Spring Security using Websphere & JSF - Unauthenticated problem

  • Spring Security using Websphere & JSF - Unauthenticated problem

    Hi,

    I'm using WebSphere 7 and Spring Security 3 and keep getting UNAUTHENTICATED after I log in.

    My web.xml:
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>All_Admin_User</web-resource-name>
    <description />
    <url-pattern>*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>Authenticated User</role-name>
    </auth-constraint>
    </security-constraint>


    My applicationContext-security.xml:

    <sec:http auto-config="true" realm="Demo EOL Login" use-expressions="true" access-denied-page="/accessDenied.jsp" >
    <sec:intercept-url pattern="/internal/**" access="hasRole('ROLE_VIEW_EARS_ONLINE')" />
    <sec:intercept-url pattern="/external/**" access="hasRole('ROLE_VIEW_EARS_ONLINE')" />
    <sec:intercept-url pattern="/**" access="permitAll" />
    <sec:form-login/>
    <sec:custom-filter position="PRE_AUTH_FILTER" ref="webspherePreAuthFilter" />
    </sec:http>

    The log from websphere:
    MyWebSpherePreAuthenticatedProcessingFilter - principal name is UNAUTHENTICATED
    Authentication a is null

    I'm using form login for my login_j2ee.jsp. I'm also using the j_spring_security_check action:
    <form name="logonForm" action="j_spring_security_check" method="post">

    But somehow WebSphere can't authenticate my login.
    Anyone who has had the same problem and managed to solve it?

    Kind regards
    Jerry Johansson
    Last edited by jerryjohansson; Jan 14th, 2011, 02:07 AM. Reason: Wrong edit
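The log line "principal name is UNAUTHENTICATED" is WebSphere reporting its placeholder caller for a request the container has not authenticated, and the filter's getPreAuthenticatedPrincipal hands that string on as if it were a user name. As an added example, not code from this thread, the subclass below of Spring Security's WebSpherePreAuthenticatedProcessingFilter (Spring Security 3.0, as used here) maps that placeholder to null; AbstractPreAuthenticatedProcessingFilter then skips pre-authentication for the request instead of submitting a bogus principal to the AuthenticationManager. The class and package names are assumptions.

```java
package com.example.security; // assumed package name, not the thread's

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.authentication.preauth.websphere.WebSpherePreAuthenticatedProcessingFilter;

/**
 * Pre-authentication filter that treats WebSphere's "UNAUTHENTICATED" placeholder
 * principal as "no principal at all". Returning null from getPreAuthenticatedPrincipal
 * makes AbstractPreAuthenticatedProcessingFilter leave the request alone, so the
 * placeholder never reaches the AuthenticationManager or the SecurityContext.
 * (Hypothetical class; assumes Spring Security 3.0.x on the classpath.)
 */
public class SentinelAwareWebSpherePreAuthFilter extends WebSpherePreAuthenticatedProcessingFilter {

    /** The caller name WebSphere reports when the container has authenticated nobody. */
    static final String WAS_UNAUTHENTICATED = "UNAUTHENTICATED";

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // The stock filter asks WebSphere (WSSubject) for the current caller name.
        Object principal = super.getPreAuthenticatedPrincipal(request);
        return isRealPrincipal(principal) ? principal : null;
    }

    /** True only for a non-empty name that is not the container's placeholder. */
    static boolean isRealPrincipal(Object principal) {
        if (principal == null) {
            return false;
        }
        String name = principal.toString().trim();
        return name.length() > 0 && !WAS_UNAUTHENTICATED.equalsIgnoreCase(name);
    }
}
```

Wire it as the class of the webspherePreAuthFilter bean in place of the custom filter. This alone does not make a POST to j_spring_security_check succeed: that URL is handled by Spring's UsernamePasswordAuthenticationFilter, which needs an AuthenticationProvider that supports UsernamePasswordAuthenticationToken, and PreAuthenticatedAuthenticationProvider does not. j_security_check is handled by the container itself, which is why the log for that variant shows a real principal (ex31548) before the pre-auth filter runs.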

  • #2
    Can you provide a more detailed log?



    • #3
      More logs

      Hi,

      When I change my login page to use the j_security_check action, I need to log in to access the pages. I get in and past my login page and can see my user id in the Principal object in the log.

      Logs using j_security_check:

      [17/01/11 11:10:48:255 GMT+08:00] 0000007e webcontainer E com.ibm.ws.webcontainer.WebContainer handleRequest SRVE0255E: A WebGroup/Virtual Host to handle /favicon.ico has not been defined.
      [17/01/11 11:10:50:162 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedPrincipal called !
      [17/01/11 11:10:50:162 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - principal name is ex31548
      [17/01/11 11:10:50:162 GMT+08:00] 0000007e SystemOut O Authentication a is null
      [17/01/11 11:10:50:162 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedCredentials called ! N/A
      [17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O token org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken@517f1e6f : Principal: ex31548; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails@fffe9938: RemoteIpAddress: 172.20.203.159; SessionId: ZHzRRoBH7_FUK1OADDFVAUV; Authorities: [CN=EARS ONLINE USER,OU=EARS,OU=SYSTEMS,O=CORP]; Not granted any authorities
      [17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O token.name ex31548
      [17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O token.getAuthorities []
      [17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O token.getCredentials N/A
      [17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O token.getDetails org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails@fffe9938: RemoteIpAddress: 172.20.203.159; SessionId: ZHzRRoBH7_FUK1OADDFVAUV; Authorities: [CN=EARS ONLINE USER,OU=EARS,OU=SYSTEMS,O=CORP]
      [17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O token.getPrincipal ex31548
      [17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O token.isAuthenticated false
      [17/01/11 11:10:50:177 GMT+08:00] 0000007e SessionFixati W org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy onAuthentication Your servlet container did not change the session ID when a new session was created. You will not be adequately protected against session-fixation attacks
      [17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O Within Simple Filter ... SimpleFilter redirectUrl from Session: null
      [17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O SimpleFilter.isAuthenticated() - instance is Authentication
      [17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O SimpleFilter.isAuthenticated() - returns: true
      [17/01/11 11:10:50:193 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 1
      [17/01/11 11:10:50:193 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 2
      [17/01/11 11:10:50:193 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 5
      [17/01/11 11:10:50:224 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 6
      [17/01/11 11:10:50:240 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 7
      [17/01/11 11:10:50:365 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 8
      [17/01/11 11:10:50:365 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 9
      [17/01/11 11:10:50:412 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 10
      [17/01/11 11:10:50:412 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 11
      [17/01/11 11:10:50:427 GMT+08:00] 0000007e SystemOut O Filtering the Response ...
      [17/01/11 11:10:50:427 GMT+08:00] 0000007e WASSession E MTMBuffWrapper storeObject SESN0200E: Caught Exception while trying to serialize.
      [17/01/11 11:10:50:427 GMT+08:00] 0000007e WASSession E MTMHashMap handlePropertyHits SESN0202E: Failed to replicate attribute org.springframework.web.context.request.ServletRequestAttributes.DESTRUCTION_CALLBACK.organisationBean
      [17/01/11 11:10:50:474 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedPrincipal called !
      [17/01/11 11:10:50:474 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - principal name is UNAUTHENTICATED
      [17/01/11 11:10:50:474 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter getPreAuthenticatedPrincipal a.name: ex31548
      [17/01/11 11:10:50:474 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedPrincipal grant authority is ROLE_VIEW_EARS_ONLINE
      [17/01/11 11:10:50:474 GMT+08:00] 0000007e SystemOut O Within Simple Filter ... SimpleFilter redirectUrl from Session: null
      [17/01/11 11:10:50:474 GMT+08:00] 0000007e SystemOut O SimpleFilter.isAuthenticated() - instance is Authentication
      [17/01/11 11:10:50:474 GMT+08:00] 0000007e SystemOut O SimpleFilter.isAuthenticated() - returns: true
      [17/01/11 11:10:50:474 GMT+08:00] 0000007e SystemOut O Filtering the Response ...
      [17/01/11 11:10:50:490 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedPrincipal called !
      [17/01/11 11:10:50:490 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - principal name is UNAUTHENTICATED
      [17/01/11 11:10:50:490 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter getPreAuthenticatedPrincipal a.name: ex31548
      [17/01/11 11:10:50:490 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedPrincipal grant authority is ROLE_VIEW_EARS_ONLINE
      [17/01/11 11:10:50:490 GMT+08:00] 0000007e SystemOut O Within Simple Filter ... SimpleFilter redirectUrl from Session: null
      [17/01/11 11:10:50:490 GMT+08:00] 0000007e SystemOut O SimpleFilter.isAuthenticated() - instance is Authentication
      [17/01/11 11:10:50:490 GMT+08:00] 0000007e SystemOut O SimpleFilter.isAuthenticated() - returns: true

      -----------------------------------------------------------

      When I'm setting the login page to properly use j_spring_security_check
      I can't get past the login page.

      Logs when using j_spring_security_check:

      [17/01/11 10:53:27:780 GMT+08:00] 0000007c SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedPrincipal called !
      [17/01/11 10:53:27:780 GMT+08:00] 0000007c SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - principal name is UNAUTHENTICATED
      [17/01/11 10:53:27:780 GMT+08:00] 0000007c SystemOut O Authentication a is null
      [17/01/11 10:53:27:780 GMT+08:00] 0000007c SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedCredentials called ! N/A
      [17/01/11 10:53:27:780 GMT+08:00] 0000007c SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedPrincipal called !
      [17/01/11 10:53:27:780 GMT+08:00] 0000007c SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - principal name is UNAUTHENTICATED
      [17/01/11 10:53:27:780 GMT+08:00] 0000007c SystemOut O Authentication a is null
      [17/01/11 10:53:27:780 GMT+08:00] 0000007c SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedCredentials called ! N/A

      --------------------------------------------------

      A bit of code:

      I have a SimpleFilter where I'm checking if I'm authenticated:


      import java.io.IOException;
      import javax.servlet.Filter;
      import javax.servlet.FilterChain;
      import javax.servlet.FilterConfig;
      import javax.servlet.ServletException;
      import javax.servlet.ServletRequest;
      import javax.servlet.ServletResponse;
      import org.springframework.security.authentication.AnonymousAuthenticationToken;
      import org.springframework.security.core.Authentication;
      import org.springframework.security.core.context.SecurityContext;
      import org.springframework.security.core.context.SecurityContextHolder;

      public class SimpleFilter implements Filter
      {
          private FilterConfig filterConfig;

          public void init(FilterConfig filterConfig) throws ServletException
          {
              this.filterConfig = filterConfig;
          }

          public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
              throws IOException, ServletException
          {
              // Log whether a non-anonymous Authentication is present, then always continue the chain
              System.out.println("SimpleFilter.isAuthenticated() - returns: " + isAuthenticated());
              chain.doFilter(request, response);
          }

          public void destroy()
          {
              filterConfig = null;
          }

          private boolean isAuthenticated()
          {
              boolean result = false;
              SecurityContext context = SecurityContextHolder.getContext();
              if (context instanceof SecurityContext)
              {
                  Authentication authentication = context.getAuthentication();
                  if (authentication instanceof AnonymousAuthenticationToken)
                  {
                      // not authenticated
                      System.out.println("SimpleFilter.isAuthenticated() - instance is AnonymousAuthenticationToken");
                  }
                  else if (authentication instanceof Authentication)
                  {
                      // any other non-null Authentication counts as authenticated
                      result = true;
                      System.out.println("SimpleFilter.isAuthenticated() - instance is Authentication");
                  }
              }
              return result;
          }
      }

      ------------------------------------------



      • #4
        Does it help to select the option that authenticates for each URI visited? I think it's somewhere in Security->Global Security->Web and SIP... Then restart the server.



        • #5
          Can you post your entire web.xml file?

          I am trying something similar, but spring security is overriding my container authentication.

          I want to use websphere just for authentication SSO and spring will load the authorities of the user.



          • #6
            Hi guys,

            I have the same problem in WebSphere 6.1.
            When I try to get
            public static MyUser getAutenticado()
            {
            return (MyUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
            }
            In my controller I try
            UsuarioUtils.getAutenticado().getId();
            It returns Unauthenticated.

            When I access WebSphere directly the error doesn't happen, but if I access it by the URL, passing through the load balancer and web server, this error happens.

            Any idea about what it can be?
            Any configuration of WebSphere or the load balancer?

            Thanks,
            Last edited by dcmdeivid; Sep 2nd, 2011, 10:14 AM.



            • #7
              Hi guys,

              I'm attaching a few files for you to see if it can help you out.

              Cheers
              Jerry Johansson, Perth

              For the web.xml I have two different classpath entries depending on whether I'm running locally on Tomcat or on the WebSphere server.
              applicationContext-security.xml for Tomcat
              applicationContext-websphere.xml for WebSphere

              I also have two different filter names depending on Tomcat or WebSphere.
              filterChainProxy for Tomcat
              springSecurityFilterChain for WebSphere



              File: web.xml:
              <?xml version="1.0"?>
              <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
              http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
              <display-name>EOL Self Admin</display-name>
              <context-param>
              <param-name>contextConfigLocation</param-name>
              <param-value>
              classpath:spring/dataSourceContext.xml
              classpath:spring/services-context.xml
              classpath:spring/applicationContext.xml

              <!-- Use for TOMCAT: applicationContext-security.xml,
              Use for WebSphere: applicationContext-websphere.xml -->

              classpath:spring/applicationContext-security.xml
              <!-- classpath:spring/applicationContext-websphere.xml -->

              </param-value>
              </context-param>
              <context-param>
              <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
              <param-value>.xhtml</param-value>
              </context-param>
              <context-param>
              <param-name>org.richfaces.SKIN</param-name>
              <param-value>classic</param-value>
              </context-param>
              <context-param>
              <param-name>org.ajax4jsf.VIEW_HANDLERS</param-name>
              <param-value>com.sun.facelets.FaceletViewHandler</param-value>
              </context-param>

              <context-param>
              <param-name>org.ajax4jsf.RESOURCE_URI_PREFIX</param-name>
              <param-value>resources/richfaces/a4j</param-value>
              </context-param>

              <context-param>
              <param-name>org.ajax4jsf.GLOBAL_RESOURCE_URI_PREFIX</param-name>
              <param-value>resources/richfaces/a4j/g</param-value>
              </context-param>

              <context-param>
              <param-name>org.ajax4jsf.SESSION_RESOURCE_URI_PREFIX</param-name>
              <param-value>resources/richfaces/a4j/s</param-value>
              </context-param>


              <filter>
              <display-name>RichFaces Filter</display-name>
              <filter-name>richfaces</filter-name>
              <filter-class>org.ajax4jsf.Filter</filter-class>
              </filter>
              <filter-mapping>
              <filter-name>richfaces</filter-name>
              <servlet-name>Faces Servlet</servlet-name>
              <dispatcher>REQUEST</dispatcher>
              <dispatcher>FORWARD</dispatcher>
              <dispatcher>INCLUDE</dispatcher>
              </filter-mapping>

              <!-- Spring security filter -->
              <!-- Use for TOMCAT: filterChainProxy,
              Use for Websphere: springSecurityFilterChain -->
              <filter>
              <filter-name>filterChainProxy</filter-name>
              <!-- <filter-name>springSecurityFilterChain</filter-name> -->
              <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
              </filter>
              <filter-mapping>
              <filter-name>filterChainProxy</filter-name>
              <!-- <filter-name>springSecurityFilterChain</filter-name> -->
              <url-pattern>/*</url-pattern>
              </filter-mapping>

              <!-- Define the filters within the Web Application -->
              <filter>
              <filter-name>
              Simple Filter Example
              </filter-name>
              <filter-class>
              com.apps.admin.filter.SimpleFilter
              </filter-class>
              </filter>
              <!-- Map the filter to a Servlet or URL -->
              <filter-mapping>
              <filter-name>
              Simple Filter Example
              </filter-name>
              <url-pattern>
              /*
              </url-pattern>
              </filter-mapping>


              <listener>
              <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
              </listener>

              <listener>
              <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
              </listener>

              <listener>
              <listener-class>org.springframework.web.util.IntrospectorCleanupListener</listener-class>
              </listener>

              <listener>
              <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
              </listener>

              <listener>
              <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
              </listener>

              <servlet>
              <servlet-name>Faces Servlet</servlet-name>
              <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
              <load-on-startup>1</load-on-startup>
              </servlet>
              <servlet-mapping>
              <servlet-name>Faces Servlet</servlet-name>
              <url-pattern>*.xhtml</url-pattern>
              </servlet-mapping>

              <welcome-file-list>
              <welcome-file>index.jsp</welcome-file>
              </welcome-file-list>

              <resource-ref>
              <res-ref-name>jdbc/appsonlineDS</res-ref-name>
              <res-type>javax.sql.DataSource</res-type>
              <res-auth>Container</res-auth>
              </resource-ref>

              <!-- Container provided security settings -->
              <security-constraint>
              <web-resource-collection>
              <web-resource-name>Login Page</web-resource-name>
              <description />
              <url-pattern>/login_j2ee.jsp</url-pattern>
              </web-resource-collection>
              <auth-constraint>
              <role-name>Everybody</role-name>
              </auth-constraint>
              </security-constraint>
              <security-constraint>
              <web-resource-collection>
              <web-resource-name>All_Admin_User</web-resource-name>
              <description />
              <url-pattern>*.xhtml</url-pattern>
              </web-resource-collection>
              <auth-constraint>
              <role-name>ROLE_VIEW_ONLINE</role-name>
              </auth-constraint>
              </security-constraint>

              <login-config>
              <auth-method>FORM</auth-method>
              <form-login-config>
              <form-login-page>/external/login_j2ee.jsp</form-login-page>
              <form-error-page>/accessDenied.jsp</form-error-page>
              </form-login-config>

              </login-config>
              <security-role>
              <role-name>ROLE_VIEW_ONLINE</role-name>
              </security-role>

              <error-page>
              <exception-type>java.lang.Throwable</exception-type>
              <location>/error/errorpage.jsp</location>
              </error-page>
              <error-page>
              <error-code>500</error-code>
              <location>/error/errorpage.jsp</location>
              </error-page>
              <error-page>
              <error-code>404</error-code>
              <location>/error/404page.html</location>
              </error-page>



              </web-app>
              Last edited by jerryjohansson; Sep 7th, 2011, 04:41 AM.



              • #8
                applicationContext-security.xml (To use with Tomcat)

                Use this file for Tomcat.

                Cheers
                Jerry Johansson, Perth

                File applicationContext-security.xml:

                <?xml version="1.0" encoding="UTF-8"?>
                <beans xmlns="http://www.springframework.org/schema/beans"
                xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="http://www.springframework.org/schema/beans
                http://www.springframework.org/schem...-beans-3.0.xsd
                http://www.springframework.org/schema/security
                http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

                <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
                <sec:filter-chain-map path-type="ant">
                <sec:filter-chain pattern="/**"
                filters="sif,j2eePreAuthFilter,logoutFilter,etf,fsi" />
                </sec:filter-chain-map>
                </bean>

                <bean id="sif"
                class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />

                <sec:authentication-manager alias="authenticationManager">
                <sec:authentication-provider ref='preAuthenticatedAuthenticationProvider' />
                </sec:authentication-manager>

                <bean id="preAuthenticatedAuthenticationProvider"
                class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
                <property name="preAuthenticatedUserDetailsService" ref="myPreAuthenticatedUserDetailsService" />
                </bean>

                <bean id="preAuthenticatedUserDetailsService"
                class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService" />

                <bean id="myPreAuthenticatedUserDetailsService"
                class="com.apps.admin.security.MyPreAuthenticatedGrantedAuthoritiesUserDetailsService">
                </bean>

                <bean id="j2eePreAuthFilter"
                class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
                <property name="authenticationManager" ref="authenticationManager" />
                <property name="authenticationDetailsSource">
                <bean
                class="org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource">
                <property name="mappableRolesRetriever">
                <bean
                class="org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever" />
                </property>
                <property name="userRoles2GrantedAuthoritiesMapper">
                <bean
                class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
                <property name="convertAttributeToUpperCase" value="true" />
                </bean>
                </property>
                </bean>
                </property>
                </bean>

                <bean id="preAuthenticatedProcessingFilterEntryPoint"
                class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

                <bean id="logoutFilter"
                class="org.springframework.security.web.authentication.logout.LogoutFilter">
                <constructor-arg value="/" />
                <constructor-arg>
                <list>
                <bean
                class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
                </list>
                </constructor-arg>
                </bean>

                <bean id="servletContext"
                class="org.springframework.web.context.support.ServletContextFactoryBean" />

                <bean id="etf"
                class="org.springframework.security.web.access.ExceptionTranslationFilter">
                <property name="authenticationEntryPoint" ref="preAuthenticatedProcessingFilterEntryPoint" />
                </bean>

                <bean id="httpRequestAccessDecisionManager"
                class="org.springframework.security.access.vote.AffirmativeBased">
                <property name="allowIfAllAbstainDecisions" value="false" />
                <property name="decisionVoters">
                <list>
                <ref bean="roleVoter" />
                </list>
                </property>
                </bean>

                <bean id="fsi"
                class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
                <property name="authenticationManager" ref="authenticationManager" />
                <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager" />
                <property name="securityMetadataSource">
                <sec:filter-invocation-definition-source>
                <sec:intercept-url pattern="/internal/**" access="ROLE_VIEW_ONLINE" />
                <sec:intercept-url pattern="/external/**" access="ROLE_VIEW_ONLINE" />
                </sec:filter-invocation-definition-source>
                </property>
                </bean>

                <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter" />

                <bean id="securityContextHolderAwareRequestFilter"
                class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter" />

                <!-- <sec:global-method-security
                pre-post-annotations="enabled" />
                -->

                </beans>



                • #9
                  And here is applicationContext-websphere.xml, to use when running Websphere.

                  Cheers
                  Jerry Johansson, Perth


                  <?xml version="1.0" encoding="UTF-8"?>
                  <beans xmlns="http://www.springframework.org/schema/beans"
                  xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:schemaLocation="http://www.springframework.org/schema/beans
                  http://www.springframework.org/schem...-beans-3.0.xsd
                  http://www.springframework.org/schema/security
                  http://www.springframework.org/schema/security/spring-security-3.0.xsd">

                  <sec:http auto-config="true" realm="Demo EOL Login" use-expressions="true" access-denied-page="/accessDenied.jsp" >
                  <sec:intercept-url pattern="/internal/*.xhtml" access="hasRole('ROLE_VIEW_ONLINE') and hasRole('ROLE_VIEW_ONLINE_INTERNAL') and hasRole('ROLE_CORP_ADMIN')" />
                  <sec:intercept-url pattern="/external/*.xhtml" access="hasRole('ROLE_VIEW_ONLINE') and hasRole('ROLE_VIEW_ONLINE_EXTERNAL') and hasRole('ROLE_ADMIN')" />
                  <sec:intercept-url pattern="/external/login_j2ee.jsp" access="permitAll" />
                  <sec:intercept-url pattern="/internal/login_j2ee.jsp" access="permitAll" />
                  <sec:intercept-url pattern="/**" access="permitAll" />
                  <sec:intercept-url pattern="/img/**" access="permitAll" />
                  <sec:intercept-url pattern="/internal/css/**" access="permitAll" />
                  <sec:intercept-url pattern="/external/css/**" access="permitAll" />
                  <sec:intercept-url pattern="/internal/img/**" access="permitAll" />
                  <sec:intercept-url pattern="/external/img/**" access="permitAll" />
                  <sec:intercept-url pattern="/resources/richfaces/a4j/**" access="permitAll" />
                  <sec:intercept-url pattern="/resources/richfaces/a4j/scss/datascroller.xcss/DATB/**" access="permitAll" />
                  <sec:intercept-url pattern="/resources/richfaces/a4j/gorg/richfaces/renderkit/html/css/**" access="permitAll" />
                  <sec:intercept-url pattern="/resources/richfaces/a4j/gorg.richfaces.renderkit.html.iconimages.DataTableIconSortAsc/DATB/**" access="permitAll" />
                  <sec:intercept-url pattern="/resources/richfaces/a4j/sorg/richfaces/renderkit/html/css/scrollable-data-table.xcss/DATB/**" access="permitAll" />
                  <sec:intercept-url pattern="/resources/richfaces/a4j/sorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/**" access="permitAll" />
                  <sec:intercept-url pattern="/resources/richfaces/a4j/gorg/richfaces/renderkit/html/scripts/**" access="permitAll" />

                  <sec:form-login/>
                  <sec:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
                  <sec:custom-filter position="PRE_AUTH_FILTER" ref="webspherePreAuthFilter" />
                  <sec:session-management session-authentication-strategy-ref="sas"/>
                  <sec:logout invalidate-session="true"/>

                  </sec:http>
                  <sec:authentication-manager alias="authenticationManager">
                  <sec:authentication-provider ref="preAuthenticatedAuthenticationProvider"/>
                  </sec:authentication-manager>

                  <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

                  <bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
                  <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
                  <!--<property name="maximumSessions" value="1" />
                  <property name="exceptionIfMaximumExceeded" value="true"/>-->
                  </bean>

                  <bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
                  <property name="sessionRegistry" ref="sessionRegistry" />
                  <property name="expiredUrl" value="/accessDenied.jsp" />
                  </bean>


                  <bean id="webspherePreAuthFilter" class="com.apps.admin.security.MyWebSpherePreAuthenticatedProcessingFilter">
                  <property name="sessionAuthenticationStrategy" ref="sas" />
                  <property name="authenticationManager" ref="authenticationManager" />
                  <property name="authenticationDetailsSource" ref="websphereAuthenticationDetailsSource" />
                  </bean>

                  <bean id="websphereAuthenticationDetailsSource"
                  class="org.springframework.security.web.authentication.preauth.websphere.WebSpherePreAuthenticatedWebAuthenticationDetailsSource">
                  <property name="webSphereGroups2GrantedAuthoritiesMapper" ref="grantedAuthoritiesMapper" />
                  </bean>
                  <bean id="grantedAuthoritiesMapper"
                  class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
                  <property name="convertAttributeToUpperCase" value="true" />
                  <property name="attributePrefix" value=""/>
                  </bean>
                  <bean id="webSphere2SpringSecurityPropagationInterceptor" class="org.springframework.security.web.authentication.preauth.websphere.WebSphere2SpringSecurityPropagationInterceptor">
                  <property name="authenticationManager" ref="authenticationManager"/>
                  <property name="authenticationDetailsSource" ref="websphereAuthenticationDetailsSource"/>
                  </bean>
                  <bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
                  <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
                  </bean>
                  <!--
                  <bean id="preAuthenticatedUserDetailsService"
                  class="org.springframework.security.web.authentica tion.preauth.PreAuthenticatedGrantedAuthoritiesUse rDetailsService" />
                  -->
                  <bean id="preAuthenticatedUserDetailsService"
                  class="com.apps.admin.security.WasPreAuthenticated UserDetailsService" >
                  <!-- <property name="authAuthorities">
                  <list>
                  ROLE1

                  </list>
                  </property>
                  -->
                  </bean>

                  <!-- notice the "" value in rolePrefix -->
                  <bean id="roleVoter" class="org.springframework.security.access.vote.Ro leVoter">
                  <property name="rolePrefix" value=""/>
                  </bean>

</beans>



                  • #10
                    File: WasPreAuthenticatedUserDetailsService

Below is my WasPreAuthenticatedUserDetailsService, to actually get the grantedAuthorities from the Authentication token, from Websphere and in my case LDAP, and do the validation.

(I have changed the content a bit, package names and variable names, for protection)

                    Cheers
                    Jerry Johansson, Perth



                    File WasPreAuthenticatedUserDetailsService:

package com.apps.admin.security;

import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthoritiesContainer;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.util.Assert;

import com.apps.admin.ldap.AppsLDAP;
import com.apps.admin.service.UserService;
import com.apps.admin.util.Constants;
import com.apps.framework.objectclass.Person;

public class WasPreAuthenticatedUserDetailsService implements AuthenticationUserDetailsService {

    @Autowired
    @Qualifier("userService")
    private UserService userService;

    private List<GrantedAuthority> authAuthorities;

    public List<GrantedAuthority> getAuthAuthorities() {
        return authAuthorities;
    }

    public void setAuthAuthorities(List<GrantedAuthority> authAuthorities) {
        this.authAuthorities = authAuthorities;
    }

    /**
     * Get a UserDetails object based on the user name contained in the given
     * token, and the GrantedAuthorities as returned by the
     * GrantedAuthoritiesContainer implementation returned by
     * the token.getDetails() method.
     */
    @Override
    public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException {
        Assert.notNull(token.getDetails());
        Assert.isInstanceOf(GrantedAuthoritiesContainer.class, token.getDetails());

        List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>();
        validateAndSetPermissions(token, roles);
        return createuserDetails(token, roles);
    }

    private void validateAndSetPermissions(Authentication token, List<GrantedAuthority> roles) {
        boolean isAppsOnlineUser = false;
        boolean isAppsMineralBusinessAdmin = false;
        boolean isAppsPetroleumBusinessAdmin = false;
        List<GrantedAuthority> authorities = ((GrantedAuthoritiesContainer) token.getDetails()).getGrantedAuthorities();

        if (authorities != null) {
            for (GrantedAuthority myAuth : authorities) {
                // Compare the authority string, not the GrantedAuthority object: GrantedAuthority.equals(String)
                // is always false and would leave every user without roles. The comparison is case-insensitive
                // because the SimpleAttributes2GrantedAuthoritiesMapper in the config upper-cases the group names.
                String group = myAuth.getAuthority();
                if ("CN=Apps ONLINE USER,OU=Apps,OU=SYSTEMS,O=CORP".equalsIgnoreCase(group)) {
                    isAppsOnlineUser = true;
                } else if ("CN=Apps MINERALS BUSINESS ADMIN,OU=Apps,OU=SYSTEMS,O=CORP".equalsIgnoreCase(group)) {
                    isAppsMineralBusinessAdmin = true;
                } else if ("CN=Apps PETROLEUM BUSINESS ADMIN,OU=Apps,OU=SYSTEMS,O=CORP".equalsIgnoreCase(group)) {
                    isAppsPetroleumBusinessAdmin = true;
                }
            }

            if (isAppsOnlineUser) {
                Person person = AppsLDAP.getPersonAppsOnly(token.getName());
                roles.add(new GrantedAuthorityImpl(Constants.SECURITY_ROLES.VIEW_Apps_ONLINE));

                if (isAppsMineralBusinessAdmin) {
                    roles.add(new GrantedAuthorityImpl(Constants.SECURITY_ROLES.VIEW_CORP_ADMIN));
                }
                if (isAppsPetroleumBusinessAdmin) {
                    roles.add(new GrantedAuthorityImpl(Constants.SECURITY_ROLES.VIEW_CORP_ADMIN));
                }

                // Validating if user is Internal or External
                boolean isExternal = AppsLDAP.CATEGORY_EXTERNAL.equals(person.getCategory().getDescription());
                if (isExternal) {
                    roles.add(new GrantedAuthorityImpl(Constants.SECURITY_ROLES.VIEW_Apps_ONLINE_EXTERNAL));
                    System.out.println("Adding 'View Apps Online EXTERNAL' rights");
                } else {
                    roles.add(new GrantedAuthorityImpl(Constants.SECURITY_ROLES.VIEW_Apps_ONLINE_INTERNAL));
                    System.out.println("Adding 'View Apps Online INTERNAL' rights");
                }

                // Application roles from the database; a failed lookup leaves the list empty
                List<String> userRoles = new ArrayList<String>();
                try {
                    userRoles = userService.getRoles(token.getName());
                } catch (Exception e) {
                    System.out.println("userService.getRoles failed with userID: " + token.getName());
                }
                int i = 0;
                for (String role : userRoles) {
                    if (role != null && role.length() > 0) {
                        i++;
                        roles.add(new GrantedAuthorityImpl(role));
                        System.out.println("Adding role from DB: " + role);
                    }
                }
                if (isExternal && i == 0) {
                    System.out.println("External User " + token.getName() + " has no roles assigned. NOT an external admin user, will be rejected access.");
                }
            }
        }
    }

    /**
     * Creates the final <tt>UserDetails</tt> object. Can be overridden to customize the contents.
     *
     * @param token the authentication request token
     * @param authorities the pre-authenticated authorities.
     */
    protected UserDetails createuserDetails(Authentication token, List<GrantedAuthority> authorities) {
        return new User(token.getName(), "N/A", true, true, true, true, authorities);
    }
}
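The same group-to-role mapping as a pure function, added here as an example and not Jerry's code, so the logic can be exercised outside WebSphere on a constructed group list; the group DNs are the ones from the posted service, the role strings stand in for Constants.SECURITY_ROLES.*, and it needs only Spring Security 3's GrantedAuthority/GrantedAuthorityImpl on the classpath.

```java
package com.apps.admin.security;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;

/** Added example: the posted service's group-to-role mapping as a pure function, runnable without WebSphere. */
public class GroupRoleMapper {
    // Group DNs as in the posted service; the role strings stand in for Constants.SECURITY_ROLES.*
    static final String ONLINE_USER_DN = "CN=Apps ONLINE USER,OU=Apps,OU=SYSTEMS,O=CORP";
    static final String MINERAL_ADMIN_DN = "CN=Apps MINERALS BUSINESS ADMIN,OU=Apps,OU=SYSTEMS,O=CORP";
    static final String PETROLEUM_ADMIN_DN = "CN=Apps PETROLEUM BUSINESS ADMIN,OU=Apps,OU=SYSTEMS,O=CORP";
    /** Authorities for one user; an empty list means "not in the base group", i.e. grant nothing. */
    public static List<GrantedAuthority> map(Collection<? extends GrantedAuthority> wasGroups,
                                             boolean isExternal, List<String> dbRoles) {
        List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>();
        if (!hasGroup(wasGroups, ONLINE_USER_DN)) {
            return roles;
        }
        roles.add(new GrantedAuthorityImpl("VIEW_Apps_ONLINE"));
        if (hasGroup(wasGroups, MINERAL_ADMIN_DN) || hasGroup(wasGroups, PETROLEUM_ADMIN_DN)) {
            roles.add(new GrantedAuthorityImpl("VIEW_CORP_ADMIN"));
        }
        roles.add(new GrantedAuthorityImpl(isExternal ? "VIEW_Apps_ONLINE_EXTERNAL" : "VIEW_Apps_ONLINE_INTERNAL"));
        // No DB roles (the "external user has no roles assigned" case in the post) simply
        // yields the VIEW_* authorities only, which the admin intercept-urls then deny.
        if (dbRoles != null) {
            for (String r : dbRoles) {
                if (r != null && r.length() > 0) roles.add(new GrantedAuthorityImpl(r));
            }
        }
        return roles;
    }

    /** Match on the authority string: GrantedAuthority.equals(String) is always false. Case-insensitive
     *  because the configured SimpleAttributes2GrantedAuthoritiesMapper upper-cases the group names. */
    static boolean hasGroup(Collection<? extends GrantedAuthority> groups, String dn) {
        if (groups == null) return false;
        for (GrantedAuthority g : groups) if (dn.equalsIgnoreCase(g.getAuthority())) return true;
        return false;
    }
    public static void main(String[] args) {
        List<GrantedAuthority> groups = new ArrayList<GrantedAuthority>();  // constructed sample input
        groups.add(new GrantedAuthorityImpl(ONLINE_USER_DN.toUpperCase()));  // as the mapper would emit it
        groups.add(new GrantedAuthorityImpl(MINERAL_ADMIN_DN.toUpperCase()));
        for (GrantedAuthority a : map(groups, true, new ArrayList<String>())) System.out.println(a.getAuthority());
    }
}
```

Feeding the real token's details (the GrantedAuthoritiesContainer) into map() from a unit test shows whether the group matching works before the filter is debugged inside WebSphere.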
