I've actually made it past these issues. :) But now I have new ones. :(

The initial class I was talking about sub-classing was: FederationAuthenticationFilter

The "additional Authentication checks" were in my subclass.

The Java code looked like so (the override in my filter subclass):

    @Override
    protected boolean requiresAuthentication(HttpServletRequest request,
                                             HttpServletResponse response) {
        boolean required = false;
        //should this be equals or some fancy ** matching type stuff?
        String path = request.getServletPath();
        // contains() is a substring match: any servlet path that merely contains
        // the processes URL counts, not only an exact hit on it
        required = path.contains(getFilterProcessesUrl());
        //getRequestURI().contains(getFilterProcessesUrl());

        //TODO: look up an "easy" way to read the spring config
        //PageMapHolder manually parses the Spring xml files on deploy

        if ( !required ) { required = PageMapHolder.getPages().containsKey(path); }

        if ( log.isDebugEnabled() )
        {
          log.debug( "Compared: path=" + request.getServletPath()
                   + ", and " + getFilterProcessesUrl() );
          log.debug("ServletPath Authentication: " + required);
        }
        // fall back to the standard check (servlet path equals the processes URL)
        if (!required)
        { required = super.requiresAuthentication(request, response); }
        return required;
    }

They have been disabled.

The solution ended up requiring me to copy the implementation of FederationAuthenticationEntryPoint as MyAlaskaEntryPoint. I needed to mangle the redirect URL with more options than it looks like are available in the fediz_config file.
I basically had to add:

    redirectUrl += "&wctx=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
                 + "%252Fnewhirereporting%252FmyAlaska"; // double encoded /contextpath/page

I also copied it to add:

    redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID;

pubId is a URL parameter to add a friendly message to the login page for the user.

So now I do actually get a "SAML Token", but all it contains is a GUID. I then have to call a SOAP web service to actually convert that GUID into a real user object.


MyAlaskaAuthProvider is a subclass of FederationAuthenticationProvider.

It overrides #authenticate to add some logging before calling super.
It overrides #loadUserByFederationResponse to find the myAkUsername BEFORE calling super.

The current error I'm getting is a certificate error while trying to access the GUID based web service.

So in doing some research I found this:
http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-Howtooverridetheserviceaddress%3F

I've followed the page and created a cxf.xml; I've added it as another file to be parsed as part of my Spring config.

cxf.xml has an http:conduit like so:

  <http:conduit
    name="{http://cxf.apache.org/}TransportURIResolver.http-conduit"> <!-- magic value for https -->

    <!--name="{http://myalaska.state.ak.us/wsdl/MyAlaskaService}WSHttpBinding_MyAlaskaService.http-conduit">-->

    <!-- duplicates values from <certificateStores> in Fediz config -->
    <http:tlsClientParameters>
      <sec:keyManagers keyPassword="password">
        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
      </sec:keyManagers>
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
      </sec:trustManagers>
      <sec:cipherSuitesFilter>
        <!-- these filters ensure that a ciphersuite with
             export-suitable or null encryption is used,
             but exclude anonymous Diffie-Hellman key change as
             this is vulnerable to man-in-the-middle attacks -->
        <!-- note: the _EXPORT_, _WITH_DES_ and _WITH_NULL_ includes below
             admit weak or no encryption; .*_WITH_AES_.* is the only
             strong include in this list -->
        <sec:include>.*_EXPORT_.*</sec:include>
        <sec:include>.*_EXPORT1024_.*</sec:include>
        <sec:include>.*_WITH_DES_.*</sec:include>
        <sec:include>.*_WITH_AES_.*</sec:include>
        <sec:include>.*_WITH_NULL_.*</sec:include>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
  </http:conduit>

However, when I try and actually create an instance of my SOAP service, I get a stack trace in my log file. Pasted in full below.
To me the interesting bit is probably:
Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 
'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target: 
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target 

So am I defining my conduit name right? How can I tell if the conduit wrapping is even happening?


Thank you again,
Tom Burton



--------------- Full Stack Trace -------------
 
06-19@14:27:45 ERROR [] tionAuthenticationProvider - Failed to validate SignIn 
request
javax.xml.ws.WebServiceException: 
org.apache.cxf.service.factory.ServiceConstructionException: Failed to create 
service.
        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:149)
        at 
org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
        at javax.xml.ws.Service.<init>(Unknown Source)
        at 
us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
        at 
us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
        at 
us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
        at 
org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
        at 
org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
        at 
us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
        at 
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
        at 
org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
        at 
us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
        at 
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
        at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at 
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at 
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at 
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at 
org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
        at 
org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
        at 
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at 
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at 
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at 
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at 
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Unknown Source)
Caused by: org.apache.cxf.service.factory.ServiceConstructionException: Failed 
to create service.
        at 
org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:100)
        at 
org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
        ... 33 more
Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 
'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target: 
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at 
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown 
Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown 
Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown 
Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown 
Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown 
Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at 
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown 
Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown 
Source)
        at 
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
        at 
com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(Unknown
 Source)
        at 
com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(Unknown
 Source)
        at 
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown 
Source)
        at 
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown 
Source)
        at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown 
Source)
        at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown 
Source)
        at 
com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown 
Source)
        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
        at 
org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
        at 
org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
        at 
org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
        at 
org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
        at 
org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
        at javax.xml.ws.Service.<init>(Unknown Source)
        at 
us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
        at 
us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
        at 
us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
        at 
org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
        at 
org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
        at 
us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
        at 
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
        at 
org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
        at 
us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
        at 
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
        at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at 
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at 
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at 
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at 
org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
        at 
org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
        at 
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at 
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at 
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at 
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at 
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building 
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to 
find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown 
Source)
        at 
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown 
Source)
        at 
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown 
Source)
        ... 60 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable 
to find valid certification path to requested target
        at 
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 66 more

        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
        at 
org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
        at 
org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
        at 
org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
        ... 35 more
06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Authentication request 
failed: org.springframework.security.authentication.BadCredentialsException: 
org.apache.cxf.service.factory.ServiceConstructionException: Failed to create 
service.
06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Updated 
SecurityContextHolder to contain null Authentication
06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Delegating to 
authentication failure handler 
org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@8c9de8
06-19@14:27:45 DEBUG [] thenticationFailureHandler - No failure URL set, 
sending 401 Unauthorized error
06-19@14:27:45 DEBUG [] nSecurityContextRepository - SecurityContext is empty 
or contents are anonymous - context will not be stored in HttpSession.
06-19@14:27:45 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now 
cleared, as request processing completed
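
The request classification that the requiresAuthentication override above and Oliver's WS-Federation note are about, as an added, dependency-free Java example that is not code from this thread or from Fediz: a request is treated as a sign-in response only when it is a POST to the exact filter processes URL carrying wa=wsignin1.0 and wresult; a plain GET to /myAlaska (the "Invalid action 'null'" case in the log) is left for the access check and the entry point redirect. Class, method and parameter names are hypothetical, and the wresult value is a placeholder.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Stand-in for the decision an AbstractAuthenticationProcessingFilter subclass makes
 * in requiresAuthentication(): should this request be handed to the
 * FederationAuthenticationProvider as a WS-Federation sign-in response, or is it an
 * ordinary navigation that must fall through to FilterSecurityInterceptor?
 * Hypothetical helper, not Fediz or Spring Security code.
 */
public class FedizSignInRequestCheck {

    /** Value of the WS-Federation "wa" parameter on a sign-in response. */
    static final String WSIGNIN = "wsignin1.0";

    /**
     * @param method       HTTP method of the request (GET, POST, ...)
     * @param servletPath  request.getServletPath()
     * @param params       request.getParameterMap()
     * @param processesUrl the filter's processes URL (e.g. /j_spring_fediz_security_check)
     */
    static boolean isSignInResponse(String method, String servletPath,
                                    Map<String, String[]> params, String processesUrl) {
        // Exact match on the servlet path. A substring test such as
        // path.contains(processesUrl) would also accept any longer path that
        // happens to contain the processes URL.
        if (!processesUrl.equals(servletPath)) {
            return false;
        }
        // Per WS-Federation the assertion is carried in wresult of a POST; a GET
        // without wa/wresult is a plain page hit, not a response from the IdP.
        if (!"POST".equalsIgnoreCase(method)) {
            return false;
        }
        return WSIGNIN.equals(first(params, "wa")) && first(params, "wresult") != null;
    }

    /** First value of a request parameter, or null when absent (mirrors getParameter). */
    static String first(Map<String, String[]> params, String name) {
        String[] values = params.get(name);
        return (values == null || values.length == 0) ? null : values[0];
    }

    public static void main(String[] args) {
        String processesUrl = "/j_spring_fediz_security_check";

        // Constructed sample requests modelled on the log lines in the thread.
        Map<String, String[]> noParams = new HashMap<>();

        Map<String, String[]> idpResponse = new HashMap<>();
        idpResponse.put("wa", new String[] {WSIGNIN});
        idpResponse.put("wresult", new String[] {"<t:RequestSecurityTokenResponse/>"}); // placeholder
        idpResponse.put("wctx", new String[] {"id=passive&ru=%2Fnewhirereporting%2FmyAlaska"});

        // Case 1: GET /myAlaska with wa:null wresult:null. Not a sign-in response;
        // the access check denies the anonymous user and the entry point redirects to the IdP.
        report("GET /myAlaska",
               isSignInResponse("GET", "/myAlaska", noParams, processesUrl));

        // Case 2: the IdP posts the token back to the processes URL. This is the only
        // shape the authentication provider should see.
        report("POST " + processesUrl + " with wa/wresult",
               isSignInResponse("POST", processesUrl, idpResponse, processesUrl));

        // Case 3: a GET to the processes URL with no token (for example a bookmarked
        // URL). Rejected: no wresult to validate.
        report("GET " + processesUrl,
               isSignInResponse("GET", processesUrl, noParams, processesUrl));

        // Case 4: a longer path that merely contains the processes URL. Rejected by
        // the exact match, whereas contains() would have accepted it.
        report("POST " + processesUrl + "/extra with wa/wresult",
               isSignInResponse("POST", processesUrl + "/extra", idpResponse, processesUrl));
    }

    static void report(String label, boolean signIn) {
        System.out.println(label + " -> " + (signIn ? "process as sign-in response"
                                                    : "not a sign-in response"));
    }
}
```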


-----Original Message-----
From: Oliver Wulff [mailto:[email protected]] 
Sent: Tuesday, June 18, 2013 11:11 PM
To: [email protected]
Subject: RE: FEDIZ Authentication problems

Hi Tom

>>>
If I subclass ``  to authenticate on my desired URL path `myAlaska`
>>>
Which class do you want to subclass?

>>>
MyAlaskaAuthProvider       
>>>
What kind of AuthProvider is this?

>>>
If  I remove the additional Authentication checks so it only checks on 
/j_spring_fediz_security_check
>>>
Can you point me in your configuration what you mean?

>>>
The first error tells me there was a problem with the sign In request-response, 
it's a straight up  hit to /myAlaska without the ?wa=wsignin1.0 and any other 
parameters. It's also a GET request and NOT a POST.
>>>
This is kind of strange. Did you really get redirected to the IDP? Could you 
share the browser traffic (httpfox, findbugs, etc).

>>>
The second error is a redirect loop that /myAlaska  -> redirects to the IDP -> 
redirects back to myAlaska -> redirects back to the IDP ....
In my production applications people will normally just his / ->redirect to IDP 
-> / (or /welcome) and they're logged in.
But I want to support someone directly navigating to /someOtherPage -> redirect 
to IDP -> /someOtherPage as well.
When I look into the logs, it appears that the return request from the sign in 
page is a plain GET redirect to my desired results page.
It looks like Fediz wants a POST redirect with some desired parameters set like 
wa=wsignin1.0 and seeing as its not finding that information It errors, assumes 
I'm not logged in and redirects me to my IDPs Sign-In Page.
>>>
This is per WS-Federation spec. The SAML assertion is sent in the wresult 
parameter. Fediz works with ADFS but keep in mind that ADFS uses an older 
WS-Trust and SAML 1.1 assertion which is supported by Fediz as well.


>>>
I have spring security configured like so:
<sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
    <sec:intercept-url pattern="/" access="permitAll"/>
    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
    <sec:session-management session-authentication-strategy-ref="sas"/>
</sec:http>
The examples look like you expect a role with the SAML Token.  I want to treat 
ALL accounts from ADFS with the same role.
Is using  ' access="isFullyAuthenticated()"  ' appropriate for my use case?
>>>
The following definition requires that you're authenticated (without the requirement for any roles):
<sec:intercept-url pattern="/secure/fedservlet" access="isAuthenticated()"/>

There is an example available for spring security. Here is the spring security 
documentation of it:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml?view=markup

HTH

Oli


------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Burton, Tom F (DOR) [[email protected]]
Sent: 18 June 2013 21:15
To: [email protected]
Subject: FEDIZ Authentication problems

I'm trying to set up FEDIZ-1.1-SNAPSHOT with FEDIZ-1.1-SPRING-SNAPSHOT as an RP to an existing .NET ADFS IDP.

If I subclass ``  to authenticate on my desired URL path `myAlaska` I end up with the following log entries when I try to log in:

06-18@09:56:56 INFO  [] Spring Security Debugger   -

************************************************************

Request received for '/myAlaska':

org.apache.catalina.connector.RequestFacade@a2f68b

servletPath:/myAlaska
pathInfo:null

Security filter chain: [
  SecurityContextPersistenceFilter
  MyAlaskaAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************


06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 
8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
06-18@09:56:56 DEBUG [] nSecurityContextRepository - No HttpSession currently 
exists
06-18@09:56:56 DEBUG [] nSecurityContextRepository - No SecurityContext was 
available from the HttpSession: null. A new one will be created.
06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 
8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Compared: path=/myAlaska, 
and /j_spring_fediz_security_check
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - ServletPath 
Authentication: true
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Request is to process 
authentication
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - begin parameter logging.
wa:       null
wresult:  null
full URL: https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
Method:   GET
06-18@09:56:56 DEBUG [] ProviderManager            - Authentication attempt 
using us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider
06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - Authenticating: 
org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1dacb29:
 Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: 
org.springframework.security.web.authentication.WebAuthenticationDetails@b364: 
RemoteIpAddress: 146.63.181.15; SessionId: null; Not granted any authorities
06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - request: WA: null Wct: 
null Result: null Cert Count: 0
06-18@09:56:56 DEBUG [] FederationConfigImpl       - Reading federation 
configuration for context '/newhirereporting'
06-18@09:56:56 ERROR [] FederationProcessorImpl    - Invalid action 'null'
06-18@09:56:56 ERROR [] tionAuthenticationProvider - Failed to validate SignIn 
request
org.apache.cxf.fediz.core.exception.ProcessingException: The request was 
invalid or malformed
        at 
org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:93)
        at 
org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:121)
        at 
org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
        at 
us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:30)
        at 
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
        at 
org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
        at 
us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
        at 
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
        at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at 
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at 
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at 
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at 
org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
        at 
org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
        at 
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at 
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at 
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at 
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at 
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Unknown Source)
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication request 
failed: org.springframework.security.authentication.BadCredentialsException: 
The request was invalid or malformed
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated 
SecurityContextHolder to contain null Authentication
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to 
authentication failure handler 
org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1508a8b
06-18@09:56:56 DEBUG [] thenticationFailureHandler - No failure URL set, 
sending 401 Unauthorized error
06-18@09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty 
or contents are anonymous - context will not be stored in HttpSession.
06-18@09:56:56 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now 
cleared, as request processing completed

If I remove the additional Authentication checks so it only checks on /j_spring_fediz_security_check I get the following error instead:

06-18@10:57:19 INFO  [] Spring Security Debugger   -

************************************************************

Request received for '/myAlaska':

org.apache.catalina.connector.RequestFacade@1cdedd4

servletPath:/myAlaska
pathInfo:null

Security filter chain: [
  SecurityContextPersistenceFilter
  MyAlaskaAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************


06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 
8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
06-18@10:57:19 DEBUG [] nSecurityContextRepository - HttpSession returned null 
object for SPRING_SECURITY_CONTEXT
06-18@10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was 
available from the HttpSession: 
org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be 
created.
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 
8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
06-18@10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication = 
false
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 3 of 
8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - pathInfo: both null 
(property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - queryString: both null 
(property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURI: 
arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property 
equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverPort: arg1=8443; 
arg2=8443 (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURL: 
arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska; 
arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property 
equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - scheme: arg1=https; 
arg2=https (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverName: 
arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - contextPath: 
arg1=/newhirereporting; arg2=/newhirereporting (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - servletPath: 
arg1=/myAlaska; arg2=/myAlaska (property equals)
06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - Removing 
DefaultSavedRequest from session if present
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 4 of 
8 in additional filter chain; firing Filter: 
'SecurityContextHolderAwareRequestFilter'
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 5 of 
8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
06-18@10:57:19 DEBUG [] nymousAuthenticationFilter - Populated 
SecurityContextHolder with anonymous token: 
'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c:
 Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; 
Details: 
org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4:
 RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; 
Granted Authorities: ROLE_ANONYMOUS'
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 6 of 
8 in additional filter chain; firing Filter: 'SessionManagementFilter'
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 7 of 
8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 8 of 
8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request 
: '/myalaska'; against '/'
06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request 
: '/myalaska'; against '/myalaska'
06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Secure object: 
FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()]
06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Previously Authenticated: 
org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c:
 Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; 
Details: 
org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4:
 RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; 
Granted Authorities: ROLE_ANONYMOUS
06-18@10:57:19 DEBUG [] AffirmativeBased           - Voter: 
org.springframework.security.web.access.expression.WebExpressionVoter@200930, 
returned: -1
06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied (user is 
anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
        at 
org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
        at 
org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
        at 
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
        at 
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
        at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at 
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
        at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at 
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
        at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at 
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
        at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at 
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
        at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at 
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
        at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at 
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
        at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at 
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at 
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at 
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at 
org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
        at 
org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
        at 
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at 
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at 
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at 
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at 
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Unknown Source)
06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - DefaultSavedRequest added 
to Session: 
DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska]
06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication 
entry point.
06-18@10:57:19 DEBUG [] FederationConfigImpl       - Reading federation 
configuration for context '/newhirereporting'
06-18@10:57:19 DEBUG [] MyAlaskaEntryPoint         - Federation context: 
org.apache.cxf.fediz.core.config.FederationContext@a302f2
06-18@10:57:19 INFO  [] FederationProcessorImpl    - Issuer url: 
https://mydev.alaska.gov/adfs/ls/
06-18@10:57:19 INFO  [] FederationProcessorImpl    - WAuth:
06-18@10:57:19 INFO  [] FederationProcessorImpl    - HomeRealm: null
06-18@10:57:19 INFO  [] FederationProcessorImpl    - Freshness: null
06-18@10:57:19 DEBUG [] FederationProcessorImpl    - 
wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
06-18@10:57:19 DEBUG [] FederationProcessorImpl    - 
wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/
06-18@10:57:19 INFO  [] MyAlaskaEntryPoint         - Redirecting to IDP: 
https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&pubId=enhr
06-18@10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty 
or contents are anonymous - context will not be stored in HttpSession.
06-18@10:57:19 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now 
cleared, as request processing completed

The first error tells me there was a problem with the sign-in request-response; 
it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 and any other 
parameters. It's also a GET request and NOT a POST.

The second error is a redirect loop: /myAlaska -> redirects to the IDP -> 
redirects back to /myAlaska -> redirects back to the IDP ....
In my production applications people will normally just hit / -> redirect to IDP 
-> / (or /welcome) and they're logged in.
But I want to support someone directly navigating to /someOtherPage -> redirect 
to IDP -> /someOtherPage as well.
When I look into the logs, it appears that the return request from the sign-in 
page is a plain GET redirect to my desired results page.
It looks like Fediz wants a POST redirect with some desired parameters set, like 
wa=wsignin1.0, and seeing as it's not finding that information it errors, assumes 
I'm not logged in and redirects me to my IDP's sign-in page.

I have Spring Security configured like so:

    <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
        <sec:intercept-url pattern="/" access="permitAll"/>
        <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
        <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
        <sec:session-management session-authentication-strategy-ref="sas"/>
    </sec:http>

The examples look like you expect a role with the SAML Token. I want to treat 
ALL accounts from ADFS with the same role.
Is using ' access="isFullyAuthenticated()" ' appropriate for my use case?

Thank you for any help,
Tom Burton
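Added example, not code from the thread or from Fediz or Spring Security: a plain-Java (Java 10+) model of the check the message above describes, namely that a sign-in response is a POST carrying wa=wsignin1.0 and wresult, so a plain GET return never satisfies the filter and the entry point redirects again. The String/Map request stand-ins, the example hostnames, and the per-session loop guard are assumptions of this example, not Fediz behaviour.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

// Added model, not Fediz/Spring code; String/Map stand in for the servlet API.
public final class WsFedPassiveModel {

    // The shape the author says Fediz expects before it processes a sign-in
    // response: a POST carrying wa=wsignin1.0 and a non-empty wresult. A plain
    // GET to the same path, even with wa set, does not qualify, so the chain
    // falls through to the anonymous token and the entry point redirects again.
    static boolean isSignInResponse(String method, Map<String, String> params) {
        String wresult = params.get("wresult");
        return "POST".equalsIgnoreCase(method)
            && "wsignin1.0".equals(params.get("wa"))
            && wresult != null && !wresult.isEmpty();
    }

    // Outbound redirect shaped like the one at the end of the log (wct omitted).
    // wctx is opaque to the IDP and echoed back unchanged, so it can carry the
    // page the user originally asked for (the author's /someOtherPage case).
    static String buildSignInRedirect(String issuer, String wreply,
                                      String wtrealm, String wctx) {
        return issuer + "?wa=wsignin1.0"
            + "&wreply=" + URLEncoder.encode(wreply, StandardCharsets.UTF_8)
            + "&wtrealm=" + URLEncoder.encode(wtrealm, StandardCharsets.UTF_8)
            + "&wctx=" + URLEncoder.encode(wctx, StandardCharsets.UTF_8);
    }

    // Hypothetical loop guard (assumed per-session counter, reset on a valid
    // sign-in response): stop bouncing a session to the IDP after maxHops
    // redirects so a mismatched wreply fails visibly instead of looping.
    static final Map<String, Integer> HOPS = new HashMap<>();

    static boolean mayRedirect(String sessionId, int maxHops) {
        return HOPS.merge(sessionId, 1, Integer::sum) <= maxHops;
    }

    public static void main(String[] args) {
        // Constructed requests mirroring the log: the bare GET that trips the
        // loop, and the POST a sign-in response uses. Hosts are placeholders.
        System.out.println(isSignInResponse("GET", Map.of()));
        System.out.println(isSignInResponse("POST", Map.of(
            "wa", "wsignin1.0", "wresult", "<t:RequestSecurityTokenResponse/>")));
        System.out.println(buildSignInRedirect("https://idp.example/adfs/ls/",
            "https://app.example:8443/newhirereporting/myAlaska",
            "https://app.example:8443/newhirereporting/", "ru=/someOtherPage"));
        for (int i = 0; i < 4; i++) System.out.println(mayRedirect("sid-1", 3));
    }
}
```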
