How to specify an AuthProvider in Spring Sec 2? Trying to backport Kerb / SPNEGO ext

[jimbethancourt]

Hi all,
I'm backporting Mike Weisner's great Kerberos / SPNEGO extension to work with Spring Security 2.0.4 to allow SPNEGO authentication for Atlassian Crowd products. I'd use NTLM, but I have the requirement of redirecting the user to the login page if they're outside of the network, which the Kerberos / SPNEGO enables. I've been able to backport all Sprin g Security 3 classes and am able to get SSO within the network and the login form outside of the network working with the Roo Petclinic app. I run into trouble with the form login authentication provider. It worked fine for Spring Security 3, but I get into a redirect loop with Spring Security 2, and the exception generated in the console is:

Code:

org.springframework.security.providers.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.extensions.kerberos.KerberosServiceRequestToken
        at org.springframework.security.providers.ProviderManager.doAuthentication(ProviderManager.java:214)
        at org.springframework.security.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:46)
        at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131)
        at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
        at org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:89)
        at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
        at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
        at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
        at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
        at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
        at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:864)
        at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
        at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1665)
        at java.lang.Thread.run(Thread.java:662)

The only line of code that I really have control over is
org.springframework.security.extensions.kerberos.w eb.SpnegoAuthenticationProcessingFilter.doFilter(S pnegoAuthenticationProcessingFilter.java:131)
where the AuthenticationManager.authenticate(authenticationR equest) method is called. However, I don't really seem to have control over how the Authentication Manager is injected...

I came across Preauthentication failing - authentication object not found in securityContextHolder but the preauth provider is already specified. Others I've come across are
http://forum.springsource.org/showth...ation-provider
and http://stackoverflow.com/questions/9...ation-provider


My config file is

Code:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:sec="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

	<!-- HTTP security configurations -->
    <sec:http entry-point-ref="spnegoEntryPoint">
    	<sec:form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t"/>
        <sec:logout logout-url="/resources/j_spring_security_logout"/>
        <sec:intercept-url pattern="/owners/**" access="IS_AUTHENTICATED_FULLY" />
        <sec:intercept-url pattern="/pets/**" access="IS_AUTHENTICATED_FULLY" />
        <sec:intercept-url pattern="/vets/**" access="IS_AUTHENTICATED_FULLY" />
        <sec:intercept-url pattern="/visits/**" access="IS_AUTHENTICATED_FULLY" />
        <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    </sec:http>

    <beans:bean id="spnegoEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />

    <beans:bean id="spnegoAuthenticationProcessingFilter"
                class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
        <custom-filter position="PRE_AUTH_FILTER" />
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="failureHandler">
            <beans:bean
                    class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
                <beans:property name="defaultFailureUrl" value="/login"/>
                <beans:property name="allowSessionCreation" value="true"/>
            </beans:bean>
        </beans:property>
    </beans:bean>

	<!-- Configure Authentication mechanism -->
    <sec:authentication-manager alias="authenticationManager"/>


    <beans:bean id="kerberosAuthenticationProvider"
		class="org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider">
        <sec:custom-authentication-provider/>
		<beans:property name="kerberosClient">
			<beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosClient">
				<beans:property name="debug" value="true"/>
			</beans:bean>
		</beans:property>
		<beans:property name="userDetailsService" ref="dummyUserDetailsService"/>
	</beans:bean>

	<beans:bean id="kerberosServiceAuthenticationProvider"
		class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
        <sec:custom-authentication-provider/>
		<beans:property name="ticketValidator">
			<beans:bean
				class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
				<beans:property name="servicePrincipal" value="spnego_test" />
				<!-- Setting keyTabLocation to a classpath resource will most likely not work in a Java EE application Server -->
				<!-- See the Javadoc for more information on that -->
				<beans:property name="keyTabLocation" value="file:///C:\\apache-tomcat-6.0.32\\petclinic.keytab" />
				<beans:property name="debug" value="true" />
			</beans:bean>
		</beans:property>
		<beans:property name="userDetailsService" ref="dummyUserDetailsService" />
	</beans:bean>

    <beans:bean id="dummyUserDetailsService" class="com.springsource.petclinic.security.DummyUserDetailsService"/>

</beans:beans>

and I've tried

Code:

    <beans:bean id="authenticationManager"
                class="org.springframework.security.providers.ProviderManager">
        <beans:property name="providers">
            <beans:list>
                <beans:ref local="kerberosAuthenticationProvider"/>
                <beans:ref local="kerberosServiceAuthenticationProvider"/>
            </beans:list>
        </beans:property>
    </beans:bean>

as the authentication manager declaration as well with the same results.


This may very well be a Spring Security 2 issue that I'm unaware of -- I'm new to Spring Security and any help on what I need to do to set the AuthenticationProvider on the AuthenticationManager to get this resolved would be greatly appreciated.