digest authentication: authentication working but authorization not working.

[cablepuff]

Hi i have the following problem with digest authentication.


Here are my xml settings.
applicationContext-securityCore.xml

Code:

	<security:filter-invocation-definition-source
		id="security.objectDefinitionService" use-expressions="true">
		<security:intercept-url pattern="/edit**"
			access="hasRole('ROLE_ADMIN')" />
		<security:intercept-url pattern="/sell**"
			access="hasAnyRole('ROLE_ADMIN', 'ROLE_CONSUMER')" />
		<security:intercept-url pattern="/buy**"
			access="hasAnyRole('ROLE_ADMIN', 'ROLE_CONSUMER')" />
	</security:filter-invocation-definition-source>

    <!--  having only one user at a time -->
    <bean id="concurrentSessionFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
      <property name="expiredUrl" value="/sessionExpire"/>
      <property name="sessionRegistry" ref="sessionRegistry"/>
    </bean>
    <bean id="concurrentSessionController" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
           <constructor-arg index="0" ref="sessionRegistry"/>
           <property name="maximumSessions" value="${maximumSessions}"/>
           <property name="exceptionIfMaximumExceeded" value="true"/>
    </bean>
    <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>

    <!--  http session -->
    <bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.web.context.HttpSessionContextIntegrationFilter">
      <property name="contextClass" value="org.springframework.security.core.context.SecurityContextImpl"/>
      <property name="forceEagerSessionCreation" value="true"/>
      <property name="allowSessionCreation" value="true"/>
    </bean>

    <!--  context wrapper -->
    <bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter"/>

    <!--  remembering that a user is login -->
    <bean id="rememberMeProcessingFilter" class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter" autowire="byType">
      <property name="rememberMeServices" ref="rememberMeServices"/>
    </bean>
    <bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
      <property name="userDetailsService" ref="digest.userService"/>
      <property name="tokenValiditySeconds" value="${tokenValiditySeconds}"/>
      <property name="key" value="spring remember me"/>
      <property name="tokenRepository" ref="security.persistentTokenService"/>
    </bean>
    <bean id="rememberMeAuthenticationProvider"
          class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
          <property name="key" value="spring remember me"/>
    </bean>

    <!--  authentication in general -->
    <bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider" lazy-init="true">
        <property name="userDetailsService" ref="digest.userService"/>
        <property name="forcePrincipalAsString" value="true"/>
    </bean>

    <!--  handling anoymonous authentication -->
    <bean id="anonymousProcessingFilter" class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
      <property name="key" value="spring anonymous"/>
      <property name="userAttribute" value="Guest,ROLE_ANONYMOUS"/>
    </bean>
    <bean id="anonymousAuthenticationProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
      <property name="key" value="spring anonymous"/>
    </bean>

    <!--  handling logout -->
    <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
      <constructor-arg index="0" value="/logout"/>
      <constructor-arg index="1">
        <list>
          <ref bean="securityContextLogoutHandler"/>
          <ref bean="rememberMeServices"/>
        </list>
      </constructor-arg>
      <property name="filterProcessesUrl" value="/spring_security_logout"/>
    </bean>
    <bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>

    <!--  error handling -->
    <bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter" autowire="byType">
        <property name="accessDeniedHandler" ref="accessDeniedHandler"/>
    </bean>
    <bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
        <property name="errorPage" value="/accessDenied"/>
    </bean>

    <!--  authorization -->
    <bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor" autowire="byName">
      <property name="accessDecisionManager" ref="accessDecisionManager"/>
      <property name="validateConfigAttributes" value="true"/>
      <property name="securityMetadataSource" ref="security.objectDefinitionService"/>
      <property name="authenticationManager" ref="authenticationManager"/>
      <property name="afterInvocationManager" ref="ownership.afterInvocationManager"/>
    </bean>
    
    <bean id="webInvocationPrivilegeEvaluator" class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">
    	<constructor-arg name="securityInterceptor" ref="filterSecurityInterceptor"/>
    </bean>    

    <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
        <property name="rolePrefix" value="ROLE_"/>
    </bean>
    <bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter"/>
    <bean id="webExpressionVoter" class="org.springframework.security.web.access.expression.WebExpressionVoter">
    	<property name="expressionHandler" ref="expressionHandler"/>
    </bean>
    <bean id="expressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"/>

    <!--  decision managers -->
    <util:list id="ownership.decisionVoters">
    	<ref bean="ownership.aclObjectReadVoter"/>
        <ref bean="ownership.aclObjectWriteVoter"/>
        <ref bean="ownership.aclObjectCreateVoter"/>
        <ref bean="ownership.aclObjectDeleteVoter"/>
        <ref bean="roleVoter"/>
        <ref bean="authenticatedVoter"/>
    </util:list>
    <util:list id="ownership.providers">
    	<ref bean="ownership.afterAclCollectionCreate"/>
    	<ref bean="ownership.afterAclCollectionDelete"/>
    	<ref bean="ownership.afterAclCollectionRead"/>
    	<ref bean="ownership.afterAclCollectionWrite"/>
    	<ref bean="ownership.afterAclCreate"/>
    	<ref bean="ownership.afterAclDelete"/>
    	<ref bean="ownership.afterAclRead"/>
    	<ref bean="ownership.afterAclWrite"/>
    </util:list>
    <util:list id="decisionVoters">
    	<ref bean="authenticatedVoter"/>
    	<ref bean="webExpressionVoter"/>
    </util:list>
    
    <bean id="ownership.afterInvocationManager" class="org.springframework.security.access.intercept.AfterInvocationProviderManager">
        <property name="providers" ref="ownership.providers"/>
    </bean>
    <bean id="ownership.accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
        <property name="allowIfAllAbstainDecisions" value="true"/>
        <property name="decisionVoters" ref="ownership.decisionVoters"/>
    </bean>
    <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
      <property name="decisionVoters" ref="decisionVoters"/>
      <property name="allowIfAllAbstainDecisions" value="true"/>
    </bean>



    <!--  switching user identity -->
    <bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
        <property name="switchUserUrl" value="/spring_security_switch_user"/>
        <property name="exitUserUrl" value="/spring_security_exit_user"/>
        <property name="targetUrl" value="/target"/>
        <property name="userDetailsService" ref="digest.userService"/>
    </bean>

    <!--  method security (additional) -->
    <bean id="accessListener" class="org.springframework.security.access.event.LoggerListener"/>
	<bean id="authenticateListener" class="org.springframework.security.authentication.event.LoggerListener"/>
    <bean id="ownership.methodSecurityInterceptor" class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor" autowire="byType">
      <property name="accessDecisionManager" ref="ownership.accessDecisionManager"/>
      <property name="afterInvocationManager" ref="ownership.afterInvocationManager"/>
      <property name="validateConfigAttributes" value="true"/>
      <property name="securityMetadataSource" ref="security.methodDefinitionService"/>
      <property name="authenticationManager" ref="authenticationManager"/>
    </bean>
    
    <bean id="security.urlMatcher" class="org.springframework.security.web.util.AntUrlPathMatcher"/>

[cablepuff]

-- applicationContext-digest.xml

Code:

 
    <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
      <security:filter-chain-map path-type="ant">
          <security:filter-chain pattern="/**"
                    filters="concurrentSessionFilter,httpSessionContextIntegrationFilter,logoutFilter,digestProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor,switchUserProcessingFilter"/>
      </security:filter-chain-map>
    </bean>

    <!-- handling digest authentication -->
    <bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
      <property name="providers">
        <list>
          <ref bean="daoAuthenticationProvider"/>
          <ref bean="anonymousAuthenticationProvider"/>
          <ref bean="rememberMeAuthenticationProvider"/>
        </list>
        </property>
    </bean>
    <bean id="digestProcessingFilter" class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
      <property name="userDetailsService" ref="digest.userService"/>
      <property name="authenticationEntryPoint" ref="digestAuthenticationEntryPoint"/>
    </bean>

    <bean id="digestAuthenticationEntryPoint" class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
      <property name="realmName" value="${digest.relamName}"/>
      <property name="key" value="${digest.security.key}"/>
      <property name="nonceValiditySeconds" value="3600"/>
    </bean>
    
    <security:user-service id="digest.userService">
    	<security:user name="cable" password="Nathan Cable Summers" authorities="ROLE_ADMIN"/>
         <!-- some more user -->
    </security:user-service>

after i log in successfully i get this error

Code:

authenticated principal: org.springframework.security.authentication.AnonymousAuthenticationToken@2a57f33a: Principal: Guest; Credentials: [PROTECTED]; Authenticated: true;
Granted Authorities: ROLE_ANONYMOUS; secure object: FilterInvocation: URL: /edit; configuration attributes: [hasRole('ROLE_ADMIN')

What is wrong? I mean if i enter wrong password, i get rejected by digest user authentication, but after logging in, its putting in anonymous authentication token.

[pmularien]

Please post logs spanning a full login request. Also let us know what version of Spr Sec you are using.

[cablepuff]

i am using spring security 3.0.5 release.

Code:

2011-02-27 23:11:12,234 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif at position 3 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
2011-02-27 23:11:12,235 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif at position 4 of 10 in additional filter chain; firing Filter: 'DigestAuthenticationFilter'
2011-02-27 23:11:12,235 DEBUG [org.springframework.security.web.authentication.www.DigestAuthenticationFilter]["http-bio-443"-exec-2][] Authorization header received from user agent: Digest username="adminUser", realm="localhost", nonce="MTI5ODg4MDEzNjk4NDo0YTk1NTJmYmJmNzRmMGJmNTRjZTcxNWUxMTQ5YWQ4MQ==", uri="/app/resources-0.0.1/dojo/resources/blank.gif", response="1221597f043a24e62606535fe6a8cf02", qop=auth, nc=0000004b, cnonce="8511b044274b88d9"
2011-02-27 23:11:12,236 DEBUG [org.springframework.security.web.authentication.www.DigestAuthenticationFilter]["http-bio-443"-exec-2][] Authentication success for user: 'adminUser' with response: '1221597f043a24e62606535fe6a8cf02'
2011-02-27 23:11:12,236 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif at position 5 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2011-02-27 23:11:12,236 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif at position 6 of 10 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
2011-02-27 23:11:12,236 DEBUG [org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter]["http-bio-443"-exec-2][] SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fffd1495: Principal: org.springframework.security.core.userdetails.User@3ecc3cdf: Username: adminUser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_DEVELOPER; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 85C85FF27E0CAEC09C151E5885A43B24.tomcat-cluster1; Not granted any authorities'
2011-02-27 23:11:12,236 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2011-02-27 23:11:12,236 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]["http-bio-443"-exec-2][] SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fffd1495: Principal: org.springframework.security.core.userdetails.User@3ecc3cdf: Username: adminUser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_DEVELOPER; 
Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 85C85FF27E0CAEC09C151E5885A43B24.tomcat-cluster1; Not granted any authorities'
2011-02-27 23:11:12,237 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif at position 8 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2011-02-27 23:11:12,237 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif at position 9 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2011-02-27 23:11:12,237 DEBUG [org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource]["http-bio-443"-exec-2][] Converted URL to lowercase, from: '/resources-0.0.1/dojo/resources/blank.gif'; to: '/resources-0.0.1/dojo/resources/blank.gif'
2011-02-27 23:11:12,237 DEBUG [org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource]["http-bio-443"-exec-2][] Candidate is: '/resources-0.0.1/dojo/resources/blank.gif'; pattern is /buy**; matched=false
2011-02-27 23:11:12,237 DEBUG [org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource]["http-bio-443"-exec-2][] Candidate is: '/resources-0.0.1/dojo/resources/blank.gif'; pattern is /sell**; matched=false
2011-02-27 23:11:12,237 DEBUG [org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource]["http-bio-443"-exec-2][] Candidate is: '/resources-0.0.1/dojo/resources/blank.gif'; pattern is /edit**; matched=false
2011-02-27 23:11:12,239 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor]["http-bio-443"-exec-2][] Public object - authentication not attempted
2011-02-27 23:11:12,239 INFO  [org.springframework.security.access.event.LoggerListener]["http-bio-443"-exec-2][] Security interception not required for public secure object: FilterInvocation: URL: /resources-0.0.1/dojo/resources/blank.gif
2011-02-27 23:11:12,239 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif at position 10 of 10 in additional filter chain; firing Filter: 'SwitchUserFilter'
2011-02-27 23:11:12,239 DEBUG [org.springframework.security.web.FilterChainProxy]["http-bio-443"-exec-2][] /resources-0.0.1/dojo/resources/blank.gif reached end of additional filter chain; proceeding with original chain
2011-02-27 23:11:12,243 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter]["http-bio-443"-exec-2][] Chain processed normally
2011-02-27 23:11:12,243 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter]["http-bio-443"-exec-2][] SecurityContextHolder now cleared, as request processing completed

[cablepuff]

so authentication and authorization were both working, but I just couldn't get it working with spring security EL tag. <security:authorize access="hasRole('ROLE_ADMIN')"> seems to always return false. I don't get the access denied page (via interceptor).