I have created a repository in GitHub: https://github.com/ chriswhitcomb/wicket_spring_was_security
I have an unauthenticated page which is returned in getHomePage. The HomePage only has a link to the search page, which is authenticated. When trying to open the app, the HomePage never loads, I get an error about too many redirects and looking at the logs, it continuously loops. I also added a log file. On Thu, Apr 10, 2025 at 4:42 PM Chris Whitcomb <[email protected]> wrote: > I created an unauthenticated home page and return that in my getHomePage. > That works - the home page displays. As soon as I add a link to the home > page to go to the search page, the home page does not load and I have the > continuous authentication loop. I don't have any security on the home page > surrounding the link. > > Sorry for the bad code formatting. I'm not sure what happened. I also > don't know where all the '*' came from. > > Chris > > > On Friday, April 4, 2025, Ernesto Reinaldo Barreiro <[email protected]> > wrote: > >> I didn't look at your code...but I guess you need to redirect to a not >> protected page when users try to access your app. If the home page is >> protected then redirecting to it will trigger another redirect.... >> >> >> >> On Fri, Apr 4, 2025 at 3:37 AM Chris Whitcomb <[email protected]> >> wrote: >> >> > I have a wicket 8 application that is using Spring security (Spring Boot >> > 2.1.10) and is deployed on WebSphere traditional 8.5.5.x. WAS is >> connected >> > to an LDAP. This application uses the J2EE (WAS) security. The server >> > does have Kerberos configured. >> > >> > I know WAS 8.5.5 does not officially support Spring boot 2.1.10 and >> Wicket >> > 8. However, I have deployed this to a local WAS without the Kerberos >> > configured and it works. This local WAS prompts for login. I do >> > understand this could be a version problem. >> > >> > >> > >> > We would like the application to use the current Windows user to >> > automatically log in (no login prompt to the user). >> > >> > >> > >> > When hitting the URL in the logs we see the application loops a number >> of >> > times and each time it loops, it creates a session. I’m not sure where >> or >> > why the session is being created. Eventually the browser shows the >> error >> > ‘too many redirects’. I have seen 20 – 30 sessions created before it >> > stops. I have set the Spring SessionCreationPolicy to each option and >> the >> > behavior did not change. >> > >> > >> > >> > I want to secure the homepage – only users in a specific group should be >> > able to access the home page. If they are not in the group, they should >> > get redirected to an access denied page. Since we are having problems, >> I >> > have modified the code to show the page if the user is authenticated. >> Once >> > we get that working, we will add in the group membership. >> > >> > >> > >> > I have tried setting the role in the WebSession and then using >> > @AuthorizeInstantiotion(“role”). >> > >> > I have also tried returning the page to display in the WebApplication >> class >> > depending on if the user is signed in or not. >> > >> > Both just loop until it gives up. >> > >> > I do see all the output from the home page (SearchPage class) init, but >> > then it loops and starts over. >> > >> > >> > >> > Code below: >> > >> > >> > >> > I do have a web.xml with a security constraint as it seems WebSphere >> needs >> > this otherwise we don’t get a principal at all. >> > >> > <security-constraint> >> > >> > <web-resource-collection> >> > >> > <web-resource-name>User</web-resource-name> >> > >> > <url-pattern>/*</url-pattern> >> > >> > </web-resource-collection> >> > >> > <auth-constraint> >> > >> > <role-name>AllAuthenticated</role-name> >> > >> > </auth-constraint> >> > >> > </security-constraint> >> > >> > *<!-- Security roles used in the application -->* >> > >> > <security-role> >> > >> > <role-name>AllAuthenticated</role-name> >> > >> > </security-role> >> > >> > >> > >> > My WebSession class: >> > >> > public class *AppWebSession* extends AbstractAuthenticatedWebSession { >> > >> > >> > >> > public volatile boolean signedIn; >> > >> > >> > >> > public *AppWebSession*(Request request) { >> > >> > super(request); >> > >> > *init*(); >> > >> > } >> > >> > >> > >> > private void *init*() { >> > >> > Injector.*get*().*inject*(this); >> > >> > log.*debug*("Session Injected."); >> > >> > } >> > >> > >> > >> > public static AppWebSession *get*(){ >> > >> > return (AppWebSession) Session.*get*(); >> > >> > } >> > >> > >> > >> > @Override >> > >> > public Roles *getRoles*() { >> > >> > log.*debug*("getRoles()"); >> > >> > >> > >> > Roles roles = new *Roles*(); >> > >> > >> > >> > if(AppWebSession.*get*().*isSignedIn*()){ >> > >> > // Because we are having problems, just set the role if >> > isSignedIn = true. Later, we will set the roles based on group >> membership. >> > >> > roles.add(“HASACCESS”); >> > >> > >> > >> > return roles; >> > >> > } >> > >> > >> > >> > @Override >> > >> > public boolean *isSignedIn*() { >> > >> > >> > >> > signedIn = SecurityContextHolder.*getContext*().* >> getAuthentication* >> > ().*isAuthenticated*(); >> > >> > log.*debug*("signedIn -> " + signedIn); <-- This shows >> ‘true’. >> > >> > return signedIn; >> > >> > } >> > >> > } >> > >> > >> > >> > >> > >> > My SecurityConfig class: >> > >> > @Configuration >> > >> > @EnableWebSecurity (debug = true) >> > >> > public class *AppSecurityConfig* extends *WebSecurityConfigurerAdapter* >> { >> > >> > >> > >> > private WebSpherePreAuthenticatedProcessingFilter wasPreAuthFilter >> = >> > new *WebSpherePreAuthenticatedProcessingFilter*(); >> > >> > >> > >> > @Override >> > >> > protected void *configure*(HttpSecurity http) throws Exception { >> > >> > >> > >> > wasPreAuthFilter.*setAuthenticationManager*(* >> authenticationManager* >> > ()); >> > >> > http >> > >> > .*addFilter*(wasPreAuthFilter) >> > >> > .*authorizeRequests*() >> > >> > .*anyRequest*().*permitAll*(); >> > >> > } >> > >> > >> > >> > @Override >> > >> > protected void *configure*(AuthenticationManagerBuilder auth) >> throws >> > Exception { >> > >> > auth.*authenticationProvider*(*websphereAuthenticationProvide >> r*()); >> > >> > } >> > >> > >> > >> > >> > >> > *// Required for WASPreAuth Filter* >> > >> > @Bean >> > >> > public AuthenticationProvider *websphereAuthenticationProvider*() { >> > >> > >> > >> > return new *AuthenticationProvider*() { >> > >> > >> > >> > @Override >> > >> > public Authentication *authenticate*(Authentication >> > authentication) throws AuthenticationException { >> > >> > >> > >> > String groupName = "AD Group name"; >> > >> > PreAuthenticatedAuthenticationToken preAuthToken = new >> > *PreAuthenticatedAuthenticationToken*(authentication.*getPrincipal*(), >> > authentication.*getCredentials*()); >> > >> > >> > >> > try { >> > >> > >> > >> > Subject subject = WSSubject.*getCallerSubject*(); >> > >> > Optional<Principal> principal = >> subject.*getPrincipals* >> > ().*stream*().*findFirst*(); >> > >> > if (principal.*isPresent*()) { >> > >> > log.*debug*("principal = " + principal.*get*(). >> > *getName*()); >> > >> > } >> > >> > Optional<WSCredential> credentialStream = subject. >> > *getPublicCredentials*(WSCredential.class).*stream*().*findFirst*(); >> > >> > >> > >> > List<GrantedAuthority> authorities = new >> ArrayList<>(); >> > >> > >> > >> > Stream<String> groupIds = credentialStream.*get*(). >> > *getGroupIds*().*stream*(); >> > >> > >> > >> > Optional<String> group = groupIds.*filter*(i -> i. >> > *contains*(groupName.*trim*())).*findFirst*(); >> > >> > if (group.*isPresent*()) { >> > >> > log.*debug*("group found: " + group.*get*()); >> > >> > authorities.*add*(new *SimpleGrantedAuthority* >> > ("ROLE_HASACCESS")); >> > >> > } else { >> > >> > log.*debug*("Group not found"); >> > >> > } >> > >> > preAuthToken = new >> > *PreAuthenticatedAuthenticationToken* >> > (principal.*get*(), credentialStream.*get*(), authorities); >> > >> > >> > >> > } >> > >> > catch (WSSecurityException e) { >> > >> > log.*error*(e.*getMessage*(), e); >> > >> > } catch (CredentialExpiredException e) { >> > >> > log.*error*(e.*getMessage*(), e); >> > >> > } >> > >> > >> > >> > return preAuthToken; >> > >> > } >> > >> > >> > >> > @Override >> > >> > public boolean *supports*(Class<?> authentication) { >> > >> > >> > >> > return true; >> > >> > } >> > >> > }; >> > >> > } >> > >> > } >> > >> > >> > >> > My HomePage class: >> > >> > *// @AuthorizeInstantiation("hasAccess") Commented out and using the >> > getHomePage logic* >> > >> > public class *SearchPage* extends *BasePage* { >> > >> > >> > >> > private IModel<AppSearchCriteria> searchCriteriaIModel = new >> > Model<>(new *AppSearchCriteria*()); >> > >> > private boolean showSearchResults = false; >> > >> > >> > >> > >> > >> > public *SearchPage*() { >> > >> > super(); >> > >> > log.*debug*("SearchPage()"); >> > >> > } >> > >> > >> > >> > public *SearchPage*(IModel<AppSearchCriteria> model) { >> > >> > super(); >> > >> > log.*debug*("SearchPage(model)"); >> > >> > searchCriteriaIModel = model; >> > >> > } >> > >> > >> > >> > @Override >> > >> > protected void *onInitialize*() { >> > >> > super.*onInitialize*(); >> > >> > log.*debug*("SearchPage.init()"); >> > >> > Form<AppSearchCriteria> form = new Form<>("form", >> > searchCriteriaIModel); >> > >> > log.*debug*("form created"); >> > >> > form.*type*(FormType.Horizontal); >> > >> > *add*(form); >> > >> > log.*debug*("form added"); >> > >> > log.*debug*("SearchPage.init() done"); >> > >> > } >> > >> > } >> > >> > >> > >> > From the WebApplication class: >> > >> > @Override >> > >> > public Class<? extends Page> *getHomePage*() { >> > >> > log.*debug*("getHomePage()"); >> > >> > AppWebSession session = (AppWebSession)AppWebSession.*get*(); >> > >> > log.*debug*("Determine which page to show ..."); >> > >> > // This principal that is output is correct. >> > >> > log.*debug*("SecurityContextHolder principal: " + >> > SecurityContextHolder.*getContext*().*getAuthentication*().* >> getPrincipal* >> > ()); >> > >> > >> > >> > if (session != null) { >> > >> > if (session.*isSignedIn*()) { >> > >> > log.*debug*("signed in - returning >> > SearchPage"); <-- I do see this output in the logs >> > >> > return SearchPage.class; >> > >> > } else { >> > >> > log.*debug*("session not signed in - returning >> > NotAuthorized"); >> > >> > return NotAuthorized.class; >> > >> > } >> > >> > } else { >> > >> > log.*debug*("session is NULL - returning NotAuthorized"); >> > >> > return NotAuthorized.class; >> > >> > } >> > >> > } >> > >> >> >> -- >> Regards - Ernesto Reinaldo Barreiro >> >
