Authentication not propagated correctly after migrating to SB3Β #12877
Description
Hello,
I'm trying to migrate from Spring boot 2 to 3 and having an issue I can't seem to solve, despite having tried multiple solutions.
My problem:
I use @EnableMethodSecurity to use the @PreAuthorize annotation. But when calling any endpoint which is secured with @PreAuthorize, I get a 401 with the error AuthenticationCredentialsNotFoundException. This used to work in Spring boot 2.
My code:
My filterChain looks like that:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.cors()
.and().csrf().disable()
.sessionManagement((sessions) -> sessions
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
)
.authorizeHttpRequests(auth -> {
...
.requestMatchers("/myendpoint/**").fullyAuthenticated()
...
})
.oauth2ResourceServer(oauth2 -> oauth2
.jwt(jwt -> jwt
.decoder(createDecoder())
.jwtAuthenticationConverter(this::convert)
)
);
return http.build();
}The convert() method is correctly invoked and returns an AbstractAuthenticationToken. But for some reason, in the ObservationAuthorizationManager, the Authentication is not found (it passes once at the same line, with the Authentication correctly set, the second one then returns AuthenticationCredentialsNotFoundException`)
Any help appreciated if this isn't an issue from spring-security π