
Spring Boot 1.4: Principal must not be null exception

I am having the following issue since the release of Spring Boot 1.4. I have a custom Authentication Provider that manages the parsing of JWT tokens for Spring Security. Basically, I would throw a BadCredentialsException when the token was invalid or expired. I also have an AuthenticationEntryPoint that reformats the message with an Unauthorized HttpServletResponse in JSON:

@Override
public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException
{
    httpServletResponse.setContentType("application/json");
    httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    httpServletResponse.getOutputStream().println("{ \"error\": \"" + e.getMessage() + "\" }");

}

Here is the filter that manages the exception of the Authentication Provider:

@Override
protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException
{
    String authToken = httpServletRequest.getHeader("Authorization");

    // Wrap the raw header value; it is not trusted until the provider verifies it.
    JwtToken token = new JwtToken(authToken);
    try
    {
        Authentication auth = authenticationManager.authenticate(token);
        SecurityContextHolder.getContext().setAuthentication(auth);
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }
    catch(AuthenticationException ae)
    {
        // Drop any partial security context and answer with the JSON 401.
        SecurityContextHolder.clearContext();
        unauthorizedHandler.commence(httpServletRequest, httpServletResponse, ae);
    }
}
This was working fine in Spring Boot 1.3.6. Now I am getting the following error:

java.lang.IllegalArgumentException: Principal must not be null

Stack trace:

java.lang.IllegalArgumentException: Principal must not be null
at org.springframework.util.Assert.notNull(Assert.java:115) ~[spring-core-4.3.2.RELEASE.jar:4.3.2.RELEASE]
at org.springframework.boot.actuate.audit.AuditEvent.<init>(AuditEvent.java:83) ~[spring-boot-actuator-1.4.0.RELEASE.jar:1.4.0.RELEASE]
at org.springframework.boot.actuate.audit.AuditEvent.<init>(AuditEvent.java:59) ~[spring-boot-actuator-1.4.0.RELEASE.jar:1.4.0.RELEASE]
at org.springframework.boot.actuate.security.AuthenticationAuditListener.onAuthenticationFailureEvent(AuthenticationAuditListener.java:67) ~[spring-boot-actuator-1.4.0.RELEASE.jar:1.4.0.RELEASE]
at org.springframework.boot.actuate.security.AuthenticationAuditListener.onApplicationEvent(AuthenticationAuditListener.java:50) ~[spring-boot-actuator-1.4.0.RELEASE.jar:1.4.0.RELEASE]
at org.springframework.boot.actuate.security.AuthenticationAuditListener.onApplicationEvent(AuthenticationAuditListener.java:34) ~[spring-boot-actuator-1.4.0.RELEASE.jar:1.4.0.RELEASE]
at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:166) ~[spring-context-4.3.2.RELEASE.jar:4.3.2.RELEASE]
at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:138) ~[spring-context-4.3.2.RELEASE.jar:4.3.2.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:382) ~[spring-context-4.3.2.RELEASE.jar:4.3.2.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:336) ~[spring-context-4.3.2.RELEASE.jar:4.3.2.RELEASE]
at org.springframework.security.authentication.DefaultAuthenticationEventPublisher.publishAuthenticationFailure(DefaultAuthenticationEventPublisher.java:124) ~[spring-security-core-4.1.1.RELEASE.jar:4.1.1.RELEASE]
at org.springframework.security.authentication.ProviderManager.prepareException(ProviderManager.java:240) ~[spring-security-core-4.1.1.RELEASE.jar:4.1.1.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:233) ~[spring-security-core-4.1.1.RELEASE.jar:4.1.1.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) ~[spring-security-core-4.1.1.RELEASE.jar:4.1.1.RELEASE]
at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:454) ~[spring-security-config-4.1.1.RELEASE.jar:4.1.1.RELEASE]
at com.icentia.tracking.security.JwtFilter.doFilterInternal(JwtFilter.java:49) ~[classes/:na]

This is coming from Spring Boot Actuator. If I remove it, it is working as before?!?

There seems to be a bug listed here, although not the same: https://github.com/spring-projects/spring-boot/issues/6447

I want to have Actuator in production, any workaround I could use for this?

Thank you

Ali Dufour asked Aug 15 '16 15:08


1 Answer

Make sure the getName() method from the Principal interface returns a non-null value in your JwtToken class.

esteban answered Nov 10 '22 07:11
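One way to apply the answer, as an added example that is not code from the question or the answer: a JwtToken whose getName() is non-null even before the token has been verified, so the Actuator audit listener in the stack trace can build its AuditEvent on an authentication failure. Only the class name and the single-String constructor come from the page; the fields, the second constructor and the placeholder name are assumptions.

```java
import java.util.Collection;
import java.util.Collections;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Hypothetical JwtToken: only the class name and the one-argument
// constructor appear in the question; everything else is assumed.
public class JwtToken implements Authentication {
    // Constructed placeholder reported before the token has been verified.
    private static final String UNVERIFIED = "<unverified-jwt>";

    private final String rawToken;
    private final String subject; // set only after verification succeeds
    private final Collection<? extends GrantedAuthority> authorities;
    private boolean authenticated;

    // Built by the filter from the Authorization header; nothing is trusted yet.
    public JwtToken(String rawToken) {
        this(rawToken, null, Collections.<GrantedAuthority>emptyList(), false);
    }

    // Built by the authentication provider once signature and expiry checks pass.
    public JwtToken(String rawToken, String subject,
                    Collection<? extends GrantedAuthority> authorities) {
        this(rawToken, subject, authorities, true);
    }

    private JwtToken(String rawToken, String subject,
                     Collection<? extends GrantedAuthority> authorities, boolean authenticated) {
        this.rawToken = rawToken;
        this.subject = subject;
        this.authorities = authorities;
        this.authenticated = authenticated;
    }

    // Never null, and never the raw token: this value is copied into audit events.
    @Override public String getName() { return subject != null ? subject : UNVERIFIED; }
    @Override public Object getPrincipal() { return getName(); }
    @Override public Object getCredentials() { return rawToken; }
    @Override public Object getDetails() { return null; }
    @Override public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; }
    @Override public boolean isAuthenticated() { return authenticated; }

    // Only the verified-token constructor may mark a token as authenticated.
    @Override public void setAuthenticated(boolean value) {
        if (value) throw new IllegalArgumentException("Use the verified-token constructor");
        this.authenticated = false;
    }
}
```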