  • Spring security 3 & SSO with pubcookie

    I have to implement SSO using pubcookie (http://www.pubcookie.org/).

    I think I am on the right track, although there are still some missing pieces. Can somebody please tell me if I have the process right? (Below is a simplified version of the handshake with the pubcookie server.)
    1. Subclass RequestHeaderAuthenticationFilter (let's call it myFilter) to check for the user principal. Initially the principal will be null and an exception will be thrown.
    2. Implement a custom AuthenticationEntryPoint to react to the exception thrown above and redirect the request to the pubcookie server.
    3. The pubcookie server sends the request back to us with custom headers set with the principal info.
    4. myFilter will succeed this time (getPreAuthenticatedPrincipal() will return the principal info).
    5. Now what? For the authorization part, UserDetailsService still needs to be invoked. How do I specify that?
    6. How do I initialize the SecurityContextHolder with the data pulled in the step above?

    Any pointers will be highly appreciated.
    Thanks.

  • #2
    Looking at the source code, a few more things I found....

    1. If I subclass AbstractAuthenticationProcessingFilter instead of AbstractPreAuthenticationProcessingFilter, then I'll have access to an 'authenticationManager' and getAuthenticationManager().authenticate() may be called. This will allow for a subclass of PreAuthenticatedAuthenticationToken to be authenticated by a custom pre-authenticated-just-load-user-details authentication provider.

    However the whole idea of an SSO would be to obviate getAuthenticationManager().authenticate() call.


    • #3
      You don't necessarily need to use UserDetailsService or even the AuthenticationManager if you have no need for them. You can just set a SecurityContext with an Authentication that returns true for isAuthenticated and has the proper GrantedAuthority objects on it, using the SecurityContextHolder.setContext method. Just make sure that the SecurityContextPersistenceFilter is invoked so that the Authentication will be associated with the user's HttpSession. This is done automatically when using the http element of the Security namespace so long as you do not specify filters=none (i.e. if you need to allow everyone to access that URL, specify access=permitAll). Just remember that if you set the Authentication yourself, you should have some code that securely authenticates the user.

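      The standard way to fill in steps 5 and 6 of the first post (and the SecurityContext setup #3 describes) with Spring Security's own pre-authentication classes, as an added example that is not from this thread or from the Spring project. It assumes Spring Security 3.1 signatures, a front end that places the verified user in an X-Pubcookie-User header (assumed name), and a constructed user lookup in place of a real role store:

```java
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public class PubcookiePreAuthWiring {
    /** Steps 1-4: the filter only extracts the identity the pubcookie front end already verified. */
    public static class PubcookieHeaderFilter extends AbstractPreAuthenticatedProcessingFilter {
        // Assumed header name; use whatever your pubcookie front end really sets.
        static final String PRINCIPAL_HEADER = "X-Pubcookie-User";
        @Override
        protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
            String user = request.getHeader(PRINCIPAL_HEADER);
            // null means "not pre-authenticated yet"; the entry point then redirects to pubcookie.
            return (user == null || user.trim().isEmpty()) ? null : user.trim();
        }
        @Override
        protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
            return "N/A"; // nothing is verified here; trust comes from the front end
        }
    }
    /** Steps 5-6: no password check, just load the authorities for the trusted principal. */
    public static class PubcookieUserDetailsService
            implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
        public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
            String name = token.getName();
            // Constructed lookup standing in for a real role store.
            if (!"alice".equals(name)) throw new UsernameNotFoundException("unknown user: " + name);
            return new User(name, "N/A", AuthorityUtils.createAuthorityList("ROLE_USER"));
        }
    }
    /** The provider returns an authenticated token, which the filter stores in the SecurityContext. */
    public static PubcookieHeaderFilter buildFilter() {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(new PubcookieUserDetailsService());
        ProviderManager manager = new ProviderManager(Arrays.<AuthenticationProvider>asList(provider));
        PubcookieHeaderFilter filter = new PubcookieHeaderFilter();
        filter.setAuthenticationManager(manager); // afterPropertiesSet() fails without this
        return filter;
    }
}
```

      Because the filter takes the header value as the identity without checking anything, only the trusted pubcookie front end may be able to reach the application with that header; the provider call does no credential check, it just loads roles, which is why it is still needed even in an SSO setup.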

      • #4
        Thank you for replying, it makes sense. However, I had to earn it. :-)

        I'm following the pre-auth scenario described in the manual (http://static.springsource.org/sprin...e/preauth.html); almost everything works except for one small (and fatal) glitch. The 'external' app is in fact a home-grown solution and it sits between my app and the real pubcookie authentication server; this app actually POSTs the (pre-authenticated) userId to my app. I have code like the following in my CustomPreAuth filter, but the POSTed variable is always null, as though it is being stripped away.

        Do you know if Spring Security is doing this?
        Code:
        String preAuthId = request.getParameter("some-pre-auth-id");
        if (preAuthId == null) {
            throw new PreAuthenticatedCredentialsNotFoundException("ID is null");
        }
        Is it illegal for a (pre-auth) filter to access form-posted data?


        • #5
          It is not illegal for the PreAuthentication Filter to access a POST variable, and Spring Security should not be stripping it away. I would suggest you turn up logging to see what is happening. Using something to view the HTTP requests sent from your browser, like the Tamper Data plugin for Firefox, can be extremely helpful too.


          • #6
            Installed Tamper Data. It shows the parameter under the 'Post Parameter Name' column and the expected value appears under 'Post Parameter Value'. That would mean the problem is on the server side.

            I'm using HTTPS for the app; I wonder if that has anything to do with it?


            • #7
              Did you turn on logging in Spring Security? What do the logs look like?


              • #8
                Logging is set to TRACE:

                log4j.logger.org.springframework.security=TRACE

                There is no error or warning in the logs.

                As incredible as it may sound, I wrote a 'hello world' app using Spring MVC and had the same problem there: I could not read form POST data. Of course, if a form within the app is posted, the controller (and servlet filter) can read it fine; however, if an external application POSTs a form then the parameters seem to vanish.


                • #9
                  Do you see any debug statements from Spring Security? You might try adding a debug point to the PreAuthenticationFilter and see what the request looks like.

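                  One way to do what #9 suggests without a debugger, as an added example that is not from this thread: a debug-only servlet filter, mapped in web.xml ahead of springSecurityFilterChain, that records the shape of the request the container actually received, so a parameter that never arrived can be told apart from one the pre-auth filter cannot see. It assumes commons-logging (which Spring already uses) is on the classpath:

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/** Debug-only filter: runs before Spring Security and logs how the request arrived. */
public class RequestShapeLoggingFilter implements Filter {
    private static final Log log = LogFactory.getLog(RequestShapeLoggingFilter.class);

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // The container turns a body into parameters only for POST with Content-Type
            // application/x-www-form-urlencoded. A request that was redirected (for example to
            // switch to HTTPS) arrives as GET with no body, so only query-string names show up.
            log.debug("method=" + http.getMethod()
                    + " contentType=" + http.getContentType()
                    + " contentLength=" + http.getContentLength()
                    + " queryString=" + http.getQueryString());
            // Log parameter names only: the values carry the user's identity. Do not call
            // getInputStream()/getReader() here, or the body is consumed before the pre-auth filter.
            Map<?, ?> params = http.getParameterMap();
            log.debug("parameterNames=" + params.keySet());
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig filterConfig) {}

    public void destroy() {}
}
```

                  Compare the logged method and Content-Type with what Tamper Data shows leaving the browser; a POST that is logged as a GET, or a missing form Content-Type, explains a null getParameter() result without Spring Security having touched anything.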

                  • #10
                    Nothing suspicious in the logs. However, while debugging I found that request.postData == null, even though Tamper Data shows the form POST data to be present.

                    The log looks like this:

                    Code:
                    2011-06-26 23:24:37,973 ["http-bio-8443"-exec-6] DEBUG ca.utor.med.dc.medlink.security.PubCookiePreAuthenticatedFilter  - Request is to process authentication
                    2011-06-26 23:24:37,973 ["http-bio-8443"-exec-6] TRACE ca.utor.med.dc.medlink.security.PubCookiePreAuthenticatedFilter  - entry with (*****attemptAuthentication*****)
                    2011-06-26 23:24:43,801 ["http-bio-8443"-exec-6] DEBUG ca.utor.med.dc.medlink.security.PubCookiePreAuthenticatedFilter  - request.getParameter: UTORID = null
                    2011-06-26 23:24:43,802 ["http-bio-8443"-exec-6] DEBUG ca.utor.med.dc.medlink.security.PubCookiePreAuthenticatedFilter  - utorid not found, putting dummy value
                    2011-06-26 23:24:43,802 ["http-bio-8443"-exec-6] DEBUG ca.utor.med.dc.medlink.security.PubCookiePreAuthenticatedFilter  - utorid Not found, redirecting to external authentication system.
                    2011-06-26 23:24:43,802 ["http-bio-8443"-exec-6] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository  - SecurityContext is empty or anonymous - context will not be stored in HttpSession. 
                    2011-06-26 23:24:43,802 ["http-bio-8443"-exec-6] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter  - SecurityContextHolder now cleared, as request processing completed
                    2011-06-26 23:24:43,856 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.FilterChainProxy  - Converted URL to lowercase, from: '/'; to: '/'
                    2011-06-26 23:24:43,856 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.FilterChainProxy  - Candidate is: '/'; pattern is /resources/**; matched=false
                    2011-06-26 23:24:43,856 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.FilterChainProxy  - Converted URL to lowercase, from: '/'; to: '/'
                    2011-06-26 23:24:43,856 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.FilterChainProxy  - Candidate is: '/'; pattern is /**; matched=true
                    2011-06-26 23:24:43,856 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.FilterChainProxy  - /?utorid2=xxxx23 at position 1 of 12 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
                    2011-06-26 23:24:43,857 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource  - Converted URL to lowercase, from: '/'; to: '/'
                    2011-06-26 23:24:43,857 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource  - Candidate is: '/'; pattern is /login*; matched=false
                    2011-06-26 23:24:43,857 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource  - Candidate is: '/'; pattern is /j_spring_security_check; matched=false
                    2011-06-26 23:24:43,857 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource  - Candidate is: '/'; pattern is /admin/**; matched=false
                    2011-06-26 23:24:43,857 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource  - Candidate is: '/'; pattern is /**; matched=true
                    2011-06-26 23:24:43,857 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.access.channel.ChannelProcessingFilter  - Request: FilterInvocation: URL: /?utorid2=xxxx23; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
                    2011-06-26 23:24:43,857 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.FilterChainProxy  - /?utorid2=xxxx23 at position 2 of 12 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
                    2011-06-26 23:24:43,857 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.FilterChainProxy  - /?utorid2=xxxx23 at position 3 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
                    2011-06-26 23:24:43,857 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository  - No HttpSession currently exists
                    2011-06-26 23:24:43,857 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository  - No SecurityContext was available from the HttpSession: null. A new one will be created.
                    2011-06-26 23:24:43,857 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.FilterChainProxy  - /?utorid2=xxxx23 at position 4 of 12 in additional filter chain; firing Filter: 'CustomLogoutFilter'
                    2011-06-26 23:24:43,857 ["http-bio-8443"-exec-4] DEBUG ca.utor.med.dc.medlink.security.CustomLogoutFilter  - ========================================================================================
                    2011-06-26 23:24:43,857 ["http-bio-8443"-exec-4] DEBUG ca.utor.med.dc.medlink.security.CustomLogoutFilter  - $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Custom Logout Filter $$$$$$$$$$$$$$$$$$$$$$$$$$$$$
                    2011-06-26 23:24:43,857 ["http-bio-8443"-exec-4] DEBUG ca.utor.med.dc.medlink.security.CustomLogoutFilter  - ========================================================================================
                    2011-06-26 23:24:43,857 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.FilterChainProxy  - /?utorid2=xxxx23 at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
                    2011-06-26 23:24:43,857 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.FilterChainProxy  - /?utorid2=xxxx23 at position 6 of 12 in additional filter chain; firing Filter: 'PubCookiePreAuthenticatedFilter'
                    2011-06-26 23:24:43,857 ["http-bio-8443"-exec-4] DEBUG ca.utor.med.dc.medlink.security.PubCookiePreAuthenticatedFilter  - Request is to process authentication
                    2011-06-26 23:24:43,858 ["http-bio-8443"-exec-4] TRACE ca.utor.med.dc.medlink.security.PubCookiePreAuthenticatedFilter  - entry with (*****attemptAuthentication*****)
                    2011-06-26 23:24:53,206 ["http-bio-8443"-exec-4] DEBUG ca.utor.med.dc.medlink.security.PubCookiePreAuthenticatedFilter  - request.getParameter: UTORID = null
                    2011-06-26 23:24:53,206 ["http-bio-8443"-exec-4] DEBUG ca.utor.med.dc.medlink.security.PubCookiePreAuthenticatedFilter  - utorid not found, putting dummy value
                    2011-06-26 23:24:53,206 ["http-bio-8443"-exec-4] DEBUG ca.utor.med.dc.medlink.security.PubCookiePreAuthenticatedFilter  - utorid Not found, redirecting to external authentication system.
                    2011-06-26 23:24:53,207 ["http-bio-8443"-exec-4] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository  - SecurityContext is empty or anonymous - context will not be stored in HttpSession.


                    • #11
                      And what do the Tamper data logs look like?
