Hi Tom
>>>
If I subclass `` to authenticate on my desired URL path `myAlaska`
>>>
Which class do you want to subclass?
>>>
MyAlaskaAuthProvider
>>>
What kind of AuthProvider is this?
>>>
If I remove the additional Authentication checks so it only checks on
/j_spring_fediz_security_check
>>>
Can you point me in your configuration what you mean?
>>>
The first error tells me there was a problem with the sign In request-response,
it's a straight up hit to /myAlaska without the ?wa=wsignin1.0 and any other
parameters. It's also a GET request and NOT a POST.
>>>
This is kind of strange. Did you really get redirected to the IDP? Could you
share the browser traffic (httpfox, findbugs, etc).
>>>
The second error is a redirect loop that /myAlaska -> redirects to the IDP ->
redirects back to myAlaska -> redirects back to the IDP ....
In my production applications people will normally just his / ->redirect to IDP
-> / (or /welcome) and they're logged in.
But I want to support someone directly navigating to /someOtherPage -> redirect
to IDP -> /someOtherPage as well.
When I look into the logs, it appears that the return request from the sign in
page is a plain GET redirect to my desired results page.
It looks like Fediz wants a POST redirect with some desired parameters set like
wa=wsignin1.0 and seeing as its not finding that information
It errors, assumes I'm not logged in and redirects me to my IDPs Sign-In Page.
>>>
This is per WS-Federation spec. The SAML assertion is sent in the wresult
parameter. Fediz works with ADFS but keep in mind that ADFS uses an older
WS-Trust and SAML 1.1 assertion which is supported by Fediz as well.
>>>
I have spring security configured like so:
<sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
<sec:intercept-url pattern="/" access="permitAll"/>
<sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
<sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
<sec:session-management session-authentication-strategy-ref="sas"/>
</sec:http>
The examples look like you expect a role with the SAML Token. I want to treat
ALL accounts from ADFS with the same role.
Is using ' access="isFullyAuthenticated()" ' appropriate for my use case?
>>>
The following definintion requires that you're authenticated (without the
requirement for any roles):
<sec:intercept-url pattern="/secure/fedservlet" access="isAuthenticated()"/>
There is an example available for spring security. Here is the spring security
documentation of it:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml?view=markup
HTH
Oli
------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division http://www.talend.com
________________________________________
From: Burton, Tom F (DOR) [[email protected]]
Sent: 18 June 2013 21:15
To: [email protected]
Subject: FEDIZ Authentication problems
I'm trying to setup FEDIZ-1.1-SNAPSHOT with FEDIZ-1.1-SPRING-SNAPSHOT as an RP
to an existing .NET ADFS IDP.
If I subclass `` to authenticate on my desired URL path `myAlaska`
I end up with the following log entries when I try to log in:
06-18@09:56:56 INFO [] Spring Security Debugger -
************************************************************
Request received for '/myAlaska':
org.apache.catalina.connector.RequestFacade@a2f68b
servletPath:/myAlaska
pathInfo:null
Security filter chain: [
SecurityContextPersistenceFilter
MyAlaskaAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
06-18@09:56:56 DEBUG [] FilterChainProxy - /myAlaska at position 1 of
8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
06-18@09:56:56 DEBUG [] nSecurityContextRepository - No HttpSession currently
exists
06-18@09:56:56 DEBUG [] nSecurityContextRepository - No SecurityContext was
available from the HttpSession: null. A new one will be created.
06-18@09:56:56 DEBUG [] FilterChainProxy - /myAlaska at position 2 of
8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Compared: path=/myAlaska,
and /j_spring_fediz_security_check
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - ServletPath
Authentication: true
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Request is to process
authentication
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - begin parameter logging.
wa: null
wresult: null
full URL: https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
Method: GET
06-18@09:56:56 DEBUG [] ProviderManager - Authentication attempt
using us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider
06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider - Authenticating:
org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1dacb29:
Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details:
org.springframework.security.web.authentication.WebAuthenticationDetails@b364:
RemoteIpAddress: 146.63.181.15; SessionId: null; Not granted any authorities
06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider - request: WA: null Wct:
null Result: null Cert Count: 0
06-18@09:56:56 DEBUG [] FederationConfigImpl - Reading federation
configuration for context '/newhirereporting'
06-18@09:56:56 ERROR [] FederationProcessorImpl - Invalid action 'null'
06-18@09:56:56 ERROR [] tionAuthenticationProvider - Failed to validate SignIn
request
org.apache.cxf.fediz.core.exception.ProcessingException: The request was
invalid or malformed
at
org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:93)
at
org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:121)
at
org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
at
us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:30)
at
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at
org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
at
us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
at
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at
org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
at
org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Unknown Source)
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication request
failed: org.springframework.security.authentication.BadCredentialsException:
The request was invalid or malformed
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated
SecurityContextHolder to contain null Authentication
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to
authentication failure handler
org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1508a8b
06-18@09:56:56 DEBUG [] thenticationFailureHandler - No failure URL set,
sending 401 Unauthorized error
06-18@09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty
or contents are anonymous - context will not be stored in HttpSession.
06-18@09:56:56 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now
cleared, as request processing completed
If I remove the additional Authentication checks so it only checks on
/j_spring_fediz_security_check
I get the following error instead:
06-18@10:57:19 INFO [] Spring Security Debugger -
************************************************************
Request received for '/myAlaska':
org.apache.catalina.connector.RequestFacade@1cdedd4
servletPath:/myAlaska
pathInfo:null
Security filter chain: [
SecurityContextPersistenceFilter
MyAlaskaAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 1 of
8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
06-18@10:57:19 DEBUG [] nSecurityContextRepository - HttpSession returned null
object for SPRING_SECURITY_CONTEXT
06-18@10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was
available from the HttpSession:
org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be
created.
06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 2 of
8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
06-18@10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication =
false
06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 3 of
8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
06-18@10:57:19 DEBUG [] DefaultSavedRequest - pathInfo: both null
(property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest - queryString: both null
(property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest - requestURI:
arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property
equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest - serverPort: arg1=8443;
arg2=8443 (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest - requestURL:
arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska;
arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property
equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest - scheme: arg1=https;
arg2=https (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest - serverName:
arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest - contextPath:
arg1=/newhirereporting; arg2=/newhirereporting (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest - servletPath:
arg1=/myAlaska; arg2=/myAlaska (property equals)
06-18@10:57:19 DEBUG [] HttpSessionRequestCache - Removing
DefaultSavedRequest from session if present
06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 4 of
8 in additional filter chain; firing Filter:
'SecurityContextHolderAwareRequestFilter'
06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 5 of
8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
06-18@10:57:19 DEBUG [] nymousAuthenticationFilter - Populated
SecurityContextHolder with anonymous token:
'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c:
Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true;
Details:
org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4:
RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5;
Granted Authorities: ROLE_ANONYMOUS'
06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 6 of
8 in additional filter chain; firing Filter: 'SessionManagementFilter'
06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 7 of
8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 8 of
8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
06-18@10:57:19 DEBUG [] AntPathRequestMatcher - Checking match of request
: '/myalaska'; against '/'
06-18@10:57:19 DEBUG [] AntPathRequestMatcher - Checking match of request
: '/myalaska'; against '/myalaska'
06-18@10:57:19 DEBUG [] FilterSecurityInterceptor - Secure object:
FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()]
06-18@10:57:19 DEBUG [] FilterSecurityInterceptor - Previously Authenticated:
org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c:
Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true;
Details:
org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4:
RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5;
Granted Authorities: ROLE_ANONYMOUS
06-18@10:57:19 DEBUG [] AffirmativeBased - Voter:
org.springframework.security.web.access.expression.WebExpressionVoter@200930,
returned: -1
06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied (user is
anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at
org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
at
org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
at
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
at
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at
org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
at
org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Unknown Source)
06-18@10:57:19 DEBUG [] HttpSessionRequestCache - DefaultSavedRequest added
to Session:
DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska]
06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication
entry point.
06-18@10:57:19 DEBUG [] FederationConfigImpl - Reading federation
configuration for context '/newhirereporting'
06-18@10:57:19 DEBUG [] MyAlaskaEntryPoint - Federation context:
org.apache.cxf.fediz.core.config.FederationContext@a302f2
06-18@10:57:19 INFO [] FederationProcessorImpl - Issuer url:
https://mydev.alaska.gov/adfs/ls/
06-18@10:57:19 INFO [] FederationProcessorImpl - WAuth:
06-18@10:57:19 INFO [] FederationProcessorImpl - HomeRealm: null
06-18@10:57:19 INFO [] FederationProcessorImpl - Freshness: null
06-18@10:57:19 DEBUG [] FederationProcessorImpl -
wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
06-18@10:57:19 DEBUG [] FederationProcessorImpl -
wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/
06-18@10:57:19 INFO [] MyAlaskaEntryPoint - Redirecting to IDP:
https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&pubId=enhr
06-18@10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty
or contents are anonymous - context will not be stored in HttpSession.
06-18@10:57:19 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now
cleared, as request processing completed
The first error tells me there was a problem with the sign In request-response,
it's a straight up hit to /myAlaska without the ?wa=wsignin1.0 and any other
parameters. It's also a GET request and NOT a POST.
The second error is a redirect loop that /myAlaska -> redirects to the IDP ->
redirects back to myAlaska -> redirects back to the IDP ....
In my production applications people will normally just his / ->redirect to IDP
-> / (or /welcome) and they're logged in.
But I want to support someone directly navigating to /someOtherPage -> redirect
to IDP -> /someOtherPage as well.
When I look into the logs, it appears that the return request from the sign in
page is a plain GET redirect to my desired results page.
It looks like Fediz wants a POST redirect with some desired parameters set like
wa=wsignin1.0 and seeing as its not finding that information
It errors, assumes I'm not logged in and redirects me to my IDPs Sign-In Page.
I have spring security configured like so:
<sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
<sec:intercept-url pattern="/" access="permitAll"/>
<sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
<sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
<sec:session-management session-authentication-strategy-ref="sas"/>
</sec:http>
The examples look like you expect a role with the SAML Token. I want to treat
ALL accounts from ADFS with the same role.
Is using ' access="isFullyAuthenticated()" ' appropriate for my use case?
Thank you for any help,
Tom Burton
Confidentiality Notice: This e-mail message including any attachments, is for
the sole use of the intended recipient(s) and may contain confidential and
privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.
