Why does @AuthenticationPrincipal return the Authentication instead of the principal object?

Question

I want to retrieve the current user in my controller methods with the @AuthenticationPrincipal annotation. The docs state the following:

Annotation that binds a method parameter or method return value to the Authentication.getPrincipal().

But in fact I get the Authentication object instead of Authentication.getPrincipal() .

This is my simple controller method:

@RequestMapping("/")
public @ResponseBody String index(@AuthenticationPrincipal final WindowsAuthenticationToken user) {
    return String.format("Welcome to the home page, %s!", user.getName());
}

WindowsAuthenticationToken implements Authentication . In this implementation getPrincipal returns a WindowsPrincipal .

The controller method above works, but when I change the arguments type to WindowsPrincipal and try to access the website, I get the following error page:

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.

Tue Mar 03 15:13:52 CET 2015
There was an unexpected error (type=Internal Server Error, status=500).
argument type mismatch HandlerMethod details: Controller [pkg.HomeController] Method [public java.lang.String pkg.HomeController.index(waffle.servlet.WindowsPrincipal)] Resolved arguments: [0] [type=waffle.spring.WindowsAuthenticationToken] [value=waffle.spring.WindowsAuthenticationToken@121a2581]

This is my configuration file:

package pkg;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

import waffle.servlet.spi.BasicSecurityFilterProvider;
import waffle.servlet.spi.NegotiateSecurityFilterProvider;
import waffle.servlet.spi.SecurityFilterProvider;
import waffle.servlet.spi.SecurityFilterProviderCollection;
import waffle.spring.NegotiateSecurityFilter;
import waffle.spring.NegotiateSecurityFilterEntryPoint;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;

@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private NegotiateSecurityFilterEntryPoint negotiateSecurityFilterEntryPoint;

    @Autowired
    private NegotiateSecurityFilter waffleNegotiateSecurityFilter;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.exceptionHandling().authenticationEntryPoint(negotiateSecurityFilterEntryPoint).and()
                .addFilterBefore(waffleNegotiateSecurityFilter, BasicAuthenticationFilter.class).authorizeRequests()
                .anyRequest().fullyAuthenticated();
    }

    @Bean
    public WindowsAuthProviderImpl waffleAuthProvider() {
        return new WindowsAuthProviderImpl();
    }

    @Bean
    public NegotiateSecurityFilterProvider negotiateSecurityFilterProvider(
            final WindowsAuthProviderImpl waffleAuthProvider) {
        return new NegotiateSecurityFilterProvider(waffleAuthProvider);
    }

    @Bean
    public BasicSecurityFilterProvider basicSecurityFilterProvider(final WindowsAuthProviderImpl waffleAuthProvider) {
        return new BasicSecurityFilterProvider(waffleAuthProvider);
    }

    @Bean
    public SecurityFilterProviderCollection waffleSecurityFilterProviderCollection(
            final NegotiateSecurityFilterProvider negotiateSecurityFilterProvider,
            final BasicSecurityFilterProvider basicSecurityFilterProvider) {
        final SecurityFilterProvider[] providers = { negotiateSecurityFilterProvider, basicSecurityFilterProvider };

        return new SecurityFilterProviderCollection(providers);
    }

    @Bean
    public NegotiateSecurityFilterEntryPoint negotiateSecurityFilterEntryPoint(
            final SecurityFilterProviderCollection waffleSecurityFilterProviderCollection) {
        final NegotiateSecurityFilterEntryPoint entryPoint = new NegotiateSecurityFilterEntryPoint();

        entryPoint.setProvider(waffleSecurityFilterProviderCollection);

        return entryPoint;
    }

    @Bean
    public NegotiateSecurityFilter waffleNegotiateSecurityFilter(
            final SecurityFilterProviderCollection waffleSecurityFilterProviderCollection) {
        final NegotiateSecurityFilter filter = new NegotiateSecurityFilter();

        filter.setProvider(waffleSecurityFilterProviderCollection);

        return filter;
    }

}

Why is the behaviour different from how it should be?

Answer 1

My principal object did not implement UserDetails . Because WindowsPrincipal is a class of an external library I could not make any changes to it. In the end I created a new filter that wraps the WindowsPrincipal in a class that implements UserDetails . Now I get the correct principal object using @AuthenticationPrincipal .

Answer 2

It is because your WindowsPrincipal implements Principal . Remove the implements clause and it will work again. I had the same problem and this resolved it.