-
Jan 25th, 2010, 11:00 PM
#1
SessionIdentifierAware did not return a Session ID
Hi Guru,
I'm testing a pre-authentication scenario with WebLogic 10.0 MP1 and Spring Security 2.0.5.
I can't solve a problem where a 500 error occurs with the traces below.
But the strange thing is that pre-authentication is successful after visiting the pages whose filters setting is 'none', of course before the authentication.
My pre-authentication scenario follows the order below:
1) Access the application root '/'.
2) If pre-authentication is successful, the logged-in user gets the user account of the previous application (for example, an SAP EP user).
3) But if pre-authentication fails, he or she should log in to the application with his or her principal and credential.
Thanks for your help in advance.
========== Traces ===========
2010-01-26 13:15:37,859 DEBUG [com.cj.caf.common.security.SapLogonTicketProcessingFilter] - Checking secure context token: null
2010-01-26 13:15:37,859 DEBUG [com.cj.caf.common.security.SapLogonTicketProcessingFilter] - ######################
2010-01-26 13:15:37,859 DEBUG [com.cj.caf.common.security.SapLogonTicketProcessingFilter] - SapLogonTicketProcessingFilter
2010-01-26 13:15:37,859 DEBUG [com.cj.caf.common.security.SapLogonTicketProcessingFilter] - ######################
2010-01-26 13:15:37,859 DEBUG [com.cj.caf.common.security.SapLogonTicketProcessingFilter] - preAuthenticatedPrincipal = greatshin, trying to authenticate
2010-01-26 13:15:37,859 DEBUG [org.springframework.security.providers.ProviderManager] - Authentication attempt using org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider
2010-01-26 13:15:37,859 DEBUG [org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider] - PreAuthenticated authentication request: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@74c20f26: Principal: greatshin; Password: [PROTECTED]; Authenticated: false; Details: org.springframework.security.ui.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities
2010-01-26 13:15:38,078 DEBUG [org.springframework.jdbc.core.JdbcTemplate] - Executing prepared SQL query
2010-01-26 13:15:38,203 DEBUG [org.springframework.jdbc.core.JdbcTemplate] - Executing prepared SQL statement [
SELECT user_id, password, enabled
FROM CAF_USER
WHERE user_id = ?
]
2010-01-26 13:15:38,297 DEBUG [org.springframework.jdbc.datasource.DataSourceUtils] - Fetching JDBC Connection from DataSource
2010-01-26 13:15:38,797 DEBUG [org.springframework.jdbc.datasource.DataSourceUtils] - Returning JDBC Connection to DataSource
2010-01-26 13:15:38,812 DEBUG [org.springframework.jdbc.core.JdbcTemplate] - Executing prepared SQL query
2010-01-26 13:15:38,812 DEBUG [org.springframework.jdbc.core.JdbcTemplate] - Executing prepared SQL statement [
SELECT user_id, authority
FROM CAF_AUTHORITY
WHERE user_id = ?
]
2010-01-26 13:15:38,812 DEBUG [org.springframework.jdbc.datasource.DataSourceUtils] - Fetching JDBC Connection from DataSource
2010-01-26 13:15:38,812 DEBUG [org.springframework.jdbc.datasource.DataSourceUtils] - Returning JDBC Connection to DataSource
2010-01-26 13:15:38,828 DEBUG [org.springframework.security.context.HttpSessionContextIntegrationFilter] - HttpSession is null, but SecurityContextHolder has not changed from default: ' org.springframework.security.context.SecurityContextImpl@ffffffff: Null authentication'; not creating HttpSession or storing SecurityContextHolder contents
2010-01-26 13:15:38,828 DEBUG [org.springframework.security.context.HttpSessionContextIntegrationFilter] - SecurityContextHolder now cleared, as request processing completed
<2010. 1. 26 ???? 1?? 15?? 38?? KST> <Error> <HTTP> <BEA-101020> <[weblogic.servlet.internal.WebAppServletContext@1ee66ab - appName: 'com.cj.caf.sample.web', name: 'com.cj.caf.sample.web', context-path: '/com.cj.caf.sample.web'] Servlet failed with Exception
java.lang.IllegalArgumentException: SessionIdentifierAware did not return a Session ID (org.springframework.security.ui.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null)
at org.springframework.util.Assert.hasText(Assert.java:162)
at org.springframework.security.concurrent.SessionRegistryUtils.obtainSessionIdFromAuthentication(SessionRegistryUtils.java:56)
at org.springframework.security.concurrent.ConcurrentSessionControllerImpl.checkAuthenticationAllowed(ConcurrentSessionControllerImpl.java:92)
at org.springframework.security.providers.ProviderManager.doAuthentication(ProviderManager.java:192)
at org.springframework.security.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:46)
at org.springframework.security.ui.preauth.AbstractPreAuthenticatedProcessingFilter.doAuthenticate(AbstractPreAuthenticatedProcessingFilter.java:96)
at org.springframework.security.ui.preauth.AbstractPreAuthenticatedProcessingFilter.doFilterHttp(AbstractPreAuthenticatedProcessingFilter.java:67)
at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
at org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:89)
at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:96)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3393)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(Unknown Source)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2140)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2046)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1366)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)
-
Jan 25th, 2010, 11:01 PM
#2
security configuration
======== security configuration =========
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schem...-beans-2.5.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <!-- ============================================================== -->
    <!-- Global Method Security -->
    <!-- ============================================================== -->
    <sec:global-method-security secured-annotations="disabled" />

    <!-- ============================================================== -->
    <!-- Authentication Provider -->
    <!-- ============================================================== -->
    <bean id="daoAuthenticationProvider"
          class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="authenticationDao" />
        <property name="hideUserNotFoundExceptions" value="false" />
    </bean>
    <bean id="authenticationDao" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
        <property name="dataSource" ref="dataSource" />
        <property name="usersByUsernameQuery">
            <value>
                SELECT user_id, password, enabled
                FROM CAF_USER
                WHERE user_id = ?
            </value>
        </property>
        <property name="authoritiesByUsernameQuery">
            <value>
                SELECT user_id, authority
                FROM CAF_AUTHORITY
                WHERE user_id = ?
            </value>
        </property>
    </bean>
    <sec:authentication-provider user-service-ref='authenticationDao'/>

    <!-- ============================================================== -->
    <!-- Authentication Manager -->
    <!-- ============================================================== -->
    <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="preauthAuthProvider" />
                <ref local="daoAuthenticationProvider" />
            </list>
        </property>
        <property name="sessionController" ref="concurrentSessionController" />
    </bean>

    <!-- ============================================================== -->
    <!-- Authentication Entry Point -->
    <!-- ============================================================== -->
    <bean id="myAuthenticationEntryPoint"
          class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <property name="loginFormUrl" value="/login.jsp" />
    </bean>
    <sec:http entry-point-ref="myAuthenticationEntryPoint" session-fixation-protection="newSession" auto-config="false">
        <sec:intercept-url pattern="/login.jsp" filters="none"/>
        <sec:intercept-url pattern="/main" access="ROLE_USER, ROLE_ADMIN" />
        <sec:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
        <sec:intercept-url pattern="/user/**" access="ROLE_USER, ROLE_ADMIN" />
        <sec:logout invalidate-session="true" logout-success-url="/login.jsp?loggedout=true" />
        <!--
        <sec:session-management invalid-session-url="/sessionTimeout.htm" />
        -->
    </sec:http>

    <!-- ============================================================== -->
    <!-- Spring Security Filter Chain -->
    <!-- ============================================================== -->
    <bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
        <sec:filter-chain-map path-type="ant">
            <!--
            <sec:filter-chain pattern="/css/**" filters="none" />
            <sec:filter-chain pattern="/images/**" filters="none" />
            <sec:filter-chain pattern="/script/**" filters="none" />
            <sec:filter-chain pattern="/admin/denied.action" filters="none" />
            <sec:filter-chain pattern="/denied.action" filters="none" />
            <sec:filter-chain pattern="/admin/**"
                filters="concurrentSessionFilter, httpSessionContextIntegrationFilter, logoutFilter, adminAuthenticationProcessingFilter, basicProcessingFilter, securityContextHolderAwareRequestFilter, rememberMeProcessingFilter, anonymousProcessingFilter, adminExceptionTranslationFilter, sessionFixationProtectionFilter, adminFilterSecurityInterceptor" />
            -->
            <sec:filter-chain pattern="/**"
                filters="concurrentSessionFilter, httpSessionContextIntegrationFilter, sapLogonTicketProcessingFilter, customAuthenticationProcessingFilter" />
        </sec:filter-chain-map>
    </bean>

    <!-- ============================================================== -->
    <!-- ConcurrentSessionFilter & Session Registry & Session Control -->
    <!-- ============================================================== -->
    <bean id="concurrentSessionFilter" class="org.springframework.security.concurrent.ConcurrentSessionFilter">
        <property name="sessionRegistry">
            <ref local="sessionRegistry"/>
        </property>
        <property name="expiredUrl">
            <value>/sessionExpired.jsp</value>
        </property>
    </bean>
    <bean id="sessionRegistry" class="org.springframework.security.concurrent.SessionRegistryImpl" />
    <bean id="concurrentSessionController"
          class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
        <property name="maximumSessions" value="1" />
        <property name="sessionRegistry" ref="sessionRegistry" />
        <property name="exceptionIfMaximumExceeded" value="true" />
    </bean>

    <!-- ============================================================== -->
    <!-- HTTP SessionContext Integration Filter -->
    <!-- ============================================================== -->
    <bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
        <property name="forceEagerSessionCreation">
            <value>1</value>
        </property>
    </bean>

    <!-- ============================================================== -->
    <!-- Authentication Processing Filter -->
    <!-- ============================================================== -->
    <bean id="customAuthenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
        <sec:custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
        <property name="defaultTargetUrl" value="/main" />
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="authenticationFailureUrl" value="/login.jsp?authfailed=true" />
        <!-- property name="allowSessionCreation" value="true" /-->
        <property name="filterProcessesUrl" value="/j_spring_security_check" />
        <property name="exceptionMappings">
            <props>
                <prop key="org.springframework.security.CredentialsExpiredException">/login.jsp?newpassword=true</prop>
                <prop key="org.springframework.security.LockedException">/login.jsp?acclocked=true</prop>
                <prop key="org.springframework.security.DisabledException">/login.jsp?accdisabled=true</prop>
            </props>
        </property>
    </bean>

    <!-- ============================================================== -->
    <!-- PreAuthenticatedProcessingFilter -->
    <!-- ============================================================== -->
    <bean id="sapLogonTicketProcessingFilter" class="com.cj.caf.common.security.SapLogonTicketProcessingFilter">
        <sec:custom-filter position="PRE_AUTH_FILTER" />
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>
    <bean id="preauthAuthProvider"
          class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
        <sec:custom-authentication-provider />
        <property name="preAuthenticatedUserDetailsService">
            <bean id="userDetailsServiceWrapper" class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
                <property name="userDetailsService" ref="authenticationDao"/>
            </bean>
        </property>
    </bean>

    <!-- ============================================================== -->
    <!-- SecurityContextHolderAwareRequestFilter -->
    <!-- ============================================================== -->
    <bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter">
        <property name="wrapperClass" value="org.springframework.security.wrapper.SecurityContextHolderAwareRequestWrapper"/>
    </bean>
</beans>
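
Added example, not part of the original thread and not Spring Security's own code: the trace in post #1 shows `WebAuthenticationDetails` carrying `SessionId: null` at the moment `ConcurrentSessionControllerImpl` (wired in as `sessionController` above) asks for a session ID. One way to make sure a session exists before the pre-authentication attempt, written against the Spring Security 2.0.x API; the class name `SessionBackedPreAuthFilter` is hypothetical.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.ui.preauth.AbstractPreAuthenticatedProcessingFilter;

/**
 * Hypothetical base class (the name is an assumption, it does not appear in the thread).
 * It creates the HttpSession before the parent filter builds the authentication
 * request, so the details object handed to the concurrent-session check has an ID.
 */
public abstract class SessionBackedPreAuthFilter
        extends AbstractPreAuthenticatedProcessingFilter {

    public void doFilterHttp(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        // Same precondition the parent uses before it calls doAuthenticate(),
        // plus a check that a pre-authenticated principal is really present.
        boolean willAuthenticate =
                SecurityContextHolder.getContext().getAuthentication() == null
                && getPreAuthenticatedPrincipal(request) != null;

        if (willAuthenticate) {
            // WebAuthenticationDetails only looks up an existing session
            // (getSession(false)); with none it records "SessionId: null",
            // which is the value rejected in the stack trace above.
            // The session is created only when an authentication attempt
            // will follow, so anonymous requests do not each get one.
            request.getSession(true);
        }

        super.doFilterHttp(request, response, chain);
    }
}
```

A concrete filter such as the thread's `SapLogonTicketProcessingFilter` would extend this class and keep its own `getPreAuthenticatedPrincipal`, `getPreAuthenticatedCredentials` and `getOrder`. The principal lookup then runs twice for each unauthenticated request, so it should be cheap or cached.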