cirorezende
Apr 7th, 2010, 06:02 PM
Hello!
I have upgraded to Security 3.0.2, and ended up with the following issue: when I place a call to response.sendRedirect() from inside the method successfulAuthentication() - in UsernamePasswordAuthenticationFilter - I receive an IllegalStateException and the system redirects to the default successful authentication page.
My requirement is that when user successfully authenticate, I must redirect him to a page according to a certain condition, and if that condition is false, I must redirect him to another page. That used to work before moving to Spring Security 3.0.
Here is relevant part of my applicationContext-Security.xml:
<beans:beans ... >
<security:http entry-point-ref="myAuthenticationEntryPoint" auto-config="false">
...
<security:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationProcessingFilter"/>
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="MyCustomAuthenticationProvider"/>
</security:authentication-manager>
<beans:bean id="MyCustomAuthenticationProvider" class="br.com.smartnet.vrben.portal.security.CustomAuthen ticationProvider">
<beans:property name="locator">
<beans:bean class="br.com.smartnet.vrben.portal.locator.ServiceLocato r" />
</beans:property>
</beans:bean>
<beans:bean id="myAuthenticationEntryPoint" class="br.com.smartnet.vrben.portal.security.CustomAuthen ticationEntryPoint" >
<beans:property name="loginFormUrl" value="/index.html" />
<beans:property name="forceHttps" value="false" />
</beans:bean>
<beans:bean id="authenticationProcessingFilter" class="br.com.smartnet.vrben.portal.security.CustomAuthen ticationProcessingFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="authenticationFailureHandler" ref="failureHandler" />
<beans:property name="authenticationSuccessHandler" ref="successHandler" />
<beans:property name="sessionAuthenticationStrategy" ref="sessionFixationProtectionStrategy"/>
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<beans:property name="locator">
<beans:bean class="br.com.smartnet.vrben.portal.locator.ServiceLocato r" />
</beans:property>
</beans:bean>
<beans:bean id="successHandler" class="org.springframework.security.web.authentication.Sa vedRequestAwareAuthenticationSuccessHandler" >
<beans:property name="defaultTargetUrl" value="/index.html" />
</beans:bean>
<beans:bean id="failureHandler" class="org.springframework.security.web.authentication.Si mpleUrlAuthenticationFailureHandler" >
<beans:property name="defaultFailureUrl" value="/index.html?authfailed=true" />
</beans:bean>
<beans:bean id="sessionFixationProtectionStrategy" class="org.springframework.security.web.authentication.se ssion.SessionFixationProtectionStrategy">
<beans:property name="migrateSessionAttributes" value="true" />
</beans:bean>
</beans:beans>
Here is the relevant part of my CustomAuthenticationProcessingFilter, which extends UsernamePasswordAuthenticationFilter:
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult) throws IOException, ServletException {
logger.info("login successful: " + authResult.getDetails());
super.successfulAuthentication(request, response, authResult);
// if user is a member of ROLE_PATROCINADOR, redirects them
// to the sponsor's page
if(isUserPatrocinador(request)) {
logger.info("redirecting to the patrocinador's page: " + request.getContextPath() + PATROCINADOR_VIEW);
response.sendRedirect(response.encodeRedirectURL(r equest.getContextPath() + PATROCINADOR_VIEW));
} else {
Usuario usuario = recuperarUsuarioLogado();
if( usuario != null ){
try {
List<Programa> programas = locator.getProgramaInterface().selecionarProgramas doBeneficiario(usuario.getChave());
String redirectUrl = request.getContextPath();
if( programas.size() == 1 ){
//if size == 1 redirect to another URL
Programa programa = programas.iterator().next();
String codPrograma = programa.getCodigoPrograma();
redirectUrl = redirectUrl + PROGRAMA_VIEW + "?idPrograma=" + codPrograma;
} else {
redirectUrl = redirectUrl + MEUS_PROGRAMAS_VIEW;
}
String encodedUrl = response.encodeRedirectURL( redirectUrl );
response.sendRedirect( encodedUrl ); ==> HERE IS WHERE THE PROBLEM HAPPENS
} catch (Exception e) {
logger.error("Erro ao tentar realizar o redirecionamento do usuario autenticado." + e.getMessage(), e);
logger.error("Causa: " + e.getCause().getMessage() + " - Redirecionando para a página principal.");
response.sendRedirect(response.encodeRedirectURL(r equest.getContextPath() + MAIN_VIEW));
}
}
}
}
And here is the log of the error thrown:
[07/04/10 19:47:53:172 BRT] 00000025 SystemOut O 19:47:53,172 INFO CustomAuthenticationProcessingFilter,WebContainer : 3:41 - login successful: org.springframework.security.web.authentication.We bAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: gUraxa6NbqE2z3JxEe6qF6V
[07/04/10 19:47:53:188 BRT] 00000025 SystemOut O 19:47:53,188 INFO ERROR CustomAuthenticationProcessingFilter,WebContainer : 3:80 - Error while trying to redirect authenticated user: null
java.lang.IllegalStateException
at com.ibm.ws.webcontainer.webapp.WebAppDispatcherCon text.sendRedirectWithStatusCode(WebAppDispatcherCo ntext.java:484)
at com.ibm.ws.webcontainer.webapp.WebAppDispatcherCon text.sendRedirect(WebAppDispatcherContext.java:441 )
at com.ibm.ws.webcontainer.srt.SRTServletResponse.sen dRedirect(SRTServletResponse.java:1036)
at javax.servlet.http.HttpServletResponseWrapper.send Redirect(HttpServletResponseWrapper.java:170)
at org.springframework.security.web.context.SaveConte xtOnUpdateOrErrorResponseWrapper.sendRedirect(Save ContextOnUpdateOrErrorResponseWrapper.java:74)
at br.com.xxx.yyy.portal.security.CustomAuthenticatio nProcessingFilter.successfulAuthentication(CustomA uthenticationProcessingFilter.java:75)
at org.springframework.security.web.authentication.Ab stractAuthenticationProcessingFilter.doFilter(Abst ractAuthenticationProcessingFilter.java:219)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 355)
at org.springframework.security.web.authentication.lo gout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 355)
at org.springframework.security.web.context.SecurityC ontextPersistenceFilter.doFilter(SecurityContextPe rsistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 355)
at org.springframework.security.web.access.channel.Ch annelProcessingFilter.doFilter(ChannelProcessingFi lter.java:109)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 355)
at org.springframework.security.web.FilterChainProxy. doFilter(FilterChainProxy.java:149)
at org.springframework.web.filter.DelegatingFilterPro xy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterPro xy.doFilter(DelegatingFilterProxy.java:167)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapp er.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.d oFilter(WebAppFilterChain.java:130)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain._ doFilter(WebAppFilterChain.java:87)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager .doFilter(WebAppFilterManager.java:834)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager .invokeFilters(WebAppFilterManager.java:744)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager .invokeFilters(WebAppFilterManager.java:697)
at com.ibm.ws.wswebcontainer.filter.WebAppFilterManag er.invokeFilters(WebAppFilterManager.java:118)
at com.ibm.ws.webcontainer.extension.DefaultExtension Processor.invokeFilters(DefaultExtensionProcessor. java:818)
at com.ibm.ws.webcontainer.extension.DefaultExtension Processor.handleRequest(DefaultExtensionProcessor. java:768)
at com.ibm.ws.wswebcontainer.extension.DefaultExtensi onProcessor.handleRequest(DefaultExtensionProcesso r.java:113)
at com.ibm.ws.webcontainer.webapp.WebApp.handleReques t(WebApp.java:3440)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequ est(WebGroup.java:267)
at com.ibm.ws.webcontainer.WebContainer.handleRequest (WebContainer.java:815)
at com.ibm.ws.wswebcontainer.WebContainer.handleReque st(WebContainer.java:1461)
at com.ibm.ws.webcontainer.channel.WCChannelLink.read y(WCChannelLink.java:118)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLi nk.handleDiscrimination(HttpInboundLink.java:458)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLi nk.handleNewInformation(HttpInboundLink.java:387)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLi nk.ready(HttpInboundLink.java:267)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialRe adCallback.sendToDiscriminators(NewConnectionIniti alReadCallback.java:214)
at
...
Appreciate any help. Thanks IN ADVANCE!!!
I have upgraded to Security 3.0.2, and ended up with the following issue: when I place a call to response.sendRedirect() from inside the method successfulAuthentication() - in UsernamePasswordAuthenticationFilter - I receive an IllegalStateException and the system redirects to the default successful authentication page.
My requirement is that when user successfully authenticate, I must redirect him to a page according to a certain condition, and if that condition is false, I must redirect him to another page. That used to work before moving to Spring Security 3.0.
Here is relevant part of my applicationContext-Security.xml:
<beans:beans ... >
<security:http entry-point-ref="myAuthenticationEntryPoint" auto-config="false">
...
<security:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationProcessingFilter"/>
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="MyCustomAuthenticationProvider"/>
</security:authentication-manager>
<beans:bean id="MyCustomAuthenticationProvider" class="br.com.smartnet.vrben.portal.security.CustomAuthen ticationProvider">
<beans:property name="locator">
<beans:bean class="br.com.smartnet.vrben.portal.locator.ServiceLocato r" />
</beans:property>
</beans:bean>
<beans:bean id="myAuthenticationEntryPoint" class="br.com.smartnet.vrben.portal.security.CustomAuthen ticationEntryPoint" >
<beans:property name="loginFormUrl" value="/index.html" />
<beans:property name="forceHttps" value="false" />
</beans:bean>
<beans:bean id="authenticationProcessingFilter" class="br.com.smartnet.vrben.portal.security.CustomAuthen ticationProcessingFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="authenticationFailureHandler" ref="failureHandler" />
<beans:property name="authenticationSuccessHandler" ref="successHandler" />
<beans:property name="sessionAuthenticationStrategy" ref="sessionFixationProtectionStrategy"/>
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<beans:property name="locator">
<beans:bean class="br.com.smartnet.vrben.portal.locator.ServiceLocato r" />
</beans:property>
</beans:bean>
<beans:bean id="successHandler" class="org.springframework.security.web.authentication.Sa vedRequestAwareAuthenticationSuccessHandler" >
<beans:property name="defaultTargetUrl" value="/index.html" />
</beans:bean>
<beans:bean id="failureHandler" class="org.springframework.security.web.authentication.Si mpleUrlAuthenticationFailureHandler" >
<beans:property name="defaultFailureUrl" value="/index.html?authfailed=true" />
</beans:bean>
<beans:bean id="sessionFixationProtectionStrategy" class="org.springframework.security.web.authentication.se ssion.SessionFixationProtectionStrategy">
<beans:property name="migrateSessionAttributes" value="true" />
</beans:bean>
</beans:beans>
Here is the relevant part of my CustomAuthenticationProcessingFilter, which extends UsernamePasswordAuthenticationFilter:
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult) throws IOException, ServletException {
logger.info("login successful: " + authResult.getDetails());
super.successfulAuthentication(request, response, authResult);
// if user is a member of ROLE_PATROCINADOR, redirects them
// to the sponsor's page
if(isUserPatrocinador(request)) {
logger.info("redirecting to the patrocinador's page: " + request.getContextPath() + PATROCINADOR_VIEW);
response.sendRedirect(response.encodeRedirectURL(r equest.getContextPath() + PATROCINADOR_VIEW));
} else {
Usuario usuario = recuperarUsuarioLogado();
if( usuario != null ){
try {
List<Programa> programas = locator.getProgramaInterface().selecionarProgramas doBeneficiario(usuario.getChave());
String redirectUrl = request.getContextPath();
if( programas.size() == 1 ){
//if size == 1 redirect to another URL
Programa programa = programas.iterator().next();
String codPrograma = programa.getCodigoPrograma();
redirectUrl = redirectUrl + PROGRAMA_VIEW + "?idPrograma=" + codPrograma;
} else {
redirectUrl = redirectUrl + MEUS_PROGRAMAS_VIEW;
}
String encodedUrl = response.encodeRedirectURL( redirectUrl );
response.sendRedirect( encodedUrl ); ==> HERE IS WHERE THE PROBLEM HAPPENS
} catch (Exception e) {
logger.error("Erro ao tentar realizar o redirecionamento do usuario autenticado." + e.getMessage(), e);
logger.error("Causa: " + e.getCause().getMessage() + " - Redirecionando para a página principal.");
response.sendRedirect(response.encodeRedirectURL(r equest.getContextPath() + MAIN_VIEW));
}
}
}
}
And here is the log of the error thrown:
[07/04/10 19:47:53:172 BRT] 00000025 SystemOut O 19:47:53,172 INFO CustomAuthenticationProcessingFilter,WebContainer : 3:41 - login successful: org.springframework.security.web.authentication.We bAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: gUraxa6NbqE2z3JxEe6qF6V
[07/04/10 19:47:53:188 BRT] 00000025 SystemOut O 19:47:53,188 INFO ERROR CustomAuthenticationProcessingFilter,WebContainer : 3:80 - Error while trying to redirect authenticated user: null
java.lang.IllegalStateException
at com.ibm.ws.webcontainer.webapp.WebAppDispatcherCon text.sendRedirectWithStatusCode(WebAppDispatcherCo ntext.java:484)
at com.ibm.ws.webcontainer.webapp.WebAppDispatcherCon text.sendRedirect(WebAppDispatcherContext.java:441 )
at com.ibm.ws.webcontainer.srt.SRTServletResponse.sen dRedirect(SRTServletResponse.java:1036)
at javax.servlet.http.HttpServletResponseWrapper.send Redirect(HttpServletResponseWrapper.java:170)
at org.springframework.security.web.context.SaveConte xtOnUpdateOrErrorResponseWrapper.sendRedirect(Save ContextOnUpdateOrErrorResponseWrapper.java:74)
at br.com.xxx.yyy.portal.security.CustomAuthenticatio nProcessingFilter.successfulAuthentication(CustomA uthenticationProcessingFilter.java:75)
at org.springframework.security.web.authentication.Ab stractAuthenticationProcessingFilter.doFilter(Abst ractAuthenticationProcessingFilter.java:219)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 355)
at org.springframework.security.web.authentication.lo gout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 355)
at org.springframework.security.web.context.SecurityC ontextPersistenceFilter.doFilter(SecurityContextPe rsistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 355)
at org.springframework.security.web.access.channel.Ch annelProcessingFilter.doFilter(ChannelProcessingFi lter.java:109)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 355)
at org.springframework.security.web.FilterChainProxy. doFilter(FilterChainProxy.java:149)
at org.springframework.web.filter.DelegatingFilterPro xy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterPro xy.doFilter(DelegatingFilterProxy.java:167)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapp er.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.d oFilter(WebAppFilterChain.java:130)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain._ doFilter(WebAppFilterChain.java:87)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager .doFilter(WebAppFilterManager.java:834)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager .invokeFilters(WebAppFilterManager.java:744)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager .invokeFilters(WebAppFilterManager.java:697)
at com.ibm.ws.wswebcontainer.filter.WebAppFilterManag er.invokeFilters(WebAppFilterManager.java:118)
at com.ibm.ws.webcontainer.extension.DefaultExtension Processor.invokeFilters(DefaultExtensionProcessor. java:818)
at com.ibm.ws.webcontainer.extension.DefaultExtension Processor.handleRequest(DefaultExtensionProcessor. java:768)
at com.ibm.ws.wswebcontainer.extension.DefaultExtensi onProcessor.handleRequest(DefaultExtensionProcesso r.java:113)
at com.ibm.ws.webcontainer.webapp.WebApp.handleReques t(WebApp.java:3440)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequ est(WebGroup.java:267)
at com.ibm.ws.webcontainer.WebContainer.handleRequest (WebContainer.java:815)
at com.ibm.ws.wswebcontainer.WebContainer.handleReque st(WebContainer.java:1461)
at com.ibm.ws.webcontainer.channel.WCChannelLink.read y(WCChannelLink.java:118)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLi nk.handleDiscrimination(HttpInboundLink.java:458)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLi nk.handleNewInformation(HttpInboundLink.java:387)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLi nk.ready(HttpInboundLink.java:267)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialRe adCallback.sendToDiscriminators(NewConnectionIniti alReadCallback.java:214)
at
...
Appreciate any help. Thanks IN ADVANCE!!!