  • Always Basic authentication although Digest is configured

    Hi,
    I am trying to get Digest Authentication running in a client (Eclipse RCP) / server (Tomcat/Spring) application. I configured Digest authentication on the server:

    Code:
    	<bean id="digestAuthenticationFilter"
    		class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
    		<property name="userDetailsService" ref="ldapUserDetailsService" />
    		<property name="authenticationEntryPoint" ref="digestEntryPoint" />
    	</bean>
    	<bean id="digestEntryPoint"
    		class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
    		<property name="realmName" value="EAP Realm" />
    		<property name="key" value="acegi" />
    		<!-- 8h -->
    		<property name="nonceValiditySeconds" value="28800" />
    	</bean>
    	<bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
    		<constructor-arg ref="userSearch"/>
    		<constructor-arg ref="authoritiesPopulator"/>
    	</bean>
    The first authentication works fine!
    The second request always uses Basic Authentication (I can see it in the request header in debug mode).
    I use the following implementation of CommonsHttpInvokerRequestExecutor on the client:

    Code:
    import java.io.IOException;
    import java.util.ArrayList;
    import java.util.List;

    import org.apache.commons.httpclient.Credentials;
    import org.apache.commons.httpclient.HttpClient;
    import org.apache.commons.httpclient.UsernamePasswordCredentials;
    import org.apache.commons.httpclient.auth.AuthPolicy;
    import org.apache.commons.httpclient.auth.AuthScope;
    import org.apache.commons.httpclient.methods.PostMethod;
    import org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor;
    import org.springframework.remoting.httpinvoker.HttpInvokerClientConfiguration;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.context.SecurityContextHolder;

    public class AuthenticatedCommonsHttpInvokerRequestExecutor extends
            CommonsHttpInvokerRequestExecutor {
        @Override
        protected void executePostMethod(HttpInvokerClientConfiguration config,
                HttpClient httpClient, PostMethod postMethod) throws IOException {

            // Credentials of the user logged in on the client (Eclipse RCP) side
            Authentication auth = SecurityContextHolder.getContext()
                    .getAuthentication();
            if (auth != null) {
                String username = auth.getPrincipal().toString();
                String password = auth.getCredentials().toString();
                Credentials credentials = new UsernamePasswordCredentials(username,
                        password);
                // Only the Digest scheme should be answered when the server challenges
                List<String> authPrefs = new ArrayList<String>(1);
                authPrefs.add(AuthPolicy.DIGEST);
                httpClient.getParams().setParameter(
                        AuthPolicy.AUTH_SCHEME_PRIORITY, authPrefs);
                // Preemptive mode is switched on as soon as the user is authenticated
                httpClient.getParams().setAuthenticationPreemptive(
                        auth.isAuthenticated());

                // Credentials apply to any host, port, realm and scheme
                httpClient.getState().setCredentials(AuthScope.ANY, credentials);
            }
            super.executePostMethod(config, httpClient, postMethod);
        }
    }
    Although I set all Digest information, every request comes with Basic authentication on the server.

    Does anyone know the issue?

    Regards
    phil

  • #2
    You'll need to show how you are using the filter.

    Also is there a BasicAuthenticationFilter in your stacktrace? If not, then perhaps your container is prompting for Basic authentication. That should be easy to check.

    • #3
      here's the stack trace:
      Code:
      org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
      	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:321)
      	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:195)
      	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
      	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
      	at org.springframework.security.web.authentication.www.DigestAuthenticationFilter.doFilter(DigestAuthenticationFilter.java:319)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
      	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
      	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
      	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
      	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
      	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
      	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
      	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
      	at java.lang.Thread.run(Thread.java:619)
      My server-side config is:
      Code:
      	<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
      		<security:filter-chain-map path-type="ant">
      			<security:filter-chain pattern="/**" filters="securityContextPersistenceFilter,digestAuthenticationFilter,checkSecurityInterceptor" />
      		</security:filter-chain-map>
      	</bean>
      
      
      	<!-- Digest Authentication -->
      	<bean id="digestAuthenticationFilter"
      		class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
      		<property name="userDetailsService" ref="ldapUserDetailsService" />
      		<property name="authenticationEntryPoint" ref="digestEntryPoint" />
      	</bean>
      	<bean id="digestEntryPoint"
      		class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
      		<property name="realmName" value="My Realm" />
      		<property name="key" value="acegi" />
      		<!-- 8h -->
      		<property name="nonceValiditySeconds" value="28800" />
      	</bean>
      	<bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
      		<constructor-arg ref="userSearch"/>
      		<constructor-arg ref="authoritiesPopulator"/>
      	</bean>

      • #4
        Another interesting thing: the HttpMethodDirector of commons-httpclient has the following lines:
        Code:
        if (this.params.isAuthenticationPreemptive()
                || this.state.isAuthenticationPreemptive()) {
            LOG.debug("Preemptively sending default basic credentials");
            method.getHostAuthState().setPreemptive();
            method.getHostAuthState().setAuthAttempted(true);
            if (this.conn.isProxied() && !this.conn.isSecure()) {
                method.getProxyAuthState().setPreemptive();
                method.getProxyAuthState().setAuthAttempted(true);
            }
        }
        The setPreemptive() method always sets the AuthScheme to the Basic scheme:
        Code:
            public void setPreemptive() {
                if (!this.preemptive) {
                    if (this.authScheme != null) {
                        throw new IllegalStateException("Authentication state already initialized");
                    }
                    this.authScheme = AuthPolicy.getAuthScheme(PREEMPTIVE_AUTH_SCHEME);
                    this.preemptive = true;
                }
            }
        Code:
        public class AuthState {

            public static final String PREEMPTIVE_AUTH_SCHEME = "basic";

            // ... remainder of the class omitted
        }
        Do I have the right configuration of the httpclient?
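        An added example for the client side of the setup in the first post and the setPreemptive() behaviour quoted above; it is not phil's code and not part of Spring or commons-httpclient. It assumes the server realm is "My Realm" (from the digestEntryPoint config above; the first post uses "EAP Realm"), never requests preemptive authentication, because HttpMethodDirector ties that mode to the Basic scheme and Digest needs the server's nonce from a 401 challenge anyway, and checks after the call that the scheme the client actually used was Digest.

        ```java
        import java.io.IOException;
        import java.util.Collections;

        import org.apache.commons.httpclient.HttpClient;
        import org.apache.commons.httpclient.UsernamePasswordCredentials;
        import org.apache.commons.httpclient.auth.AuthPolicy;
        import org.apache.commons.httpclient.auth.AuthScheme;
        import org.apache.commons.httpclient.auth.AuthScope;
        import org.apache.commons.httpclient.methods.PostMethod;
        import org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor;
        import org.springframework.remoting.httpinvoker.HttpInvokerClientConfiguration;
        import org.springframework.security.core.Authentication;
        import org.springframework.security.core.context.SecurityContextHolder;

        // Example class, not from the thread: answers Digest challenges only.
        public class DigestOnlyHttpInvokerRequestExecutor extends CommonsHttpInvokerRequestExecutor {

            // Assumed realm; must match realmName of the server's DigestAuthenticationEntryPoint.
            private static final String REALM = "My Realm";

            @Override
            protected void executePostMethod(HttpInvokerClientConfiguration config,
                    HttpClient httpClient, PostMethod postMethod) throws IOException {
                Authentication auth = SecurityContextHolder.getContext().getAuthentication();
                if (auth != null) {
                    // Digest is the only scheme the client may answer; Basic is no fallback.
                    httpClient.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY,
                            Collections.singletonList(AuthPolicy.DIGEST));
                    // Preemptive mode would call AuthState.setPreemptive(), which hard-codes "basic".
                    httpClient.getParams().setAuthenticationPreemptive(false);
                    // Scope the credentials to the expected realm and scheme instead of AuthScope.ANY,
                    // so they are never offered to a different realm or to a Basic challenge.
                    httpClient.getState().setCredentials(
                            new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, REALM, AuthPolicy.DIGEST),
                            new UsernamePasswordCredentials(auth.getPrincipal().toString(),
                                    auth.getCredentials().toString()));
                }
                super.executePostMethod(config, httpClient, postMethod);

                // After the exchange, verify the scheme that was actually negotiated.
                AuthScheme scheme = postMethod.getHostAuthState().getAuthScheme();
                if (scheme != null && !AuthPolicy.DIGEST.equalsIgnoreCase(scheme.getSchemeName())) {
                    throw new IOException("Expected Digest authentication but client used "
                            + scheme.getSchemeName());
                }
            }
        }
        ```

        If the container or another filter challenges with Basic instead of Digest, this client fails with an authentication error rather than silently sending the password in Basic form, which makes the misconfiguration visible right away.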
