The system I'm hooking into is an upgrade of an older system.
The older system passed a GUID in an HTTP header. (All web applications were
behind a shared proxy.)
The GUID was then run through a web service to retrieve a matching user account.
There were other web services as well (that I'm personally not using) that use
the GUID.
All of these web service locations have been changed, with minimal other
interface changes, and the actual implementations have changed as well. It is my
understanding (not my systems) that they went from a Solaris LDAP/Oracle backend
to an Active Directory/SQL Server backend.
I've pasted the token below. It has one attribute, MyAlaskaId; it's the value of
that attribute that I pass to a web service to actually get back a user object.
Unless that's how SAML responses are designed to work and I still need to
configure something.

They have supplied a .NET (C#) sample application. On our dev system I can even
see it in action.
I decided to try the dev sample application. I snagged the URL out of my address
bar when I saw it.
Then I split it apart to figure out what was different between the URL the
sample application generated and mine. That's when I came across the "&wctx=...."
bit.

The wctx for the .NET application is probably generated by this bit in the
sample application's Web.config:
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" requireHttps="false"
                    issuer="https://mydev.alaska.gov/adfs/ls/" realm="[ TODO ]"
                    signInQueryString="pubid=[ TODO ]" />
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>


The "&pubid=" is a custom extension they've implemented. When I use it the 
login page says:
"'Website Name' has sent you here to sign in."

Honestly you probably know more about ADFS than I do. I'm just flailing about
trying to get it to work.

Also, if you don't like subclassing, could you please add more logging to your
classes? It's the single biggest reason I was subclassing.

I think a callback could work. Or what about a system like the one the Maven
compiler plugin has, where unknown XML options just get appended?
So for example,

In the Maven compiler plugin I can do
    <configuration>
      <compilerArguments>
        <foo>
          bash
        </foo>
      </compilerArguments>
    </configuration>

Then it just blindly passes -foo=bash to javac and hopes for the best.  (or 
that's what it looks like.)

With such a system for fediz
I could have:  

    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="federationProtocolType" version="1.0.0">
      <!-- normal options here -->
      <!-- demarcation for Sign-In Only special arguments,
           wrap them, no special processing (except escaping?) -->
      <signInArguments>
        <pubId>myId</pubId>
      </signInArguments>
    </protocol>
And the redirect URL would end up with &pubId=myId appended,
or "&pubId=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1"); if escaping.

--- here is my SAML Response (is that the right term?) ---
<t:RequestSecurityTokenResponse
    xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:Lifetime>
    <wsu:Created
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      2013-06-18T21:25:30.147Z
    </wsu:Created>
    <wsu:Expires
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      2013-06-18T22:25:30.147Z
    </wsu:Expires>
  </t:Lifetime>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsa:Address>
        https://cssdappstst.state.ak.us:8443/newhirereporting/
      </wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1"
                    AssertionID="_517cee33-3b6b-40cc-82cd-a2e10ce61925"
                    Issuer="http://MYDEV.ALASKA.GOV/adfs/services/trust"
                    IssueInstant="2013-06-18T21:25:30.147Z"
                    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2013-06-18T21:25:30.147Z"
                       NotOnOrAfter="2013-06-18T22:25:30.147Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>
            https://cssdappstst.state.ak.us:8443/newhirereporting/
          </saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>
              urn:oasis:names:tc:SAML:1.0:cm:bearer
            </saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="MyAlaskaId"
                        AttributeNamespace="http://my.alaska.gov/claims">
          <saml:AttributeValue>
            0d0ad010-d27b-4b53-a8bc-ba85a704e083
          </saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AuthenticationStatement
          AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
          AuthenticationInstant="2013-06-18T20:06:58.819Z">
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>
              urn:oasis:names:tc:SAML:1.0:cm:bearer
            </saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod
              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod
              Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256">
          </ds:SignatureMethod>
          <ds:Reference URI="#_517cee33-3b6b-40cc-82cd-a2e10ce61925">
            <ds:Transforms>
              <ds:Transform
                  Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
              </ds:Transform>
              <ds:Transform
                  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#sha256">
            </ds:DigestMethod>
            <ds:DigestValue>
              RtzUZBhY6myvUAWpwGfXbRrqzLU5pydSxa8uq9TlGnM=
            </ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
                [Long Signature hash value was Here ]          
        </ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
            <X509Certificate>
              [Certificate hash was here]
            </X509Certificate>
          </X509Data>
        </KeyInfo>
      </ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
  <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
  <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
  </t:RequestType>
  <t:KeyType>
    http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey
  </t:KeyType>
</t:RequestSecurityTokenResponse>


Thank you again,
Tom
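
As an added example (not code from this thread or from Fediz), here is a Python
check of what a relying party still has to decide for itself about a bearer
assertion like the one above before trusting MyAlaskaId: issuer, audience,
validity window, confirmation method and the GUID shape of the attribute. The
sample RSTR is a constructed copy of the token above with Lifetime, Signature and
KeyInfo stripped so it parses offline; verifying the XML signature is left to
Fediz/WSS4J.

```python
"""Relying-party sanity checks on a SAML 1.1 bearer assertion inside a WS-Trust RSTR.

Added example, not code from the thread or from Fediz. It does NOT verify the
XML signature (Fediz/WSS4J does that); it checks what the RP must still decide
for itself before trusting the MyAlaskaId attribute.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Values taken from the token in the thread (RP address and ADFS issuer).
RP_ADDRESS = "https://cssdappstst.state.ak.us:8443/newhirereporting/"
ADFS_ISSUER = "http://MYDEV.ALASKA.GOV/adfs/services/trust"

# Constructed sample: the token above with Lifetime, Signature and KeyInfo
# stripped, so it parses offline.
SAMPLE_RSTR = """<t:RequestSecurityTokenResponse
    xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1"
        AssertionID="_517cee33-3b6b-40cc-82cd-a2e10ce61925"
        Issuer="http://MYDEV.ALASKA.GOV/adfs/services/trust"
        IssueInstant="2013-06-18T21:25:30.147Z"
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2013-06-18T21:25:30.147Z"
                       NotOnOrAfter="2013-06-18T22:25:30.147Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience> https://cssdappstst.state.ak.us:8443/newhirereporting/ </saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject><saml:SubjectConfirmation>
          <saml:ConfirmationMethod> urn:oasis:names:tc:SAML:1.0:cm:bearer </saml:ConfirmationMethod>
        </saml:SubjectConfirmation></saml:Subject>
        <saml:Attribute AttributeName="MyAlaskaId"
                        AttributeNamespace="http://my.alaska.gov/claims">
          <saml:AttributeValue> 0d0ad010-d27b-4b53-a8bc-ba85a704e083 </saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""


def parse_ts(value):
    """Parse the xs:dateTime form ADFS emits (UTC with a fractional second)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_assertion(rstr_xml, now, audience=RP_ADDRESS, issuer=ADFS_ISSUER,
                    skew=timedelta(seconds=60)):
    """Return (ok, problems, attributes) for the assertion carried in the RSTR."""
    problems = []
    root = ET.fromstring(rstr_xml)
    assertion = root.find("t:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        return False, ["no SAML 1.x assertion in RequestedSecurityToken"], {}

    # 1. Only accept tokens from the IDP this RP federates with.
    if assertion.get("Issuer") != issuer:
        problems.append("unexpected issuer %r" % assertion.get("Issuer"))

    # 2. Conditions: validity window (with a little clock skew) and audience.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        problems.append("assertion lacks NotBefore/NotOnOrAfter conditions")
    else:
        not_before = parse_ts(cond.get("NotBefore"))
        not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
        if now + skew < not_before:
            problems.append("assertion not yet valid")
        if now - skew >= not_on_or_after:
            problems.append("assertion expired")
        audiences = [(a.text or "").strip() for a in
                     cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
        if audience not in audiences:
            problems.append("audience %s not in %s" % (audience, audiences))

    # 3. Bearer confirmation is what the passive WS-Federation flow delivers.
    for cm in assertion.iterfind(".//saml:SubjectConfirmation/saml:ConfirmationMethod", NS):
        if (cm.text or "").strip() != BEARER:
            problems.append("unsupported confirmation method " + (cm.text or "").strip())

    # 4. Collect attributes; MyAlaskaId must look like the GUID the SOAP service expects.
    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("AttributeName")] = [
            (v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    if not GUID_RE.match(attrs.get("MyAlaskaId", [""])[0]):
        problems.append("MyAlaskaId missing or not a GUID")

    return not problems, problems, attrs


if __name__ == "__main__":
    ok, problems, attrs = check_assertion(SAMPLE_RSTR, parse_ts("2013-06-18T21:40:00.000Z"))
    print("ok=%s problems=%s attrs=%s" % (ok, problems, attrs))
```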


-----Original Message-----
From: Oliver Wulff [mailto:[email protected]] 
Sent: Wednesday, June 19, 2013 10:36 PM
To: [email protected]
Subject: RE: FEDIZ Authentication problems

Hi Tom

>>>
I needed to mangle the redirect URL with more options than it looks like are 
available in the fediz_config file.
I basically had to add:  
    redirectUrl += "&wctx=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
                           + "%252Fnewhirereporting%252FmyAlaska"; // double encoded /contextpath/page
 
 I also copied it to add
 redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID; pubId is a URL 
parameter to add a friendly message to the login page for the user.
>>>
I'm not a big fan of subclassing in general. Mostly it indicates that there is 
a missing extension point in the framework. Do you have to extend the redirect 
URL because of ADFS or because of your application? I could add a callback 
handler to fill the wctx or even extend the URL. The original request is cached 
by spring security thus you don't have to cache any request specific 
information in the redirect url. I would like to understand first what the use 
case is as this requirement never came up so far.

>>>
So now I do actually get a "SAML Token" but all it contains is a GUID.  
I then have to call a SOAP web Service to actually convert that GUID into a 
real user object.
>>>
Is this by intention? ADFS is able to add user information from AD. Can you 
share the issued SAML token? One of the purposes of WS-Federation is to 
centralize (in the IDP/STS) the code to retrieve user information from all 
possible user directories and provide this information in a transparent way to 
the application instead of having to pull this information in each application 
individually.

Thanks
Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Burton, Tom F (DOR) [[email protected]]
Sent: 20 June 2013 03:09
To: [email protected]
Subject: RE: FEDIZ Authentication problems

Turns out I had mis-read an important piece of the document.
I had put my cxf.xml in src/main/webapp/WEB-INF/ next to my web.xml instead of 
in src/main/resources/

moving it to the appropriate directory cleared up my certificate issue.

Tom

-----Original Message-----
From: Burton, Tom F (DOR) [mailto:[email protected]]
Sent: Wednesday, June 19, 2013 3:40 PM
To: [email protected]
Subject: RE: FEDIZ Authentication problems

I just tried

 - name=".*"
 - name="https://.*.state.ak.us:444/.*"
 - name="https://mydev-svc.state.ak.us:444/.*"

I got the same error for all three.

Tom

-----Original Message-----
From: Daniel Kulp [mailto:[email protected]]
Sent: Wednesday, June 19, 2013 2:59 PM
To: [email protected]
Cc: [email protected]
Subject: Re: FEDIZ Authentication problems


Change the conduit name to something like:

name="https://mydev-svc.state.ak.us:444/.*"

Using the service name can only apply those settings after the service is 
created and the name and namespace and such are known.  To have it apply for 
wsdl loading as well, use a URL format (and the .* at the end for the regex 
expansion).

Dan



On Jun 19, 2013, at 6:49 PM, "Burton, Tom F (DOR)" <[email protected]> 
wrote:

> I've actually made it past these issues. :) but now I have new ones :(
>
> The initial class I was talking about sub-classing was:
> FederationAuthenticationFilter
>
> The "additional Authentication checks" were in my subclass.
>
> The java code looked like so:
>
>     // override in the FederationAuthenticationFilter subclass
>     @Override
>     protected boolean requiresAuthentication(HttpServletRequest request,
>                                              HttpServletResponse response) {
>         boolean required = false;
>         // should this be equals or some fancy ** matching type stuff?
>         String path = request.getServletPath();
>         required = path.contains(getFilterProcessesUrl());
>         // getRequestURI().contains(getFilterProcessesUrl());
>
>         // TODO: look up an "easy" way to read the spring config
>         // PageMapHolder manually parses the Spring xml files on deploy
>         if (!required) {
>             required = PageMapHolder.getPages().containsKey(path);
>         }
>
>         if (log.isDebugEnabled()) {
>             log.debug("Compared: path=" + request.getServletPath()
>                     + ", and " + getFilterProcessesUrl());
>             log.debug("ServletPath Authentication: " + required);
>         }
>         if (!required) {
>             required = super.requiresAuthentication(request, response);
>         }
>         return required;
>     }
>
> They have been disabled.
>
> The solution ended up requiring me to copy the implementation of 
> FederationAuthenticationEntryPoint,
> as MyAlaskaEntryPoint. I needed to mangle the redirect URL with more 
> options than it looks like are available in the fediz_config file.
> I basically had to add:
>
>    redirectUrl += "&wctx=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
>                           + "%252Fnewhirereporting%252FmyAlaska"; // double encoded /contextpath/page
>
>
> I also copied it to add
> redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID;
>
> pubId is a URL parameter to add a friendly message to the login page for the 
> user.
>
> So now I do actually get a "SAML Token" but all it contains is a GUID.
> I then have to call a SOAP web Service to actually convert that GUID into a 
> real user object.
>
>
> MyAlaskaAuthProvider is a subclass of FederationAuthenticationProvider
>
> It overrides #authenticate to add some logging before calling super. It 
> overrides #loadUserByFederationResponse to find the myAkUsername 
> BEFORE calling super.
>
> The current Error I'm getting is a certificate error while trying to access 
> the GUID based web service.
>
> So in doing some research I found this:
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-Howtooverridetheserviceaddress%3F
>
> I've followed the page and created a cxf.xml I've added it as another 
> file to be parsed as part of my Spring Config.
>
> cxf.xml has an http:conduit like so:
>
>  <http:conduit
>    name="{http://cxf.apache.org/}TransportURIResolver.http-conduit"> <!-- magic value for https -->
>
>    <!--name="{http://myalaska.state.ak.us/wsdl/MyAlaskaService}WSHttpBinding_MyAlaskaService.http-conduit">-->
>
>    <!-- duplicates values from <certificateStores> in Fediz config -->
>    <http:tlsClientParameters>
>      <sec:keyManagers keyPassword="password">
>        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>      </sec:keyManagers>
>      <sec:trustManagers>
>        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>      </sec:trustManagers>
>      <sec:cipherSuitesFilter>
>        <!-- these filters ensure that a ciphersuite with
>             export-suitable or null encryption is used,
>             but exclude anonymous Diffie-Hellman key change as
>             this is vulnerable to man-in-the-middle attacks -->
>        <sec:include>.*_EXPORT_.*</sec:include>
>        <sec:include>.*_EXPORT1024_.*</sec:include>
>        <sec:include>.*_WITH_DES_.*</sec:include>
>        <sec:include>.*_WITH_AES_.*</sec:include>
>        <sec:include>.*_WITH_NULL_.*</sec:include>
>        <sec:exclude>.*_DH_anon_.*</sec:exclude>
>      </sec:cipherSuitesFilter>
>    </http:tlsClientParameters>
>    <http:client AutoRedirect="true" Connection="Keep-Alive"/> 
> </http:conduit>
>
> However when I try and actually create an instance of my soap service, I get 
> a stack trace in my log file.  Pasted in full below.
> To me the interesting bit is probably:
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 
> 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl
> '.: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to 
> find valid certification path to requested target
>
> So am I defining my conduit name right? How can I tell if the conduit 
> wrapping is even happening?
>
>
> Thank you again,
> Tom Burton
>
>
>
> --------------- Full Stack Trace -------------
>
> 06-19@14:27:45 ERROR [] tionAuthenticationProvider - Failed to 
> validate SignIn request
> javax.xml.ws.WebServiceException: 
> org.apache.cxf.service.factory.ServiceConstructionException: Failed to create 
> service.
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:149)
>        at 
> org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at 
> us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at 
> us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at 
> us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at 
> org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at 
> org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at 
> us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at 
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at 
> org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at 
> us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at 
> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at 
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at 
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at 
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at 
> org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at 
> org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at 
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at 
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at 
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at 
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at 
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source) Caused by:
> org.apache.cxf.service.factory.ServiceConstructionException: Failed to create 
> service.
>        at 
> org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:100)
>        at 
> org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        ... 33 more
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 
> 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target: 
> javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target
>        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at 
> com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown 
> Source)
>        at 
> com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown 
> Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown 
> Source)
>        at 
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown 
> Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown 
> Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown 
> Source)
>        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>        at 
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown 
> Source)
>        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown 
> Source)
>        at 
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown 
> Source)
>        at 
> com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(Unknown
>  Source)
>        at 
> com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(Unknown
>  Source)
>        at 
> com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown 
> Source)
>        at 
> com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown 
> Source)
>        at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown 
> Source)
>        at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown 
> Source)
>        at 
> com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown 
> Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at 
> org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at 
> org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at 
> org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        at 
> org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        at 
> org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at 
> us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at 
> us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at 
> us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at 
> org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at 
> org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at 
> us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at 
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at 
> org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at 
> us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at 
> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at 
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at 
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at 
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at 
> org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at 
> org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at 
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at 
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at 
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at 
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at 
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source) Caused by:
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target
>        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>        at sun.security.validator.Validator.validate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown 
> Source)
>        at 
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown 
> Source)
>        at 
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown 
> Source)
>        ... 60 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable 
> to find valid certification path to requested target
>        at 
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>        at java.security.cert.CertPathBuilder.build(Unknown Source)
>        ... 66 more
>
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at 
> org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at 
> org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at 
> org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        ... 35 more
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Authentication request 
> failed: org.springframework.security.authentication.BadCredentialsException: 
> org.apache.cxf.service.factory.ServiceConstructionException: Failed to create 
> service.
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Updated 
> SecurityContextHolder to contain null Authentication
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Delegating to 
> authentication failure handler 
> org.springframework.security.web.authentication.SimpleUrlAuthenticatio
> nFailureHandler@8c9de8
> 06-19@14:27:45 DEBUG [] thenticationFailureHandler - No failure URL 
> set, sending 401 Unauthorized error
> 06-19@14:27:45 DEBUG [] nSecurityContextRepository - SecurityContext is empty 
> or contents are anonymous - context will not be stored in HttpSession.
> 06-19@14:27:45 DEBUG [] tyContextPersistenceFilter - 
> SecurityContextHolder now cleared, as request processing completed
>
>
> -----Original Message-----
> From: Oliver Wulff [mailto:[email protected]]
> Sent: Tuesday, June 18, 2013 11:11 PM
> To: [email protected]
> Subject: RE: FEDIZ Authentication problems
>
> Hi Tom
>
>>>>
> If I subclass ``  to authenticate on my desired URL path `myAlaska`
>>>>
> Which class do you want to subclass?
>
>>>>
> MyAlaskaAuthProvider
>>>>
> What kind of AuthProvider is this?
>
>>>>
> If  I remove the additional Authentication checks so it only checks on 
> /j_spring_fediz_security_check
>>>>
> Can you point me in your configuration what you mean?
>
>>>>
> The first error tells me there was a problem with the sign In 
> request-response, it's a straight up  hit to /myAlaska without the 
> ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a 
> POST.
>>>>
> This is kind of strange. Did you really get redirected to the IDP? Could you 
> share the browser traffic (httpfox, findbugs, etc).
>
>>>>
> The second error is a redirect loop that /myAlaska  -> redirects to the IDP 
> -> redirects back to myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to 
> IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> 
> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign 
> in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set 
> like wa=wsignin1.0 and seeing as it's not finding that information it errors, 
> assumes I'm not logged in and redirects me to my IDP's Sign-In Page.
>>>>
> This is per WS-Federation spec. The SAML assertion is sent in the wresult 
> parameter. Fediz works with ADFS but keep in mind that ADFS uses an older 
> WS-Trust and SAML 1.1 assertion which is supported by Fediz as well.
>
>
>>>>
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML Token.  I want to 
> treat ALL accounts from ADFS with the same role.
> Is using ' access="isFullyAuthenticated()" ' appropriate for my use case?
>>>>
> The following definition requires that you're authenticated (without the 
> requirement for any roles):
> <sec:intercept-url pattern="/secure/fedservlet"
> access="isAuthenticated()"/>
>
> There is an example available for spring security. Here is the spring 
> security documentation of it:
> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springWebapp/src
> /main/webapp/WEB-INF/applicationContext-security.xml?view=markup
>
> HTH
>
> Oli
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com
>
> ________________________________________
> From: Burton, Tom F (DOR) [[email protected]]
> Sent: 18 June 2013 21:15
> To: [email protected]
> Subject: FEDIZ Authentication problems
>
> I'm trying to set up FEDIZ-1.1-SNAPSHOT with FEDIZ-1.1-SPRING-SNAPSHOT as an 
> RP to an existing .NET ADFS IDP.
>
> If I subclass ``  to authenticate on my desired URL path `myAlaska` I end up 
> with the following log entries when I try to log in:
>
> 06-18@09:56:56 INFO  [] Spring Security Debugger   -
>
> ************************************************************
>
> Request received for '/myAlaska':
>
> org.apache.catalina.connector.RequestFacade@a2f68b
>
> servletPath:/myAlaska
> pathInfo:null
>
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
>
>
> ************************************************************
>
>
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 1 
> of 8 in additional filter chain; firing Filter: 
> 'SecurityContextPersistenceFilter'
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No HttpSession 
> currently exists
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No SecurityContext was 
> available from the HttpSession: null. A new one will be created.
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 2 
> of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Compared:
> path=/myAlaska, and /j_spring_fediz_security_check
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - ServletPath
> Authentication: true
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Request is to 
> process authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - begin parameter logging.
> wa:       null
> wresult:  null
> full URL: https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> Method:   GET
> 06-18@09:56:56 DEBUG [] ProviderManager            - Authentication attempt 
> using us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - Authenticating: 
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1dacb29:
>  Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: 
> org.springframework.security.web.authentication.WebAuthenticationDetails@b364:
>  RemoteIpAddress: 146.63.181.15; SessionId: null; Not granted any authorities
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - request: WA: null Wct: 
> null Result: null Cert Count: 0
> 06-18@09:56:56 DEBUG [] FederationConfigImpl       - Reading federation 
> configuration for context '/newhirereporting'
> 06-18@09:56:56 ERROR [] FederationProcessorImpl    - Invalid action 'null'
> 06-18@09:56:56 ERROR [] tionAuthenticationProvider - Failed to 
> validate SignIn request
> org.apache.cxf.fediz.core.exception.ProcessingException: The request was 
> invalid or malformed
>        at 
> org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:93)
>        at 
> org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:121)
>        at 
> org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at 
> us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:30)
>        at 
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at 
> org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at 
> us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at 
> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at 
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at 
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at 
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at 
> org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at 
> org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at 
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at 
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at 
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at 
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at 
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication 
> request failed:
> org.springframework.security.authentication.BadCredentialsException:
> The request was invalid or malformed
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated 
> SecurityContextHolder to contain null Authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to 
> authentication failure handler 
> org.springframework.security.web.authentication.SimpleUrlAuthenticatio
> nFailureHandler@1508a8b
> 06-18@09:56:56 DEBUG [] thenticationFailureHandler - No failure URL 
> set, sending 401 Unauthorized error
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty 
> or contents are anonymous - context will not be stored in HttpSession.
> 06-18@09:56:56 DEBUG [] tyContextPersistenceFilter - 
> SecurityContextHolder now cleared, as request processing completed
>
> If I remove the additional Authentication checks so it only checks on 
> /j_spring_fediz_security_check I get the following error instead:
>
> 06-18@10:57:19 INFO  [] Spring Security Debugger   -
>
> ************************************************************
>
> Request received for '/myAlaska':
>
> org.apache.catalina.connector.RequestFacade@1cdedd4
>
> servletPath:/myAlaska
> pathInfo:null
>
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
>
>
> ************************************************************
>
>
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 1 
> of 8 in additional filter chain; firing Filter: 
> 'SecurityContextPersistenceFilter'
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - HttpSession 
> returned null object for SPRING_SECURITY_CONTEXT
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was 
> available from the HttpSession: 
> org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be 
> created.
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 2 
> of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication = 
> false
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 3 
> of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - pathInfo: both null 
> (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - queryString: both null 
> (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURI: 
> arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property 
> equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverPort: arg1=8443; 
> arg2=8443 (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURL: 
> arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska; 
> arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property 
> equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - scheme: arg1=https; 
> arg2=https (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverName: 
> arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - contextPath: 
> arg1=/newhirereporting; arg2=/newhirereporting (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - servletPath: 
> arg1=/myAlaska; arg2=/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - Removing 
> DefaultSavedRequest from session if present
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 4 
> of 8 in additional filter chain; firing Filter: 
> 'SecurityContextHolderAwareRequestFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 5 
> of 8 in additional filter chain; firing Filter: 
> 'AnonymousAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] nymousAuthenticationFilter - Populated 
> SecurityContextHolder with anonymous token: 
> 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c:
>  Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; 
> Details: 
> org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4:
>  RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; 
> Granted Authorities: ROLE_ANONYMOUS'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 6 
> of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 7 
> of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 8 
> of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of 
> request : '/myalaska'; against '/'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of 
> request : '/myalaska'; against '/myalaska'
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Secure object:
> FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()]
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Previously 
> Authenticated: 
> org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c:
>  Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; 
> Details: 
> org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4:
>  RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; 
> Granted Authorities: ROLE_ANONYMOUS
> 06-18@10:57:19 DEBUG [] AffirmativeBased           - Voter: 
> org.springframework.security.web.access.expression.WebExpressionVoter@200930, 
> returned: -1
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied 
> (user is anonymous); redirecting to authentication entry point
> org.springframework.security.access.AccessDeniedException: Access is denied
>        at 
> org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
>        at 
> org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
>        at 
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
>        at 
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at 
> org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at 
> org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at 
> org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at 
> org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
>        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at 
> org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at 
> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
>        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at 
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at 
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at 
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at 
> org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at 
> org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at 
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at 
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at 
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at 
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at 
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - DefaultSavedRequest 
> added to Session: 
> DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska]
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication 
> entry point.
> 06-18@10:57:19 DEBUG [] FederationConfigImpl       - Reading federation 
> configuration for context '/newhirereporting'
> 06-18@10:57:19 DEBUG [] MyAlaskaEntryPoint         - Federation context: 
> org.apache.cxf.fediz.core.config.FederationContext@a302f2
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Issuer url: 
> https://mydev.alaska.gov/adfs/ls/
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - WAuth:
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - HomeRealm: null
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Freshness: null
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - 
> wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - 
> wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/
> 06-18@10:57:19 INFO  [] MyAlaskaEntryPoint         - Redirecting to IDP: 
> https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&pubId=enhr
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty 
> or contents are anonymous - context will not be stored in HttpSession.
> 06-18@10:57:19 DEBUG [] tyContextPersistenceFilter - 
> SecurityContextHolder now cleared, as request processing completed
>
> The first error tells me there was a problem with the sign-in 
> request-response; it's a straight-up hit to /myAlaska without the 
> ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a 
> POST.
>
> The second error is a redirect loop that /myAlaska  -> redirects to the IDP 
> -> redirects back to myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to 
> IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> 
> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign 
> in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set, 
> like wa=wsignin1.0, and, seeing as it's not finding that information, it errors, 
> assumes I'm not logged in and redirects me to my IDP's sign-in page.
>
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML Token.  I want to 
> treat ALL accounts from ADFS with the same role.
> Is using ' access="isFullyAuthenticated()" ' appropriate for my use case?
>
> Thank you for any help,
> Tom Burton
>
> Confidentiality Notice:  This e-mail message including any attachments, is 
> for the sole use of the intended recipient(s) and may contain confidential 
> and privileged information. Any unauthorized review, use, disclosure or 
> distribution is prohibited.  If you are not the intended recipient, please 
> contact the sender by reply e-mail and destroy all copies of the original 
> message.

--
Daniel Kulp
[email protected] - http://dankulp.com/blog Talend Community Coder - 
http://coders.talend.com
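The WS-Federation passive flow that the thread above turns on (the IdP hands the SAML assertion back by POSTing wa=wsignin1.0 and wresult to the relying party, while a bare GET to the protected page carries neither) can be modelled in a short script. What follows is an added example written for this page; it is not Fediz, Spring Security or ADFS code, and it does not claim to show how the Fediz plugin itself behaves. The IdP and realm URLs are placeholder assumptions, /myAlaska and /j_spring_fediz_security_check are taken from the thread, and routing the originally requested page through wctx with a fixed wreply endpoint is one common relying-party pattern, assumed here to illustrate how a direct visit to /someOtherPage can survive the round trip to the IdP.

```python
"""Model of a WS-Federation passive relying party (RP) front door.

Constructed example (not Fediz or Spring Security code). Decides, per request,
whether it is a sign-in response to validate, a protected page that needs a
redirect to the IdP, or a plain pass-through. IDP_URL and REALM are
placeholder assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlencode, urlsplit

IDP_URL = "https://idp.example.test/adfs/ls/"       # assumption: placeholder IdP endpoint
REALM = "https://rp.example.test:8443/app/"         # assumption: placeholder wtrealm
SIGNIN_PATH = "/j_spring_fediz_security_check"      # RP endpoint that receives wresult
PROTECTED_PREFIXES = ("/myAlaska",)                 # pages that require authentication


@dataclass
class Request:
    method: str
    path: str
    params: dict            # query or form parameters, single-valued
    authenticated: bool = False


@dataclass
class Decision:
    action: str             # "process_signin" | "redirect_to_idp" | "reject" | "pass"
    detail: str = ""        # destination path, redirect URL, or reason


def is_signin_response(req: Request) -> bool:
    """A WS-Federation sign-in response is an HTTP POST carrying wa=wsignin1.0
    and a non-empty wresult (the RSTR wrapping the SAML assertion).
    A GET without these parameters is ordinary navigation, not a response."""
    return (req.method == "POST"
            and req.params.get("wa") == "wsignin1.0"
            and bool(req.params.get("wresult")))


def safe_return_path(wctx: str) -> str:
    """Accept only a local, absolute-path wctx as the post-login destination so
    the round-tripped context cannot be turned into an open redirect."""
    if not wctx or not wctx.startswith("/") or wctx.startswith("//"):
        return "/"
    parts = urlsplit(wctx)
    if parts.scheme or parts.netloc:
        return "/"
    return wctx


def build_signin_redirect(req: Request, now: datetime = None) -> str:
    """Build the wsignin1.0 redirect to the IdP. wreply is the fixed sign-in
    endpoint; the page the user asked for travels in wctx, which the IdP
    returns unchanged, so /someOtherPage can be restored after validation."""
    now = now or datetime.now(timezone.utc)
    query = {
        "wa": "wsignin1.0",
        "wtrealm": REALM,
        "wreply": REALM.rstrip("/") + SIGNIN_PATH,
        "wct": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "wctx": req.path,
    }
    return IDP_URL + "?" + urlencode(query)


def decide(req: Request) -> Decision:
    """Route one request the way an RP filter chain would."""
    if req.path == SIGNIN_PATH:
        if is_signin_response(req):
            # wresult would now go to the token validator; on success the
            # user is sent on to the path carried in wctx.
            return Decision("process_signin",
                            safe_return_path(req.params.get("wctx", "")))
        # Sign-in endpoint reached without wa/wresult: not a sign-in response.
        return Decision("reject", "no wa=wsignin1.0 / wresult in request")
    if req.path.startswith(PROTECTED_PREFIXES) and not req.authenticated:
        return Decision("redirect_to_idp", build_signin_redirect(req))
    return Decision("pass", req.path)


if __name__ == "__main__":
    # Constructed requests illustrating the three outcomes.
    print(decide(Request("GET", "/myAlaska", {})))
    print(decide(Request("GET", SIGNIN_PATH, {})))
    print(decide(Request("POST", SIGNIN_PATH,
                         {"wa": "wsignin1.0", "wresult": "<RSTR .../>",
                          "wctx": "/myAlaska"})))
```

The first print shows the redirect an unauthenticated visit to /myAlaska produces; the second is the case of a sign-in endpoint hit by a plain GET, which has no action to process; the third is the POST with wa and wresult that a token validator would accept. Keeping the return destination in wctx, validated as a local path, is what lets the RP bring the user back to a deep link without making the sign-in endpoint itself the protected page.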
