Announcement Announcement Module
Collapse
No announcement yet.
UserAuthorizationProcessingFilter intercepting requests ending in / Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • UserAuthorizationProcessingFilter intercepting requests ending in /

    Hi,

    I have two security setups for my web app: one to secure the API using 2-legged OAuth and the other to allow users to log into the admin area.

    When users log into the admin area, the API no longer requries OAuth access as it is presumed they are authenticated.

    Everything works as expected, bar one scenario. If I'm logged in and I request an API URL, like such:

    https://www.domain.com/api/server

    Everything works fine, the FilterChain proceeds past the UserAuthorizationProcessingFilter as expected (as we are already logged in) and gives me the response I'm looking for. However, if I request the API URL with a trailing slash:

    https://www.domain.com/api/server/

    The UserAuthorizationProcessingFilter picks up the request and trys to apply OAuth authentication to it, which obviously fails, and returns a 401. The log about:

    Code:
    DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] Checking match of request : '/api/service/'; against '/static/*' 
    DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] Checking match of request : '/api/service/'; against '/favicon.ico' 
    DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] Checking match of request : '/api/service/'; against '/api/**' 
    DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 1 of 12 in additional filter chain; firing Filter: 'ChannelProcessingFilter' 
    DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] Request '/api/service/' matched by universal pattern '/**' 
    DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] Request: FilterInvocation: URL: /api/service/; ConfigAttributes: [REQUIRES_SECURE_CHANNEL] 
    DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 
    DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: ... 
    DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 3 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' 
    DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 4 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' 
    DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 5 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' 
    DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] SecurityContextHolder not populated with anonymous token, as it already contained: ... 
    DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 6 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter' 
    DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 7 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 
    DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 8 of 12 in additional filter chain; firing Filter: 'UnauthenticatedRequestTokenProcessingFilter' 
    DEBUG [org.springframework.security.oauth.provider.filter.UnauthenticatedRequestTokenProcessingFilter] Request does not require authentication.  OAuth processing skipped. 
    DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 9 of 12 in additional filter chain; firing Filter: 'UserAuthorizationProcessingFilter' 
    DEBUG [org.springframework.security.oauth.provider.filter.UserAuthorizationProcessingFilter] Request is to process authentication 
    DEBUG [org.springframework.security.oauth.provider.filter.UserAuthorizationProcessingFilter] Authentication request failed: org.springframework.security.oauth.provider.InvalidOAuthParametersException: An OAuth token id is required. 
    DEBUG [org.springframework.security.oauth.provider.filter.UserAuthorizationProcessingFilter] Updated SecurityContextHolder to contain null Authentication 
    DEBUG [org.springframework.security.oauth.provider.filter.UserAuthorizationProcessingFilter] Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@67479784 
    DEBUG [org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler] No failure URL set, sending 401 Unauthorized error 
    DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. 
    DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] Chain processed normally 
    DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed
    As you can see from the log, the UserAuthorizationProcessingFilter outputs:

    Request is to process authentication

    Any ideas?

    Thanks,
    Ale
Working...
X