UserAuthorizationProcessingFilter intercepting requests ending in /

**Ale** · Feb 3rd, 2012, 10:16 AM

Hi,

I have two security setups for my web app: one to secure the API using 2-legged OAuth and the other to allow users to log into the admin area.

When users log into the admin area, the API no longer requries OAuth access as it is presumed they are authenticated.

Everything works as expected, bar one scenario. If I'm logged in and I request an API URL, like such:

https://www.domain.com/api/server

Everything works fine, the FilterChain proceeds past the UserAuthorizationProcessingFilter as expected (as we are already logged in) and gives me the response I'm looking for. However, if I request the API URL with a trailing slash:

https://www.domain.com/api/server/

The UserAuthorizationProcessingFilter picks up the request and trys to apply OAuth authentication to it, which obviously fails, and returns a 401. The log about:

Code:

DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] Checking match of request : '/api/service/'; against '/static/*' 
DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] Checking match of request : '/api/service/'; against '/favicon.ico' 
DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] Checking match of request : '/api/service/'; against '/api/**' 
DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 1 of 12 in additional filter chain; firing Filter: 'ChannelProcessingFilter' 
DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] Request '/api/service/' matched by universal pattern '/**' 
DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] Request: FilterInvocation: URL: /api/service/; ConfigAttributes: [REQUIRES_SECURE_CHANNEL] 
DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 
DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: ... 
DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 3 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' 
DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 4 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' 
DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 5 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' 
DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] SecurityContextHolder not populated with anonymous token, as it already contained: ... 
DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 6 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter' 
DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 7 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 
DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 8 of 12 in additional filter chain; firing Filter: 'UnauthenticatedRequestTokenProcessingFilter' 
DEBUG [org.springframework.security.oauth.provider.filter.UnauthenticatedRequestTokenProcessingFilter] Request does not require authentication.  OAuth processing skipped. 
DEBUG [org.springframework.security.web.FilterChainProxy] /api/service/ at position 9 of 12 in additional filter chain; firing Filter: 'UserAuthorizationProcessingFilter' 
DEBUG [org.springframework.security.oauth.provider.filter.UserAuthorizationProcessingFilter] Request is to process authentication 
DEBUG [org.springframework.security.oauth.provider.filter.UserAuthorizationProcessingFilter] Authentication request failed: org.springframework.security.oauth.provider.InvalidOAuthParametersException: An OAuth token id is required. 
DEBUG [org.springframework.security.oauth.provider.filter.UserAuthorizationProcessingFilter] Updated SecurityContextHolder to contain null Authentication 
DEBUG [org.springframework.security.oauth.provider.filter.UserAuthorizationProcessingFilter] Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@67479784 
DEBUG [org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler] No failure URL set, sending 401 Unauthorized error 
DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. 
DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] Chain processed normally 
DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed

As you can see from the log, the UserAuthorizationProcessingFilter outputs:

Request is to process authentication

Any ideas?

Thanks,
Ale

Thread: UserAuthorizationProcessingFilter intercepting requests ending in /

Thread Tools

Display

UserAuthorizationProcessingFilter intercepting requests ending in /

Posting Permissions