I didn't look at your code... but I guess you need to redirect to an unprotected page when users try to access your app. If the home page is protected, then redirecting to it will trigger another redirect....
On Fri, Apr 4, 2025 at 3:37 AM Chris Whitcomb <chrswhitc...@gmail.com> wrote:
> I have a Wicket 8 application that is using Spring Security (Spring Boot 2.1.10) and is deployed on WebSphere traditional 8.5.5.x. WAS is connected to an LDAP. This application uses the J2EE (WAS) security. The server does have Kerberos configured.
>
> I know WAS 8.5.5 does not officially support Spring Boot 2.1.10 and Wicket 8. However, I have deployed this to a local WAS without the Kerberos configured and it works. This local WAS prompts for login. I do understand this could be a version problem.
>
> We would like the application to use the current Windows user to automatically log in (no login prompt to the user).
>
> When hitting the URL, in the logs we see the application loops a number of times and each time it loops, it creates a session. I'm not sure where or why the session is being created. Eventually the browser shows the error 'too many redirects'. I have seen 20 – 30 sessions created before it stops. I have set the Spring SessionCreationPolicy to each option and the behavior did not change.
>
> I want to secure the homepage – only users in a specific group should be able to access the home page. If they are not in the group, they should get redirected to an access denied page. Since we are having problems, I have modified the code to show the page if the user is authenticated. Once we get that working, we will add in the group membership.
>
> I have tried setting the role in the WebSession and then using @AuthorizeInstantiation("role").
>
> I have also tried returning the page to display in the WebApplication class depending on if the user is signed in or not.
>
> Both just loop until it gives up.
>
> I do see all the output from the home page (SearchPage class) init, but then it loops and starts over.
>
> Code below:
>
> I do have a web.xml with a security constraint as it seems WebSphere needs this, otherwise we don't get a principal at all.
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>User</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>AllAuthenticated</role-name>
>   </auth-constraint>
> </security-constraint>
> <!-- Security roles used in the application -->
> <security-role>
>   <role-name>AllAuthenticated</role-name>
> </security-role>
>
> My WebSession class:
>
> public class AppWebSession extends AbstractAuthenticatedWebSession {
>
>     public volatile boolean signedIn;
>
>     public AppWebSession(Request request) {
>         super(request);
>         init();
>     }
>
>     private void init() {
>         Injector.get().inject(this);
>         log.debug("Session Injected.");
>     }
>
>     public static AppWebSession get() {
>         return (AppWebSession) Session.get();
>     }
>
>     @Override
>     public Roles getRoles() {
>         log.debug("getRoles()");
>
>         Roles roles = new Roles();
>
>         if (AppWebSession.get().isSignedIn()) {
>             // Because we are having problems, just set the role if isSignedIn = true.
>             // Later, we will set the roles based on group membership.
>             roles.add("HASACCESS");
>         }
>
>         return roles;
>     }
>
>     @Override
>     public boolean isSignedIn() {
>         // getAuthentication() is null when nothing authenticated the request; guard it
>         Authentication auth = SecurityContextHolder.getContext().getAuthentication();
>         signedIn = auth != null && auth.isAuthenticated();
>         log.debug("signedIn -> " + signedIn); // <-- This shows 'true'.
>         return signedIn;
>     }
> }
>
> My SecurityConfig class:
>
> @Configuration
> @EnableWebSecurity(debug = true)
> public class AppSecurityConfig extends WebSecurityConfigurerAdapter {
>
>     private WebSpherePreAuthenticatedProcessingFilter wasPreAuthFilter = new WebSpherePreAuthenticatedProcessingFilter();
>
>     @Override
>     protected void configure(HttpSecurity http) throws Exception {
>         wasPreAuthFilter.setAuthenticationManager(authenticationManager());
>         http
>             .addFilter(wasPreAuthFilter)
>             .authorizeRequests()
>                 .anyRequest().permitAll();
>     }
>
>     @Override
>     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
>         auth.authenticationProvider(websphereAuthenticationProvider());
>     }
>
>     // Required for WASPreAuth Filter
>     @Bean
>     public AuthenticationProvider websphereAuthenticationProvider() {
>         return new AuthenticationProvider() {
>
>             @Override
>             public Authentication authenticate(Authentication authentication) throws AuthenticationException {
>                 String groupName = "AD Group name";
>                 // two-arg constructor: this token is NOT marked authenticated
>                 PreAuthenticatedAuthenticationToken preAuthToken =
>                     new PreAuthenticatedAuthenticationToken(authentication.getPrincipal(), authentication.getCredentials());
>
>                 try {
>                     Subject subject = WSSubject.getCallerSubject();
>                     Optional<Principal> principal = subject.getPrincipals().stream().findFirst();
>                     if (principal.isPresent()) {
>                         log.debug("principal = " + principal.get().getName());
>                     }
>                     Optional<WSCredential> credentialStream =
>                         subject.getPublicCredentials(WSCredential.class).stream().findFirst();
>
>                     // Optional.get() on an empty Optional throws; bail out with the unauthenticated token instead
>                     if (!principal.isPresent() || !credentialStream.isPresent()) {
>                         log.debug("No WebSphere principal or credential on the caller subject");
>                         return preAuthToken;
>                     }
>
>                     List<GrantedAuthority> authorities = new ArrayList<>();
>
>                     Stream<String> groupIds = credentialStream.get().getGroupIds().stream();
>
>                     // substring match: any group id that merely contains groupName also matches
>                     Optional<String> group = groupIds.filter(i -> i.contains(groupName.trim())).findFirst();
>                     if (group.isPresent()) {
>                         log.debug("group found: " + group.get());
>                         authorities.add(new SimpleGrantedAuthority("ROLE_HASACCESS"));
>                     } else {
>                         log.debug("Group not found");
>                     }
>                     // three-arg constructor: this token IS marked authenticated, even with empty authorities
>                     preAuthToken = new PreAuthenticatedAuthenticationToken(principal.get(), credentialStream.get(), authorities);
>
>                 } catch (WSSecurityException e) {
>                     log.error(e.getMessage(), e);
>                 } catch (CredentialExpiredException e) {
>                     log.error(e.getMessage(), e);
>                 }
>
>                 return preAuthToken;
>             }
>
>             @Override
>             public boolean supports(Class<?> authentication) {
>                 // accepts every token type, not only PreAuthenticatedAuthenticationToken
>                 return true;
>             }
>         };
>     }
> }
>
> My HomePage class:
>
> // @AuthorizeInstantiation("hasAccess")   Commented out and using the getHomePage logic
> public class SearchPage extends BasePage {
>
>     private IModel<AppSearchCriteria> searchCriteriaIModel = new Model<>(new AppSearchCriteria());
>     private boolean showSearchResults = false;
>
>     public SearchPage() {
>         super();
>         log.debug("SearchPage()");
>     }
>
>     public SearchPage(IModel<AppSearchCriteria> model) {
>         super();
>         log.debug("SearchPage(model)");
>         searchCriteriaIModel = model;
>     }
>
>     @Override
>     protected void onInitialize() {
>         super.onInitialize();
>         log.debug("SearchPage.init()");
>         Form<AppSearchCriteria> form = new Form<>("form", searchCriteriaIModel);
>         log.debug("form created");
>         form.type(FormType.Horizontal);
>         add(form);
>         log.debug("form added");
>         log.debug("SearchPage.init() done");
>     }
> }
>
> From the WebApplication class:
>
> @Override
> public Class<? extends Page> getHomePage() {
>     log.debug("getHomePage()");
>     AppWebSession session = (AppWebSession) AppWebSession.get();
>     log.debug("Determine which page to show ...");
>     // This principal that is output is correct.
>     log.debug("SecurityContextHolder principal: " + SecurityContextHolder.getContext().getAuthentication().getPrincipal());
>
>     if (session != null) {
>         if (session.isSignedIn()) {
>             log.debug("signed in - returning SearchPage"); // <-- I do see this output in the logs
>             return SearchPage.class;
>         } else {
>             log.debug("session not signed in - returning NotAuthorized");
>             return NotAuthorized.class;
>         }
>     } else {
>         log.debug("session is NULL - returning NotAuthorized");
>         return NotAuthorized.class;
>     }
> }

--
Regards - Ernesto Reinaldo Barreiro
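The arrangement Ernesto describes, as an added example that is not code from this thread nor from the Wicket or Spring Security projects: the home page carries the role check, the page denied users land on carries none, and `getHomePage()` always returns the same class. It assumes a Spring pre-authentication setup like the one posted has already placed an `Authentication` holding `ROLE_HASACCESS` in the `SecurityContext`; the class names `DemoApplication`, `DemoSession`, `SearchPage` and `NotAuthorizedPage`, the role strings, and the markup files `DemoApplication$SearchPage.html` and `DemoApplication$NotAuthorizedPage.html` that Wicket would look for are hypothetical.

```java
// Added example (hypothetical names); relies on wicket-auth-roles and spring-security-core.
import org.apache.wicket.Page;
import org.apache.wicket.authroles.authentication.AbstractAuthenticatedWebSession;
import org.apache.wicket.authroles.authentication.AuthenticatedWebApplication;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.authroles.authorization.strategies.role.annotations.AuthorizeInstantiation;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.request.Request;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class DemoApplication extends AuthenticatedWebApplication {

    /** Spring authority that grants access (assumed), and the Wicket role it maps to. */
    public static final String SPRING_AUTHORITY = "ROLE_HASACCESS";
    public static final String WICKET_ROLE = "HASACCESS";

    /** Session whose roles are derived from the Spring SecurityContext, not stored in a field. */
    public static class DemoSession extends AbstractAuthenticatedWebSession {
        public DemoSession(Request request) {
            super(request);
        }

        @Override
        public boolean isSignedIn() {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            // null when no filter authenticated this request; never dereference it blindly
            return auth != null && auth.isAuthenticated();
        }

        @Override
        public Roles getRoles() {
            Roles roles = new Roles();
            if (!isSignedIn()) {
                return roles;
            }
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            for (GrantedAuthority ga : auth.getAuthorities()) {
                // exact comparison of the authority string, not a substring match
                if (SPRING_AUTHORITY.equals(ga.getAuthority())) {
                    roles.add(WICKET_ROLE);
                }
            }
            return roles;
        }
    }

    /** Protected home page. Roles is a HashSet<String>: the name must match exactly, case included. */
    @AuthorizeInstantiation(WICKET_ROLE)
    public static class SearchPage extends WebPage {
    }

    /** Landing page for denied users. Deliberately carries no @AuthorizeInstantiation. */
    public static class NotAuthorizedPage extends WebPage {
    }

    @Override
    public Class<? extends Page> getHomePage() {
        // One fixed class; the authorization strategy, not this method, decides who may see it.
        return SearchPage.class;
    }

    @Override
    protected Class<? extends AbstractAuthenticatedWebSession> getWebSessionClass() {
        return DemoSession.class;
    }

    @Override
    protected Class<? extends WebPage> getSignInPageClass() {
        // Where AuthenticatedWebApplication sends a not-signed-in user who hits a protected page.
        return NotAuthorizedPage.class;
    }

    @Override
    protected void init() {
        super.init(); // installs RoleAuthorizationStrategy and the unauthorized-instantiation listener
        mountPage("/denied", NotAuthorizedPage.class);
        // A signed-in user without the role triggers UnauthorizedInstantiationException,
        // which Wicket's DefaultExceptionMapper renders as this page.
        getApplicationSettings().setAccessDeniedPage(NotAuthorizedPage.class);
    }
}
```

Two checks worth making against the posted code before adopting this: the landing page has to be reachable on the Spring side as well (it is under the posted `.anyRequest().permitAll()`, and would need its own `permitAll()` matcher if that were tightened), and Wicket's `Roles` compares strings exactly, so the `"HASACCESS"` added in the posted `getRoles()` would never satisfy the commented-out `@AuthorizeInstantiation("hasAccess")`. Note also that with the posted web.xml constraint on `/*`, WAS challenges unauthenticated callers before the application runs, so the sign-in page above is reached only by callers WAS accepted but Spring did not mark authenticated.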