I'm trying to use Spring Security 3.1, but I'm losing my HttpSession after the authentication. I'm getting: "No HttpSession currently exists" after having a correct HttpSession created.
I'm getting the following log:
08 janv. 2014 19:53:59 DEBUG HttpSessionSecurityContextRepository - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl#bce8a84f: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#bce8a84f: Principal: org.springframework.security.core.userdetails.User#3b40b2f: Username: ADMIN; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: qx1qn1vbjxx71xedid64oi977; Granted Authorities: ROLE_ADMIN'
08 janv. 2014 19:53:59 DEBUG DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'spring': assuming HandlerAdapter completed request handling
08 janv. 2014 19:53:59 DEBUG DispatcherServlet - Successfully completed request
08 janv. 2014 19:53:59 DEBUG ExceptionTranslationFilter - Chain processed normally
08 janv. 2014 19:53:59 DEBUG SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
08 janv. 2014 19:54:00 DEBUG FilterChainProxy - /index at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
08 janv. 2014 19:54:00 DEBUG HttpSessionSecurityContextRepository - No HttpSession currently exists
08 janv. 2014 19:54:00 DEBUG HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
08 janv. 2014 19:54:00 DEBUG FilterChainProxy - /index at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
08 janv. 2014 19:54:00 DEBUG FilterChainProxy - /index at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
08 janv. 2014 19:54:00 DEBUG FilterChainProxy - /index at position 4 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
08 janv. 2014 19:54:00 DEBUG FilterChainProxy - /index at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
08 janv. 2014 19:54:00 DEBUG FilterChainProxy - /index at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
08 janv. 2014 19:54:00 DEBUG FilterChainProxy - /index at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
08 janv. 2014 19:54:00 DEBUG AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
What could be the problem?
UPDATE:
I found my problem... I had a file that I should have cared about before:
jetty-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN"
"http://jetty.mortbay.org/configure.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="sessionHandler">
<Get name="sessionManager">
<Set name="usingCookies" type="boolean">false</Set>
</Get>
</Get>
</Configure>
I was disabling the cookies myself...
I found my problem... I had a file that I should have cared about before:
jetty-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN"
"http://jetty.mortbay.org/configure.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="sessionHandler">
<Get name="sessionManager">
<Set name="usingCookies" type="boolean">false</Set>
</Get>
</Get>
</Configure>
I was disabling the cookies myself... I've deleted this file and it's now working.
Related
I'm trying to restrict GET access to a URL for one role, and POST access to the same URL for another role as seen below.
#Configuration
#EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("user").password("password").roles("USER").and()
.withUser("readuser").password("password").roles("USER", "READ").and()
.withUser("admin").password("password").roles("USER", "READ", "WRITE");
}
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin().permitAll().and()
.logout().permitAll().and()
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/api/foo").hasRole("READ")
.antMatchers(HttpMethod.POST, "/api/foo").hasRole("WRITE")
.anyRequest().authenticated()
.and().csrf().disable()
.httpBasic();
When I try a GET (or a POST) with my readuser account, I get an access denied error; but when I try either with the admin account, it can do both.
However, when I remove the line .antMatchers(HttpMethod.POST, "/api/foo").hasRole("WRITE") then my readuser account can properly hit /api/foo with a GET request.
How can I make Spring Security allow both of these restrictions?
UPDATE - including relevant spring security debug log information
Here are the relevant logs when attempting with readuser:
************************************************************
Request received for GET '/api/foo?id=foo':
Request(GET //localhost:8089/api/foo?id=foo)#b4603eb
servletPath:/api/foo
pathInfo:null
headers:
Authorization: Basic cnVudXNlcjpwYXNzd29yZA==
Cookie: JSESSIONID=node0fe3b0i44a5sbpohi6jq6dkkw0.node0
Cache-Control: no-cache
Accept: */*
User-Agent: PostmanRuntime/3.0.11-hotfix.2
Connection: keep-alive
Postman-Token: 99a23213-6cf8-4686-9886-7f9c2de13c6f
Host: localhost:8089
Accept-Encoding: gzip, deflate
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
UsernamePasswordAuthenticationFilter
DefaultLoginPageGeneratingFilter
BasicAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
.
.
.
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/foo'; against 'GET'
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/foo'; against '/api/foo'
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/foo?id=foo; Attributes: [hasRole('ROLE_WRITE')]
2017-05-08 11:31:27.818 DEBUG 5812 --- [p1731685294-106] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#a38eb23d: Principal: org.springframework.security.core.userdetails.User#5c7268d6: Username: readuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_READ,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_READ, ROLE_USER
2017-05-08 11:31:27.818 DEBUG 5812 --- [p1731685294-106] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#7b20c046, returned: -1
2017-05-08 11:31:27.819 DEBUG 5812 --- [p1731685294-106] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
.
.
.
2017-05-08 11:31:27.823 DEBUG 5812 --- [p1731685294-106] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
You are using the wrong HttpMethod class.
javax.ws.rs.HttpMethod#GET returns a String and therefore you use antMatchers(String... antPatterns) instead of antMatchers(HttpMethod method, String... antPatterns) in your Spring Security configuration.
With that configuration Spring Security checks against the URL patterns GET and /api/foo (both for all HTTP methods), see your log:
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/foo'; against 'GET'
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/foo'; against '/api/foo'
You have to use org.springframework.http.HttpMethod#GET, which returns a HttpMethod object.
I have a zuul proxy (http://localhost:8765) serving an angular web app (http://localhost:8080/app). Behind the zuul proxy there is also an oauth2 server (http://localhost:8899).
The web resources are proxied under http://localhost:8765/web and the resources are proxied under http://localhost:8765/api.
The Zuul proxy serves the static web resources without authentication. So the first authentication is done through a JSON call (GET /api/user) which of course fails with 401.
Now I forward the page to "http://localhost:8899/uaa/oauth/authorize?response_type=token&client_id=web&redirect_uri=http://localhost:8765/web/index.html" to make an implicit grant oauth 2 flow. I can authorize now the web application and get forwarded back to my web app. The token is part of the url and I can parse it.
IMHO the only thing I now have to do is to add this token as Authorization header (e.g. Authorization:Bearer 2829d5e2-4fbe-4f91-b74d-c99b2fe894a7). But the zuul proxy won't accept this request as authorized.
I am using spring boot 1.3.2 and spring cloud Brixton.M4.
The Zuul Server Application can be found here and the security config here.
Here are my request headers:
Accept:application/json
Accept-Encoding:gzip, deflate, sdch
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Authorization:Bearer 2829d5e2-4fbe-4f91-b74d-c99b2fe894a7
Connection:keep-alive
Cookie:XSRF-TOKEN=a6ddea36-e3b7-4f22-b80c-b4c8b6fd7760; JSESSIONID=DAE4649D11386D586A0CF739148E505A; XSRF-TOKEN=3a7a57ad-68f6-4cc6-923b-4e8fe340fe1e
Host:localhost:8765
Referer:http://localhost:8765/web/index.html
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/48.0.2564.82 Chrome/48.0.2564.82 Safari/537.36
X-Auth-Token:2829d5e2-4fbe-4f91-b74d-c99b2fe894a7
X-Requested-With:XMLHttpRequest
X-XSRF-TOKEN:a6ddea36-e3b7-4f22-b80c-b4c8b6fd7760
My Zuul configuration is:
server:
context-path: /
security:
user:
password: none
oauth2:
sso:
loginPath: /login
client:
accessTokenUri: ${authserver.protocol}://${authserver.hostname}:${authserver.port}/${authserver.contextPath}/oauth/token
userAuthorizationUri: ${authserver.protocol}://${authserver.hostname}:${authserver.port}/${authserver.contextPath}/oauth/authorize
clientId: web
resource:
userInfoUri: ${authserver.protocol}://${authserver.hostname}:${authserver.port}/${authserver.contextPath}/user
preferTokenInfo: false
zuul:
routes:
web-portal:
path: /web/**
url: http://localhost:8080/app
user:
path: /api/user/**
url: ${authserver.protocol}://${authserver.hostname}:${authserver.port}/${authserver.contextPath}/user
authentication-service:
path: /uaa/**
stripPrefix: false
---
spring:
profiles: local
logging:
level:
org:
springframework:
security: DEBUG
authserver:
protocol: http
hostname: localhost
port: 8899
contextPath: uaa
The zuul server log is:
2016-02-11 17:11:02.958 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Request '/api/user' matched by universal pattern '/**'
2016-02-11 17:11:02.958 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-02-11 17:11:02.958 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-02-11 17:11:02.958 DEBUG 3242 --- [nio-8765-exec-4] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2016-02-11 17:11:02.958 DEBUG 3242 --- [nio-8765-exec-4] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade#5571734d. A new one will be created.
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#42c144ce
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 4 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using org.springframework.security.web.csrf.CsrfFilter$DefaultRequiresCsrfMatcher#4ad95822
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.util.matcher.AndRequestMatcher : Did not match
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 5 of 13 in additional filter chain; firing Filter: ''
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /api/user' doesn't match 'POST /logout
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 7 of 13 in additional filter chain; firing Filter: 'OAuth2ClientAuthenticationProcessingFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/user'; against '/login'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 8 of 13 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 9 of 13 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: DAE4649D11386D586A0CF739148E505A; Granted Authorities: ROLE_ANONYMOUS'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/user'; against '/index.html'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/user'; against '/home.html'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/user'; against '/web/**'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/user'; against '/uaa/oauth/**'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/user; Attributes: [authenticated]
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: DAE4649D11386D586A0CF739148E505A; Granted Authorities: ROLE_ANONYMOUS
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#77816ac4, returned: -1
2016-02-11 17:11:02.960 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
How can I force the authentication on the zuul proxy against the access token?
--- Edit:
If I enable the authentication for the static web resource by removing the http security exception for it, I get forwarded to the authorization page. When the request gets forwarded back everything works. The zuul proxy forwards to the oauth server with its /login URL as return address. This seems to be the correct way. I suppose it saves some information in its session and after that forwards back to the initial requesting page (in my case /web/index.html).
When I now restart the authentication service (like simulating expired token) the resources from the web application are served, but the request to /api/user (proxied to the authentication server) is denied.
Same happens when I come from a manually constructed authorize URL like
http://localhost:8899/uaa/oauth/authorize?response_type=token&client_id=web&redirect_uri=http://localhost:8765/web/index.html. First I get to the authorization page of the oauth server. This is correct. On click on authorize the request gets forwarded to the web app (/web/index.html). All static content is served without problem, but access to /api/user is again denied. This time with an error logged in the oauth server: Invalid access token: dff5121b-06e4-4bd7-b48e-08ad82d71404
zuul api not forward header by default so disable it we need to add it
zuul:
sensitive-headers: Cookie,Set-Cookie
You should move to Spring Boot 1.3x.
Then, you can annotate you Zulu Proxy with #EnableOAuath2Sso annotation.
In your application.yml for Zuul, specify the following (for Spring Boot 1.3x):
security:
user:
password: none
oauth2:
client:
accessTokenUri: ${oauthserver}:${oauthport}/oauth/token
userAuthorizationUri: ${oauthserver}:${oauthport}/oauth/authorize
clientId: acme
clientSecret: acme secret
Thanks to #Dave I can answer my own question:
To have the Zuul proxy acception the OAuth Bearer Token header, you have to configure it as a resource server instead a SSO server.
Remove the #EnableOAuth2Sso annotation and use the #EnableResourceServer annotation instead. First I had still my WebSecurityConfigurerAdapter in place. So this was fixed by changing
#Configuration
#EnableOAuth2Sso
public class OAuthConfiguration extends WebSecurityConfigurerAdapter {
to
#Configuration
#EnableResourceServer
public class OAuthConfiguration extends ResourceServerConfigurerAdapter {
If one should use the implicit authentication is another topic (see comment from Dave).
By default the Zuul Proxy will remove certain headers because it deems them to sensitive and no other server should receive them. It has a list of cookies and headers it needs to remove. This needs to be overridden. The way to do this for a particular route is:
zuul:
routes:
profile-service-chaining:
sensitiveHeaders:
stripPrefix: false
serviceId: profile-service-chaining
path: /services/profiles
The line 'sensitiveHeaders:' will empty the cookies headers. This will cause all headers to be past to the server the request will be sent to. This will allow the Authorization header to sent to the target server. As the Zuul documentation says make sure to always remove sensitive headers. To do this the add:
sensitiveHeaders: Cookie
The above will remove the Cookie header before it is passed to the next server as specified by the Zuul route.
I have this set-up in order to work with the Netflix stack:
An Eureka Server
A module, exposed to the outside world with a Zuul proxy (registered to Eureka)
A number of back-end microservices (registered to Eureka)
My problem is, when I invoke an URL in the proxy (to be redirected to the microservice) for the second/third time, the autenthicated principal is lost.
These are the log entries:
09:14:31.300 INFO 8720 --- [nio-8080-exec-7] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Mon Sep 14 09:14:31 CEST 2015, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={message=Access is denied, type=org.springframework.security.access.AccessDeniedException}]
09:14:33.387 INFO 8720 --- [io-8080-exec-10] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Mon Sep 14 09:14:33 CEST 2015, principal=eadmin, type=AUTHENTICATION_SUCCESS, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails#fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: DE9DEDCB6A809133C54ABC3403A46B38}]
09:14:33.387 INFO 8720 --- [io-8080-exec-10] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Mon Sep 14 09:14:33 CEST 2015, principal=eadmin, type=AUTHENTICATION_SUCCESS, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails#fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: DE9DEDCB6A809133C54ABC3403A46B38}]
09:14:35.407 INFO 8720 --- [nio-8080-exec-1] o.s.c.n.zuul.filters.ProxyRouteLocator : Finding route for path: /userregistryservice/user-registry/getAllRoles
09:23:40.119 INFO 8720 --- [nio-8080-exec-2] o.s.c.n.zuul.filters.ProxyRouteLocator : Finding route for path: /userregistryservice/user-registry/getAllRoles
09:24:06.689 INFO 8720 --- [nio-8080-exec-3] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Mon Sep 14 09:24:06 CEST 2015, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={message=Access is denied, type=org.springframework.security.access.AccessDeniedException}]
I have implemented a Zuul proxy, where I pass the principal to the request headers to be redirected but when the request is sent for the second time, this filter is not invoked (Spring Security captures the request as it were an anonymous request).
Any ideas on what is going on here?
Thanks
EDIT: Investigating with Fiddler, I have found out that the request being reject is answered with a HTTP 302 code, after two successful requests:
EDIT #2: This is my SpringĀ“s boot security configuration
#Autowired
private RequestHeaderAuthenticationFilter siteminderFilter;
#Override
protected void configure(HttpSecurity http) throws Exception {
// #formatter:off
http.anonymous().and().addFilter(siteminderFilter)
.authorizeRequests()
.antMatchers("/authfallback/**", "/access_requests.css")
.permitAll()
.antMatchers("/auth/**")
.fullyAuthenticated()
.antMatchers("/**/metrics")
.hasAnyRole("SYSTEM", "ADMIN")
.antMatchers("/logs")
.hasAnyRole("SYSTEM", "ADMIN")
.antMatchers("/user-registry/**")
.hasAnyRole("SYSTEM", "ADMIN")
.antMatchers("/AdminTools/**", "/api-docs")
.hasAnyRole("ADMIN")
.antMatchers("/sdoc.jsp", "o2c.html")
.denyAll()
.antMatchers("/**")
.hasAnyRole("SYSTEM", "ENGINEERING", "CUSTOMER", "EXECUTIVE", "ADMIN").and().formLogin()
.loginPage("/authfallback/login").defaultSuccessUrl("/index.html", false)
.permitAll().and().logout()
.invalidateHttpSession(true).logoutUrl("/logout").logoutSuccessHandler(wamLogoutHandler).and()
.exceptionHandling().accessDeniedPage("/auth/authorizationrequest").and().csrf().disable();
// #formatter:on
}
Add the following property to zuul:
zuul.sensitiveHeaders:
I came across the Greach 2014 presentation of Alvaro. I downloaded the example from GitHub and started it.
When I try to authenticate with
curl -i -H "Content-Type: application/json" -X POST -d '{"username":"jimi","password":"jimispassword"}' http://localhost:8080/restful-grails-springsecurity-greach2014/api/login
I am getting this on the curl side.
HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Mon, 18 May 2015 14:57:07 GMT
Connection: close
On serverside I see that.
|Server running. Browse to http://localhost:8080/restful-grails-springsecurity-greach2014
....2015-05-18 16:57:07,840 [http-bio-8080-exec-4] DEBUG util.AntPathRequestMatcher - Request '/api/login' matched by universal pattern '/**'
2015-05-18 16:57:07,841 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /api/login at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-05-18 16:57:07,842 [http-bio-8080-exec-4] DEBUG context.HttpSessionSecurityContextRepository - No HttpSession currently exists
2015-05-18 16:57:07,842 [http-bio-8080-exec-4] DEBUG context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
2015-05-18 16:57:07,844 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /api/login at position 2 of 11 in additional filter chain; firing Filter: 'MutableLogoutFilter'
2015-05-18 16:57:07,844 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /api/login at position 3 of 11 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'
2015-05-18 16:57:07,846 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /api/login at position 4 of 11 in additional filter chain; firing Filter: 'RestAuthenticationFilter'
2015-05-18 16:57:07,878 [http-bio-8080-exec-4] DEBUG rest.RestAuthenticationFilter - Actual URI is /api/login; endpoint URL is /api/login
2015-05-18 16:57:07,878 [http-bio-8080-exec-4] DEBUG rest.RestAuthenticationFilter - Applying authentication filter to this request
2015-05-18 16:57:07,919 [http-bio-8080-exec-4] DEBUG credentials.DefaultJsonPayloadCredentialsExtractor - No JSON body sent in the request
2015-05-18 16:57:07,919 [http-bio-8080-exec-4] DEBUG rest.RestAuthenticationFilter - Username and/or password parameters are missing.
2015-05-18 16:57:07,920 [http-bio-8080-exec-4] DEBUG rest.RestAuthenticationFilter - Setting status to 400
2015-05-18 16:57:07,921 [http-bio-8080-exec-4] DEBUG context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-05-18 16:57:07,922 [http-bio-8080-exec-4] DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
No JSON body sent in the request. How do I have to send this using cURL?
Or why doesn't it pick up my
-X POST -d '{"username":"jimi","password":"jimispassword"}'
Change your cURL request as:
curl -i -H "Content-Type: application/json" -X POST -data '{"username":"jimi","password":"jimispassword"}' http://localhost:8080/restful-grails-springsecurity-greach2014/api/login
Notice that i have changed the '-d' with '--data'
I think my problem is rather cURL-syntax related than grails related. I tested with Firefox RestClient and it is working fine.
I've embeded Spring Security in my existing JSF 2 application running on Glassfish 3.1.2.
To do it, I used approach using forwarding to /j_spring_security_check, described in the following article:
http://ocpsoft.org/java/acegi-spring-security-jsf-login-page/
My code is almost 1-to-1 copy of the code of the article.
Here is login.xhtml:
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:f="http://java.sun.com/jsf/core"
template="/template/template.xhtml">
<ui:define name="content">
<h:form id="loginForm" prependId="false">
<h:panelGrid columns="2">
<h:outputText value="#{msg['loginDialog.login']}: " />
<h:inputText id="j_username" required="true" />
<h:outputText value="#{msg['loginDialog.password']}" />
<h:inputSecret id="j_password" required="true" />
</h:panelGrid>
<h:commandButton type="submit"
action="#{loginBean.doLogin}"
value="#{msg['loginDialog.register']}" />
</h:form>
</ui:define>
Here is my login bean:
public class LoginBean implements Serializable {
public String doLogin() throws IOException, ServletException {
ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
Map map = FacesContext.getCurrentInstance().getExternalContext().getRequestParameterMap();
String j_user = (String) map.get("j_username");
String j_pwd = (String) map.get("j_password");
RequestDispatcher dispatcher = ((ServletRequest) context.getRequest()).getRequestDispatcher("/j_spring_security_check?j_username=" + j_user + "&j_password=" + j_pwd);
dispatcher.forward((ServletRequest) context.getRequest(), (ServletResponse) context.getResponse());
FacesContext.getCurrentInstance().responseComplete();
return null;
}
}
And this is declaration of security context:
<context:component-scan base-package="com.mycompany.package"/>
<security:global-method-security
secured-annotations="enabled">
</security:global-method-security>
<security:http auto-config="true"
access-denied-page="/accessDenied.xhtml">
<security:intercept-url pattern="/*"
access="ROLE_VIEWER,ROLE_CREATOR,ROLE_ADMIN" />
<security:form-login
login-processing-url="/j_spring_security_check"
login-page="/login.xhtml"
default-target-url="/main.xhtml"
authentication-failure-url="/login.xhtml" />
<security:logout logout-url="/logout*"
logout-success-url="/login.xhtml"
invalidate-session="true"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider user-service-ref='userDetailsService'/>
</security:authentication-manager>
Then I created a listener to catch all AbstractAuthenticationEvent:
public class AuthenticationListener implements
ApplicationListener<AbstractAuthenticationEvent> {
private final static Log log = LogFactory.getLog(AuthenticationListener.class);
#Override
public void onApplicationEvent(AbstractAuthenticationEvent e) {
// some processing
}
}
The problem is: after each successefull login, the AuthenticationEvent is generated twice, not once, as it could be suggested.
Would somebody explain, what is wrong ?
Some addition: the event is generated twice, because (I don't understand why), there is automatic logout right after login and then new authentication. Here is the snippet from log:
INFO: ** trying to retrieve user
INFO: ** user is found
INFO: Hibernate: insert into audit (EVENT_TYPE, EVENT_TIMESTAMP,
USER_ID) values (?, ?, ?)
INFO: Current Session destroyed :3ee7b951888eb8920d07fefceaec by
org.apache.catalina.session.StandardSessionFacade#57ac8e Logging out
user...
INFO: Logging out
INFO: Current Session created : 3f1fd377302220f2f27313c06cdc at Mon
Jun 25 16:00:57 CEST 2012 by
org.apache.catalina.session.StandardSessionFacade#912e6a
INFO: Hibernate: insert into audit (EVENT_TYPE, EVENT_TIMESTAMP,
USER_ID) values (?, ?, ?)
Here is the the log with debugging on (sorry for the long list):
26 Jun 2012 12:47:58,703 DEBUG HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
26 Jun 2012 12:47:58,703 DEBUG SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
26 Jun 2012 12:48:04,078 DEBUG FilterChainProxy : /login.xhtml at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
26 Jun 2012 12:48:04,078 DEBUG HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
26 Jun 2012 12:48:04,078 DEBUG HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade#10fbf9. A new one will be created.
26 Jun 2012 12:48:04,078 DEBUG FilterChainProxy : /login.xhtml at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
26 Jun 2012 12:48:04,078 DEBUG FilterChainProxy : /login.xhtml at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
26 Jun 2012 12:48:04,078 DEBUG FilterChainProxy : /login.xhtml at position 4 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
26 Jun 2012 12:48:04,078 DEBUG FilterChainProxy : /login.xhtml at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
26 Jun 2012 12:48:04,078 DEBUG DefaultSavedRequest : pathInfo: both null (property equals)
26 Jun 2012 12:48:04,078 DEBUG DefaultSavedRequest : queryString: both null (property equals)
26 Jun 2012 12:48:04,078 DEBUG DefaultSavedRequest : requestURI: arg1=/mdmd/; arg2=/mdmd/login.xhtml (property not equals)
26 Jun 2012 12:48:04,093 DEBUG HttpSessionRequestCache : saved request doesn't match
26 Jun 2012 12:48:04,093 DEBUG FilterChainProxy : /login.xhtml at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
26 Jun 2012 12:48:04,093 DEBUG FilterChainProxy : /login.xhtml at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
26 Jun 2012 12:48:04,093 DEBUG AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#6faba4dc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 7f9b291fe5d980eba4639fdcb232; Granted Authorities: ROLE_ANONYMOUS'
26 Jun 2012 12:48:04,093 DEBUG FilterChainProxy : /login.xhtml at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
26 Jun 2012 12:48:04,093 DEBUG FilterChainProxy : /login.xhtml at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
26 Jun 2012 12:48:04,093 DEBUG FilterChainProxy : /login.xhtml at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
26 Jun 2012 12:48:04,093 DEBUG AntPathRequestMatcher : Checking match of request : '/login.xhtml'; against '/accessdenied*'
26 Jun 2012 12:48:04,093 DEBUG AntPathRequestMatcher : Checking match of request : '/login.xhtml'; against '/login*'
26 Jun 2012 12:48:04,093 DEBUG FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /login.xhtml; Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]
26 Jun 2012 12:48:04,093 DEBUG FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#6faba4dc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 7f9b291fe5d980eba4639fdcb232; Granted Authorities: ROLE_ANONYMOUS
26 Jun 2012 12:48:04,093 DEBUG AffirmativeBased : Voter: org.springframework.security.access.vote.RoleVoter#88fcb2, returned: 0
26 Jun 2012 12:48:04,093 DEBUG AffirmativeBased : Voter: org.springframework.security.access.vote.AuthenticatedVoter#18620f5, returned: 1
26 Jun 2012 12:48:04,093 DEBUG FilterSecurityInterceptor : Authorization successful
26 Jun 2012 12:48:04,093 DEBUG FilterSecurityInterceptor : RunAsManager did not change Authentication object
26 Jun 2012 12:48:04,093 DEBUG FilterChainProxy : /login.xhtml reached end of additional filter chain; proceeding with original chain
26 Jun 2012 12:48:04,281 DEBUG FilterChainProxy : /j_spring_security_check?j_username=admin&j_password=admin at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
26 Jun 2012 12:48:04,281 DEBUG FilterChainProxy : /j_spring_security_check?j_username=admin&j_password=admin at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
26 Jun 2012 12:48:04,281 DEBUG FilterChainProxy : /j_spring_security_check?j_username=admin&j_password=admin at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
26 Jun 2012 12:48:04,281 DEBUG UsernamePasswordAuthenticationFilter : Request is to process authentication
26 Jun 2012 12:48:04,296 DEBUG ProviderManager : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
26 Jun 2012 12:48:04,296 INFO UserDetailsServiceImpl : ** trying to retrieve user
26 Jun 2012 12:48:06,203 INFO UserDetailsServiceImpl : ** user is found
26 Jun 2012 12:48:06,421 WARN LoggerListener : Authentication event AuthenticationSuccessEvent: admin; details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 7f9b291fe5d980eba4639fdcb232
26 Jun 2012 12:48:06,421 DEBUG SessionFixationProtectionStrategy : Invalidating session with Id '7f9b291fe5d980eba4639fdcb232' and migrating attributes.
26 Jun 2012 12:48:06,468 DEBUG SessionFixationProtectionStrategy : Started new session: 7f9eb44f14616034a4b5169d6ac6
26 Jun 2012 12:48:06,468 DEBUG UsernamePasswordAuthenticationFilter : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#be0d966d: Principal: org.mycompany.domain.security.UserDetailsImpl#1508a8b; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 7f9b291fe5d980eba4639fdcb232; Granted Authorities: ROLE_ADMIN
26 Jun 2012 12:48:06,531 WARN LoggerListener : Authentication event InteractiveAuthenticationSuccessEvent: admin; details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 7f9b291fe5d980eba4639fdcb232
26 Jun 2012 12:48:06,531 DEBUG SavedRequestAwareAuthenticationSuccessHandler : Redirecting to DefaultSavedRequest Url: 'http://localhost:9080/mdmd/'
26 Jun 2012 12:48:06,531 DEBUG DefaultRedirectStrategy : Redirecting to 'http://localhost:9080/mdmd/'
26 Jun 2012 12:48:06,531 DEBUG HttpSessionSecurityContextRepository : SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl#be0d966d: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#be0d966d: Principal: org.mycompany.domain.security.UserDetailsImpl#1508a8b; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 7f9b291fe5d980eba4639fdcb232; Granted Authorities: ROLE_ADMIN'
26 Jun 2012 12:48:06,562 DEBUG ExceptionTranslationFilter : Chain processed normally
26 Jun 2012 12:48:06,562 DEBUG SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
26 Jun 2012 12:48:06,593 DEBUG FilterChainProxy : /index.jsp at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
26 Jun 2012 12:48:06,609 DEBUG HttpSessionSecurityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#be0d966d: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#be0d966d: Principal: org.mycompany.domain.security.UserDetailsImpl#1508a8b; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 7f9b291fe5d980eba4639fdcb232; Granted Authorities: ROLE_ADMIN'
26 Jun 2012 12:48:06,609 DEBUG FilterChainProxy : /index.jsp at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
26 Jun 2012 12:48:06,609 DEBUG FilterChainProxy : /index.jsp at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
26 Jun 2012 12:48:06,609 DEBUG FilterChainProxy : /index.jsp at position 4 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
26 Jun 2012 12:48:06,609 DEBUG FilterChainProxy : /index.jsp at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
26 Jun 2012 12:48:06,609 DEBUG DefaultSavedRequest : pathInfo: both null (property equals)
26 Jun 2012 12:48:06,609 DEBUG DefaultSavedRequest : queryString: both null (property equals)
26 Jun 2012 12:48:06,609 DEBUG DefaultSavedRequest : requestURI: arg1=/mdmd/; arg2=/mdmd/ (property equals)
26 Jun 2012 12:48:06,609 DEBUG DefaultSavedRequest : serverPort: arg1=9080; arg2=9080 (property equals)
26 Jun 2012 12:48:06,609 DEBUG DefaultSavedRequest : requestURL: arg1=http://localhost:9080/mdmd/; arg2=http://localhost:9080/mdmd/ (property equals)
26 Jun 2012 12:48:06,609 DEBUG DefaultSavedRequest : scheme: arg1=http; arg2=http (property equals)
26 Jun 2012 12:48:06,609 DEBUG DefaultSavedRequest : serverName: arg1=localhost; arg2=localhost (property equals)
26 Jun 2012 12:48:06,609 DEBUG DefaultSavedRequest : contextPath: arg1=/mdmd; arg2=/mdmd (property equals)
26 Jun 2012 12:48:06,609 DEBUG DefaultSavedRequest : servletPath: arg1=/index.jsp; arg2=/index.jsp (property equals)
26 Jun 2012 12:48:06,609 DEBUG HttpSessionRequestCache : Removing DefaultSavedRequest from session if present
26 Jun 2012 12:48:06,609 DEBUG FilterChainProxy : /index.jsp at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
26 Jun 2012 12:48:06,609 DEBUG FilterChainProxy : /index.jsp at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
26 Jun 2012 12:48:06,609 DEBUG AnonymousAuthenticationFilter : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#be0d966d: Principal: org.mycompany.domain.security.UserDetailsImpl#1508a8b; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 7f9b291fe5d980eba4639fdcb232; Granted Authorities: ROLE_ADMIN'
26 Jun 2012 12:48:06,609 DEBUG FilterChainProxy : /index.jsp at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
26 Jun 2012 12:48:06,609 DEBUG FilterChainProxy : /index.jsp at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
26 Jun 2012 12:48:06,609 DEBUG FilterChainProxy : /index.jsp at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
26 Jun 2012 12:48:06,609 DEBUG AntPathRequestMatcher : Checking match of request : '/index.jsp'; against '/accessdenied*'
26 Jun 2012 12:48:06,625 DEBUG AntPathRequestMatcher : Checking match of request : '/index.jsp'; against '/login*'
26 Jun 2012 12:48:06,625 DEBUG AntPathRequestMatcher : Checking match of request : '/index.jsp'; against '/sessionexpired*'
26 Jun 2012 12:48:06,625 DEBUG AntPathRequestMatcher : Checking match of request : '/index.jsp'; against '/*'
26 Jun 2012 12:48:06,625 DEBUG FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /index.jsp; Attributes: [ROLE_AVIEWER, ROLE_BVIEWER, ROLE_ACREATOR, ROLE_BCREATOR, ROLE_AREGISTER, ROLE_BREGISTER, ROLE_ADMIN]
26 Jun 2012 12:48:06,625 DEBUG FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#be0d966d: Principal: org.mycompany.domain.security.UserDetailsImpl#1508a8b; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 7f9b291fe5d980eba4639fdcb232; Granted Authorities: ROLE_ADMIN
26 Jun 2012 12:48:06,625 DEBUG AffirmativeBased : Voter: org.springframework.security.access.vote.RoleVoter#88fcb2, returned: 1
26 Jun 2012 12:48:06,625 DEBUG FilterSecurityInterceptor : Authorization successful
26 Jun 2012 12:48:06,625 DEBUG FilterSecurityInterceptor : RunAsManager did not change Authentication object
26 Jun 2012 12:48:06,625 DEBUG FilterChainProxy : /index.jsp reached end of additional filter chain; proceeding with original chain
26 Jun 2012 12:48:11,953 DEBUG FilterChainProxy : /main.xhtml at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
26 Jun 2012 12:48:11,953 DEBUG FilterChainProxy : /main.xhtml at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
26 Jun 2012 12:48:11,953 DEBUG FilterChainProxy : /main.xhtml at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
26 Jun 2012 12:48:11,953 DEBUG FilterChainProxy : /main.xhtml at position 4 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
26 Jun 2012 12:48:11,953 DEBUG FilterChainProxy : /main.xhtml at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
26 Jun 2012 12:48:11,953 DEBUG FilterChainProxy : /main.xhtml at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
26 Jun 2012 12:48:11,953 DEBUG FilterChainProxy : /main.xhtml at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
26 Jun 2012 12:48:11,953 DEBUG AnonymousAuthenticationFilter : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#be0d966d: Principal: org.mycompany.domain.security.UserDetailsImpl#1508a8b; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 7f9b291fe5d980eba4639fdcb232; Granted Authorities: ROLE_ADMIN'
26 Jun 2012 12:48:11,953 DEBUG FilterChainProxy : /main.xhtml at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
26 Jun 2012 12:48:11,953 DEBUG FilterChainProxy : /main.xhtml at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
26 Jun 2012 12:48:11,953 DEBUG FilterChainProxy : /main.xhtml at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
26 Jun 2012 12:48:11,953 DEBUG FilterChainProxy : /main.xhtml reached end of additional filter chain; proceeding with original chain