There's an OpenID implementation in Spring Security. It goes through a bunch of redirects (302s):

1) client POSTs to the OpenID endpoint on <myapp>, which typically is <myapp>/j_spring_openid_security_check
2) the endpoint in 1 responds with a 302 and a redirect to the OpenID endpoint (www.google.com/<openid-endpoint>) with a callback URL of the endpoint in 1.
3) after login, the response from the OpenID provider is a 302 to <myapp>/j_spring_openid_security_check with the proper OpenID tokens
4) the Spring OpenID endpoint authenticates the tokens, and then issues yet another 302, to a Spring Security determined page (which is usually the resource that the client was attempting to access before the security intercept, but I've overridden it to force it to go to <myapp>/auth/success)

I was actually surprised that the setting of the cookies and the login succeeded. Now I have to figure out why the session didn't take the authentication.

I'll switch this topic over to the SpringSource forums, as this doesn't appear to be a CXF issue.

thanks
Jeff

On Wed, Nov 16, 2011 at 12:17 AM, Sergey Beryozkin <[email protected]> wrote:
> Hi,
>
> How do you manage the redirection ? Is it an OpenId JSP handler which
> redirects to /plutom-ws/rest/auth/success ? This is just a guess but I'm
> assuming that "/plutom-ws/rest/auth/success" is secured by a Spring Security
> handler which can not understand what to do with
>
> JSESSIONID=C149C4F73C95BDAF33E2BED4CCC1D133 in order to retrieve the stored
> authenticated info if any...
>
>> at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:107)
>> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:323)
>> at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:118)
>> at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:208)
>> at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223)
>> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:166)
>> at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:113)
>> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:184)
>> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:112)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
>>
>> So a bunch of questions:
>> 1) I annotated the auth/success endpoint with @Secured, is this correct?
>
> that is there in order to enforce RBAC
>
>> 2) Who's responsible for looking at the cookie, finding the Spring
>> stored session, and setting the authentication object? Do I need an
>> interceptor that I didn't add?
>
> Spring Security filter ?
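The wiring Sergey's last answer points at, written out as an added example that is not from this thread, from CXF or from Spring Security: a web.xml plus a Spring Security 3.x namespace configuration in which the springSecurityFilterChain is mapped on /* ahead of the CXF servlet. That ordering is what makes the JSESSIONID cookie useful on the final redirect: the SecurityContextPersistenceFilter inside the chain loads the SecurityContext stored in the HTTP session by the OpenID callback and puts it on the thread before the JAX-RS resource runs, and global-method-security is what gives @Secured on the resource class any effect. The context path /plutom-ws, the /rest/* servlet mapping, the /rest/auth/success target, the CXFNonSpringServlet subclass name and the OpenID provider-specific settings are assumptions taken from the paths quoted above, not the poster's actual files.

```xml
<!-- web.xml (assumed layout: app deployed at /plutom-ws, CXF under /rest/*) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Bootstraps the Spring context that DelegatingFilterProxy looks up -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/security.xml</param-value>
  </context-param>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <!-- The Spring Security filter chain. The bean name "springSecurityFilterChain"
       is the one the <http> namespace element registers. Mapping it on /* means
       every request to /rest/* passes SecurityContextPersistenceFilter first, so
       JSESSIONID -> HttpSession -> SecurityContext is resolved before CXF runs. -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- CXF servlet; the subclass name is an assumption (the trace shows CXFNonSpringServlet) -->
  <servlet>
    <servlet-name>CXFServlet</servlet-name>
    <servlet-class>com.example.PlutomCxfServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CXFServlet</servlet-name>
    <url-pattern>/rest/*</url-pattern>
  </servlet-mapping>
</web-app>

<!-- /WEB-INF/security.xml (Spring Security 3.x namespace) -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- create-session="ifRequired" (the default) is what persists the
       authenticated SecurityContext under JSESSIONID after the callback. -->
  <http use-expressions="true" create-session="ifRequired">
    <!-- The callback URL and the post-login target must be reachable to the
         filter chain; everything under /rest needs an authenticated session. -->
    <intercept-url pattern="/rest/**" access="isAuthenticated()" />
    <intercept-url pattern="/**" access="permitAll" />

    <!-- Steps 2 to 4 of the redirect chain: the login-processing-url both starts
         the OpenID round trip and receives the provider's 302 back with the
         assertion; default-target-url is the overridden final redirect. -->
    <openid-login login-processing-url="/j_spring_openid_security_check"
                  default-target-url="/rest/auth/success"
                  always-use-default-target="true"
                  authentication-failure-url="/rest/auth/failure" />
    <logout logout-url="/j_spring_security_logout" />
  </http>

  <!-- Without this element a @Secured annotation on the JAX-RS resource is inert. -->
  <global-method-security secured-annotations="enabled" />

  <!-- Assumed: every OpenID identity maps to a single role; replace with a real
       UserDetailsService to assign roles from the identifier. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="https://www.google.com/accounts/o8/id?id=EXAMPLE"
              password="notused" authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

Two things to verify against a deployment built from this: the JAX-RS resource annotated with @Secured("ROLE_USER") must itself be a Spring bean in the same context as global-method-security (CXF's jaxrs:server referencing it by bean id does this; a resource instantiated directly by a CXFNonSpringServlet subclass is not proxied and the annotation is ignored), and the filter mapping must cover the servlet path, since a chain mapped only on the JSP or login paths would leave /rest/auth/success with an unpopulated SecurityContextHolder, which is the symptom the stack trace above shows.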
