I'm trying to set up FEDIZ-1.1-SNAPSHOT with FEDIZ-1.1-SPRING-SNAPSHOT as an RP to an existing .NET ADFS IDP.
If I subclass `` to authenticate on my desired URL path `myAlaska`
I end up with the following log entries when I try to log in:
06-18 @ 09:56:56 INFO [] Spring Security Debugger -
************************************************************
Request received for '/myAlaska':
org.apache.catalina.connector.RequestFacade@a2f68b
servletPath:/myAlaska
pathInfo:null
Security filter chain: [
SecurityContextPersistenceFilter
MyAlaskaAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
************************************************************
06-18 @ 09:56:56 DEBUG [] FilterChainProxy - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
06-18 @ 09:56:56 DEBUG [] nSecurityContextRepository - No HttpSession currently exists
06-18 @ 09:56:56 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
06-18 @ 09:56:56 DEBUG [] FilterChainProxy - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
06-18 @ 09:56:56 DEBUG [] AlaskaAuthenticationFilter - Compared: path=/myAlaska, and /j_spring_fediz_security_check
06-18 @ 09:56:56 DEBUG [] AlaskaAuthenticationFilter - ServletPath Authentication: true
06-18 @ 09:56:56 DEBUG [] AlaskaAuthenticationFilter - Request is to process authentication
06-18 @ 09:56:56 DEBUG [] AlaskaAuthenticationFilter - begin parameter logging.
wa: null
wresult: null
full URL: https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
Method: GET
06-18 @ 09:56:56 DEBUG [] ProviderManager - Authentication attempt using us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider
06-18 @ 09:56:56 DEBUG [] MyAlaskaAuthProvider - Authenticating: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1dacb29: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 146.63.181.15; SessionId: null; Not granted any authorities
06-18 @ 09:56:56 DEBUG [] MyAlaskaAuthProvider - request: WA: null Wct: null Result: null Cert Count: 0
06-18 @ 09:56:56 DEBUG [] FederationConfigImpl - Reading federation configuration for context '/newhirereporting'
06-18 @ 09:56:56 ERROR [] FederationProcessorImpl - Invalid action 'null'
06-18 @ 09:56:56 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request
org.apache.cxf.fediz.core.exception.ProcessingException: The request was invalid or malformed
at org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:93)
at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:121)
at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:30)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Unknown Source)
06-18 @ 09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: The request was invalid or malformed
06-18 @ 09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
06-18 @ 09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1508a8b
06-18 @ 09:56:56 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
06-18 @ 09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
06-18 @ 09:56:56 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
If I remove the additional authentication checks so it only checks on /j_spring_fediz_security_check, I get the following error instead:
06-18 @ 10:57:19 INFO [] Spring Security Debugger -
************************************************************
Request received for '/myAlaska':
org.apache.catalina.connector.RequestFacade@1cdedd4
servletPath:/myAlaska
pathInfo:null
Security filter chain: [
SecurityContextPersistenceFilter
MyAlaskaAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
************************************************************
06-18 @ 10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
06-18 @ 10:57:19 DEBUG [] nSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
06-18 @ 10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be created.
06-18 @ 10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
06-18 @ 10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication = false
06-18 @ 10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
06-18 @ 10:57:19 DEBUG [] DefaultSavedRequest - pathInfo: both null (property equals)
06-18 @ 10:57:19 DEBUG [] DefaultSavedRequest - queryString: both null (property equals)
06-18 @ 10:57:19 DEBUG [] DefaultSavedRequest - requestURI: arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property equals)
06-18 @ 10:57:19 DEBUG [] DefaultSavedRequest - serverPort: arg1=8443; arg2=8443 (property equals)
06-18 @ 10:57:19 DEBUG [] DefaultSavedRequest - requestURL: arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska; arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property equals)
06-18 @ 10:57:19 DEBUG [] DefaultSavedRequest - scheme: arg1=https; arg2=https (property equals)
06-18 @ 10:57:19 DEBUG [] DefaultSavedRequest - serverName: arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals)
06-18 @ 10:57:19 DEBUG [] DefaultSavedRequest - contextPath: arg1=/newhirereporting; arg2=/newhirereporting (property equals)
06-18 @ 10:57:19 DEBUG [] DefaultSavedRequest - servletPath: arg1=/myAlaska; arg2=/myAlaska (property equals)
06-18 @ 10:57:19 DEBUG [] HttpSessionRequestCache - Removing DefaultSavedRequest from session if present
06-18 @ 10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
06-18 @ 10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
06-18 @ 10:57:19 DEBUG [] nymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS'
06-18 @ 10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
06-18 @ 10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
06-18 @ 10:57:19 DEBUG [] FilterChainProxy - /myAlaska at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
06-18 @ 10:57:19 DEBUG [] AntPathRequestMatcher - Checking match of request : '/myalaska'; against '/'
06-18 @ 10:57:19 DEBUG [] AntPathRequestMatcher - Checking match of request : '/myalaska'; against '/myalaska'
06-18 @ 10:57:19 DEBUG [] FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()]
06-18 @ 10:57:19 DEBUG [] FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS
06-18 @ 10:57:19 DEBUG [] AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@200930, returned: -1
06-18 @ 10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Unknown Source)
06-18 @ 10:57:19 DEBUG [] HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska]
06-18 @ 10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication entry point.
06-18 @ 10:57:19 DEBUG [] FederationConfigImpl - Reading federation configuration for context '/newhirereporting'
06-18 @ 10:57:19 DEBUG [] MyAlaskaEntryPoint - Federation context: org.apache.cxf.fediz.core.config.FederationContext@a302f2
06-18 @ 10:57:19 INFO [] FederationProcessorImpl - Issuer url: https://mydev.alaska.gov/adfs/ls/
06-18 @ 10:57:19 INFO [] FederationProcessorImpl - WAuth:
06-18 @ 10:57:19 INFO [] FederationProcessorImpl - HomeRealm: null
06-18 @ 10:57:19 INFO [] FederationProcessorImpl - Freshness: null
06-18 @ 10:57:19 DEBUG [] FederationProcessorImpl - wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
06-18 @ 10:57:19 DEBUG [] FederationProcessorImpl - wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/
06-18 @ 10:57:19 INFO [] MyAlaskaEntryPoint - Redirecting to IDP: https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&wctx=enhr
06-18 @ 10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
06-18 @ 10:57:19 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
The first error tells me there was a problem with the sign-in request/response: it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a POST.
The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to /myAlaska -> redirects back to the IDP ....
In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
It looks like Fediz wants a POST redirect with some desired parameters set, like wa=wsignin1.0, and seeing as it's not finding that information,
it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
I have Spring Security configured like so:
<sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
    <sec:intercept-url pattern="/" access="permitAll"/>
    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
    <sec:session-management session-authentication-strategy-ref="sas"/>
</sec:http>
The examples look like you expect a role with the SAML Token. I want to treat ALL accounts from ADFS with the same role.
Is using ' access="isFullyAuthenticated()" ' appropriate for my use case?
Thank you for any help,
Tom Burton
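As an added example (not Tom's code and not part of Fediz), one way for a subclassed filter to tell a real sign-in response apart from a plain navigation, based on what the two logs above show: the response ADFS posts back carries wa=wsignin1.0 and a wresult, while the failing request is a GET with both null, and treating it as an authentication attempt is what produced the 401 in the first log. It assumes Fediz 1.1's FederationAuthenticationFilter extends Spring Security's AbstractAuthenticationProcessingFilter with a no-arg constructor; the class name is hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter;

/**
 * Hypothetical subclass: a request is handed to the Fediz authentication
 * provider only when it is an actual WS-Federation sign-in response. Any
 * other request to /myAlaska (or /someOtherPage) is left untouched, so the
 * FilterSecurityInterceptor denies it and ExceptionTranslationFilter sends
 * the user to the entry point with wreply pointing at the page they asked for.
 */
public class SignInResponseOnlyFilter extends FederationAuthenticationFilter {

    // WS-Federation parameter names and the sign-in action value, exactly as
    // they appear in the log output above (wa, wresult, wsignin1.0).
    private static final String PARAM_ACTION = "wa";
    private static final String PARAM_RESULT = "wresult";
    private static final String ACTION_SIGNIN = "wsignin1.0";

    @Override
    protected boolean requiresAuthentication(HttpServletRequest request,
                                             HttpServletResponse response) {
        // Path matching alone is not enough: the first log shows a plain GET
        // to /myAlaska being treated as a sign-in and failing. Decide on the
        // method and parameters instead, whatever path wreply pointed at.
        return isSignInResponse(request);
    }

    /**
     * True only for a POST that carries wa=wsignin1.0 and a non-empty wresult,
     * i.e. the form the IDP posts back after the user signs in.
     */
    static boolean isSignInResponse(HttpServletRequest request) {
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            return false; // a GET can never be a sign-in response
        }
        String wa = request.getParameter(PARAM_ACTION);
        String wresult = request.getParameter(PARAM_RESULT);
        return ACTION_SIGNIN.equals(wa) && wresult != null && !wresult.isEmpty();
    }
}
```

Signature validation of wresult is still done by the Fediz provider; this check only keeps requests that cannot be a sign-in response from ever reaching it.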
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Unknown Source)
06-18 [ at ] 10:57:19 DEBUG [] HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska]
06-18 [ at ] 10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication entry point.
06-18 [ at ] 10:57:19 DEBUG [] FederationConfigImpl - Reading federation configuration for context '/newhirereporting'
06-18 [ at ] 10:57:19 DEBUG [] MyAlaskaEntryPoint - Federation context: org.apache.cxf.fediz.core.config.FederationContext [ at ] a302f2
06-18 [ at ] 10:57:19 INFO [] FederationProcessorImpl - Issuer url: https://mydev.alaska.gov/adfs/ls/
06-18 [ at ] 10:57:19 INFO [] FederationProcessorImpl - WAuth:
06-18 [ at ] 10:57:19 INFO [] FederationProcessorImpl - HomeRealm: null
06-18 [ at ] 10:57:19 INFO [] FederationProcessorImpl - Freshness: null
06-18 [ at ] 10:57:19 DEBUG [] FederationProcessorImpl - wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
06-18 [ at ] 10:57:19 DEBUG [] FederationProcessorImpl - wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/
06-18 [ at ] 10:57:19 INFO [] MyAlaskaEntryPoint - Redirecting to IDP: https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&wctx=enhr
06-18 [ at ] 10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
06-18 [ at ] 10:57:19 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
The first error tells me there was a problem with the sign-in request/response: it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 or any other parameters. It's also a GET request and NOT a POST.
The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to /myAlaska -> redirects back to the IDP ....
In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
It looks like Fediz wants a POST redirect with some desired parameters set, like wa=wsignin1.0, and seeing as it's not finding that information,
it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
I have spring security configured like so:
<sec:http entry-point-ref="federationEntryPoint" use-expressions="true">
    <sec:intercept-url pattern="/" access="permitAll"/>
    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()"/>
    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER"/>
    <sec:session-management session-authentication-strategy-ref="sas"/>
</sec:http>
The examples look like you expect a role with the SAML Token. I want to treat ALL accounts from ADFS with the same role.
Is using ' access="isFullyAuthenticated()" ' appropriate for my use case?
Thank you for any help,
Tom Burton
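Added example (not code from the post above, nor from Fediz or Spring Security): a small Python model of the hops the message describes. The RP builds the wsignin1.0 redirect, the IdP sends the browser back to wreply, and the RP only treats the return as a sign-in response when it is a POST carrying wa=wsignin1.0 and wresult. Run it with the IdP returning by POST and the saved request is served; run it with a plain GET return (what the log above shows) and the same protected /myAlaska hit just redirects to the IdP again, which is the loop. Host names, paths, the wctx value and the wresult payload are constructed placeholders; the parameter names wa, wreply, wtrealm, wct and wctx are the standard WS-Federation ones.

```python
"""
Model of the WS-Federation passive sign-in hops discussed in the post.
Added example, not Fediz or Spring Security code. Hosts, paths and the
'wresult' payload are constructed; nothing here validates a real token.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "https://idp.example/adfs/ls/"      # assumed IdP sign-in endpoint
WREPLY = "https://rp.example/myAlaska"       # assumed RP return URL (wreply)
WTREALM = "https://rp.example/"              # assumed RP realm (wtrealm)


def build_signin_request(issuer, wreply, wtrealm, wctx, now=None):
    """RP side: the redirect the authentication entry point sends."""
    now = now or datetime.now(timezone.utc)
    params = {
        "wa": "wsignin1.0",
        "wreply": wreply,
        "wtrealm": wtrealm,
        "wct": now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z",
        "wctx": wctx,
    }
    return issuer + "?" + urlencode(params)


def parse_signin_request(url):
    """IdP side: read the single-valued query parameters the RP sent."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def is_signin_response(method, params):
    """The gate a WS-Fed processing filter applies before validating a token:
    the IdP posts back wa=wsignin1.0 together with wresult. A GET without
    those parameters is just a page hit, not a sign-in response."""
    return (method == "POST"
            and params.get("wa") == "wsignin1.0"
            and bool(params.get("wresult")))


def rp_handle(method, path, params, protected_paths, session):
    """One pass through the RP's filter chain; returns the next action."""
    if is_signin_response(method, params):
        session["authenticated"] = True            # token validation is modelled, not done
        return ("redirect", session.pop("saved_request", "/"))
    if path in protected_paths and not session.get("authenticated"):
        session["saved_request"] = path            # like HttpSessionRequestCache
        return ("redirect", build_signin_request(ISSUER, WREPLY, WTREALM, "ctx-1"))
    return ("page", path)


def simulate(idp_return_method, protected_paths=("/myAlaska",), max_hops=6):
    """Follow the hops from a direct GET /myAlaska until a page is served
    or the hop budget runs out, which is how a redirect loop shows up."""
    session, hops = {}, []
    method, path, params = "GET", "/myAlaska", {}
    for _ in range(max_hops):
        action, target = rp_handle(method, path, params, protected_paths, session)
        hops.append((method, path, action))
        if action == "page":
            return hops, "served"
        if target.startswith(ISSUER):
            # The IdP authenticates the user and sends the browser back to wreply,
            # either as a POST with wresult or (the failure case) as a bare GET.
            req = parse_signin_request(target)
            path, method = urlsplit(req["wreply"]).path, idp_return_method
            params = ({"wa": "wsignin1.0", "wctx": req["wctx"],
                       "wresult": "<RequestSecurityTokenResponse/>"}  # constructed
                      if method == "POST" else {})
        else:
            method, path, params = "GET", target, {}
    return hops, "loop"


if __name__ == "__main__":
    for how in ("POST", "GET"):
        hops, outcome = simulate(how)
        print(f"IdP returns via {how}: {outcome}")
        for hop in hops:
            print("   ", hop)
```

The point of the gate in is_signin_response is that the return URL and a protected page URL can be the same path only if the filter can tell the two apart; when the IdP comes back with a GET and no wresult, the protected-page rule fires first and the entry point redirects again.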