Spring Security using Websphere & JSF - Unauthenticated problem

Hi,

I'm using Websphere 7 and Spring Security 3 and keeps getting UNAUTHENTICATED after I login.

My web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>All_Admin_User</web-resource-name>
<description />
<url-pattern>*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Authenticated User</role-name>
</auth-constraint>
</security-constraint>

My applicationContext-security.xml:

<sec:http auto-config="true" realm="Demo EOL Login" use-expressions="true" access-denied-page="/accessDenied.jsp" >
<sec:intercept-url pattern="/internal/**" access="hasRole('ROLE_VIEW_EARS_ONLINE')" />
<sec:intercept-url pattern="/external/**" access="hasRole('ROLE_VIEW_EARS_ONLINE')" />
<sec:intercept-url pattern="/**" access="permitAll" />
<sec:form-login/>
<sec:custom-filter position="PRE_AUTH_FILTER" ref="webspherePreAuthFilter" />
</sec:http>

The log from websphere:
MyWebSpherePreAuthenticatedProcessingFilter - principal name is UNAUTHENTICATED
Authentication a is null

I'm using form login for my login_j2ee.jsp I also using the j_spring_security_check action:
<form name="logonForm" action="j_spring_security_check" method="post">

But some how Websphere can't authenticate my login.
Anyone who has had the same problem and managed to solve it?

Kind regards
Jerry Johansson

Can you provide a more detailed log?

More logs

Hi,

When I'm changing my login page to use the j_security_check action I need to login to access the pages. I get in and past my login page and can see my user id in the log in the Principal object.

Logs using j_security_check:

[17/01/11 11:10:48:255 GMT+08:00] 0000007e webcontainer E com.ibm.ws.webcontainer.WebContainer handleRequest SRVE0255E: A WebGroup/Virtual Host to handle /favicon.ico has not been defined.
[17/01/11 11:10:50:162 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedPrincipal called !
[17/01/11 11:10:50:162 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - principal name is ex31548
[17/01/11 11:10:50:162 GMT+08:00] 0000007e SystemOut O Authentication a is null
[17/01/11 11:10:50:162 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedCredentials called ! N/A
[17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O token org.springframework.security.web.authentication.pr eauth.PreAuthenticatedAuthenticationToken@517f1e6f : Principal: ex31548; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.pr eauth.PreAuthenticatedGrantedAuthoritiesWebAuthent icationDetails@fffe9938: RemoteIpAddress: 172.20.203.159; SessionId: ZHzRRoBH7_FUK1OADDFVAUV; Authorities: [CN=EARS ONLINE USER,OU=EARS,OU=SYSTEMS,O=CORP]; Not granted any authorities
[17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O token.name ex31548
[17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O token.getAuthorities []
[17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O token.getCredentials N/A
[17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O token.getDetails org.springframework.security.web.authentication.pr eauth.PreAuthenticatedGrantedAuthoritiesWebAuthent icationDetails@fffe9938: RemoteIpAddress: 172.20.203.159; SessionId: ZHzRRoBH7_FUK1OADDFVAUV; Authorities: [CN=EARS ONLINE USER,OU=EARS,OU=SYSTEMS,O=CORP]
[17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O token.getPrincipal ex31548
[17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O token.isAuthenticated false
[17/01/11 11:10:50:177 GMT+08:00] 0000007e SessionFixati W org.springframework.security.web.authentication.se ssion.SessionFixationProtectionStrategy onAuthentication Your servlet container did not change the session ID when a new session was created. You will not be adequately protected against session-fixation attacks
[17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O Within Simple Filter ... SimpleFilter redirectUrl from Session: null
[17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O SimpleFilter.isAuthenticated() - instance is Authentication
[17/01/11 11:10:50:177 GMT+08:00] 0000007e SystemOut O SimpleFilter.isAuthenticated() - returns: true
[17/01/11 11:10:50:193 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 1
[17/01/11 11:10:50:193 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 2
[17/01/11 11:10:50:193 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 5
[17/01/11 11:10:50:224 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 6
[17/01/11 11:10:50:240 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 7
[17/01/11 11:10:50:365 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 8
[17/01/11 11:10:50:365 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 9
[17/01/11 11:10:50:412 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 10
[17/01/11 11:10:50:412 GMT+08:00] 0000007e SystemOut O AuditTrailBean init 11
[17/01/11 11:10:50:427 GMT+08:00] 0000007e SystemOut O Filtering the Response ...
[17/01/11 11:10:50:427 GMT+08:00] 0000007e WASSession E MTMBuffWrapper storeObject SESN0200E: Caught Exception while trying to serialize.
[17/01/11 11:10:50:427 GMT+08:00] 0000007e WASSession E MTMHashMap handlePropertyHits SESN0202E: Failed to replicate attribute org.springframework.web.context.request.ServletReq uestAttributes.DESTRUCTION_CALLBACK.organisationBe an
[17/01/11 11:10:50:474 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedPrincipal called !
[17/01/11 11:10:50:474 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - principal name is UNAUTHENTICATED
[17/01/11 11:10:50:474 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter getPreAuthenticatedPrincipal a.name: ex31548
[17/01/11 11:10:50:474 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedPrincipal grant authority is ROLE_VIEW_EARS_ONLINE
[17/01/11 11:10:50:474 GMT+08:00] 0000007e SystemOut O Within Simple Filter ... SimpleFilter redirectUrl from Session: null
[17/01/11 11:10:50:474 GMT+08:00] 0000007e SystemOut O SimpleFilter.isAuthenticated() - instance is Authentication
[17/01/11 11:10:50:474 GMT+08:00] 0000007e SystemOut O SimpleFilter.isAuthenticated() - returns: true
[17/01/11 11:10:50:474 GMT+08:00] 0000007e SystemOut O Filtering the Response ...
[17/01/11 11:10:50:490 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedPrincipal called !
[17/01/11 11:10:50:490 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - principal name is UNAUTHENTICATED
[17/01/11 11:10:50:490 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter getPreAuthenticatedPrincipal a.name: ex31548
[17/01/11 11:10:50:490 GMT+08:00] 0000007e SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedPrincipal grant authority is ROLE_VIEW_EARS_ONLINE
[17/01/11 11:10:50:490 GMT+08:00] 0000007e SystemOut O Within Simple Filter ... SimpleFilter redirectUrl from Session: null
[17/01/11 11:10:50:490 GMT+08:00] 0000007e SystemOut O SimpleFilter.isAuthenticated() - instance is Authentication
[17/01/11 11:10:50:490 GMT+08:00] 0000007e SystemOut O SimpleFilter.isAuthenticated() - returns: true

-----------------------------------------------------------

When I'm setting the login page to properly use j_spring_security_check
I can't get past the login page.

Logs when using j_spring_security_check:

[17/01/11 10:53:27:780 GMT+08:00] 0000007c SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedPrincipal called !
[17/01/11 10:53:27:780 GMT+08:00] 0000007c SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - principal name is UNAUTHENTICATED
[17/01/11 10:53:27:780 GMT+08:00] 0000007c SystemOut O Authentication a is null
[17/01/11 10:53:27:780 GMT+08:00] 0000007c SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedCredentials called ! N/A
[17/01/11 10:53:27:780 GMT+08:00] 0000007c SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedPrincipal called !
[17/01/11 10:53:27:780 GMT+08:00] 0000007c SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - principal name is UNAUTHENTICATED
[17/01/11 10:53:27:780 GMT+08:00] 0000007c SystemOut O Authentication a is null
[17/01/11 10:53:27:780 GMT+08:00] 0000007c SystemOut O MyWebSpherePreAuthenticatedProcessingFilter - getPreAuthenticatedCredentials called ! N/A

--------------------------------------------------

A bit of code:

I have a SimpleFilter where I'm checking if I'm authenticated:

public class SimpleFilter implements Filter
{

private FilterConfig filterConfig;

public void doFilter (ServletRequest request,
ServletResponse response,
FilterChain chain)
{

private boolean isAuthenticated()
{
boolean result = false;
SecurityContext context = SecurityContextHolder.getContext();
if (context instanceof SecurityContext)
{
Authentication authentication = context.getAuthentication();
if (authentication instanceof AnonymousAuthenticationToken)
{
// not authenticated
System.out.println("SimpleFilter.isAuthenticated() - instance is AnonymousAuthenticationToken");
}

else if (authentication instanceof Authentication)
{
result = true;
System.out.println("SimpleFilter.isAuthenticated() - instance is Authentication");
}

------------------------------------------

Does it help to select the option that authenticates for each URI visited. I think its somewhere in Security->Global Security->Web and SIP... Then restart the server

Can you post your entire web.xml file.

I am trying something similar, but spring security is overriding my container authentication.

I want to use websphere just for authentication SSO and spring will load the authorities of the user.

Hi guys,

I have the same problem in WebSphere 6.1.
When I try to get

Quote:

public static MyUser getAutenticado()
{
return (MyUser ) SecurityContextHolder.getContext().getAuthenticati on().getPrincipal();
}

In my controller I try

Quote:

UsuarioUtils.getAutenticado().getId();

Is returned Unauthenticated;

When I access the WebSphere direct the error doesn't happens, but if I access by the URL, passing by the load balance and Web Server this error happens.

Any ideia about what can be it?
Any configuration of WebSphere or WebSphere or Load balance?

Thanks,

Hi guys,

I'm attaching a few files for you to see if it can help you out.

Cheers
Jerry Johansson, Perth

For the web.xml I have two different classpaths depending if I'm running locally Tomcat or server Websphere.
applicationContext-security.xml for Tomcat
applicationContext-websphere.xml for Websphere

I also have two different filter names depending of Tomcat or Websphere.
filterChainProxy for Tomcat
springSecurityFilterChain for Websphere

File: web.xml:
<?xml version="1.0"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>EOL Self Admin</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:spring/dataSourceContext.xml
classpath:spring/services-context.xml
classpath:spring/applicationContext.xml



classpath:spring/applicationContext-security.xml


</param-value>
</context-param>
<context-param>
<param-name>javax.faces.DEFAULT_SUFFIX</param-name>
<param-value>.xhtml</param-value>
</context-param>
<context-param>
<param-name>org.richfaces.SKIN</param-name>
<param-value>classic</param-value>
</context-param>
<context-param>
<param-name>org.ajax4jsf.VIEW_HANDLERS</param-name>
<param-value>com.sun.facelets.FaceletViewHandler</param-value>
</context-param>

<context-param>
<param-name>org.ajax4jsf.RESOURCE_URI_PREFIX</param-name>
<param-value>resources/richfaces/a4j</param-value>
</context-param>

<context-param>
<param-name>org.ajax4jsf.GLOBAL_RESOURCE_URI_PREFIX</param-name>
<param-value>resources/richfaces/a4j/g</param-value>
</context-param>

<context-param>
<param-name>org.ajax4jsf.SESSION_RESOURCE_URI_PREFIX</param-name>
<param-value>resources/richfaces/a4j/s</param-value>
</context-param>

<filter>
<display-name>RichFaces Filter</display-name>
<filter-name>richfaces</filter-name>
<filter-class>org.ajax4jsf.Filter</filter-class>
</filter>
<filter-mapping>
<filter-name>richfaces</filter-name>
<servlet-name>Faces Servlet</servlet-name>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
</filter-mapping>



<filter>
<filter-name>filterChainProxy</filter-name>

<filter-class>org.springframework.web.filter.DelegatingFil terProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>filterChainProxy</filter-name>

<url-pattern>/*</url-pattern>
</filter-mapping>


<filter>
<filter-name>
Simple Filter Example
</filter-name>
<filter-class>
com.apps.admin.filter.SimpleFilter
</filter-class>
</filter>

<filter-mapping>
<filter-name>
Simple Filter Example
</filter-name>
<url-pattern>
/*
</url-pattern>
</filter-mapping>

<listener>
<listener-class>org.springframework.web.context.ContextLoade rListener</listener-class>
</listener>

<listener>
<listener-class>org.springframework.web.util.Log4jConfigList ener</listener-class>
</listener>

<listener>
<listener-class>org.springframework.web.util.IntrospectorCle anupListener</listener-class>
</listener>

<listener>
<listener-class>org.springframework.web.context.request.Requ estContextListener</listener-class>
</listener>

<listener>
<listener-class>org.springframework.security.web.session.Htt pSessionEventPublisher</listener-class>
</listener>

<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>

<resource-ref>
<res-ref-name>jdbc/appsonlineDS</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>


<security-constraint>
<web-resource-collection>
<web-resource-name>Login Page</web-resource-name>
<description />
<url-pattern>/login_j2ee.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Everybody</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>All_Admin_User</web-resource-name>
<description />
<url-pattern>*.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ROLE_VIEW_ONLINE</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/external/login_j2ee.jsp</form-login-page>
<form-error-page>/accessDenied.jsp</form-error-page>
</form-login-config>

</login-config>
<security-role>
<role-name>ROLE_VIEW_ONLINE</role-name>
</security-role>

<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/error/errorpage.jsp</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/error/errorpage.jsp</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/error/404page.html</location>
</error-page>

</web-app>

applicationContext-security.xml (To use with Tomcat)

Use this file for Tomcat.

Cheers
Jerry Johansson, Perth

File applicationContext-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schem...-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

<bean id="filterChainProxy" class="org.springframework.security.web.FilterChai nProxy">
<sec:filter-chain-map path-type="ant">
<sec:filter-chain pattern="/**"
filters="sif,j2eePreAuthFilter,logoutFilter,etf,fs i" />
</sec:filter-chain-map>
</bean>

<bean id="sif"
class="org.springframework.security.web.context.Se curityContextPersistenceFilter" />

<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref='preAuthenticatedAuthenticationProvider' />
</sec:authentication-manager>

<bean id="preAuthenticatedAuthenticationProvider"
class="org.springframework.security.web.authentica tion.preauth.PreAuthenticatedAuthenticationProvide r">
<property name="preAuthenticatedUserDetailsService" ref="myPreAuthenticatedUserDetailsService" />
</bean>

<bean id="preAuthenticatedUserDetailsService"
class="org.springframework.security.web.authentica tion.preauth.PreAuthenticatedGrantedAuthoritiesUse rDetailsService" />

<bean id="myPreAuthenticatedUserDetailsService"
class="com.apps.admin.security.MyPreAuthenticatedG rantedAuthoritiesUserDetailsService">
</bean>

<bean id="j2eePreAuthFilter"
class="org.springframework.security.web.authentica tion.preauth.j2ee.J2eePreAuthenticatedProcessingFi lter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationDetailsSource">
<bean
class="org.springframework.security.web.authentica tion.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuth enticationDetailsSource">
<property name="mappableRolesRetriever">
<bean
class="org.springframework.security.web.authentica tion.preauth.j2ee.WebXmlMappableAttributesRetrieve r" />
</property>
<property name="userRoles2GrantedAuthoritiesMapper">
<bean
class="org.springframework.security.core.authority .mapping.SimpleAttributes2GrantedAuthoritiesMapper ">
<property name="convertAttributeToUpperCase" value="true" />
</bean>
</property>
</bean>
</property>
</bean>

<bean id="preAuthenticatedProcessingFilterEntryPoint"
class="org.springframework.security.web.authentica tion.Http403ForbiddenEntryPoint" />

<bean id="logoutFilter"
class="org.springframework.security.web.authentica tion.logout.LogoutFilter">
<constructor-arg value="/" />
<constructor-arg>
<list>
<bean
class="org.springframework.security.web.authentica tion.logout.SecurityContextLogoutHandler" />
</list>
</constructor-arg>
</bean>

<bean id="servletContext"
class="org.springframework.web.context.support.Ser vletContextFactoryBean" />

<bean id="etf"
class="org.springframework.security.web.access.Exc eptionTranslationFilter">
<property name="authenticationEntryPoint" ref="preAuthenticatedProcessingFilterEntryPoint" />
</bean>

<bean id="httpRequestAccessDecisionManager"
class="org.springframework.security.access.vote.Af firmativeBased">
<property name="allowIfAllAbstainDecisions" value="false" />
<property name="decisionVoters">
<list>
<ref bean="roleVoter" />
</list>
</property>
</bean>

<bean id="fsi"
class="org.springframework.security.web.access.int ercept.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="httpRequestAccessDecisionManager" />
<property name="securityMetadataSource">
<sec:filter-invocation-definition-source>
<sec:intercept-url pattern="/internal/**" access="ROLE_VIEW_ONLINE" />
<sec:intercept-url pattern="/external/**" access="ROLE_VIEW_ONLINE" />
</sec:filter-invocation-definition-source>
</property>
</bean>

<bean id="roleVoter" class="org.springframework.security.access.vote.Ro leVoter" />

<bean id="securityContextHolderAwareRequestFilter"
class="org.springframework.security.web.servletapi .SecurityContextHolderAwareRequestFilter" />



</beans>

And here is applicationContext-websphere.xml, to use when running Websphere.

Cheers
Jerry Johansson, Perth

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schem...-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<sec:http auto-config="true" realm="Demo EOL Login" use-expressions="true" access-denied-page="/accessDenied.jsp" >
<sec:intercept-url pattern="/internal/*.xhtml" access="hasRole('ROLE_VIEW_ONLINE') and hasRole('ROLE_VIEW_ONLINE_INTERNAL') and hasRole('ROLE_CORP_ADMIN')" />
<sec:intercept-url pattern="/external/*.xhtml" access="hasRole('ROLE_VIEW_ONLINE') and hasRole('ROLE_VIEW_ONLINE_EXTERNAL') and hasRole('ROLE_ADMIN')" />
<sec:intercept-url pattern="/external/login_j2ee.jsp" access="permitAll" />
<sec:intercept-url pattern="/internal/login_j2ee.jsp" access="permitAll" />
<sec:intercept-url pattern="/**" access="permitAll" />
<sec:intercept-url pattern="/img/**" access="permitAll" />
<sec:intercept-url pattern="/internal/css/**" access="permitAll" />
<sec:intercept-url pattern="/external/css/**" access="permitAll" />
<sec:intercept-url pattern="/internal/img/**" access="permitAll" />
<sec:intercept-url pattern="/external/img/**" access="permitAll" />
<sec:intercept-url pattern="/resources/richfaces/a4j/**" access="permitAll" />
<sec:intercept-url pattern="/resources/richfaces/a4j/scss/datascroller.xcss/DATB/**" access="permitAll" />
<sec:intercept-url pattern="/resources/richfaces/a4j/gorg/richfaces/renderkit/html/css/**" access="permitAll" />
<sec:intercept-url pattern="/resources/richfaces/a4j/gorg.richfaces.renderkit.html.iconimages.DataTable IconSortAsc/DATB/**" access="permitAll" />
<sec:intercept-url pattern="/resources/richfaces/a4j/sorg/richfaces/renderkit/html/css/scrollable-data-table.xcss/DATB/**" access="permitAll" />
<sec:intercept-url pattern="/resources/richfaces/a4j/sorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/**" access="permitAll" />
<sec:intercept-url pattern="/resources/richfaces/a4j/gorg/richfaces/renderkit/html/scripts/**" access="permitAll" />

<sec:form-login/>
<sec:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
<sec:custom-filter position="PRE_AUTH_FILTER" ref="webspherePreAuthFilter" />
<sec:session-management session-authentication-strategy-ref="sas"/>
<sec:logout invalidate-session="true"/>

</sec:http>
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref="preAuthenticatedAuthenticationProvider"/>
</sec:authentication-manager>

<bean id="sessionRegistry" class="org.springframework.security.core.session.S essionRegistryImpl" />

<bean id="sas" class="org.springframework.security.web.authentica tion.session.ConcurrentSessionControlStrategy">
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />

</bean>

<bean id="concurrencyFilter" class="org.springframework.security.web.session.Co ncurrentSessionFilter">
<property name="sessionRegistry" ref="sessionRegistry" />
<property name="expiredUrl" value="/accessDenied.jsp" />
</bean>

<bean id="webspherePreAuthFilter" class="com.apps.admin.security.MyWebSpherePreAuthe nticatedProcessingFilter">
<property name="sessionAuthenticationStrategy" ref="sas" />
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationDetailsSource" ref="websphereAuthenticationDetailsSource" />
</bean>

<bean id="websphereAuthenticationDetailsSource"
class="org.springframework.security.web.authentica tion.preauth.websphere.WebSpherePreAuthenticatedWe bAuthenticationDetailsSource">
<property name="webSphereGroups2GrantedAuthoritiesMapper" ref="grantedAuthoritiesMapper" />
</bean>
<bean id="grantedAuthoritiesMapper"
class="org.springframework.security.core.authority .mapping.SimpleAttributes2GrantedAuthoritiesMapper ">
<property name="convertAttributeToUpperCase" value="true" />
<property name="attributePrefix" value=""/>
</bean>
<bean id="webSphere2SpringSecurityPropagationInterceptor " class="org.springframework.security.web.authentica tion.preauth.websphere.WebSphere2SpringSecurityPro pagationInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationDetailsSource" ref="websphereAuthenticationDetailsSource"/>
</bean>
<bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.web.authentica tion.preauth.PreAuthenticatedAuthenticationProvide r">
<property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
</bean>

<bean id="preAuthenticatedUserDetailsService"
class="com.apps.admin.security.WasPreAuthenticated UserDetailsService" >

</bean>


<bean id="roleVoter" class="org.springframework.security.access.vote.Ro leVoter">
<property name="rolePrefix" value=""/>
</bean>

</beans><?xml version="1.0" encoding="windows-1250"?>

File: WasPreAuthenticatedUserDetailsService

Below is my WasPreAuthenticatedUserDetailsService, to actually get the grantedAuthorities from the Autentication token, from Websphere and in my case LDAP, and do the validation.

(I have changed the content a bit for package names and variables name for protection)

Cheers
Jerry Johansson, Perth

File WasPreAuthenticatedUserDetailsService:

package com.apps.admin.security;

import com.apps.admin.util.Constants;
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationEx ception;
import org.springframework.security.core.GrantedAuthority ;
import org.springframework.security.core.authority.Grante dAuthoritiesContainer;
import org.springframework.security.core.authority.Grante dAuthorityImpl;
import org.springframework.security.core.userdetails.Auth enticationUserDetailsService;
import org.springframework.security.core.userdetails.User ;
import org.springframework.security.core.userdetails.User Details;
import org.springframework.security.core.userdetails.User nameNotFoundException;
import org.springframework.util.Assert;
import com.apps.framework.objectclass.Person;
import com.apps.admin.ldap.AppsLDAP;
import com.apps.admin.service.UserService;
import com.apps.admin.util.AppsProperty;
import org.springframework.beans.factory.annotation.Autow ired;
import org.springframework.beans.factory.annotation.Quali fier;

public class WasPreAuthenticatedUserDetailsService implements AuthenticationUserDetailsService {

@Autowired
@Qualifier("userService")
private UserService userService;

List<GrantedAuthority> authAuthorities;
public List<GrantedAuthority> getAuthAuthorities() {
return authAuthorities;
}

public void setAuthAuthorities(List<GrantedAuthority> authAuthorities) {
this.authAuthorities = authAuthorities;
}

/**
* Get a UserDetails object based on the user name contained in the given
* token, and the GrantedAuthorities as returned by the
* GrantedAuthoritiesContainer implementation as returned by
* the token.getDetails() method.
*/
@Override
public UserDetails loadUserDetails(Authentication token)
throws UsernameNotFoundException {
Assert.notNull(token.getDetails());
Assert.isInstanceOf(GrantedAuthoritiesContainer.cl ass, token.getDetails());

List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>();
validateAndSetPermissions(token, roles);
UserDetails ud = createuserDetails(token, roles);
return ud;
}

private void validateAndSetPermissions(Authentication token, List<GrantedAuthority> roles){
boolean isAppsOnlineUser = false;
boolean isAppsMineralBusinessAdmin = false;
boolean isAppsPetroleumBusinessAdmin = false;
List<GrantedAuthority> authorities = ((GrantedAuthoritiesContainer) token.getDetails()).getGrantedAuthorities();

if(authorities != null){
for(GrantedAuthority myAuth : authorities){
if(myAuth.equals("CN=Apps ONLINE USER,OU=Apps,OU=SYSTEMS,O=CORP")){
isAppsOnlineUser = true;
}
else if(myAuth.equals("CN=Apps MINERALS BUSINESS ADMIN,OU=Apps,OU=SYSTEMS,O=CORP"))
{
isAppsMineralBusinessAdmin = true;
}
else if(myAuth.equals("CN=Apps PETROLEUM BUSINESS ADMIN,OU=Apps,OU=SYSTEMS,O=CORP"))
{
isAppsPetroleumBusinessAdmin = true;
}

}

if(isAppsOnlineUser){
Person person = AppsLDAP.getPersonAppsOnly(token.getName());
roles.add(new GrantedAuthorityImpl(Constants.SECURITY_ROLES.VIEW _Apps_ONLINE));

if(isAppsMineralBusinessAdmin)
{
roles.add(new GrantedAuthorityImpl(Constants.SECURITY_ROLES.VIEW _CORP_ADMIN));
}
if(isAppsPetroleumBusinessAdmin)
{
roles.add(new GrantedAuthorityImpl(Constants.SECURITY_ROLES.VIEW _CORP_ADMIN));
}
// Validating if user is Internal or External
boolean isExternal = AppsLDAP.CATEGORY_EXTERNAL.equals(person.getCatego ry().getDescription()); //External
if(isExternal){
GrantedAuthority externalAuth = new GrantedAuthorityImpl(Constants.SECURITY_ROLES.VIEW _Apps_ONLINE_EXTERNAL);
roles.add(externalAuth);
System.out.println("Adding 'View Apps Online EXTERNAL' rights");
}else{
GrantedAuthority internalAuth = new GrantedAuthorityImpl(Constants.SECURITY_ROLES.VIEW _Apps_ONLINE_INTERNAL);
roles.add(internalAuth);
System.out.println("Adding 'View Apps Online INTERNAL' rights");
}
List<String> userRoles = new ArrayList();
try{
userRoles = userService.getRoles(token.getName());
}
catch(Exception e){
System.out.println("userService.getRoles failed with userID: " + token.getName());
}
int i = 0;
for(String role: userRoles) {
if(role != null && role.length() > 0) {
i++;
roles.add(new GrantedAuthorityImpl(role));
System.out.println("Adding role from DB: " + role);
}
}
if(isExternal && i==0){
System.out.println("External User " + token.getName() + " has no roles assigned. NOT an external admin user, will be rejected access.");
}

}
}
}

/**
* Creates the final <tt>UserDetails</tt> object. Can be overridden to customize the contents.
*
* @param token the authentication request token
* @param authorities the pre-authenticated authorities.
*/
protected UserDetails createuserDetails(Authentication token, List<GrantedAuthority> authorities) {
return new User(token.getName(), "N/A", true, true, true, true, authorities);
}
}