Thread: Always Basic authentication although Digest is configured

  1. #1
    Join Date
    Apr 2010
    Posts
    15

    Always Basic authentication although Digest is configured

    Hi,
    I am trying to get Digest Authentication running in a client (Eclipse RCP) / server (Tomcat/Spring) application. I configured the Digest configuration on the server:

    Code:
    	<bean id="digestAuthenticationFilter"
    		class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
    		<property name="userDetailsService" ref="ldapUserDetailsService" />
    		<property name="authenticationEntryPoint" ref="digestEntryPoint" />
    	</bean>
    	<bean id="digestEntryPoint"
    		class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
    		<property name="realmName" value="EAP Realm" />
    		<property name="key" value="acegi" />
    		<!-- 8h -->
    		<property name="nonceValiditySeconds" value="28800" />
    	</bean>
    	<bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
    		<constructor-arg ref="userSearch"/>
    		<constructor-arg ref="authoritiesPopulator"/>
    	</bean>
    First authentication works fine!
    The second request always uses Basic Authentication (I can see it in the request header in debug mode).
    I use the following implementation of CommonsHttpInvokerRequestExecutor on the client:

    Code:
    public class AuthenticatedCommonsHttpInvokerRequestExecutor extends
    		CommonsHttpInvokerRequestExecutor {
    	@Override
    	protected void executePostMethod(HttpInvokerClientConfiguration config,
    			HttpClient httpClient, PostMethod postMethod) throws IOException {
    
    		Authentication auth = SecurityContextHolder.getContext()
    				.getAuthentication();
    		if (auth != null) {
    			String username = auth.getPrincipal().toString();
    			String password = auth.getCredentials().toString();
    			Credentials credentials = new UsernamePasswordCredentials(username,
    					password);
    			List<String> authPrefs = new java.util.ArrayList<String>(1);
    			authPrefs.add(AuthPolicy.DIGEST);
    			httpClient.getParams().setParameter(
    					AuthPolicy.AUTH_SCHEME_PRIORITY, authPrefs);
    			httpClient.getParams().setAuthenticationPreemptive(
    					auth.isAuthenticated());
    
    			httpClient.getState().setCredentials(AuthScope.ANY, credentials);
    		}
    		super.executePostMethod(config, httpClient, postMethod);
    	}
    }
    Although I set all Digest information, every request comes with Basic authentication on the server.

    Does anyone know the issue?

    Regards
    phil

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    You'll need to show how you are using the filter.

    Also is there a BasicAuthenticationFilter in your stacktrace? If not, then perhaps your container is prompting for Basic authentication. That should be easy to check.
    Spring - by Pivotal
    twitter @tekul

  3. #3
    Join Date
    Apr 2010
    Posts
    15

    Here's the stack trace:
    Code:
    org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:321)
    	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:195)
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.authentication.www.DigestAuthenticationFilter.doFilter(DigestAuthenticationFilter.java:319)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
    	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
    	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    	at java.lang.Thread.run(Thread.java:619)
    My server-side config is:
    Code:
    	<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    		<security:filter-chain-map path-type="ant">
    			<security:filter-chain pattern="/**" filters="securityContextPersistenceFilter,digestAuthenticationFilter,checkSecurityInterceptor" />
    		</security:filter-chain-map>
    	</bean>
    
    
    	<!-- Digest Authentication -->
    	<bean id="digestAuthenticationFilter"
    		class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
    		<property name="userDetailsService" ref="ldapUserDetailsService" />
    		<property name="authenticationEntryPoint" ref="digestEntryPoint" />
    	</bean>
    	<bean id="digestEntryPoint"
    		class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
    		<property name="realmName" value="My Realm" />
    		<property name="key" value="acegi" />
    		<!-- 8h -->
    		<property name="nonceValiditySeconds" value="28800" />
    	</bean>
    	<bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
    		<constructor-arg ref="userSearch"/>
    		<constructor-arg ref="authoritiesPopulator"/>
    	</bean>

  4. #4
    Join Date
    Apr 2010
    Posts
    15

    Another interesting thing: the HttpMethodDirector of commons-httpclient has the following lines:
    Code:
                        if (this.params.isAuthenticationPreemptive()
                         || this.state.isAuthenticationPreemptive()) 
                        {
                            LOG.debug("Preemptively sending default basic credentials");
                            method.getHostAuthState().setPreemptive();
                            method.getHostAuthState().setAuthAttempted(true);
                            if (this.conn.isProxied() && !this.conn.isSecure()) {
                                method.getProxyAuthState().setPreemptive();
                                method.getProxyAuthState().setAuthAttempted(true);
                            }
                        }
    The setPreemptive() method always sets the AuthScheme to a basic scheme:
    Code:
        public void setPreemptive() {
            if (!this.preemptive) {
                if (this.authScheme != null) {
                    throw new IllegalStateException("Authentication state already initialized");
                }
                this.authScheme = AuthPolicy.getAuthScheme(PREEMPTIVE_AUTH_SCHEME);
                this.preemptive = true;
            }
        }
    Code:
    public class AuthState {
    
        public static final String PREEMPTIVE_AUTH_SCHEME = "basic";
    Do I have the right configuration of the httpclient?
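
As an added illustration (not code from the thread or from the Spring or Commons HttpClient projects): the executor from post #1 with preemptive authentication switched off, so that Commons HttpClient 3.x answers the server's challenge with Digest instead of sending Basic credentials up front. It assumes the server replies to an unauthenticated request with a 401 Digest challenge; the class name is hypothetical.

```java
import java.io.IOException;
import java.util.Collections;

import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthPolicy;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.PostMethod;
import org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor;
import org.springframework.remoting.httpinvoker.HttpInvokerClientConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical class name; a variant of the executor shown in post #1.
public class DigestOnlyHttpInvokerRequestExecutor extends CommonsHttpInvokerRequestExecutor {

    @Override
    protected void executePostMethod(HttpInvokerClientConfiguration config,
            HttpClient httpClient, PostMethod postMethod) throws IOException {

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null && auth.getCredentials() != null) {
            Credentials credentials = new UsernamePasswordCredentials(
                    auth.getPrincipal().toString(), auth.getCredentials().toString());

            // Respond to Digest challenges only; a Basic challenge is not answered,
            // so the password is never sent base64-encoded in an Authorization header.
            httpClient.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY,
                    Collections.singletonList(AuthPolicy.DIGEST));

            // Preemptive mode is tied to AuthState.PREEMPTIVE_AUTH_SCHEME ("basic"),
            // as quoted in post #4, so it must stay off for Digest to be used.
            httpClient.getParams().setAuthenticationPreemptive(false);

            // Offer the credentials to the service host only instead of AuthScope.ANY.
            // getPort() returns -1 (any port) when the service URL has no explicit port.
            AuthScope scope = new AuthScope(postMethod.getURI().getHost(),
                    postMethod.getURI().getPort());
            httpClient.getState().setCredentials(scope, credentials);
        }
        super.executePostMethod(config, httpClient, postMethod);
    }
}
```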
