Spring security: 3.0.5 username is null in OpenIdAuthenticationToken

  • Spring security: 3.0.5 username is null in OpenIdAuthenticationToken

    Hi I have the following

    applicationContext-security.xml
    Code:
    <!-- Request firewall handed to filterChainProxy through its "firewall" property. -->
    <bean id="httpFireWall"
    		class="org.springframework.security.web.firewall.DefaultHttpFirewall" />
    	<!-- A single chain covers every URL ("/**", Ant-style matching); the filters are listed in the
    	     order they are meant to run. Several beans named in the filters attribute
    	     (channelProcessingFilter, concurrentSessionFilter, rememberMeProcessingFilter,
    	     anonymousProcessingFilter, filterSecurityInterceptor, switchUserProcessingFilter) are not
    	     defined in this excerpt.
    	     NOTE(review): switchUserProcessingFilter allows one user to act as another; confirm that
    	     its switch and exit URLs are restricted to administrators by the access rules. -->
    	<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    		<security:filter-chain-map path-type="ant">
    			<security:filter-chain pattern="/**"
    				filters="channelProcessingFilter,concurrentSessionFilter,securityContextPersistenceFilter,logoutFilter,openIdProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor,switchUserProcessingFilter" />
    		</security:filter-chain-map>
    		<property name="firewall" ref="httpFireWall" />
    	</bean>
    
    	<!-- Authentication manager referenced by openIdProcessingFilter. Although this section was
    	     labelled "form authentication", the only provider registered is the OpenID one.
    	     NOTE(review): the filter chain also names rememberMeProcessingFilter; if that filter
    	     authenticates through this manager, a remember-me provider would have to be in the
    	     providers list as well. Confirm against the beans not shown here. -->
    	<bean id="authenticationManager"
    		class="org.springframework.security.authentication.ProviderManager">
    		<property name="providers" ref="providers" />
    	</bean>
    
    	<!-- Provider list injected into authenticationManager. -->
    	<util:list id="providers">
    		<ref bean="openIdAuthenticationProvider" />
    	</util:list>
    
    	<!-- OpenID login filter, listening on /j_spring_openid_security_check. The session strategy
    	     bean (concurrentSessionController) is not defined in this excerpt. -->
    	<bean id="openIdProcessingFilter"
    		class="org.springframework.security.openid.OpenIDAuthenticationFilter">
    		<property name="authenticationManager" ref="authenticationManager" />
    		<property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
    		<property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
    		<property name="sessionAuthenticationStrategy" ref="concurrentSessionController" />
    		<property name="filterProcessesUrl" value="/j_spring_openid_security_check" />
    		<property name="consumer" ref="openIdConsumer" />
    	</bean>
    
    	<!-- Consumer built on openid4java: argument 0 is the ConsumerManager, argument 1 the list of
    	     attributes to request from the OpenID provider. -->
    	<bean id="openIdConsumer" class="org.springframework.security.openid.OpenID4JavaConsumer">
    		<constructor-arg index="0" ref="consumerManager" />
    		<constructor-arg index="1" ref="openIdAttributes" />
    	</bean>
    	<!-- NOTE(review): created with no-argument defaults; presumably the association and nonce
    	     stores are then in-memory and local to this instance. Confirm that suits the deployment,
    	     for example when several nodes serve the same site. -->
    	<bean id="consumerManager" class="org.openid4java.consumer.ConsumerManager" />
    	<util:list id="openIdAttributes"
    		value-type="org.springframework.security.openid.OpenIDAttribute">
    		<ref bean="openIdEmailAttribute" />
    	</util:list>
    	<!-- Requests exactly one required "email" value using the axschema.org type URI.
    	     NOTE(review): the value is asserted by the OpenID provider; treat it as unverified unless
    	     the provider is trusted, and key local accounts on the claimed identifier rather than on
    	     the e-mail address. -->
    	<bean id="openIdEmailAttribute" class="org.springframework.security.openid.OpenIDAttribute">
    		<constructor-arg index="0" value="email" />
    		<constructor-arg index="1"
    			value="http://axschema.org/contact/email" />
    		<property name="required" value="true" />
    		<property name="count" value="1" />
    	</bean>
    
    	<!-- Success handler for the OpenID filter; /default is the configured default target. -->
    	<bean id="authenticationSuccessHandler"
    		class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    		<property name="defaultTargetUrl" value="/default" />
    	</bean>
    
    	<!-- Project-specific failure handler. The class name as posted contains "..", so it is not
    	     a valid class name as written (presumably part of the package was trimmed by the
    	     poster). The exceptionMappings bean is not defined in this excerpt. -->
    	<bean id="authenticationFailureHandler"
    		class="com.security..OpenIdAuthenticationFailureHandler">
    		<property name="defaultFailureUrl" value="/authenticateFail" />
    		<property name="allowSessionCreation" value="true" />
    		<property name="exceptionMappings" ref="exceptionMappings" />
    	</bean>
    
    	<!-- Entry point that sends unauthenticated users to /login.
    	     NOTE(review): forceHttps is false, so this bean does not itself move the login page to
    	     HTTPS; transport protection presumably relies on channelProcessingFilter, which is named
    	     in the chain but not defined in this excerpt. Confirm. -->
    <bean id="authenticationEntryPoint"
    		class="org.springframework.security.web.authentication.AuthenticationProcessingFilterEntryPoint">
    		<property name="loginFormUrl" value="/login" />
    		<property name="forceHttps" value="false" />
    	</bean>
    
    	<!-- OpenID provider; user lookup is delegated to myuserService, which is not defined in this
    	     excerpt.
    	     NOTE(review): the logout log on this page shows the principal as com.user.domain.User
    	     with username=<null>. That object presumably comes from this service, so check that it
    	     populates the username on the OpenID path. The stored user_name on this page also
    	     carries a '#...' fragment that the logged identity lacks; confirm the lookup compares
    	     the full claimed identifier. -->
    	<bean id="openIdAuthenticationProvider"
    		class="org.springframework.security.openid.OpenIDAuthenticationProvider">
    		<property name="userDetailsService" ref="myuserService" />
    	</bean>
    
    	<!-- Logout handling: the filter listens on /j_spring_security_logout, is given "/logout" as
    	     its first constructor argument and the handler list as its second. -->
    	<bean id="logoutFilter"
    		class="org.springframework.security.web.authentication.logout.LogoutFilter">
    		<constructor-arg index="0" value="/logout" />
    		<constructor-arg index="1" ref="logoutHandlers" />
    		<property name="filterProcessesUrl" value="/j_spring_security_logout" />
    	</bean>
    
    	<!-- Handlers in list order: remember-me cleanup first, then the session handler. The
    	     rememberMeServices bean is not defined in this excerpt.
    	     NOTE(review): if the handlers run in this order and rememberMeServices fails (this page
    	     reports an error when the username is null), securityContextLogoutHandler presumably
    	     never runs and the HTTP session stays valid after a logout request. Session
    	     invalidation should not depend on the remember-me cleanup succeeding. -->
    	<util:list id="logoutHandlers"
    		value-type="org.springframework.security.web.authentication.logout.LogoutHandler">
    		<ref bean="rememberMeServices" />
    		<ref bean="securityContextLogoutHandler" />
    	</util:list>
    
    	<!-- Invalidates the HTTP session on logout. -->
    	<bean id="securityContextLogoutHandler"
    		class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
    		<property name="invalidateHttpSession" value="true" />
    	</bean>
    
    	<!-- Error handling: translates security exceptions raised further down the chain.
    	     Dependencies not set explicitly are autowired by type (presumably the authentication
    	     entry point).
    	     NOTE(review): byType wiring breaks or becomes ambiguous once a second bean of the same
    	     type exists; an explicit ref is easier to audit in a security configuration. -->
    	<bean id="exceptionTranslationFilter"
    		class="org.springframework.security.web.access.ExceptionTranslationFilter"
    		autowire="byType">
    		<property name="accessDeniedHandler" ref="accessDeniedHandler" />
    		<property name="authenticationTrustResolver" ref="authenticationTrustResolver" />
    	</bean>
    	<!-- Sends authenticated users who lack the required authority to /accessDenied. -->
    	<bean id="accessDeniedHandler"
    		class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
    		<property name="errorPage" value="/accessDenied" />
    	</bean>
    	<!-- Trust resolver referenced by exceptionTranslationFilter; default implementation. -->
    	<bean id="authenticationTrustResolver"
    		class="org.springframework.security.authentication.AuthenticationTrustResolverImpl" />
    
    	<!-- Security context persistence: the context is kept in the HTTP session through the
    	     repository below.
    	     NOTE(review): forceEagerSessionCreation is true, so a session is presumably created for
    	     every request, including unauthenticated ones. Confirm that the session id is changed at
    	     login (session-fixation protection) by the session strategy wired into the login filter. -->
    	<bean id="securityContextPersistenceFilter"
    		class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    		<property name="forceEagerSessionCreation" value="true" />
    		<property name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
    	</bean>
    	<!-- Session-backed repository; allowed to create a session when none exists. -->
    	<bean id="httpSessionSecurityContextRepository"
    		class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
    		<property name="allowSessionCreation" value="true" />
    	</bean>
    
    	<!-- Request wrapper filter; it sits after openIdProcessingFilter in the chain and is
    	     declared with default settings. -->
    	<bean id="securityContextHolderAwareRequestFilter"
    		class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter" />

    My OpenID security handler just sends you to the registration screen if you are logged in to OpenID but are not in the system. This works.

    My logs from the login process:
    Code:
    2011-07-15 06:26:13,989 DEBUG [org.springframework.security.openid.OpenIDAuthenticationFilter]["http-bio-6443"-exec-4][] Redirecting to https://open.login.yahooapis.com/openid/op/auth?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=${replace with token}"
    2011-07-15 06:26:14,755 DEBUG [org.springframework.security.openid.OpenIDAuthenticationFilter]["http-bio-6443"-exec-6][] Request is to process authentication
    [org.springframework.security.openid.OpenIDAuthenticationFilter]["http-bio"][] Supplied OpenID identity is https://me.yahoo.com/a/qMEzW9YcsdgwTHUu352XFku90UopFg--
    If I do a query, the OpenID identity matches.

    Code:
    SQL> select user_name from com_user where com_user_id = 16121;
    
    USER_NAME
    ---------------------------------------------------------------
    
    https://me.yahoo.com/a/qMEzW9YcsdgwTHUu352XFku90UopFg--#695c9
    As you can see, I am using the remember-me logout handler followed by the regular logout handler. Now when I click logout, the username in the OpenID authentication token is null.
    Code:
    Logging out user '[[email protected]c4ebc: Principal: com.user.domain.User@1d8f59e3[id=16121,username=<null>]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364:
    Granted Authorities: ROLE_USER, attributes : [[email:[[email protected]]]]]' and transferring to logout destination
    If I change to regular HTTP login, then the username is not null.

    Because of this I get an error during logout, because the remember-me service can't do its persistent logout when the username is null.
    Last edited by cablepuff; Jul 15th, 2011, 08:32 AM.