Change the conduit name to something like:

name="https://mydev-svc.state.ak.us:444/.*"

Using the service name can only apply those settings after the service is created and the name, namespace and such are known. To have it apply for wsdl loading as well, use a URL format (and the .* at the end for the regex expansion).

Dan

On Jun 19, 2013, at 6:49 PM, "Burton, Tom F (DOR)" <[email protected]> wrote:

> I've actually made it past these issues. :) but now I have new ones :(
>
> The initial class I was talking about sub-classing was:
> FederationAuthenticationFilter
>
> The "additional Authentication checks" were in my subclass.
>
> The java code looked like so:
>
> boolean required = false;
> //should this be equals or some fancy ** matching type stuff?
> String path = request.getServletPath();
> required = path.contains(getFilterProcessesUrl());
> //getRequestURI().contains(getFilterProcessesUrl());
>
> //TODO: look up an "easy" way to read the spring config
> //PageMapHolder manually parses the Spring xml files on deploy
>
> if ( !required ) {
>     required = PageMapHolder.getPages().containsKey(path);
> }
>
> if ( log.isDebugEnabled() )
> {
>     log.debug( "Compared: path=" + request.getServletPath()
>         + ", and " + getFilterProcessesUrl() );
>     log.debug("ServletPath Authentication: " + required);
> }
> if (!required)
> {
>     required = super.requiresAuthentication(request, response);
> }
> return required;
>
> They have been disabled.
>
> The solution ended up requiring me to copy the implementation of
> FederationAuthenticationEntryPoint, as MyAlaskaEntryPoint. I needed to
> mangle the redirect URL with more options than it looks like are
> available in the fediz_config file.
> I basically had to add:
>
> redirectUrl += "&wctx=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
>     + "%252Fnewhirereporting%252FmyAlaska"; //double encoded /contextpath/page
>
>
> I also copied it to add
> redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID;
>
> pubId is a URL parameter to add a friendly message to the login page for the
> user.
>
> So now I do actually get a "SAML Token" but all it contains is a GUID.
> I then have to call a SOAP web Service to actually convert that GUID into a
> real user object.
>
>
> MyAlaskaAuthProvider is a subclass of FederationAuthenticationProvider
>
> It overrides #authenticate to add some logging before calling super
> It overrides #loadUserByFederationResponse to find the myAkUsername BEFORE
> calling super
>
> The current Error I'm getting is a certificate error while trying to access
> the GUID based web service.
>
> So in doing some research I found this:
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-Howtooverridetheserviceaddress%3F
>
>
> I've followed the page and created a cxf.xml. I've added it as another file to
> be parsed as part of my Spring Config.
>
> cxf.xml has an http:conduit like so:
>
> <http:conduit
>     name="{http://cxf.apache.org/}TransportURIResolver.http-conduit"> <!-- magic value for https -->
>
>     <!--name="{http://myalaska.state.ak.us/wsdl/MyAlaskaService}WSHttpBinding_MyAlaskaService.http-conduit">-->
>
>     <!-- duplicates values from <certificateStores> in Fediz config -->
>     <http:tlsClientParameters>
>         <sec:keyManagers keyPassword="password">
>             <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>         </sec:keyManagers>
>         <sec:trustManagers>
>             <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>         </sec:trustManagers>
>         <sec:cipherSuitesFilter>
>             <!-- these filters ensure that a ciphersuite with
>                  export-suitable or null encryption is used,
>                  but exclude anonymous Diffie-Hellman key change as
>                  this is vulnerable to man-in-the-middle attacks -->
>             <sec:include>.*_EXPORT_.*</sec:include>
>             <sec:include>.*_EXPORT1024_.*</sec:include>
>             <sec:include>.*_WITH_DES_.*</sec:include>
>             <sec:include>.*_WITH_AES_.*</sec:include>
>             <sec:include>.*_WITH_NULL_.*</sec:include>
>             <sec:exclude>.*_DH_anon_.*</sec:exclude>
>         </sec:cipherSuitesFilter>
>     </http:tlsClientParameters>
>     <http:client AutoRedirect="true" Connection="Keep-Alive"/>
> </http:conduit>
>
> However when I try and actually create an instance of my soap service, I get
> a stack trace in my log file. Pasted in full below.
> To me the interesting bit is probably:
>
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing
> 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>
> So am I defining my conduit name right? How can I tell if the conduit
> wrapping is even happening?
>
>
> Thank you again,
> Tom Burton
>
>
>
> --------------- Full Stack Trace -------------
>
> 06-19@14:27:45 ERROR [] tionAuthenticationProvider - Failed to validate
> SignIn request
> javax.xml.ws.WebServiceException:
> org.apache.cxf.service.factory.ServiceConstructionException: Failed to create
> service.
> ... 66 more
>
>     at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>     at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>     at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>     at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>     at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>     at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
> ... 35 more
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Authentication request
> failed: org.springframework.security.authentication.BadCredentialsException:
> org.apache.cxf.service.factory.ServiceConstructionException: Failed to create
> service.
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Updated
> SecurityContextHolder to contain null Authentication
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Delegating to
> authentication failure handler
> org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@8c9de8
> 06-19@14:27:45 DEBUG [] thenticationFailureHandler - No failure URL set,
> sending 401 Unauthorized error
> 06-19@14:27:45 DEBUG [] nSecurityContextRepository - SecurityContext is empty
> or contents are anonymous - context will not be stored in HttpSession.
> 06-19@14:27:45 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder
> now cleared, as request processing completed
>
>
> -----Original Message-----
> From: Oliver Wulff [mailto:[email protected]]
> Sent: Tuesday, June 18, 2013 11:11 PM
> To: [email protected]
> Subject: RE: FEDIZ Authentication problems
>
> Hi Tom
>
> >>>>
> If I subclass `` to authenticate on my desired URL path `myAlaska`
> >>>>
> Which class do you want to subclass?
>
> >>>>
> MyAlaskaAuthProvider
> >>>>
> What kind of AuthProvider is this?
>
> >>>>
> If I remove the additional Authentication checks so it only checks on
> /j_spring_fediz_security_check
> >>>>
> Can you point me in your configuration what you mean?
>
> >>>>
> The first error tells me there was a problem with the sign In
> request-response, it's a straight up hit to /myAlaska without the
> ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a
> POST.
> >>>>
> This is kind of strange. Did you really get redirected to the IDP? Could you
> share the browser traffic (httpfox, findbugs, etc).
>
> >>>>
> The second error is a redirect loop that /myAlaska -> redirects to the IDP
> -> redirects back to myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to
> IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage ->
> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign
> in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set
> like wa=wsignin1.0 and seeing as it's not finding that information it errors,
> assumes I'm not logged in and redirects me to my IDP's Sign-In Page.
> >>>>
> This is per WS-Federation spec. The SAML assertion is sent in the wresult
> parameter. Fediz works with ADFS but keep in mind that ADFS uses an older
> WS-Trust and SAML 1.1 assertion which is supported by Fediz as well.
>
>
> >>>>
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>     <sec:intercept-url pattern="/" access="permitAll"/>
>     <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>     <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>     <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML Token. I want to
> treat ALL accounts from ADFS with the same role.
> Is using ' access="isFullyAuthenticated()" ' appropriate for my use case?
> >>>>
> The following definition requires that you're authenticated (without the
> requirement for any roles):
> <sec:intercept-url pattern="/secure/fedservlet" access="isAuthenticated()"/>
>
> There is an example available for spring security. Here is the spring
> security documentation of it:
> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml?view=markup
>
> HTH
>
> Oli
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com
>
> ________________________________________
> From: Burton, Tom F (DOR) [[email protected]]
> Sent: 18 June 2013 21:15
> To: [email protected]
> Subject: FEDIZ Authentication problems
>
> I'm trying to setup FEDIZ-1.1-SNAPSHOT with FEDIZ-1.1-SPRING-SNAPSHOT as an
> RP to an existing .NET ADFS IDP.
>
> If I subclass `` to authenticate on my desired URL path `myAlaska` I end up
> with the following log entries when I try to log in:
>
> 06-18@09:56:56 INFO [] Spring Security Debugger -
>
> ************************************************************
>
> Request received for '/myAlaska':
>
> org.apache.catalina.connector.RequestFacade@a2f68b
>
> servletPath:/myAlaska
> pathInfo:null
>
> Security filter chain: [
>   SecurityContextPersistenceFilter
>   MyAlaskaAuthenticationFilter
>   RequestCacheAwareFilter
>   SecurityContextHolderAwareRequestFilter
>   AnonymousAuthenticationFilter
>   SessionManagementFilter
>   ExceptionTranslationFilter
>   FilterSecurityInterceptor
> ]
>
>
> ************************************************************
>
>
> 06-18@09:56:56 DEBUG [] FilterChainProxy - /myAlaska at position 1
> of 8 in additional filter chain; firing Filter:
> 'SecurityContextPersistenceFilter'
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No HttpSession currently
> exists
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No SecurityContext was
> available from the HttpSession: null. A new one will be created.
> 06-18@09:56:56 DEBUG [] FilterChainProxy - /myAlaska at position 2
> of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Compared:
> path=/myAlaska, and /j_spring_fediz_security_check
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - ServletPath
> Authentication: true
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Request is to process
> authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - begin parameter logging.
> wa: null
> wresult: null
> full URL: https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> Method: GET
> 06-18@09:56:56 DEBUG [] ProviderManager - Authentication attempt
> using us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider - Authenticating:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1dacb29:
> Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@b364:
> RemoteIpAddress: 146.63.181.15; SessionId: null; Not granted any authorities
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider - request: WA: null Wct:
> null Result: null Cert Count: 0
> 06-18@09:56:56 DEBUG [] FederationConfigImpl - Reading federation
> configuration for context '/newhirereporting'
> 06-18@09:56:56 ERROR [] FederationProcessorImpl - Invalid action 'null'
> 06-18@09:56:56 ERROR [] tionAuthenticationProvider - Failed to validate
> SignIn request
> org.apache.cxf.fediz.core.exception.ProcessingException: The request was
> invalid or malformed
>     at org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:93)
>     at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:121)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>     at java.lang.Thread.run(Unknown Source)
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication request
> failed: org.springframework.security.authentication.BadCredentialsException:
> The request was invalid or malformed
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated
> SecurityContextHolder to contain null Authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to
> authentication failure handler
> org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1508a8b
> 06-18@09:56:56 DEBUG [] thenticationFailureHandler - No failure URL set,
> sending 401 Unauthorized error
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty
> or contents are anonymous - context will not be stored in HttpSession.
> 06-18@09:56:56 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder
> now cleared, as request processing completed
>
> If I remove the additional Authentication checks so it only checks on
> /j_spring_fediz_security_check I get the following error instead:
>
> 06-18@10:57:19 INFO [] Spring Security Debugger -
>
> ************************************************************
>
> Request received for '/myAlaska':
>
> org.apache.catalina.connector.RequestFacade@1cdedd4
>
> servletPath:/myAlaska
> pathInfo:null
>
> Security filter chain: [
>   SecurityContextPersistenceFilter
>   MyAlaskaAuthenticationFilter
>   RequestCacheAwareFilter
>   SecurityContextHolderAwareRequestFilter
>   AnonymousAuthenticationFilter
>   SessionManagementFilter
>   ExceptionTranslationFilter
>   FilterSecurityInterceptor
> ]
>
>
> ************************************************************
>
>
> 06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 1
> of 8 in additional filter chain; firing Filter:
> 'SecurityContextPersistenceFilter'
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - HttpSession returned
> null object for SPRING_SECURITY_CONTEXT
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was
> available from the HttpSession:
> org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be
> created.
> 06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 2
> of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication =
> false
> 06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 3
> of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest - pathInfo: both null
> (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest - queryString: both null
> (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest - requestURI:
> arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property
> equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest - serverPort: arg1=8443;
> arg2=8443 (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest - requestURL:
> arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska;
> arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property
> equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest - scheme: arg1=https;
> arg2=https (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest - serverName:
> arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest - contextPath:
> arg1=/newhirereporting; arg2=/newhirereporting (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest - servletPath:
> arg1=/myAlaska; arg2=/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache - Removing
> DefaultSavedRequest from session if present
> 06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 4
> of 8 in additional filter chain; firing Filter:
> 'SecurityContextHolderAwareRequestFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 5
> of 8 in additional filter chain; firing Filter:
> 'AnonymousAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] nymousAuthenticationFilter - Populated
> SecurityContextHolder with anonymous token:
> 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c:
> Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true;
> Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4:
> RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5;
> Granted Authorities: ROLE_ANONYMOUS'
> 06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 6
> of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 7
> of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 8
> of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher - Checking match of
> request : '/myalaska'; against '/'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher - Checking match of
> request : '/myalaska'; against '/myalaska'
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor - Secure object:
> FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()]
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor - Previously
> Authenticated:
> org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c:
> Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true;
> Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4:
> RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5;
> Granted Authorities: ROLE_ANONYMOUS
> 06-18@10:57:19 DEBUG [] AffirmativeBased - Voter:
> org.springframework.security.web.access.expression.WebExpressionVoter@200930,
> returned: -1
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied (user
> is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied > at > org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) > at > org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206) > at > org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115) > at > org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > 
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) > at > org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) > at > org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) > at > org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69) > at > org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58) > at > org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) > at > org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) > at > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) > at > 
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) > at > org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) > at java.lang.Thread.run(Unknown Source) > 06-18@10:57:19 DEBUG [] HttpSessionRequestCache - DefaultSavedRequest > added to Session: > DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska] > 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication > entry point. > 06-18@10:57:19 DEBUG [] FederationConfigImpl - Reading federation > configuration for context '/newhirereporting' > 06-18@10:57:19 DEBUG [] MyAlaskaEntryPoint - Federation context: > org.apache.cxf.fediz.core.config.FederationContext@a302f2 > 06-18@10:57:19 INFO [] FederationProcessorImpl - Issuer url: > https://mydev.alaska.gov/adfs/ls/ > 06-18@10:57:19 INFO [] FederationProcessorImpl - WAuth: > 06-18@10:57:19 INFO [] FederationProcessorImpl - HomeRealm: null > 06-18@10:57:19 INFO [] FederationProcessorImpl - Freshness: null > 06-18@10:57:19 DEBUG [] FederationProcessorImpl - > wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska > 06-18@10:57:19 DEBUG [] FederationProcessorImpl - > wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/ > 06-18@10:57:19 INFO [] MyAlaskaEntryPoint - Redirecting to IDP: > https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&pubId=enhr > 06-18@10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty > or contents are anonymous - context will not be stored in HttpSession. 
> 06-18@10:57:19 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
>
> The first error tells me there was a problem with the sign-in request-response: it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a POST.
>
> The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to /myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set like wa=wsignin1.0, and seeing as it's not finding that information it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
>
> I have Spring Security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>   <sec:intercept-url pattern="/" access="permitAll"/>
>   <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>   <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>   <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML Token. I want to treat ALL accounts from ADFS with the same role.
> Is using ' access="isFullyAuthenticated()" ' appropriate for my use case?
>
> Thank you for any help,
> Tom Burton

-- 
Daniel Kulp
[email protected] - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
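Tom's point that the sign-in response Fediz expects is a POST carrying wa=wsignin1.0, while the looping request is a bare GET of the protected page, as an added example (not Fediz, Spring Security or the poster's own code): a hypothetical relying-party helper that tells the two apart and builds the passive sign-in redirect from the issuer and realm in the log, carrying the originally requested page in wctx so a deep link such as /someOtherPage can be restored after login. The reply URL, the wctx layout and all class and method names are assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Map;

// Hypothetical relying-party helper (added example, not Fediz or Spring Security code).
// Issuer and realm are the values in the log above; the reply URL and wctx layout are assumptions.
public final class WsFedSignIn {
    static final String IDP_URL = "https://mydev.alaska.gov/adfs/ls/";
    static final String WTREALM = "https://cssdappstst.state.ak.us:8443/newhirereporting/";
    // Fixed URL the IdP posts the token back to; the page the user asked for rides in wctx instead.
    static final String WREPLY = WTREALM + "j_spring_fediz_security_check"; // assumed filterProcessesUrl

    public enum Action { PROCESS_TOKEN, REDIRECT_TO_IDP, PASS_THROUGH }

    // A sign-in response is a POST carrying wa=wsignin1.0 and a wresult token. A plain GET of a
    // protected page (the case in the log) carries neither and must get the IdP redirect, not an error.
    public static Action classify(String method, Map<String, String> params, boolean authenticated) {
        boolean signInResponse = "POST".equals(method)
                && "wsignin1.0".equals(params.get("wa"))
                && params.get("wresult") != null;
        if (signInResponse) return Action.PROCESS_TOKEN;
        return authenticated ? Action.PASS_THROUGH : Action.REDIRECT_TO_IDP;
    }

    // Passive sign-in request with the parameters the log shows (wa, wreply, wtrealm, wct). wctx is
    // opaque to the IdP and returned unchanged, so it carries the deep link, e.g. /someOtherPage.
    public static String signInUrl(String requestedPath, Instant now) {
        return IDP_URL + "?wa=wsignin1.0"
                + "&wreply=" + enc(WREPLY)
                + "&wtrealm=" + enc(WTREALM)
                + "&wct=" + enc(now.truncatedTo(ChronoUnit.MILLIS).toString()) // 2013-06-18T18:57:19.790Z style
                + "&wctx=" + enc("ru=" + requestedPath);
    }

    // After the token has been validated, recover the deep link from wctx. Only a same-site
    // relative path is accepted; an absolute URL or "//host" here would be an open redirect.
    public static String returnPath(String wctx) {
        if (wctx != null && wctx.startsWith("ru=")) {
            String ru = wctx.substring(3);
            if (ru.startsWith("/") && !ru.startsWith("//")) return ru;
        }
        return "/";
    }

    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); } // Java 10+
}
```

With this split, a GET of /myAlaska yields REDIRECT_TO_IDP and a redirect built by signInUrl("/myAlaska", Instant.now()), while the IdP's POST to the fixed reply URL yields PROCESS_TOKEN and returnPath("ru=/myAlaska") sends the user on to the page they asked for.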
