Announcement Announcement Module
Collapse
No announcement yet.
Preauthentication failing - authentication object not found in securityContextHolder Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Preauthentication failing - authentication object not found in securityContextHolder

    --P.S: my previous post did not show up in the threadlist, so reposting ---

    I am working with a tutorial sample from spring security on websphere 6.1.0.15,
    trying to setup preauthentication (using RequestHeaderPreAuthenticatedProcessingFilter)

    In our case, we are using TAM (Tivoli Access Manager with WebSeal) that will prepopulate the request header "iv-user" before forwarding to our application.

    I have changed the applicationContext-security.xml based on the example provided for siteminder at http://static.springframework.org/sp...h.html#d4e1916

    Here's how it currently looks like
    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans
    	 http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
    
    	<global-method-security secured-annotations="enabled">
    	</global-method-security>
    
    	<http entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
    		<intercept-url pattern="/secure/extreme/*"
    			access="ROLE_SUPERVISOR" />
    		<intercept-url pattern="/secure/*"
    			access="ROLE_SUPERVISOR,ROLE_USER" />
    		<intercept-url pattern="/faces/policysearch*"
    			access="ROLE_SUPERVISOR,ROLE_USER" />
    		<intercept-url pattern="/spring/*"
    			access="ROLE_SUPERVISOR,ROLE_USER" />
    	</http>
    	
    	
       <beans:bean id="preAuthenticatedProcessingFilterEntryPoint"
                class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint"/> 
                
    	<beans:bean id="preAuthenticatedProcessingFilter"
    		class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
    		<custom-filter position="PRE_AUTH_FILTER" />
    		<beans:property name="principalRequestHeader" value="iv-user" />
    		<beans:property name="authenticationManager"  ref="authenticationManager" />
    	</beans:bean>
    	
    	<authentication-manager alias="authenticationManager" />
    	
    	<authentication-provider>
    		<user-service>
    			<user name="super" password="super"
    				authorities="ROLE_SUPERVISOR" />
    			<user name="scott" password="scott" authorities="ROLE_USER" />
    			<user name="mark" password="mark" authorities="ROLE_USER"
    				disabled="true" />
    			<user name="base" password="base" authorities="ROLE_BASE" />
    		</user-service>
    	</authentication-provider>  
    </beans:beans>
    I am mocking TAM's functionality using a mock Authentication filter for working in development mode.

    This MockAuthFilter is being called first (before the springSecurityFilterChain) in the 2 filter chain in my web.xml. All it does is populate a mockRequest class with "iv-user" request header as
    Code:
    mockRequest.addHeader("iv-user","super");
    and also copy the original request's values into this mockRequest object and then it calls
    chain.doFilter(mockRequest, response) to forward to the springSecurityFilterChain.

    My problem is when I click "secure page" link on the main index page (which should go to http://localhost:9080/samples/secure/index.jsp),
    I get the following message in the browser. :
    Code:
    Error 403: Access Denied
    And I get the following exception in my logs
    Code:
    [09/07/08 11:25:37:665 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,655 [WebContainer : 2] DEBUG FilterChainProxy - Converted URL to lowercase, from: '/secure/index.jsp'; to: '/secure/index.jsp'
    [09/07/08 11:25:37:665 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,665 [WebContainer : 2] DEBUG FilterChainProxy - Candidate is: '/secure/index.jsp'; pattern is /**; matched=true
    [09/07/08 11:25:37:665 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,665 [WebContainer : 2] DEBUG FilterChainProxy$VirtualFilterChain - /secure/index.jsp at position 1 of 6 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
    [09/07/08 11:25:37:665 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,665 [WebContainer : 2] DEBUG HttpSessionContextIntegrationFilter - No HttpSession currently exists
    [09/07/08 11:25:37:665 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,665 [WebContainer : 2] DEBUG HttpSessionContextIntegrationFilter - New SecurityContext instance will be associated with SecurityContextHolder
    [09/07/08 11:25:37:675 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,665 [WebContainer : 2] DEBUG FilterChainProxy$VirtualFilterChain - /secure/index.jsp at position 2 of 6 in additional filter chain; firing Filter: 'org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter[ order=500; ]'
    [09/07/08 11:25:37:685 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,685 [WebContainer : 2] DEBUG AbstractPreAuthenticatedProcessingFilter - Checking secure context token: null
    [09/07/08 11:25:37:685 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,685 [WebContainer : 2] DEBUG AbstractPreAuthenticatedProcessingFilter - preAuthenticatedPrincipal = super, trying to authenticate
    
    [09/07/08 11:25:37:685 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,685 [WebContainer : 2] DEBUG AbstractPreAuthenticatedProcessingFilter - Cleared security context due to exception
    org.springframework.security.providers.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken
    	at org.springframework.security.providers.ProviderManager.doAuthentication(ProviderManager.java:221)
    	at org.springframework.security.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:46)
    	at org.springframework.security.ui.preauth.AbstractPreAuthenticatedProcessingFilter.doAuthenticate(AbstractPreAuthenticatedProcessingFilter.java:87)
    	at org.springframework.security.ui.preauth.AbstractPreAuthenticatedProcessingFilter.doFilterHttp(AbstractPreAuthenticatedProcessingFilter.java:58)
    
    ................
    ....
    .
    
    [09/07/08 11:25:37:695 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,695 [WebContainer : 2] DEBUG FilterChainProxy$VirtualFilterChain - /secure/index.jsp at position 3 of 6 in additional filter chain; firing Filter: 'org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1100; ]'
    [09/07/08 11:25:37:695 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,695 [WebContainer : 2] DEBUG SavedRequestAwareWrapper - Wrapper not replaced; SavedRequest was: null
    [09/07/08 11:25:37:695 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,695 [WebContainer : 2] DEBUG FilterChainProxy$VirtualFilterChain - /secure/index.jsp at position 4 of 6 in additional filter chain; firing Filter: 'org.springframework.security.ui.ExceptionTranslationFilter[ order=1400; ]'
    [09/07/08 11:25:37:695 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,695 [WebContainer : 2] DEBUG FilterChainProxy$VirtualFilterChain - /secure/index.jsp at position 5 of 6 in additional filter chain; firing Filter: 'org.springframework.security.ui.SessionFixationProtectionFilter[ order=1600; ]'
    [09/07/08 11:25:37:705 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,695 [WebContainer : 2] DEBUG FilterChainProxy$VirtualFilterChain - /secure/index.jsp at position 6 of 6 in additional filter chain; firing Filter: 'org.springframework.security.intercept.web.FilterSecurityInterceptor@522e522e'
    [09/07/08 11:25:37:705 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,705 [WebContainer : 2] DEBUG DefaultFilterInvocationDefinitionSource - Converted URL to lowercase, from: '/secure/index.jsp'; to: '/secure/index.jsp'
    [09/07/08 11:25:37:705 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,705 [WebContainer : 2] DEBUG DefaultFilterInvocationDefinitionSource - Candidate is: '/secure/index.jsp'; pattern is /secure/extreme/*; matched=false
    [09/07/08 11:25:37:705 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,705 [WebContainer : 2] DEBUG DefaultFilterInvocationDefinitionSource - Candidate is: '/secure/index.jsp'; pattern is /secure/*; matched=true
    [09/07/08 11:25:37:715 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,715 [WebContainer : 2] DEBUG AbstractSecurityInterceptor - Secure object: FilterInvocation: URL: /secure/index.jsp; ConfigAttributes: [ROLE_SUPERVISOR, ROLE_USER]
    [09/07/08 11:25:37:715 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,715 [WebContainer : 2] DEBUG ExceptionTranslationFilter - Authentication exception occurred; redirecting to authentication entry point
    org.springframework.security.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    	at org.springframework.security.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:342)
    	at org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:254)
    	
    
    ..............
    ..
    .
    [09/07/08 11:25:37:725 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,725 [WebContainer : 2] DEBUG ExceptionTranslationFilter - Authentication entry point being called; SavedRequest added to Session: SavedRequest[http://localhost/samples/secure/index.jsp]
    [09/07/08 11:25:37:725 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,725 [WebContainer : 2] DEBUG PreAuthenticatedProcessingFilterEntryPoint - Pre-authenticated entry point called. Rejecting access
    [09/07/08 11:25:37:725 EDT] 00000031 SystemOut     O 2008-07-09 11:25:37,725 [WebContainer : 2] DEBUG HttpSessionContextIntegrationFilter - SecurityContextHolder now cleared, as request processing completed
    Any help will be much appreciated..
    THanks,

  • #2
    I had to declare a preauthAuthProvider in my springSecurityContext.xml.

    Here's my new spring context file.
    Code:
    ....
    ..
    .
    	<global-method-security secured-annotations="enabled">
    	</global-method-security>
    
    	<http
    		entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
    		<intercept-url pattern="/secure/extreme/*"
    			access="ROLE_SUPERVISOR" />
    		<intercept-url pattern="/secure/*"
    			access="ROLE_SUPERVISOR,ROLE_USER" />
    		<intercept-url pattern="/faces/policysearch*"
    			access="ROLE_SUPERVISOR,ROLE_USER" />
    		<intercept-url pattern="/spring/*"
    			access="ROLE_SUPERVISOR,ROLE_USER" />
    	</http>
    
    
    	<beans:bean id="preAuthenticatedProcessingFilterEntryPoint"
    		class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
    
    	<beans:bean id="preAuthenticatedProcessingFilter"
    		class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
    		<custom-filter position="PRE_AUTH_FILTER" />
    		<beans:property name="principalRequestHeader" value="iv-user" />
    		<beans:property name="credentialsRequestHeader"
    			value="iv-password" />
    		<beans:property name="authenticationManager"
    			ref="authenticationManager" />
    	</beans:bean>
    
    	<authentication-manager alias="authenticationManager" />
    
    	<beans:bean id="preauthAuthProvider"
    		class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
    		<custom-authentication-provider />
    		<beans:property name="preAuthenticatedUserDetailsService">
    			<beans:bean id="userDetailsServiceWrapper"
    				class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
    				<beans:property name="userDetailsService"
    					ref="userDetailsService" />
    			</beans:bean>
    		</beans:property>
    	</beans:bean>
    
    	<beans:bean id="userDetailsService"
    		class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
    		<beans:property name="userProperties">
    			<beans:bean
    				class="org.springframework.beans.factory.config.PropertiesFactoryBean">
    				<beans:property name="location"
    					value="/WEB-INF/users.properties" />
    			</beans:bean>
    		</beans:property>
    	</beans:bean>

    now it works.. (sorry for the double post)!

    Comment


    • #3
      Hi robinbajaj!
      I'm new with acegi and I have to integrate my application with WebSeal.
      I'll follow your configuration for authentication but I don't know the configuration to obain the user groups ("iv-groups") from header.

      Could you help me?

      thx

      Comment

      Working...
      X