--P.S: my previous post did not show up in the threadlist, so reposting ---
I am working with a tutorial sample from Spring Security on WebSphere 6.1.0.15,
trying to set up pre-authentication (using RequestHeaderPreAuthenticatedProcessingFilter).
In our case, we are using TAM (Tivoli Access Manager with WebSEAL), which will prepopulate the request header "iv-user" before forwarding to our application.
I have changed the applicationContext-security.xml based on the example provided for Siteminder at http://static.springframework.org/sp...h.html#d4e1916
Here's how it currently looks:
Code:
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

    <global-method-security secured-annotations="enabled">
    </global-method-security>

    <http entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
        <intercept-url pattern="/secure/extreme/*" access="ROLE_SUPERVISOR" />
        <intercept-url pattern="/secure/*" access="ROLE_SUPERVISOR,ROLE_USER" />
        <intercept-url pattern="/faces/policysearch*" access="ROLE_SUPERVISOR,ROLE_USER" />
        <intercept-url pattern="/spring/*" access="ROLE_SUPERVISOR,ROLE_USER" />
    </http>

    <beans:bean id="preAuthenticatedProcessingFilterEntryPoint"
        class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint"/>

    <beans:bean id="preAuthenticatedProcessingFilter"
        class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
        <custom-filter position="PRE_AUTH_FILTER" />
        <beans:property name="principalRequestHeader" value="iv-user" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <authentication-manager alias="authenticationManager" />

    <authentication-provider>
        <user-service>
            <user name="super" password="super" authorities="ROLE_SUPERVISOR" />
            <user name="scott" password="scott" authorities="ROLE_USER" />
            <user name="mark" password="mark" authorities="ROLE_USER" disabled="true" />
            <user name="base" password="base" authorities="ROLE_BASE" />
        </user-service>
    </authentication-provider>
</beans:beans>
I am mocking TAM's functionality using a mock Authentication filter for working in development mode.
This MockAuthFilter is being called first (before the springSecurityFilterChain) in the 2 filter chain in my web.xml. All it does is populate a mockRequest class with the "iv-user" request header as
Code:
mockRequest.addHeader("iv-user","super");
and also copy the original request's values into this mockRequest object, and then it calls
chain.doFilter(mockRequest, response) to forward to the springSecurityFilterChain.
My problem is when I click the "secure page" link on the main index page (which should go to http://localhost:9080/samples/secure/index.jsp),
I get the following message in the browser:
Code:
Error 403: Access Denied
And I get the following exception in my logs:
Code:
[09/07/08 11:25:37:665 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,655 [WebContainer : 2] DEBUG FilterChainProxy - Converted URL to lowercase, from: '/secure/index.jsp'; to: '/secure/index.jsp'
[09/07/08 11:25:37:665 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,665 [WebContainer : 2] DEBUG FilterChainProxy - Candidate is: '/secure/index.jsp'; pattern is /**; matched=true
[09/07/08 11:25:37:665 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,665 [WebContainer : 2] DEBUG FilterChainProxy$VirtualFilterChain - /secure/index.jsp at position 1 of 6 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
[09/07/08 11:25:37:665 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,665 [WebContainer : 2] DEBUG HttpSessionContextIntegrationFilter - No HttpSession currently exists
[09/07/08 11:25:37:665 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,665 [WebContainer : 2] DEBUG HttpSessionContextIntegrationFilter - New SecurityContext instance will be associated with SecurityContextHolder
[09/07/08 11:25:37:675 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,665 [WebContainer : 2] DEBUG FilterChainProxy$VirtualFilterChain - /secure/index.jsp at position 2 of 6 in additional filter chain; firing Filter: 'org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter[ order=500; ]'
[09/07/08 11:25:37:685 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,685 [WebContainer : 2] DEBUG AbstractPreAuthenticatedProcessingFilter - Checking secure context token: null
[09/07/08 11:25:37:685 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,685 [WebContainer : 2] DEBUG AbstractPreAuthenticatedProcessingFilter - preAuthenticatedPrincipal = super, trying to authenticate
[09/07/08 11:25:37:685 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,685 [WebContainer : 2] DEBUG AbstractPreAuthenticatedProcessingFilter - Cleared security context due to exception
org.springframework.security.providers.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken
    at org.springframework.security.providers.ProviderManager.doAuthentication(ProviderManager.java:221)
    at org.springframework.security.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:46)
    at org.springframework.security.ui.preauth.AbstractPreAuthenticatedProcessingFilter.doAuthenticate(AbstractPreAuthenticatedProcessingFilter.java:87)
    at org.springframework.security.ui.preauth.AbstractPreAuthenticatedProcessingFilter.doFilterHttp(AbstractPreAuthenticatedProcessingFilter.java:58)
    ................ .... .
[09/07/08 11:25:37:695 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,695 [WebContainer : 2] DEBUG FilterChainProxy$VirtualFilterChain - /secure/index.jsp at position 3 of 6 in additional filter chain; firing Filter: 'org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1100; ]'
[09/07/08 11:25:37:695 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,695 [WebContainer : 2] DEBUG SavedRequestAwareWrapper - Wrapper not replaced; SavedRequest was: null
[09/07/08 11:25:37:695 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,695 [WebContainer : 2] DEBUG FilterChainProxy$VirtualFilterChain - /secure/index.jsp at position 4 of 6 in additional filter chain; firing Filter: 'org.springframework.security.ui.ExceptionTranslationFilter[ order=1400; ]'
[09/07/08 11:25:37:695 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,695 [WebContainer : 2] DEBUG FilterChainProxy$VirtualFilterChain - /secure/index.jsp at position 5 of 6 in additional filter chain; firing Filter: 'org.springframework.security.ui.SessionFixationProtectionFilter[ order=1600; ]'
[09/07/08 11:25:37:705 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,695 [WebContainer : 2] DEBUG FilterChainProxy$VirtualFilterChain - /secure/index.jsp at position 6 of 6 in additional filter chain; firing Filter: 'org.springframework.security.intercept.web.FilterSecurityInterceptor@522e522e'
[09/07/08 11:25:37:705 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,705 [WebContainer : 2] DEBUG DefaultFilterInvocationDefinitionSource - Converted URL to lowercase, from: '/secure/index.jsp'; to: '/secure/index.jsp'
[09/07/08 11:25:37:705 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,705 [WebContainer : 2] DEBUG DefaultFilterInvocationDefinitionSource - Candidate is: '/secure/index.jsp'; pattern is /secure/extreme/*; matched=false
[09/07/08 11:25:37:705 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,705 [WebContainer : 2] DEBUG DefaultFilterInvocationDefinitionSource - Candidate is: '/secure/index.jsp'; pattern is /secure/*; matched=true
[09/07/08 11:25:37:715 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,715 [WebContainer : 2] DEBUG AbstractSecurityInterceptor - Secure object: FilterInvocation: URL: /secure/index.jsp; ConfigAttributes: [ROLE_SUPERVISOR, ROLE_USER]
[09/07/08 11:25:37:715 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,715 [WebContainer : 2] DEBUG ExceptionTranslationFilter - Authentication exception occurred; redirecting to authentication entry point
org.springframework.security.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    at org.springframework.security.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:342)
    at org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:254)
    .............. .. .
[09/07/08 11:25:37:725 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,725 [WebContainer : 2] DEBUG ExceptionTranslationFilter - Authentication entry point being called; SavedRequest added to Session: SavedRequest[http://localhost/samples/secure/index.jsp]
[09/07/08 11:25:37:725 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,725 [WebContainer : 2] DEBUG PreAuthenticatedProcessingFilterEntryPoint - Pre-authenticated entry point called. Rejecting access
[09/07/08 11:25:37:725 EDT] 00000031 SystemOut O 2008-07-09 11:25:37,725 [WebContainer : 2] DEBUG HttpSessionContextIntegrationFilter - SecurityContextHolder now cleared, as request processing completed
Any help will be much appreciated.
Thanks,
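
Added example, not part of the original post: the `ProviderNotFoundException` in the log means no registered provider accepts the `PreAuthenticatedAuthenticationToken` that the header filter submits. The fragment below shows the posted provider block beside one way to register a pre-authentication provider, assuming the Spring Security 2.0.x namespace and class names; the bean ids `userDetailsService` and `preauthAuthProvider` are names chosen here.

```xml
<!-- Added example: a replacement for the <authentication-provider> block in the
     posted applicationContext-security.xml. Bean ids are assumptions. -->

<!-- Before (as posted): <authentication-provider> registers a
     DaoAuthenticationProvider, which handles username/password tokens only.
     ProviderManager therefore has nothing that supports
     PreAuthenticatedAuthenticationToken and throws ProviderNotFoundException.

     <authentication-provider>
         <user-service> ... </user-service>
     </authentication-provider>
-->

<!-- After: publish the in-memory users as a named UserDetailsService so the
     pre-auth provider can look up authorities for the "iv-user" principal.
     The password values are carried over from the post; the pre-auth
     provider does not compare them. -->
<user-service id="userDetailsService">
    <user name="super" password="super" authorities="ROLE_SUPERVISOR" />
    <user name="scott" password="scott" authorities="ROLE_USER" />
    <user name="mark" password="mark" authorities="ROLE_USER" disabled="true" />
    <user name="base" password="base" authorities="ROLE_BASE" />
</user-service>

<!-- The provider that supports PreAuthenticatedAuthenticationToken.
     <custom-authentication-provider /> adds it to the namespace-created
     ProviderManager that the filter reaches through the
     "authenticationManager" alias. -->
<beans:bean id="preauthAuthProvider"
    class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
    <custom-authentication-provider />
    <beans:property name="preAuthenticatedUserDetailsService">
        <beans:bean class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
            <beans:property name="userDetailsService" ref="userDetailsService" />
        </beans:bean>
    </beans:property>
</beans:bean>

<authentication-manager alias="authenticationManager" />
```

With this setup the application accepts whatever `iv-user` value arrives on the request, so it should be reachable only through WebSEAL. The development-only MockAuthFilter mapping should be absent from the production web.xml.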


