab.com/skrupeltng/skrupel-tng/-/blob/issue-531_spring_boot_3/src/main/java/org/skrupeltng/config/SecurityConfig.java

The javadoc of the SwitchUserFilter still states:
"Note that the filter must come after the FilterSecurityInteceptor in the chain"
However, FilterSecurityIntercepter is deprecated. The deprecation text says one should use AuthorizationFilter, so I used this.
Using the AuthorizationFilter was in fact working when using Spring Boot 2.7 and Spring Security 5.8.
Maybe we have to put the SwitchUserFilter before/after a different Filter now?

switch_user.log

[mdeinum]

Not sure if it is related but when defining a filter in Spring Boot as an @Bean it will be picked up by Spring Boot and automatically registered in the filter-chain. When using Spring Security this will lead to the filter being accessed twice. When defining a Filter as an @Bean for Spring Security make sure you are also adding an FilterRegistrationBean for said filter and mark it is setEnabled(false); to prevent the registration of this filter in the regular filter chain.

[marcusdacoregio]

Hi @RobertBleyl, thanks for the report.

I think that the SwitchUserFilter is not explicitly saving the security context in the SecurityContextRepository.

Can you add the following configuration and see if it solves the problem? If so, that confirms my suspicion.

public SecurityFilterChain filterChain(HttpSecurity http) {
	http
		// ...
		.securityContext((securityContext) -> securityContext
			.requireExplicitSave(false)
		);
	return http.build();
}

[RobertBleyl]

Not sure if it is related but when defining a filter in Spring Boot as an @Bean it will be picked up by Spring Boot and automatically registered in the filter-chain. When using Spring Security this will lead to the filter being accessed twice. When defining a Filter as an @Bean for Spring Security make sure you are also adding an FilterRegistrationBean for said filter and mark it is setEnabled(false); to prevent the registration of this filter in the regular filter chain.

Thank you for your reply!
I am trying to get this to work using the FilterRegistrationBean but I am unsure about the proper use. This is what I am trying:

@Bean
public FilterRegistrationBean<SwitchUserFilter> switchUserFilterRegistration() {
  FilterRegistrationBean<SwitchUserFilter> registration = new FilterRegistrationBean<>();
  registration.setFilter(switchUserFilter());
  registration.addUrlPatterns("/admin/switch_user");
  registration.setName("switchUserFilter");
  registration.setOrder(1);
  return registration;
}

public SwitchUserFilter switchUserFilter() {
  SwitchUserFilter filter = new SwitchUserFilter();
  filter.setUserDetailsService(userDetailsService);
  filter.setUsernameParameter("username");
  filter.setSwitchUserUrl("/admin/switch_user");
  filter.setExitUserUrl("/admin/switch_user_exit");
  filter.setTargetUrl("/");
  return filter;
}

But when trying to perform a user switch an exception is thrown:

java.lang.NullPointerException: Cannot invoke "org.springframework.security.web.authentication.AuthenticationSuccessHandler.onAuthenticationSuccess(jakarta.servlet.http.HttpServletRequest, jakarta.servlet.http.HttpServletResponse, org.springframework.security.core.Authentication)" because "this.successHandler" is null
	at org.springframework.security.web.authentication.switchuser.SwitchUserFilter.doFilter(SwitchUserFilter.java:187) ~[spring-security-web-6.0.1.jar:6.0.1]

I am either doing it wrong or the SwitchUserFilter is not meant to be used with a FilterRegistrationBean? :)

[RobertBleyl]

Hi @RobertBleyl, thanks for the report.

I think that the SwitchUserFilter is not explicitly saving the security context in the SecurityContextRepository.

Can you add the following configuration and see if it solves the problem? If so, that confirms my suspicion.

public SecurityFilterChain filterChain(HttpSecurity http) {
	http
		// ...
		.securityContext((securityContext) -> securityContext
			.requireExplicitSave(false)
		);
	return http.build();
}

Thank you for your response! I tried it and it unfortunately did not fix the problem. For transparency, this is what the filter chain looked like:

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
  http.authorizeHttpRequests()
	  .requestMatchers("/", "/error", "/favicon.ico", "/sitemap.xml", "/logo.png", "/dist/**", "/images/**", "/factions/**",
		  "/webfonts/**", "/login", "/credits", "/init-setup", "/register", "/register-successfull", "/legal", "/data-privacy",
		  "/activate-account/**", "/activation-failure/**", "/reset-password/**", "/infos/**", "/guest-account/**", "/admin/switch_user_exit")
	  .permitAll()
	  .requestMatchers("/admin/**", "/debug/**").access(new WebExpressionAuthorizationManager("hasRole('%s')".formatted(Roles.ADMIN)))
	  .requestMatchers("/**").access(new WebExpressionAuthorizationManager("not( hasRole('%s') ) and hasAnyRole('%s', '%s')".formatted(Roles.AI, Roles.ADMIN, Roles.PLAYER)))
	  .and()
	  .csrf()
	  .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
	  .and()
	  .securityContext(c -> c.requireExplicitSave(true))
	  .addFilterAfter(switchUserFilter(), AuthorizationFilter.class)
	  .formLogin()
	  .loginPage("/login").failureHandler(handleAuthenticationFailure()).defaultSuccessUrl("/my-games")
	  .and().rememberMe().key("skrupel-tng-remember-me")
	  .and().logout().logoutSuccessUrl("/").permitAll();
  
  return http.build();
}

[marcusdacoregio]

@RobertBleyl, I think you should do requireExplicitSave(false) instead of requireExplicitSave(true), can you confirm that?

[mdeinum]

You need to disable it, not enable it!

@Bean
public FilterRegistrationBean<SwitchUserFilter> switchUserFilterRegistration(SwitchUserFilter switchUserFilter) {
  FilterRegistrationBean<SwitchUserFilter> registration = new FilterRegistrationBean<>(switchUserFilter);
  registration.setEnabled(false);
  return registration;
}

You need to disable it so it won't be added to the regular filter chain, if it would it would execute twice and also far too early in the process.

[RobertBleyl]

@RobertBleyl, I think you should do requireExplicitSave(false) instead of requireExplicitSave(true), can you confirm that?

Oh wow, my bad! Using false does indeed work! Thank you!
I am not clear yet on whether or not this is intended behavior and using requireExplicitSave(false) is required now when using the SwitchUserFilter, or if this is considered a bug. In other words: should I close this issue now? :)

[RobertBleyl]

You need to disable it, not enable it!

@Bean
public FilterRegistrationBean<SwitchUserFilter> switchUserFilterRegistration(SwitchUserFilter switchUserFilter) {
  FilterRegistrationBean<SwitchUserFilter> registration = new FilterRegistrationBean<>(switchUserFilter);
  registration.setEnabled(false);
  return registration;
}

You need to disable it so it won't be added to the regular filter chain, if it would it would execute twice and also far too early in the process.

It does appear that requireExplicitSave(false) solves the issue and the usage of FilterRegistrationBean is not required here.

[mdeinum]

Well you want to prevent this filter from being executed twice, so it is always a good idea to add it for filters that are meant only for the security filter chain.

[RobertBleyl]

I just noticed that when trying to access a URL that is not the defaultSuccessUrl and you are not logged in, then you are redirected to the URL you requested before the login (as expected), but additionally now these log warnings appear:

2023-01-09T17:48:32.836+01:00  WARN 25933 --- [nio-8081-exec-9] w.c.HttpSessionSecurityContextRepository : Failed to create a session, as response has been committed. Unable to store SecurityContext.

I guess this has something to do with requireExplicitSave(false)?

I also added the FilterRegistrationBean, this does not change anything in my case apparently.