I'm trying to setup FEDIZ-1.1-SNAPSHOT with FEDIZ-1.1-SPRING-SNAPSHOT as an RP to an existing .NET ADFS IDP.
If I subclass `` to authenticate on my desired URL path `myAlaska` I end up with the following log entries when I try to log in: 06-18@09:56:56 INFO [] Spring Security Debugger - ************************************************************ Request received for '/myAlaska': org.apache.catalina.connector.RequestFacade@a2f68b servletPath:/myAlaska pathInfo:null Security filter chain: [ SecurityContextPersistenceFilter MyAlaskaAuthenticationFilter RequestCacheAwareFilter SecurityContextHolderAwareRequestFilter AnonymousAuthenticationFilter SessionManagementFilter ExceptionTranslationFilter FilterSecurityInterceptor ] ************************************************************ 06-18@09:56:56 DEBUG [] FilterChainProxy - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No HttpSession currently exists 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created. 06-18@09:56:56 DEBUG [] FilterChainProxy - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter' 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Compared: path=/myAlaska, and /j_spring_fediz_security_check 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - ServletPath Authentication: true 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Request is to process authentication 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - begin parameter logging. wa: null wresult: null full URL: https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska Method: GET 06-18@09:56:56 DEBUG [] ProviderManager - Authentication attempt using us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider - Authenticating: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1dacb29: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 146.63.181.15; SessionId: null; Not granted any authorities 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider - request: WA: null Wct: null Result: null Cert Count: 0 06-18@09:56:56 DEBUG [] FederationConfigImpl - Reading federation configuration for context '/newhirereporting' 06-18@09:56:56 ERROR [] FederationProcessorImpl - Invalid action 'null' 06-18@09:56:56 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request org.apache.cxf.fediz.core.exception.ProcessingException: The request was invalid or malformed at org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:93) at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:121) at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109) at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:30) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62) at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69) at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) at java.lang.Thread.run(Unknown Source) 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: The request was invalid or malformed 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1508a8b 06-18@09:56:56 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error 06-18@09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. 06-18@09:56:56 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed If I remove the additional Authentication checks so it only checks on /j_spring_fediz_security_check I get the following error instead: 06-18@10:57:19 INFO [] Spring Security Debugger - ************************************************************ Request received for '/myAlaska': org.apache.catalina.connector.RequestFacade@1cdedd4 servletPath:/myAlaska pathInfo:null Security filter chain: [ SecurityContextPersistenceFilter MyAlaskaAuthenticationFilter RequestCacheAwareFilter SecurityContextHolderAwareRequestFilter AnonymousAuthenticationFilter SessionManagementFilter ExceptionTranslationFilter FilterSecurityInterceptor ] ************************************************************ 06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 06-18@10:57:19 DEBUG [] nSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT 06-18@10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be created. 06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter' 06-18@10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication = false 06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' 06-18@10:57:19 DEBUG [] DefaultSavedRequest - pathInfo: both null (property equals) 06-18@10:57:19 DEBUG [] DefaultSavedRequest - queryString: both null (property equals) 06-18@10:57:19 DEBUG [] DefaultSavedRequest - requestURI: arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property equals) 06-18@10:57:19 DEBUG [] DefaultSavedRequest - serverPort: arg1=8443; arg2=8443 (property equals) 06-18@10:57:19 DEBUG [] DefaultSavedRequest - requestURL: arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska; arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property equals) 06-18@10:57:19 DEBUG [] DefaultSavedRequest - scheme: arg1=https; arg2=https (property equals) 06-18@10:57:19 DEBUG [] DefaultSavedRequest - serverName: arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals) 06-18@10:57:19 DEBUG [] DefaultSavedRequest - contextPath: arg1=/newhirereporting; arg2=/newhirereporting (property equals) 06-18@10:57:19 DEBUG [] DefaultSavedRequest - servletPath: arg1=/myAlaska; arg2=/myAlaska (property equals) 06-18@10:57:19 DEBUG [] HttpSessionRequestCache - Removing DefaultSavedRequest from session if present 06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' 06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' 06-18@10:57:19 DEBUG [] nymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS' 06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter' 06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' 06-18@10:57:19 DEBUG [] AntPathRequestMatcher - Checking match of request : '/myalaska'; against '/' 06-18@10:57:19 DEBUG [] AntPathRequestMatcher - Checking match of request : '/myalaska'; against '/myalaska' 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()] 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS 06-18@10:57:19 DEBUG [] AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@200930, returned: -1 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point org.springframework.security.access.AccessDeniedException: Access is denied at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69) at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) at java.lang.Thread.run(Unknown Source) 06-18@10:57:19 DEBUG [] HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska] 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication entry point. 06-18@10:57:19 DEBUG [] FederationConfigImpl - Reading federation configuration for context '/newhirereporting' 06-18@10:57:19 DEBUG [] MyAlaskaEntryPoint - Federation context: org.apache.cxf.fediz.core.config.FederationContext@a302f2 06-18@10:57:19 INFO [] FederationProcessorImpl - Issuer url: https://mydev.alaska.gov/adfs/ls/ 06-18@10:57:19 INFO [] FederationProcessorImpl - WAuth: 06-18@10:57:19 INFO [] FederationProcessorImpl - HomeRealm: null 06-18@10:57:19 INFO [] FederationProcessorImpl - Freshness: null 06-18@10:57:19 DEBUG [] FederationProcessorImpl - wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska 06-18@10:57:19 DEBUG [] FederationProcessorImpl - wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/ 06-18@10:57:19 INFO [] MyAlaskaEntryPoint - Redirecting to IDP: https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&pubId=enhr 06-18@10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. 06-18@10:57:19 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed The first error tells me there was a problem with the sign In request-response, it's a straight up hit to /myAlaska without the ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a POST. The second error is a redirect loop that /myAlaska -> redirects to the IDP -> redirects back to myAlaska -> redirects back to the IDP .... In my production applications people will normally just his / ->redirect to IDP -> / (or /welcome) and they're logged in. But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well. When I look into the logs, it appears that the return request from the sign in page is a plain GET redirect to my desired results page. It looks like Fediz wants a POST redirect with some desired parameters set like wa=wsignin1.0 and seeing as its not finding that information It errors, assumes I'm not logged in and redirects me to my IDPs Sign-In Page. I have spring security configured like so: <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" > <sec:intercept-url pattern="/" access="permitAll"/> <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" /> <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" /> <sec:session-management session-authentication-strategy-ref="sas"/> </sec:http> The examples look like you expect a role with the SAML Token. I want to treat ALL accounts from ADFS with the same role. Is using ' access="isFullyAuthenticated()" ' appropriate for my use case? Thank you for any help, Tom Burton Confidentiality Notice: This e-mail message including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
