How to specify an AuthProvider in Spring Sec 2? Trying to backport Kerb / SPNEGO ext

  • How to specify an AuthProvider in Spring Sec 2? Trying to backport Kerb / SPNEGO ext

    Hi all,
    I'm backporting Mike Weisner's great Kerberos / SPNEGO extension to work with Spring Security 2.0.4 to allow SPNEGO authentication for Atlassian Crowd products. I'd use NTLM, but I have the requirement of redirecting the user to the login page if they're outside of the network, which the Kerberos / SPNEGO enables. I've been able to backport all Spring Security 3 classes and am able to get SSO within the network and the login form outside of the network working with the Roo Petclinic app. I run into trouble with the form login authentication provider. It worked fine for Spring Security 3, but I get into a redirect loop with Spring Security 2, and the exception generated in the console is:

    Code:
    org.springframework.security.providers.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.extensions.kerberos.KerberosServiceRequestToken
            at org.springframework.security.providers.ProviderManager.doAuthentication(ProviderManager.java:214)
            at org.springframework.security.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:46)
            at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131)
            at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
            at org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:89)
            at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
            at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
            at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
            at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
            at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
            at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175)
            at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
            at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
            at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
            at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
            at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:864)
            at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
            at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1665)
            at java.lang.Thread.run(Thread.java:662)
    The only line of code that I really have control over is
    org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131)
    where the AuthenticationManager.authenticate(authenticationRequest) method is called. However, I don't really seem to have control over how the Authentication Manager is injected...

    I came across Preauthentication failing - authentication object not found in securityContextHolder but the preauth provider is already specified. Others I've come across are
    http://forum.springsource.org/showth...ation-provider
    and http://stackoverflow.com/questions/9...ation-provider


    My config file is

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:sec="http://www.springframework.org/schema/security"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
    
    	<!-- HTTP security configurations -->
        <sec:http entry-point-ref="spnegoEntryPoint">
        	<sec:form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t"/>
            <sec:logout logout-url="/resources/j_spring_security_logout"/>
            <sec:intercept-url pattern="/owners/**" access="IS_AUTHENTICATED_FULLY" />
            <sec:intercept-url pattern="/pets/**" access="IS_AUTHENTICATED_FULLY" />
            <sec:intercept-url pattern="/vets/**" access="IS_AUTHENTICATED_FULLY" />
            <sec:intercept-url pattern="/visits/**" access="IS_AUTHENTICATED_FULLY" />
            <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        </sec:http>
    
        <beans:bean id="spnegoEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />
    
        <beans:bean id="spnegoAuthenticationProcessingFilter"
                    class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
            <custom-filter position="PRE_AUTH_FILTER" />
            <beans:property name="authenticationManager" ref="authenticationManager"/>
            <beans:property name="failureHandler">
                <beans:bean
                        class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
                    <beans:property name="defaultFailureUrl" value="/login"/>
                    <beans:property name="allowSessionCreation" value="true"/>
                </beans:bean>
            </beans:property>
        </beans:bean>
    
    	<!-- Configure Authentication mechanism -->
        <sec:authentication-manager alias="authenticationManager"/>
    
    
        <beans:bean id="kerberosAuthenticationProvider"
    		class="org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider">
            <sec:custom-authentication-provider/>
    		<beans:property name="kerberosClient">
    			<beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosClient">
    				<beans:property name="debug" value="true"/>
    			</beans:bean>
    		</beans:property>
    		<beans:property name="userDetailsService" ref="dummyUserDetailsService"/>
    	</beans:bean>
    
    	<beans:bean id="kerberosServiceAuthenticationProvider"
    		class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
            <sec:custom-authentication-provider/>
    		<beans:property name="ticketValidator">
    			<beans:bean
    				class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
    				<beans:property name="servicePrincipal" value="spnego_test" />
    				<!-- Setting keyTabLocation to a classpath resource will most likely not work in a Java EE application Server -->
    				<!-- See the Javadoc for more information on that -->
    				<beans:property name="keyTabLocation" value="file:///C:\\apache-tomcat-6.0.32\\petclinic.keytab" />
    				<beans:property name="debug" value="true" />
    			</beans:bean>
    		</beans:property>
    		<beans:property name="userDetailsService" ref="dummyUserDetailsService" />
    	</beans:bean>
    
        <beans:bean id="dummyUserDetailsService" class="com.springsource.petclinic.security.DummyUserDetailsService"/>
    
    </beans:beans>
    and I've tried

    Code:
        <beans:bean id="authenticationManager"
                    class="org.springframework.security.providers.ProviderManager">
            <beans:property name="providers">
                <beans:list>
                    <beans:ref local="kerberosAuthenticationProvider"/>
                    <beans:ref local="kerberosServiceAuthenticationProvider"/>
                </beans:list>
            </beans:property>
        </beans:bean>
    as the authentication manager declaration as well with the same results.


    This may very well be a Spring Security 2 issue that I'm unaware of -- I'm new to Spring Security and any help on what I need to do to set the AuthenticationProvider on the AuthenticationManager to get this resolved would be greatly appreciated.

  • #2
    Ok -- it looks like the exception is supposed to be happening. I remember seeing an exception being generated when I used Spring Security 3, but didn't take a close look at it. The code is falling into the catch block (as it should), and then the ExceptionMappingAuthenticationFailureHandler takes over from there. I'll see if I can figure out what is going wrong and post back my results.



    • #3
      Had to add <sec:anonymous/> to the <http> section...

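The fix from post #3 applied to the `<sec:http>` block of the first post's config, as an added example that is not part of the original thread. In the Spring Security 2 namespace the anonymous filter is only registered when `auto-config` or an explicit `<anonymous/>` element is present, so without it a request from outside the domain reaches `/login` with no `Authentication` at all, fails the `IS_AUTHENTICATED_ANONYMOUSLY` rule, and is sent back through the entry point and the failure handler to `/login` again.

```xml
<!-- Added example: only the <sec:http> block changes; every other bean in the
     posted config (entry point, SPNEGO filter, providers) stays as it was. -->
<sec:http entry-point-ref="spnegoEntryPoint">
    <!-- Registers the anonymous authentication filter. An unauthenticated
         request now carries an anonymous token, which satisfies the
         IS_AUTHENTICATED_ANONYMOUSLY rule on /** and lets /login render
         instead of bouncing back to the SPNEGO entry point. -->
    <sec:anonymous/>

    <sec:form-login login-processing-url="/resources/j_spring_security_check"
                    login-page="/login"
                    authentication-failure-url="/login?login_error=t"/>
    <sec:logout logout-url="/resources/j_spring_security_logout"/>

    <!-- Protected areas still require a real login (Kerberos ticket or form);
         the anonymous token does not satisfy IS_AUTHENTICATED_FULLY. -->
    <sec:intercept-url pattern="/owners/**" access="IS_AUTHENTICATED_FULLY"/>
    <sec:intercept-url pattern="/pets/**" access="IS_AUTHENTICATED_FULLY"/>
    <sec:intercept-url pattern="/vets/**" access="IS_AUTHENTICATED_FULLY"/>
    <sec:intercept-url pattern="/visits/**" access="IS_AUTHENTICATED_FULLY"/>

    <!-- Catch-all, including /login and the form-processing URL. -->
    <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
</sec:http>
```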