digest authentication: authentication working but authorization not working.

  • digest authentication: authentication working but authorization not working.

    Hi, I have the following problem with digest authentication.


    Here are my XML settings.
    applicationContext-securityCore.xml
    Code:
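    	<security:filter-invocation-definition-source
    		id="security.objectDefinitionService" use-expressions="true">
    		<!--  Rules are matched top to bottom and the first match wins. The metadata source
    		      lower-cases the request URL before matching (see the debug log), so patterns
    		      must be lower-case as well. -->
    		<!--  The switch-user URL configured on switchUserProcessingFilter matched none of the
    		      rules below, so it was a public object and any caller could impersonate any
    		      account. Only administrators may switch identity. -->
    		<security:intercept-url pattern="/spring_security_switch_user"
    			access="hasRole('ROLE_ADMIN')" />
    		<!--  NOTE(review): in Ant matching "**" only spans directories when it is a whole path
    		      segment, so "/edit**" covers "/edit" and "/editFoo" but not "/edit/1". Use
    		      "/edit/**" if sub-paths must be protected too (same for /sell and /buy). -->
    		<security:intercept-url pattern="/edit**"
    			access="hasRole('ROLE_ADMIN')" />
    		<security:intercept-url pattern="/sell**"
    			access="hasAnyRole('ROLE_ADMIN', 'ROLE_CONSUMER')" />
    		<security:intercept-url pattern="/buy**"
    			access="hasAnyRole('ROLE_ADMIN', 'ROLE_CONSUMER')" />
    		<!--  NOTE(review): there is no catch-all rule, so every URL not listed here is a
    		      public object and reaches the application without any authorization check. -->
    	</security:filter-invocation-definition-source>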
    
        <!--  Concurrent session control: limit how many sessions one user may hold at a time. -->
        <bean id="concurrentSessionFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
          <!--  Requests arriving on a session the registry has marked expired are sent here. -->
          <property name="expiredUrl" value="/sessionExpire"/>
          <property name="sessionRegistry" ref="sessionRegistry"/>
        </bean>
        <!--  NOTE(review): no bean in the posted configuration references this strategy, and the
              digest filter has no session-strategy property, so the limit may never be enforced.
              Confirm it is wired in elsewhere. -->
        <bean id="concurrentSessionController" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
               <constructor-arg index="0" ref="sessionRegistry"/>
               <!--  Externalized so the limit can differ per environment. -->
               <property name="maximumSessions" value="${maximumSessions}"/>
               <!--  true: a login that would exceed the limit is rejected instead of
                     expiring the user's oldest existing session. -->
               <property name="exceptionIfMaximumExceeded" value="true"/>
        </bean>
        <!--  In-memory registry, i.e. per JVM: the limit is not cluster-wide (the log shows a
              tomcat-cluster session id) unless the registry is replicated. -->
        <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>
    
        <!--  Session persistence of the SecurityContext: loaded before the chain runs and stored
              back afterwards. NOTE(review): this class is the deprecated 3.x name; the debug log
              reports it under its SecurityContextPersistenceFilter parent. -->
        <bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.web.context.HttpSessionContextIntegrationFilter">
          <property name="contextClass" value="org.springframework.security.core.context.SecurityContextImpl"/>
          <!--  A session is created on every request, static resources included; with Digest the
                client re-sends its credentials on each request anyway, so this is mostly a cost. -->
          <property name="forceEagerSessionCreation" value="true"/>
          <property name="allowSessionCreation" value="true"/>
        </bean>
    
        <!--  Wraps the request so servlet API calls (getRemoteUser, isUserInRole, getUserPrincipal)
              answer from the SecurityContext. -->
        <bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter"/>
    
        <!--  Remember-me with persistent, database-backed tokens. -->
        <bean id="rememberMeProcessingFilter" class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter" autowire="byType">
          <property name="rememberMeServices" ref="rememberMeServices"/>
        </bean>
        <!--  NOTE(review): nothing posted here calls loginSuccess on these services (the digest
              filter has no remember-me hook), so tokens may never be issued. Confirm another login
              path exists, or drop the remember-me beans. -->
        <bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
          <property name="userDetailsService" ref="digest.userService"/>
          <property name="tokenValiditySeconds" value="${tokenValiditySeconds}"/>
          <!--  Must equal the key on rememberMeAuthenticationProvider. NOTE(review): a fixed,
                guessable literal; externalize it the way ${digest.security.key} is. -->
          <property name="key" value="spring remember me"/>
          <!--  Token repository bean defined elsewhere. -->
          <property name="tokenRepository" ref="security.persistentTokenService"/>
        </bean>
        <bean id="rememberMeAuthenticationProvider"
              class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
              <!--  Accepts only remember-me tokens carrying this same key. -->
              <property name="key" value="spring remember me"/>
        </bean>
    
        <!--  Username/password provider; handles the UsernamePasswordAuthenticationToken the
              digest filter places in the context (see the debug log). -->
        <bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider" lazy-init="true">
            <property name="userDetailsService" ref="digest.userService"/>
            <!--  NOTE(review): no passwordEncoder is set, so stored passwords are compared in clear.
                  Digest needs the clear-text password (or the MD5 of user:realm:password) on the
                  server, so hashed storage is not an option here; keep the user store out of
                  source control. -->
            <!--  Expose the username string rather than the UserDetails object as the principal. -->
            <property name="forcePrincipalAsString" value="true"/>
        </bean>
    
        <!--  Anonymous authentication: fills an empty SecurityContext with a guest token. -->
        <bean id="anonymousProcessingFilter" class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
          <!--  Must equal the key on anonymousAuthenticationProvider. NOTE(review): a fixed
                literal; externalize it the way ${digest.security.key} is. -->
          <property name="key" value="spring anonymous"/>
          <!--  "principal,authority": this is the "Guest ... ROLE_ANONYMOUS" token seen in the
                access-denied output above. -->
          <property name="userAttribute" value="Guest,ROLE_ANONYMOUS"/>
        </bean>
        <bean id="anonymousAuthenticationProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
          <property name="key" value="spring anonymous"/>
        </bean>
    
        <!--  Logout: constructor-arg 0 is the redirect after logout, arg 1 the handlers, run in order. -->
        <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
          <constructor-arg index="0" value="/logout"/>
          <constructor-arg index="1">
            <list>
              <!--  Clears the SecurityContext and invalidates the session. -->
              <ref bean="securityContextLogoutHandler"/>
              <!--  Cancels the remember-me token/cookie. -->
              <ref bean="rememberMeServices"/>
            </list>
          </constructor-arg>
          <!--  URL that triggers logout. NOTE(review): with HTTP Digest the browser keeps re-sending
                the Authorization header, so a server-side logout does not end the browser's login. -->
          <property name="filterProcessesUrl" value="/spring_security_logout"/>
        </bean>
        <bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
    
        <!--  Translates exceptions from further down the chain: an AuthenticationException goes to
              the entry point (autowired by type, i.e. the digest entry point), an
              AccessDeniedException to the handler below. -->
        <bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter" autowire="byType">
            <property name="accessDeniedHandler" ref="accessDeniedHandler"/>
        </bean>
        <bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
            <!--  Forwarded to when an authenticated user lacks the required role. -->
            <property name="errorPage" value="/accessDenied"/>
        </bean>
    
        <!--  URL authorization: applies the intercept-url rules of security.objectDefinitionService. -->
        <bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor" autowire="byName">
          <property name="accessDecisionManager" ref="accessDecisionManager"/>
          <!--  Fail at startup if a rule attribute is not understood by any voter. -->
          <property name="validateConfigAttributes" value="true"/>
          <property name="securityMetadataSource" ref="security.objectDefinitionService"/>
          <!--  Used to re-authenticate a context token that is not yet marked authenticated (the
                digest filter's token in the debug log is "Authenticated: false"). -->
          <property name="authenticationManager" ref="authenticationManager"/>
          <property name="afterInvocationManager" ref="ownership.afterInvocationManager"/>
        </bean>
        
        <!--  Lets other components (presumably the authorize tag's url attribute) ask whether the
              current user may access a URL, using the interceptor's rules. -->
        <bean id="webInvocationPrivilegeEvaluator" class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">
        	<constructor-arg name="securityInterceptor" ref="filterSecurityInterceptor"/>
        </bean>    
    
        <!--  Voters used by the decision managers below. -->
        <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
            <!--  Only attributes starting with this prefix are voted on; others are abstained. -->
            <property name="rolePrefix" value="ROLE_"/>
        </bean>
        <!--  Votes on IS_AUTHENTICATED_* attributes only. -->
        <bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        <!--  Evaluates the SpEL access expressions (hasRole, hasAnyRole, ...) of the intercept-urls. -->
        <bean id="webExpressionVoter" class="org.springframework.security.web.access.expression.WebExpressionVoter">
        	<property name="expressionHandler" ref="expressionHandler"/>
        </bean>
        <bean id="expressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"/>
    
        <!--  decision managers -->
        <!--  Voter set for method/ACL security; the ownership.* beans are defined elsewhere. -->
        <util:list id="ownership.decisionVoters">
        	<ref bean="ownership.aclObjectReadVoter"/>
            <ref bean="ownership.aclObjectWriteVoter"/>
            <ref bean="ownership.aclObjectCreateVoter"/>
            <ref bean="ownership.aclObjectDeleteVoter"/>
            <ref bean="roleVoter"/>
            <ref bean="authenticatedVoter"/>
        </util:list>
        <!--  After-invocation providers that check or filter returned objects; defined elsewhere. -->
        <util:list id="ownership.providers">
        	<ref bean="ownership.afterAclCollectionCreate"/>
        	<ref bean="ownership.afterAclCollectionDelete"/>
        	<ref bean="ownership.afterAclCollectionRead"/>
        	<ref bean="ownership.afterAclCollectionWrite"/>
        	<ref bean="ownership.afterAclCreate"/>
        	<ref bean="ownership.afterAclDelete"/>
        	<ref bean="ownership.afterAclRead"/>
        	<ref bean="ownership.afterAclWrite"/>
        </util:list>
        <!--  Voter set for URL security; with use-expressions="true" the expression voter decides. -->
        <util:list id="decisionVoters">
        	<ref bean="authenticatedVoter"/>
        	<ref bean="webExpressionVoter"/>
        </util:list>
        
        <bean id="ownership.afterInvocationManager" class="org.springframework.security.access.intercept.AfterInvocationProviderManager">
            <property name="providers" ref="ownership.providers"/>
        </bean>
        <!--  UnanimousBased: a single deny vote denies. NOTE(review): allowIfAllAbstainDecisions="true"
              is fail-open when no voter recognizes a secured object; confirm every secured method
              carries an attribute at least one of the voters above supports. -->
        <bean id="ownership.accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
            <property name="allowIfAllAbstainDecisions" value="true"/>
            <property name="decisionVoters" ref="ownership.decisionVoters"/>
        </bean>
        <!--  AffirmativeBased: one grant vote suffices. Same fail-open caveat on
              allowIfAllAbstainDecisions, though the expression voter does not abstain on
              expression attributes. -->
        <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
          <property name="decisionVoters" ref="decisionVoters"/>
          <property name="allowIfAllAbstainDecisions" value="true"/>
        </bean>
    
    
    
        <!--  Impersonation: an administrator switches to another user and back. -->
        <bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
            <!--  NOTE(review): none of the intercept-url rules posted above matches this URL, so it
                  is a public object; add a rule restricting it to the admin role, otherwise any
                  caller can switch identity. -->
            <property name="switchUserUrl" value="/spring_security_switch_user"/>
            <!--  Exiting is rejected unless the current token came from a switch, so this one may
                  stay unrestricted. -->
            <property name="exitUserUrl" value="/spring_security_exit_user"/>
            <property name="targetUrl" value="/target"/>
            <!--  The impersonated user's authorities are loaded from here. -->
            <property name="userDetailsService" ref="digest.userService"/>
        </bean>
    
        <!--  method security (additional) -->
        <!--  Both listeners only log authorization and authentication events. -->
        <bean id="accessListener" class="org.springframework.security.access.event.LoggerListener"/>
    	<bean id="authenticateListener" class="org.springframework.security.authentication.event.LoggerListener"/>
        <!--  Method-level security (AOP Alliance interceptor); the ownership.* and
              security.methodDefinitionService beans are defined elsewhere. -->
        <bean id="ownership.methodSecurityInterceptor" class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor" autowire="byType">
          <property name="accessDecisionManager" ref="ownership.accessDecisionManager"/>
          <property name="afterInvocationManager" ref="ownership.afterInvocationManager"/>
          <property name="validateConfigAttributes" value="true"/>
          <property name="securityMetadataSource" ref="security.methodDefinitionService"/>
          <property name="authenticationManager" ref="authenticationManager"/>
        </bean>
        
        <!--  NOTE(review): not referenced by any bean posted here; likely unused (confirm). -->
        <bean id="security.urlMatcher" class="org.springframework.security.web.util.AntUrlPathMatcher"/>

  • #2
    -- applicationContext-digest.xml
    Code:
     
        <!--  One chain for every URL; filters run in the listed order. -->
        <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
          <security:filter-chain-map path-type="ant">
              <!--  NOTE(review): static resources (e.g. /resources-0.0.1/**) also pass through the
                    digest filter and create a session on every request, as the debug log shows; a
                    preceding <security:filter-chain pattern="/resources-0.0.1/**" filters="none"/>
                    would skip them. -->
              <security:filter-chain pattern="/**"
                        filters="concurrentSessionFilter,httpSessionContextIntegrationFilter,logoutFilter,digestProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor,switchUserProcessingFilter"/>
          </security:filter-chain-map>
        </bean>
    
        <!-- handling digest authentication -->
        <!--  Providers are tried in order until one supports the token being authenticated. -->
        <bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
          <property name="providers">
            <list>
              <!--  Handles the UsernamePasswordAuthenticationToken created by the digest filter. -->
              <ref bean="daoAuthenticationProvider"/>
              <ref bean="anonymousAuthenticationProvider"/>
              <ref bean="rememberMeAuthenticationProvider"/>
            </list>
            </property>
        </bean>
        <!--  Verifies the Digest Authorization header against the user's stored password and puts a
              UsernamePasswordAuthenticationToken in the context. NOTE(review): the posted log shows
              that token as "Authenticated: false" with no granted authorities; the URL interceptor
              re-authenticates it, but hasRole() in the authorize tag evaluates the token as-is and so
              returns false (post #5). DigestAuthenticationFilter has a createAuthenticatedToken
              property for this case; confirm it is present in your 3.0.5 build. -->
        <bean id="digestProcessingFilter" class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
          <property name="userDetailsService" ref="digest.userService"/>
          <!--  Supplies the realm and the key used to issue and check nonces. -->
          <property name="authenticationEntryPoint" ref="digestAuthenticationEntryPoint"/>
        </bean>
    
        <!--  Issues the WWW-Authenticate challenge; the key signs the nonces the filter later verifies. -->
        <bean id="digestAuthenticationEntryPoint" class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
          <!--  NOTE(review): the placeholder is spelled "relamName"; it must match the properties file. -->
          <property name="realmName" value="${digest.relamName}"/>
          <!--  Secret behind the nonce signature; keep it out of source control. -->
          <property name="key" value="${digest.security.key}"/>
          <!--  A nonce stays valid for one hour; after that the client receives a stale challenge. -->
          <property name="nonceValiditySeconds" value="3600"/>
        </bean>
        
        <!--  In-memory user store. NOTE(review): Digest requires the server to know the clear-text
              password (or a pre-computed MD5 of user:realm:password, with passwordAlreadyEncoded set
              on the filter), so this file holds real credentials and must not be committed or shared. -->
        <security:user-service id="digest.userService">
        	<security:user name="cable" password="Nathan Cable Summers" authorities="ROLE_ADMIN"/>
             <!-- some more users -->
        </security:user-service>
    After I log in successfully, I get this error:
    Code:
    authenticated principal: org.springframework.security.authentication.AnonymousAuthenticationToken@2a57f33a: Principal: Guest; Credentials: [PROTECTED]; Authenticated: true;
    Granted Authorities: ROLE_ANONYMOUS; secure object: FilterInvocation: URL: /edit; configuration attributes: [hasRole('ROLE_ADMIN')
    What is wrong? I mean, if I enter a wrong password I get rejected by digest authentication, but after logging in, it puts an anonymous authentication token in place.



    • #3
      Please post logs spanning a full login request. Also let us know which version of Spring Security you are using.



      • #4
        I am using the Spring Security 3.0.5 release.

        Code:
        2011-02-27 23:11:12,234 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif at position 3 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
        2011-02-27 23:11:12,235 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif at position 4 of 10 in additional filter chain; firing Filter: 'DigestAuthenticationFilter'
        2011-02-27 23:11:12,235 DEBUG [org.springframework.security.web.authentication.www.DigestAuthenticationFilter]["http-bio-443"-exec-2][] Authorization header received from user agent: Digest username="adminUser", realm="localhost", nonce="MTI5ODg4MDEzNjk4NDo0YTk1NTJmYmJmNzRmMGJmNTRjZTcxNWUxMTQ5YWQ4MQ==", uri="/app/resources-0.0.1/dojo/resources/blank.gif", response="1221597f043a24e62606535fe6a8cf02", qop=auth, nc=0000004b, cnonce="8511b044274b88d9"
        2011-02-27 23:11:12,236 DEBUG [org.springframework.security.web.authentication.www.DigestAuthenticationFilter]["http-bio-443"-exec-2][] Authentication success for user: 'adminUser' with response: '1221597f043a24e62606535fe6a8cf02'
        2011-02-27 23:11:12,236 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif at position 5 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
        2011-02-27 23:11:12,236 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif at position 6 of 10 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
        2011-02-27 23:11:12,236 DEBUG [org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter]["http-bio-443"-exec-2][] SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fffd1495: Principal: org.springframework.security.core.userdetails.User@3ecc3cdf: Username: adminUser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_DEVELOPER; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 85C85FF27E0CAEC09C151E5885A43B24.tomcat-cluster1; Not granted any authorities'
        2011-02-27 23:11:12,236 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
        2011-02-27 23:11:12,236 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]["http-bio-443"-exec-2][] SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fffd1495: Principal: org.springframework.security.core.userdetails.User@3ecc3cdf: Username: adminUser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_DEVELOPER; 
        Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 85C85FF27E0CAEC09C151E5885A43B24.tomcat-cluster1; Not granted any authorities'
        2011-02-27 23:11:12,237 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif at position 8 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
        2011-02-27 23:11:12,237 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif at position 9 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
        2011-02-27 23:11:12,237 DEBUG [org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource]["http-bio-443"-exec-2][] Converted URL to lowercase, from: '/resources-0.0.1/dojo/resources/blank.gif'; to: '/resources-0.0.1/dojo/resources/blank.gif'
        2011-02-27 23:11:12,237 DEBUG [org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource]["http-bio-443"-exec-2][] Candidate is: '/resources-0.0.1/dojo/resources/blank.gif'; pattern is /buy**; matched=false
        2011-02-27 23:11:12,237 DEBUG [org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource]["http-bio-443"-exec-2][] Candidate is: '/resources-0.0.1/dojo/resources/blank.gif'; pattern is /sell**; matched=false
        2011-02-27 23:11:12,237 DEBUG [org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource]["http-bio-443"-exec-2][] Candidate is: '/resources-0.0.1/dojo/resources/blank.gif'; pattern is /edit**; matched=false
        2011-02-27 23:11:12,239 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor]["http-bio-443"-exec-2][] Public object - authentication not attempted
        2011-02-27 23:11:12,239 INFO  [org.springframework.security.access.event.LoggerListener]["http-bio-443"-exec-2][] Security interception not required for public secure object: FilterInvocation: URL: /resources-0.0.1/dojo/resources/blank.gif
        2011-02-27 23:11:12,239 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif at position 10 of 10 in additional filter chain; firing Filter: 'SwitchUserFilter'
        2011-02-27 23:11:12,239 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif reached end of additional filter chain; proceeding with original chain
        2011-02-27 23:11:12,243 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter]["http-bio-443"-exec-2][] Chain processed normally
        2011-02-27 23:11:12,243 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter]["http-bio-443"-exec-2][] SecurityContextHolder now cleared, as request processing completed



        • #5
          So authentication and authorization were both working, but I just couldn't get it working with the Spring Security EL tag. `<security:authorize access="hasRole('ROLE_ADMIN')">` seems to always return false. I don't get the access denied page (via the interceptor).
