  • Possible bug with Spring Security

    Hi,
    We have used Spring BlazeDS since March 2009. We started with M1 and now we are using version 1.0-RELEASE. Everything has worked fine, but now we are occasionally getting an exception related to Spring Security.

    It happens when we log the user in with the channel.login method.

    Exception fault console log:
    Code:
     headers = (Object #1)
          rootCause = (Typed Object #2 'org.springframework.security.AccessDeniedException')
            rootCause = null
            message = "Access is denied"
            localizedMessage = "Access is denied"
            cause = null
            mostSpecificCause = (Ref #2)
          body = null
          correlationId = "B241B15B-33A6-AE26-FEF4-2FF1903E8B51"
          faultDetail = null
          faultString = "Access is denied"
          clientId = "770CC1C1-2D0F-24C2-6B7A-7FD4761569CF"
          timeToLive = 0.0
          destination = "ourService"
          timestamp = 1.246344876157E12
          extendedData = null
          faultCode = "Client.Authorization"
          messageId = "770CC1C1-2D1E-B799-1812-6450FFBD2634"
    Full console log:

    Code:
    [BlazeDS][DEBUG] FlexSession created with id '5D4145230D1A83A64D5BC22852D2228A' for an Http-based client connection
    .
    2009-06-30 10:17:05  INFO MessageBrokerHandlerAdapter.java:99  Channel endpoint my-amf received request.
    [BlazeDS][DEBUG] Deserializing AMF/HTTP request
    Version: 3
      (Message #0 targetURI=null, responseURI=/1)
        (Array #0)
          [0] = (Typed Object #0 'flex.messaging.messages.CommandMessage')
            operation = 5
            correlationId = ""
            clientId = null
            messageId = "FBDF81D9-9916-643B-3556-3006267D5302"
            body = (Object #1)
            timestamp = 0
            timeToLive = 0
            headers = (Object #2)
              DSMessagingVersion = 1
              DSId = "nil"
            destination = ""
    
    [BlazeDS][DEBUG] Serializing AMF/HTTP response
    Version: 3
      (Header #0 name=AppendToGatewayUrl, mustUnderstand=true)
        ";jsessionid=5D4145230D1A83A64D5BC22852D2228A"
    
      (Message #0 targetURI=/1/onResult, responseURI=)
        (Externalizable Object #0 'DSK')
          (Object #1)
            DSMessagingVersion = 1.0
            DSId = "773F0442-DC1F-A438-5869-0D320BCAA4D3"
    1.246346225308E12
    (Byte Array #2, Length 16)
    (Byte Array #3, Length 16)
    (Byte Array #4, Length 16)
    
    2009-06-30 10:17:05  INFO MessageBrokerHandlerAdapter.java:99  Channel endpoint my-amf received request.
    [BlazeDS][DEBUG] Deserializing AMF/HTTP request
    Version: 3
      (Message #0 targetURI=null, responseURI=/1)
        (Array #0)
          [0] = (Typed Object #0 'flex.messaging.messages.CommandMessage')
            operation = 8
            correlationId = ""
            clientId = null
            messageId = "0DD78DB9-3453-7304-1782-3006266DBD2E"
            body = "dGhvOjJiYjgwZDUzN2IxZGEzZTM4YmQzMDM2MWFhODU1Njg2YmRlMGVhY2Q3MTYyZmVmNmEyNWZl
    OTdiZjUyN2EyNWI="
            timestamp = 0
            timeToLive = 0
            headers = (Object #1)
              DSEndpoint = "my_amf"
              DSId = "nil"
            destination = "auth"
    
    [BlazeDS][DEBUG] Serializing AMF/HTTP response
    Version: 3
      (Message #0 targetURI=/1/onResult, responseURI=)
        (Externalizable Object #0 'DSK')
          (Object #1)
            authorities = (Array #2)
              [0] = "ROLE_OURROLE"
              [1] = "ROLE_OURROLE2"
            name = "user"
    (Object #3)
            DSMessagingVersion = 1.0
            DSId = "773F04B5-9B1C-757E-C78C-ECE111176166"
    1.246346225355E12
    (Byte Array #4, Length 16)
    (Byte Array #5, Length 16)
    (Byte Array #6, Length 16)
    
    2009-06-30 10:17:05  INFO MessageBrokerHandlerAdapter.java:99  Channel endpoint my-amf received request.
    [BlazeDS][DEBUG] Deserializing AMF/HTTP request
    Version: 3
      (Message #0 targetURI=null, responseURI=/1)
        (Array #0)
          [0] = (Typed Object #0 'flex.messaging.messages.CommandMessage')
            operation = 5
            correlationId = ""
            clientId = null
            messageId = "08DFF879-385D-5A4E-81D5-300626DAFE10"
            body = (Object #1)
            timestamp = 0
            timeToLive = 0
            headers = (Object #2)
              DSMessagingVersion = 1
              DSId = "nil"
            destination = ""
    
    [BlazeDS][DEBUG] Serializing AMF/HTTP response
    Version: 3
      (Message #0 targetURI=/1/onResult, responseURI=)
        (Externalizable Object #0 'DSK')
          (Object #1)
            DSMessagingVersion = 1.0
            DSId = "773F0574-091C-FBA2-755E-A2E44925BB73"
    1.246346225433E12
    (Byte Array #2, Length 16)
    (Byte Array #3, Length 16)
    (Byte Array #4, Length 16)
    
    2009-06-30 10:17:05  INFO MessageBrokerHandlerAdapter.java:99  Channel endpoint my-amf received request.
    [BlazeDS][DEBUG] Deserializing AMF/HTTP request
    Version: 3
      (Message #0 targetURI=null, responseURI=/2)
        (Array #0)
          [0] = (Typed Object #0 'flex.messaging.messages.RemotingMessage')
            operation = "getOurData"
            source = null
            clientId = null
            messageId = "87231F40-40A3-C378-97C9-300626DAB000"
            body = (Array #1)
              [0] = "user"
            timestamp = 0
            timeToLive = 0
            headers = (Object #2)
              DSEndpoint = "my_amf"
              DSId = "773F0574-091C-FBA2-755E-A2E44925BB73"
            destination = "ourService"
    
    [BlazeDS][DEBUG] Serializing AMF/HTTP response
    Version: 3
      (Message #0 targetURI=/2/onStatus, responseURI=)
        (Typed Object #0 'flex.messaging.messages.ErrorMessage')
          headers = (Object #1)
          rootCause = (Typed Object #2 'org.springframework.security.AccessDeniedException')
            rootCause = null
            message = "Access is denied"
            localizedMessage = "Access is denied"
            cause = null
            mostSpecificCause = (Ref #2)
          body = null
          correlationId = "87231F40-40A3-C378-97C9-300626DAB000"
          faultDetail = null
          faultString = "Access is denied"
          clientId = "773F05BF-B80F-9D6F-0198-FAEC598AF8EC"
          timeToLive = 0.0
          destination = "ourService"
          timestamp = 1.246346225464E12
          extendedData = null
          faultCode = "Client.Authorization"
          messageId = "773F05BF-B819-5B80-7B21-D7C3E93FAC95"

    web.xml

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xmlns="http://java.sun.com/xml/ns/javaee"
    	xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    	id="WebApp_ID"
    	version="2.5">
    
    
    	<!-- Name on the application -->
    	<display-name>Our app</display-name>
    
    	<!--======= INITIALIZATION PARAMETERS ======= -->
    	
    	<context-param>
    		<param-name>contextConfigLocation</param-name>
    		<param-value>
    			classpath:/applicationContext.xml
                        <!--other configuration also here, 
                            removed for security reasons -->
    		</param-value>
    	</context-param>
    	
    	
    	<!--=======  FILTERS =======-->
    
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
    
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    	
    	<!--=======  LISTENERS =======-->
    
    	<listener>
            <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
        </listener>
    
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
    
    <!-- do we need this? -->
        <!-- <listener>
            <listener-class>flex.messaging.HttpFlexSession</listener-class>
        </listener>  -->
    	
    
    	
    	<!--=======  SERVLETS =======-->
    
    
    	<!-- The front controller of this Spring Web application, responsible for handling all application requests -->
        <servlet>
            <servlet-name>DispatcherServlet</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <init-param>
                <param-name>contextConfigLocation</param-name>
                <param-value>/WEB-INF/webApplicationContext.xml</param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
        </servlet>
    
    
    	<!-- Map all /messagebroker requests to the DispatcherServlet for handling -->
    	<servlet-mapping>
    		<servlet-name>DispatcherServlet</servlet-name>
    		<url-pattern>/messagebroker/*</url-pattern>
    	</servlet-mapping>
    	
    </web-app>

    Our security configuration:

    Code:
    <?xml version="1.0"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
      xmlns:beans="http://www.springframework.org/schema/beans"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                  http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd"> 
        
         <http auto-config="true" session-fixation-protection="none"/>
    
    
       <authentication-provider>
        
        	<!-- user service is used for demo applications, not in production! -->
    		<user-service>
    	      	<user name="user" password="secret" authorities="ROLE_OURROLE, ROLE_OURROLE2"/>
    		</user-service>
    	
    	</authentication-provider>
       
    </beans:beans>

    Our Spring BlazeDS configuration:

    Code:
    <flex:message-broker>
    
        	<flex:secured  per-client-authentication="true" >
        		<flex:secured-channel channel="my-amf" access="ROLE_OURROLE, ROLE_OURROLE2"/>
        	</flex:secured>
    	</flex:message-broker>
    	
    	<flex:remoting-destination ref="ourService"/>

    We checked this many, many times and this exception came up occasionally. This is not related to a misspelled password or to authorization, because it works sometimes. This bug comes up in about 5 of 10 attempts. We don't think that it is a Java bug / problem.

    Any thoughts on this?
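    As an added triage example (not code from this thread or from the Spring BlazeDS project): a small Python parser for the BlazeDS debug-dump layout shown above. It pairs each "Deserializing AMF/HTTP request" block with the "Serializing AMF/HTTP response" block that follows it, matching the request's responseURI=/N against the response's targetURI=/N/..., and lists the requests whose response came back as an onStatus fault with faultCode Client.Authorization, together with the message type, operation, destination and the DSId header the client sent. The sample log embedded in the script is constructed in the same layout as the dump above (the DSId values are copied from it); the Exchange class and the function names are this example's own.

```python
"""BlazeDS AMF debug-dump triage (added example; not code from the thread or Spring BlazeDS).
Pairs each deserialized request with the response serialized right after it and
flags the requests whose response came back as an onStatus fault."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout of the BlazeDS debug output: a login
# CommandMessage (operation 8) that succeeds, then a RemotingMessage that
# Spring Security refuses. The DSId values are copied from the thread's log.
SAMPLE_LOG = """\
[BlazeDS][DEBUG] Deserializing AMF/HTTP request
  (Message #0 targetURI=null, responseURI=/1)
      [0] = (Typed Object #0 'flex.messaging.messages.CommandMessage')
        operation = 8
          DSId = "nil"
        destination = "auth"
[BlazeDS][DEBUG] Serializing AMF/HTTP response
  (Message #0 targetURI=/1/onResult, responseURI=)
      DSId = "773F04B5-9B1C-757E-C78C-ECE111176166"
[BlazeDS][DEBUG] Deserializing AMF/HTTP request
  (Message #0 targetURI=null, responseURI=/2)
      [0] = (Typed Object #0 'flex.messaging.messages.RemotingMessage')
        operation = "getOurData"
          DSId = "773F0574-091C-FBA2-755E-A2E44925BB73"
        destination = "ourService"
[BlazeDS][DEBUG] Serializing AMF/HTTP response
  (Message #0 targetURI=/2/onStatus, responseURI=)
      rootCause = (Typed Object #2 'org.springframework.security.AccessDeniedException')
        rootCause = null
      faultString = "Access is denied"
      faultCode = "Client.Authorization"
"""

RE_REQUEST = re.compile(r"\[BlazeDS\]\[DEBUG\] Deserializing AMF/HTTP request")
RE_RESPONSE = re.compile(r"\[BlazeDS\]\[DEBUG\] Serializing AMF/HTTP response")
RE_RESPONSE_URI = re.compile(r"responseURI=/(\d+)\)")                # request side
RE_TARGET_URI = re.compile(r"targetURI=/(\d+)/(onResult|onStatus)")  # response side
RE_MSG_TYPE = re.compile(r"Typed Object #\d+ 'flex\.messaging\.messages\.(\w+)'")
RE_CLASS = re.compile(r"'([\w.]+)'")
RE_KV = re.compile(r"^\s*(\w+) = (.*)$")


@dataclass
class Exchange:
    response_id: str          # the N in responseURI=/N and targetURI=/N/...
    message_type: str = ""    # CommandMessage, RemotingMessage, ...
    operation: str = ""
    destination: str = ""
    ds_id: str = ""           # DSId header the client sent; "nil" = no client id yet
    status: str = ""          # onResult or onStatus
    fault_code: str = ""
    root_cause: str = ""      # exception class named by the ErrorMessage


def parse_log(text: str) -> List[Exchange]:
    exchanges: List[Exchange] = []
    current = None  # request still waiting for its response
    mode = ""       # "request" or "response", set by the [BlazeDS][DEBUG] marker lines
    for line in text.splitlines():
        if RE_REQUEST.search(line):
            mode, current = "request", None
        elif RE_RESPONSE.search(line):
            mode = "response"
        elif mode == "request" and (m := RE_RESPONSE_URI.search(line)):
            current = Exchange(response_id=m.group(1))
            exchanges.append(current)
        elif current is None:
            continue
        elif mode == "request":
            if (m := RE_MSG_TYPE.search(line)) and not current.message_type:
                current.message_type = m.group(1)
            elif m := RE_KV.match(line):
                key, value = m.group(1), m.group(2).strip('"')
                if key == "operation":
                    current.operation = value
                elif key == "destination":
                    current.destination = value
                elif key == "DSId":
                    current.ds_id = value
        else:  # lines of the response to the pending request
            if m := RE_TARGET_URI.search(line):
                if m.group(1) == current.response_id:
                    current.status = m.group(2)
                else:
                    current = None  # not the reply to the pending request; drop it
            elif m := RE_KV.match(line):
                key, value = m.group(1), m.group(2)
                if key == "faultCode":
                    current.fault_code = value.strip('"')
                elif key == "rootCause" and not current.root_cause:
                    # keep the outermost exception class; the nested
                    # 'rootCause = null' line inside it carries no class name
                    if cls := RE_CLASS.search(value):
                        current.root_cause = cls.group(1)
    return exchanges


def authorization_faults(exchanges: List[Exchange]) -> List[Exchange]:
    """Requests whose response was an onStatus fault with faultCode Client.Authorization."""
    return [e for e in exchanges
            if e.status == "onStatus" and e.fault_code == "Client.Authorization"]


if __name__ == "__main__":
    for e in authorization_faults(parse_log(SAMPLE_LOG)):
        print(f"{e.message_type} {e.operation!r} -> {e.destination}: "
              f"{e.fault_code} ({e.root_cause}); client DSId={e.ds_id}")
```

    Run it over a full debug log (read the file into parse_log instead of SAMPLE_LOG) and compare a failing run with a working one. The value worth lining up is the DSId: in the dump above, the refused getOurData request carries the DSId that the server returned with the second ping (operation 5), not the one returned with the login result, and with per-client authentication the client id is what the server keys the authenticated state on, so that is the first difference to check between runs that pass and runs that get "Access is denied".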

  • #2
    Without being able to dig deeper into the internals, I'm not sure what the cause could be. I noticed that all of your log messages are very close together, time-wise. Are you encountering this in an automated test? If so, any chance you could open a Jira and attach the test to help us reproduce and diagnose?

    • #3
      We have resolved this now.

      The problem was a wrong security configuration. We had not configured the PreAuthenticatedProcessingFilterEntryPoint.

      New configuration, works like a charm:
      Code:
        <http entry-point-ref="preAuthenticatedEntryPoint" />
          
          <beans:bean id="preAuthenticatedEntryPoint" 
              class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
      
            <authentication-provider>
          
          	<!-- user service is used for demo applications, not in production! -->
      		<user-service>
      	      	<user name="user" password="secret" authorities="ROLE_OURROLE, ROLE_OURROLE2"/>
      		</user-service>
      	
      	</authentication-provider>

      Old configuration, worked occasionally:

      Code:
           <http auto-config="true" session-fixation-protection="none"/>
      
      
         <authentication-provider>
          
          	<!-- user service is used for demo applications, not in production! -->
      		<user-service>
      	      	<user name="user" password="secret" authorities="ROLE_OURROLE, ROLE_OURROLE2"/>
      		</user-service>
      	
      	</authentication-provider>
      It's quite odd that the old configuration worked sometimes.