Skip to content

SwitchUserFilter fails with IllegalArgumentException (currentAuthentication / source cannot be null) #19418

Description

@ElZorrito

The SwitchUserFilter setup fails when upgrading Spring Boot and Spring Security.
Depending on the version, it throws either an IllegalArgumentException: currentAuthentication cannot be null or IllegalArgumentException: source cannot be null when attempting to trigger the impersonation URL.

@Bean
public SwitchUserFilter switchUserFilter() throws Exception {
    final SwitchUserFilter switchUserFilter = new SwitchUserFilter();
    switchUserFilter.setUserDetailsService(userDetailsService);
    switchUserFilter.setSwitchUserMatcher(PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.GET, SWITCH_USER_URL));
    switchUserFilter.setExitUserMatcher(PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.GET, SWITCH_USER_EXIT_URL));
    switchUserFilter.setTargetUrl("/");
    switchUserFilter.setSwitchFailureUrl(ACCESS_DENIED_URL);
    return switchUserFilter;
}

I configure the filter like that : http.addFilterAfter(switchUserFilter(), AuthorizationFilter.class);

  • spring-boot-starter-parent 4.1.0, spring-security 7.1.0 :
java.lang.IllegalArgumentException: currentAuthentication cannot be null

at org.springframework.util.Assert.notNull(Assert.java:182)

at org.springframework.security.web.authentication.switchuser.SwitchUserFilter.createSwitchUserToken(SwitchUserFilter.java:306)

at org.springframework.security.web.authentication.switchuser.SwitchUserFilter.attemptSwitchUser(SwitchUserFilter.java:243)

at org.springframework.security.web.authentication.switchuser.SwitchUserFilter.doFilter(SwitchUserFilter.java:190)

at org.springframework.security.web.authentication.switchuser.SwitchUserFilter.doFilter(SwitchUserFilter.java:181)

at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:385)
  • spring-boot-starter-parent 4.0.7, spring-security 7.0.6 :
java.lang.IllegalArgumentException: source cannot be null

at org.springframework.util.Assert.notNull(Assert.java:182)

at org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority.<init>(SwitchUserGrantedAuthority.java:45)

at org.springframework.security.web.authentication.switchuser.SwitchUserFilter.createSwitchUserToken(SwitchUserFilter.java:306)

at org.springframework.security.web.authentication.switchuser.SwitchUserFilter.attemptSwitchUser(SwitchUserFilter.java:243)

at org.springframework.security.web.authentication.switchuser.SwitchUserFilter.doFilter(SwitchUserFilter.java:190)

at org.springframework.security.web.authentication.switchuser.SwitchUserFilter.doFilter(SwitchUserFilter.java:181)

at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:385)

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions