  • Spring Security https login to http default-target-url causing null Session/Security

    Hello,

    I'm using Spring Security 3.0.5. I have my login page under https, but I want my
    default-target-url to be under http. When I do this and my default-target-url is matched by Spring, it has a null HttpSession and thusly a null SecurityContext, and auths me as the anonymous role instead of user. When I have both under https it's no problem. Any ideas on how to support this?

    10:47:51,373 DEBUG DefaultListableBeanFactory:242 - Returning cached instance of singleton bean 'eventDispatcher'
    10:47:51,374 DEBUG SessionFixationProtectionStrategy:84 - Invalidating session with Id '3DFFA5FE669496C0A83781B8B8672033' and migrating attributes.
    10:47:51,375 DEBUG SessionFixationProtectionStrategy:94 - Started new session: BF8ECD94D1C4821381C8EED0284D1AE6
    10:47:51,376 DEBUG UsernamePasswordAuthenticationFilter:289 - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@48ad5079: Principal: com.dc.api.model.Users@1f529f0; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 76.102.97.125; SessionId: 3DFFA5FE669496C0A83781B8B8672033; Granted Authorities: com.dc.api.model.Authority@1a1de34
    10:47:51,377 DEBUG DefaultListableBeanFactory:242 - Returning cached instance of singleton bean 'eventDispatcher'
    10:47:51,378 DEBUG SavedRequestAwareAuthenticationSuccessHandler:107 - Using default Url: /registered/home.html
    10:47:51,378 DEBUG DefaultRedirectStrategy:36 - Redirecting to '/dreamcatcher/registered/home.html'
    10:47:51,379 DEBUG HttpSessionSecurityContextRepository:360 - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@48ad5079: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@48ad5079: Principal: com.dc.api.model.Users@1f529f0; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 76.102.97.125; SessionId: 3DFFA5FE669496C0A83781B8B8672033; Granted Authorities: com.dc.api.model.Authority@1a1de34'

    10:47:51,531 DEBUG DefaultFilterInvocationSecurityMetadataSource:200 - Candidate is: '/registered/home.html'; pattern is /registered/*; matched=true
    10:47:51,532 DEBUG ChannelProcessingFilter:99 - Request: FilterInvocation: URL: /registered/home.html; ConfigAttributes: [REQUIRES_INSECURE_CHANNEL]
    10:47:51,532 DEBUG FilterChainProxy:375 - /registered/home.html at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    10:47:51,532 DEBUG HttpSessionSecurityContextRepository:130 - No HttpSession currently exists
    10:47:51,532 DEBUG HttpSessionSecurityContextRepository:88 - No SecurityContext was available from the HttpSession: null. A new one will be created.
    10:47:51,533 DEBUG FilterChainProxy:375 - /registered/home.html at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
    10:47:51,533 DEBUG FilterChainProxy:375 - /registered/home.html at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    10:47:51,533 DEBUG FilterChainProxy:375 - /registered/home.html at position 5 of 11 in additional filter chain; firing Filter: 'XMLAuthenticationFilter'
    10:47:51,533 DEBUG FilterChainProxy:375 - /registered/home.html at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    10:47:51,534 DEBUG FilterChainProxy:375 - /registered/home.html at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    10:47:51,534 DEBUG FilterChainProxy:375 - /registered/home.html at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    10:47:51,534 DEBUG AnonymousAuthenticationFilter:67 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@d45589d8: Principal: guest; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 76.102.97.125; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'


    config:
    Code:
        <?xml version="1.0" encoding="UTF-8"?>
        <beans:beans
            xmlns="http://www.springframework.org/schema/security"
            xmlns:beans="http://www.springframework.org/schema/beans"
            xmlns:util="http://www.springframework.org/schema/util"
            xmlns:context="http://www.springframework.org/schema/context"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://www.springframework.org/schema/beans
                http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                http://www.springframework.org/schema/util
                http://www.springframework.org/schema/util/spring-util-3.0.xsd
                http://www.springframework.org/schema/security
                http://www.springframework.org/schema/security/spring-security-3.0.xsd
                http://www.springframework.org/schema/context
                http://www.springframework.org/schema/context/spring-context-3.0.xsd">
            <context:annotation-config />
            <context:component-scan base-package="dc" />
            <global-method-security />
            <http access-denied-page="/auth/denied.html">
                <intercept-url filters="none" pattern="/javax.faces.resource/**" />
                <intercept-url filters="none" pattern="/services/rest-api/1.0/**" />
                <intercept-url filters="none" pattern="/preregistered/*" />
                <intercept-url pattern="/**/*.xhtml" access="ROLE_NONE_GETS_ACCESS" />
                <intercept-url pattern="/auth/*" access="ROLE_ANONYMOUS,ROLE_USER" requires-channel="https" />
                <intercept-url pattern="/j_spring_security_check" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https" />
                <intercept-url pattern="/preregistered/*" access="ROLE_ANONYMOUS,ROLE_USER" requires-channel="http" />
                <intercept-url pattern="/registered/*" access="ROLE_USER" requires-channel="http" />
                <form-login
                    login-processing-url="/j_spring_security_check.html"
                    login-page="/auth/login.html"
                    default-target-url="/registered/home.html"
                    authentication-failure-url="/auth/login.html" />
                <logout invalidate-session="true"
                    logout-url="/auth/logout.html"
                    success-handler-ref="DCLogoutSuccessHandler" />
                <anonymous username="guest" granted-authority="ROLE_ANONYMOUS" />
            </http>
            <!-- Configure the authentication provider -->
            <authentication-manager>
                <authentication-provider user-service-ref="userManager">
                    <password-encoder ref="passwordEncoder" />
                </authentication-provider>
            </authentication-manager>
        </beans:beans>

  • #2
    Please read the session management section of the FAQ.



    • #3
      Thanks Luke, I found it: <session-management session-fixation-protection="none"/>

      I've run into another problem now, any ideas? Maybe another thread is proper.

      I had to use session-fixation-protection="none" in my application (form based login) as I have to switch between https (for login) and http (for all other pages), and I run into an issue when I log out and try to log back in. My logout redirects me back to my login page, and then I'm unable to authenticate as it authenticates me as ROLE_ANONYMOUS and only ROLE_USER has access to the login success page. If I close the browser and come back to login it's fine. Is there anything special I need to do for my logout to support session-fixation-protection="none"? I've tried just using the basic logout and my custom logout.

      config:

      Code:
        <?xml version="1.0" encoding="UTF-8"?>
        <beans:beans
            xmlns="http://www.springframework.org/schema/security"
            xmlns:beans="http://www.springframework.org/schema/beans"
            xmlns:util="http://www.springframework.org/schema/util"
            xmlns:context="http://www.springframework.org/schema/context"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://www.springframework.org/schema/beans
                http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                http://www.springframework.org/schema/util
                http://www.springframework.org/schema/util/spring-util-3.0.xsd
                http://www.springframework.org/schema/security
                http://www.springframework.org/schema/security/spring-security-3.0.xsd
                http://www.springframework.org/schema/context
                http://www.springframework.org/schema/context/spring-context-3.0.xsd">
            <context:annotation-config />
            <context:component-scan base-package="dc" />
            <global-method-security />
            <http access-denied-page="/auth/denied.html">
                <intercept-url filters="none" pattern="/javax.faces.resource/**" />
                <intercept-url filters="none" pattern="/services/rest-api/1.0/**" />
                <intercept-url filters="none" pattern="/preregistered/*" />
                <intercept-url pattern="/**/*.xhtml" access="ROLE_NONE_GETS_ACCESS" />
                <intercept-url pattern="/auth/*" access="ROLE_ANONYMOUS,ROLE_USER" />
                <intercept-url pattern="/preregistered/*" access="ROLE_ANONYMOUS,ROLE_USER" />
                <intercept-url pattern="/registered/*" access="ROLE_USER" requires-channel="http" />
                <form-login
                    login-processing-url="/j_spring_security_check.html"
                    login-page="/auth/login.html"
                    default-target-url="/registered/home.html"
                    authentication-failure-url="/auth/login.html" />
                <logout invalidate-session="true"
                    logout-url="/auth/logout.html"
                    success-handler-ref="DCLogoutSuccessHandler" />
                <anonymous username="guest" granted-authority="ROLE_ANONYMOUS" />
                <custom-filter after="FORM_LOGIN_FILTER" ref="xmlAuthenticationFilter" />
                <session-management session-fixation-protection="none" />
            </http>
            <!-- Configure the authentication provider -->
            <authentication-manager alias="am">
                <authentication-provider user-service-ref="userManager">
                    <password-encoder ref="passwordEncoder" />
                </authentication-provider>
                <authentication-provider ref="xmlAuthenticationProvider" />
            </authentication-manager>
        </beans:beans>
      custom logout filter:

      Code:
        import java.io.IOException;

        import javax.servlet.ServletException;
        import javax.servlet.http.HttpServletRequest;
        import javax.servlet.http.HttpServletResponse;

        import org.springframework.security.core.Authentication;
        import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;

        public class DCSimpleUrlLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {

            // Called by LogoutFilter after the session has been invalidated; sends the
            // user back to the login page instead of the handler's default target URL.
            @Override
            public void onLogoutSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
                    throws IOException, ServletException {
                // Prefix the context path so the redirect also works when the
                // application is not deployed at "/".
                response.sendRedirect(request.getContextPath() + "/auth/login.html");
            }
        }



      • #4
        I am curious if there was a final resolution to this issue raised by "cgswtsu" ?

        I am seeing a similar issue with my current legacy web application (Spring 3.0.5 + Tomcat 7.0.27). The symptom is that every successful login/logout is consistently followed by a login failure. When configured to use only http or only https the issue does not occur, so it has to do with switching from http to https. The same application running on (Spring 3.0.5 + WebSphere 6.1) does not exhibit this issue.

        Thanks in advance for any setting or work-around that could resolve the issue.

        Martin


        -----Failed login:
        Wed Jun 06 14:37:15 EDT 2012 DEBUG ChannelProcessingFilter:99 - Request: FilterInvocation: URL: /home.htm; ConfigAttributes: [REQUIRES_INSECURE_CHANNEL]
        Wed Jun 06 14:37:15 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
        Wed Jun 06 14:37:15 EDT 2012 DEBUG HttpSessionSecurityContextRepository:130 - No HttpSession currently exists
        Wed Jun 06 14:37:15 EDT 2012 DEBUG HttpSessionSecurityContextRepository:88 - No SecurityContext was available from the HttpSession: null. A new one will be created.
        Wed Jun 06 14:37:15 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
        Wed Jun 06 14:37:15 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 4 of 11 in additional filter chain; firing Filter: 'PreAuthenticationManager'
        Wed Jun 06 14:37:15 EDT 2012 DEBUG PreAuthenticationManager:82 - Checking secure context token: null
        Wed Jun 06 14:37:15 EDT 2012 DEBUG PreAuthenticationManager:103 - No pre-authenticated principal found in request
        Wed Jun 06 14:37:15 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 5 of 11 in additional filter chain; firing Filter: 'AuthenticationFilter'
        Wed Jun 06 14:37:15 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
        Wed Jun 06 14:37:15 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
        Wed Jun 06 14:37:15 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
        Wed Jun 06 14:37:15 EDT 2012 DEBUG AnonymousAuthenticationFilter:67 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa1b5a: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 10.1.21.69; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
        Wed Jun 06 14:37:15 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
        Wed Jun 06 14:37:15 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
        Wed Jun 06 14:37:15 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'




        -----Successful login:
        Wed Jun 06 14:35:50 EDT 2012 DEBUG ChannelProcessingFilter:99 - Request: FilterInvocation: URL: /home.htm; ConfigAttributes: [REQUIRES_INSECURE_CHANNEL]
        Wed Jun 06 14:35:50 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
        Wed Jun 06 14:35:50 EDT 2012 DEBUG HttpSessionSecurityContextRepository:166 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@6662cadc: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@6662cadc: Principal: test7; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER, ROLE_ADMIN'
        Wed Jun 06 14:35:50 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
        Wed Jun 06 14:35:50 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 4 of 11 in additional filter chain; firing Filter: 'PreAuthenticationManager'
        Wed Jun 06 14:35:50 EDT 2012 DEBUG PreAuthenticationManager:82 - Checking secure context token: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@6662cadc: Principal: test7; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER, ROLE_ADMIN
        Wed Jun 06 14:35:50 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 5 of 11 in additional filter chain; firing Filter: 'AuthenticationFilter'
        Wed Jun 06 14:35:50 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
        Wed Jun 06 14:35:50 EDT 2012 DEBUG DefaultSavedRequest:314 - pathInfo: both null (property equals)
        Wed Jun 06 14:35:50 EDT 2012 DEBUG DefaultSavedRequest:314 - queryString: both null (property equals)
        Wed Jun 06 14:35:50 EDT 2012 DEBUG DefaultSavedRequest:330 - requestURI: arg1=/home.htm; arg2=/home.htm (property equals)
        Wed Jun 06 14:35:50 EDT 2012 DEBUG DefaultSavedRequest:330 - serverPort: arg1=80; arg2=80 (property equals)
        Wed Jun 06 14:35:50 EDT 2012 DEBUG DefaultSavedRequest:330 - requestURL: arg1=http://localhost.tester/home.htm; arg2=http://localhost.tester/home.htm (property equals)
        Wed Jun 06 14:35:50 EDT 2012 DEBUG DefaultSavedRequest:330 - scheme: arg1=http; arg2=http (property equals)
        Wed Jun 06 14:35:50 EDT 2012 DEBUG DefaultSavedRequest:330 - serverName: arg1=localhost.tester; arg2=localhost.tester (property equals)
        Wed Jun 06 14:35:50 EDT 2012 DEBUG DefaultSavedRequest:330 - contextPath: arg1=; arg2= (property equals)
        Wed Jun 06 14:35:50 EDT 2012 DEBUG DefaultSavedRequest:330 - servletPath: arg1=/home.htm; arg2=/home.htm (property equals)
        Wed Jun 06 14:35:50 EDT 2012 DEBUG HttpSessionRequestCache:59 - Removing DefaultSavedRequest from session if present
        Wed Jun 06 14:35:50 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
        Wed Jun 06 14:35:50 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
        Wed Jun 06 14:35:50 EDT 2012 DEBUG AnonymousAuthenticationFilter:72 - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@6662cadc: Principal: test7; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER, ROLE_ADMIN'
        Wed Jun 06 14:35:50 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
        Wed Jun 06 14:35:50 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
        Wed Jun 06 14:35:50 EDT 2012 DEBUG FilterChainProxy:375 - /home.htm at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
        Wed Jun 06 14:35:50 EDT 2012 DEBUG ExpressionBasedFilterInvocationSecurityMetadataSource:173 - Converted URL to lowercase, from: '/home.htm'; to: '/home.htm'



        • #5
          Originally posted by martin3043:
          I am curious if there was a final resolution to this issue raised by "cgswtsu" ?

          I am seeing a similar issue with my current legacy web application (Spring 3.0.5 + Tomcat 7.0.27). The symptom is that every successful login/logout is consistently followed by a login failure. When configured to use only http or only https the issue does not occur, so it has to do with switching from http to https. The same application running on (Spring 3.0.5 + WebSphere 6.1) does not exhibit this issue.

          Thanks in advance for any setting or work-around that could resolve the issue.
          Please refer to the Session Management section of the FAQ, as Luke mentioned.



          • #6
            Before posting, I did refer to the session management link and tried a number of the discussed options such as "session-fixation-protection". I did not observe any change in behavior hence the reason for my posting to the topic.



            • #7
              It sounds as though you are running into this issue. In general, it is not recommended or secure to switch between HTTP and HTTPS when something secret like a Session ID is passed along. Refer to the SSL Strip link or search for FireSheep if you want details.

              If you still wish to do this, ensuring you create the initial session over HTTP will ensure the cookie is not specified as a secure cookie. This thread has an example filter that should help you do this. Again, this approach is not recommended as it is not secure.

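The following Python model is an added illustration, not code from the thread or from Spring Security, of the mechanism behind the first post's "No HttpSession currently exists", the re-login failure in #3, and the advice in #7. The browser side is Python's real http.cookiejar, which honours the Secure cookie attribute; the server side is a constructed stand-in that applies one assumption (the container marks JSESSIONID Secure when the session is created during an HTTPS request, which is what Tomcat does) plus Spring Security's migrateSession and logout behaviour. The hostname app.example and the session ids are constructed; the paths come from the posted config.

```python
"""Constructed model: a JSESSIONID issued on an HTTPS request carries the Secure
flag, so the browser withholds it on the next HTTP request and the filter chain
falls back to the anonymous token. Server side is a stand-in, browser side is
Python's real http.cookiejar."""
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

HOST = "app.example"                       # constructed hostname, not from the thread
LOGIN = "/j_spring_security_check.html"    # login-processing-url from the posted config
LOGOUT = "/auth/logout.html"               # logout-url from the posted config


def make_session_cookie(value, secure):
    """JSESSIONID as the container would issue it (Secure iff created over TLS)."""
    return Cookie(version=0, name="JSESSIONID", value=value, port=None,
                  port_specified=False, domain=HOST, domain_specified=False,
                  domain_initial_dot=False, path="/", path_specified=True,
                  secure=secure, expires=None, discard=True, comment=None,
                  comment_url=None, rest={})


def parse_jsessionid(cookie_header):
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID":
            return value
    return None


class Server:
    """Stand-in for the container plus Spring Security's login/logout filters."""

    def __init__(self, session_fixation_protection="migrateSession"):
        self.fixation = session_fixation_protection   # 3.0.x default is migrateSession
        self.sessions = {}                             # JSESSIONID -> {"user": ...}
        self.counter = 0

    def _new_session(self, scheme, attrs=None):
        self.counter += 1
        sid = "S%d" % self.counter
        self.sessions[sid] = dict(attrs or {"user": None})
        # Assumption modelled here: the container flags the cookie Secure when the
        # session is created during an HTTPS request (Tomcat behaviour).
        return sid, make_session_cookie(sid, secure=(scheme == "https"))

    def handle(self, scheme, path, cookie_header):
        """Returns (principal seen by the filter chain, Set-Cookie or None)."""
        sid = parse_jsessionid(cookie_header)
        session, set_cookie = self.sessions.get(sid), None
        if session is None:                 # no usable cookie arrived: fresh session
            sid, set_cookie = self._new_session(scheme)
            session = self.sessions[sid]
        if path == LOGIN:
            session["user"] = "ROLE_USER"
            if self.fixation != "none":     # migrateSession: new id, same attributes
                del self.sessions[sid]
                sid, set_cookie = self._new_session(scheme, session)
        elif path == LOGOUT:                # <logout invalidate-session="true">
            del self.sessions[sid]
            session = {"user": None}
        return session["user"] or "ROLE_ANONYMOUS", set_cookie


class Browser:
    def __init__(self):
        self.jar = CookieJar()

    def get(self, server, scheme, path):
        req = Request("%s://%s%s" % (scheme, HOST, path))
        self.jar.add_cookie_header(req)     # a Secure cookie is withheld when scheme is http
        principal, set_cookie = server.handle(scheme, path, req.get_header("Cookie"))
        if set_cookie is not None:
            self.jar.set_cookie(set_cookie) # same name/path: replaces the old cookie
        return principal


def login_flow(fixation, first_visit_scheme):
    """Principal seen on the http default-target-url after an https form login."""
    server, browser = Server(fixation), Browser()
    browser.get(server, first_visit_scheme, "/auth/login.html")  # session is created here
    browser.get(server, "https", LOGIN)
    return browser.get(server, "http", "/registered/home.html")


def relogin_after_logout(fixation):
    """Post #3: logout, then log in again without restarting the browser."""
    server, browser = Server(fixation), Browser()
    browser.get(server, "http", "/preregistered/index.html")      # first session over http
    browser.get(server, "https", LOGIN)
    browser.get(server, "http", LOGOUT)                            # session invalidated
    browser.get(server, "https", "/auth/login.html")               # new session, now over https
    browser.get(server, "https", LOGIN)
    return browser.get(server, "http", "/registered/home.html")


if __name__ == "__main__":
    for fix, first in (("migrateSession", "https"), ("none", "https"), ("none", "http")):
        print("fixation=%-14s first visit over %-5s -> %s" % (fix, first, login_flow(fix, first)))
    print("re-login after logout (fixation=none) ->", relogin_after_logout("none"))
```

Running it shows the three situations in the thread: with the default migrateSession the login over https always produces a Secure cookie and the http target page sees ROLE_ANONYMOUS; with session-fixation-protection="none" the http page works only if the very first session was created over http (the point made in #7); and after an invalidating logout the next session is created on the https login page, so the re-login in #3 fails until the cookie is discarded. The model also makes the trade-off visible: the workaround only works because a non-Secure session cookie is then sent over plain http, which is exactly what the SSL Strip and Firesheep references in #7 are about, and the only configuration in which none of these paths fail is the all-https one.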
