Word - Spring JIRA

[SEC-855] preauthentication filter is not populating the securityContextHolder
Created: 27/May/08  Updated: 06/Feb/16  Resolved: 29/May/08

Status: Closed
Project: Spring Security
Component/s: None
Affects Version/s: None
Fix Version/s: 2.0.2

Type: Bug
Priority: Major
Reporter: kris
Assignee: Luke Taylor
Resolution: Invalid
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: websphere 6.0.1, spring-security-2.0.1

Description
Steps
1. Enable WAS global security for IBM
2. Turn off java security
3. Configure LDAP for global security
4. Create a login page with just form based authentication
<FORM METHOD=POST ACTION="j_security_check">
  <table>
    <tr>
      <td>UserName</td>
      <td><INPUT TYPE=TEXT NAME="j_username" SIZE="10"/></td>
    </tr>
    <tr>
      <td>Password</td>
      <td><INPUT TYPE=TEXT NAME="j_password" SIZE="10"/></td>
    </tr>
    <tr>
      <td></td>
      <td><INPUT TYPE="SUBMIT"></td>
    </tr>
  </table>
</FORM>
5. when we submit this form after successful authentication against the LDAP configured in IBM it should be fo
/test.jsp configured in web.xml
6. Up to this point it works.
7. But in TesterServlet's method, if you check for the authenticated name in SecurityContextHolder, it is null.
8. SecurityContextHolder is not getting populated though it was authenticated successfully in websphere
<!-- ====================== web.xml ================================ -->
<!-- CONTAINER MANAGED SECURITY CONFIGS -->
<!-- Context Configuration locations for Spring XML files -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<filter>
<filter-name>acegiChain</filter-name>
<filter-class>
org.springframework.security.util.FilterToBeanProxy
</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>
org.springframework.security.util.FilterChainProxy
</param-value>
</init-param>
</filter>
<!-- CONTAINER MANAGED SECURITY CONFIGS -->
<filter-mapping>
<filter-name>acegiChain</filter-name>
<url-pattern>/test*</url-pattern>
</filter-mapping>
<!-- CONTAINER MANAGED SECURITY CONFIGS -->
<servlet>
<servlet-name>TesterServlet</servlet-name>
<servlet-class>
org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<!--
Publishes events for session creation and destruction through the application
context. Optional unless concurrent session control is being used.
-->
<listener>
<listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
</listener>
<servlet-mapping>
<servlet-name>TesterServlet</servlet-name>
<url-pattern>*.htm</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>/test.htm</welcome-file>
</welcome-file-list>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>SecureRealm</realm-name>
<form-login-config>
<form-login-page>/loginIBM.jsp</form-login-page>
<form-error-page>/loginIBM.jsp</form-error-page>
</form-login-config>
</login-config>
<!-- ====================== web.xml ================================ -->
<!-- ====================== spring-security.xml WEBSPHERE RELATED SECURITY DEFINITIONS
================================ -->
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
<sec:filter-chain-map path-type="ant">
<sec:filter-chain pattern="/error/*" filters="none"/>
<sec:filter-chain pattern="/back*" filters="none"/>
<sec:filter-chain pattern="/loginibm*" filters="none"/>
<sec:filter-chain pattern="/test*"
filters="httpSessionContextIntegrationFilter,preAuthFilter,
preAuthExceptionTranslationFilter,filterInvocationInterceptor"/>
</sec:filter-chain-map>
</bean>
<bean id="preAuthExceptionTranslationFilter"
class="org.springframework.security.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="preAuthenticatedProcessingFilterEntryPoint"/>
<property name="accessDeniedHandler">
<bean
class="org.springframework.security.ui.AccessDeniedHandlerImpl">
<property name="errorPage" value="/authorizationError.htm" />
</bean>
</property>
</bean>
<bean id="preAuthenticatedProcessingFilterEntryPoint"
class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint"/>
<bean id="grantedAuthoritiesMapper"
class="org.springframework.security.authoritymapping.SimpleAttributes2GrantedAuthoritiesMapper">
<property name="convertAttributeToUpperCase" value="true"/>
</bean>
<bean id="authenticationDetailsSource"
class="org.springframework.security.ui.preauth.websphere.WebSpherePreAuthenticatedWebAuthenticationDeta
<property name="webSphereGroups2GrantedAuthoritiesMapper" ref="grantedAuthoritiesMapper" />
</bean>
<bean id="preAuthenticatedUserDetailsService"
class="org.springframework.security.providers.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>
<bean id="preAuthenticatedAuthenticationProvider"
class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
</bean>
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
<property name="providers">
<list>
<ref bean="preAuthenticatedAuthenticationProvider" />
</list>
</property>
</bean>
<bean id="preAuthFilter"
class="org.springframework.security.ui.preauth.websphere.WebSpherePreAuthenticatedProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
</bean>
<bean id="requestHeaderPreAuthenticatedProcessingFilter"
class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
</bean>
<bean id="webSphere2SpringSecurityPropagationInterceptor"
class="org.springframework.security.ui.preauth.websphere.WebSphere2SpringSecurityPropagationInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
</bean>
<bean id="securityContextHolderAwareRequestFilter"
class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter">
<property name="wrapperClass"
value="org.springframework.security.wrapper.SecurityContextHolderAwareRequestWrapper"/>
</bean>
Comments
Comment by Luke Taylor [ 27/May/08 ]
I'm assuming websphere is forwarding to the welcome file "/test.htm" after a login? If that's the
case then the filter chain won't be applied. Whether it is or not should be obvious from the
Spring Security debug log. Have you enabled logging and checked the output?
Comment by kris [ 28/May/08 ]
Thanks Luke.
Yes, you are right: I don't see any filters coming in the way of the "/test" URL after it is authenticated
by WAS security.
How can my application know about the authentication details in this case, as forwarded URLs are
not getting intercepted by any of the security filters?
How should I configure it in this case?
Comment by Luke Taylor [ 28/May/08 ]
You could either
1. Use a dummy page as your welcome page which does a redirect.
2. Configure your web.xml to apply filters to forwards.
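Option 2 above, shown as an added example (not part of the original comment or of the project's own configuration): the reporter's filter-mapping as posted, next to the same mapping with dispatcher types declared. It assumes a Servlet 2.4 or later web.xml, where the `<dispatcher>` element is available, and that the container forwards to the welcome file after login, as the comment supposes.

```xml
<!-- Added example, not from the issue. Requires a Servlet 2.4+ deployment descriptor. -->

<!-- Before (as posted in the report): with no <dispatcher> element the mapping
     applies to REQUEST dispatches only. An internal forward to the welcome file
     after j_security_check never passes through acegiChain, so preAuthFilter
     does not run and SecurityContextHolder stays empty. -->
<filter-mapping>
    <filter-name>acegiChain</filter-name>
    <url-pattern>/test*</url-pattern>
</filter-mapping>

<!-- After: same filter and pattern, applied to direct requests and to
     container forwards. REQUEST must be listed explicitly once any
     <dispatcher> element is present, otherwise direct requests would
     no longer be filtered. -->
<filter-mapping>
    <filter-name>acegiChain</filter-name>
    <url-pattern>/test*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>
```

The Servlet specification defines only `/prefix/*` and `*.ext` as wildcard patterns and treats anything else as an exact path, so whether `/test*` matches `/test.htm` depends on the container; the Spring Security debug log shows whether the chain was actually invoked for the forwarded request.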
Comment by Luke Taylor [ 29/May/08 ]
This is almost certainly not a bug, but normal servlet filter behaviour, so closing.
Comment by Spring Issuemaster [ 06/Feb/16 ]
This issue has been migrated to https://github.com/spring-projects/spring-security/issues/1106
Generated at Sun Mar 06 04:05:13 UTC 2016 using JIRA 6.4.11#64026sha1:78f6ec473a3f058bd5d6c30e9319c7ab376bdb9c.