IllegalStateException from call to response.sendRedirect in successfulAuthentication

[cirorezende]

Hello!

I have upgraded to Security 3.0.2, and ended up with the following issue: when I place a call to response.sendRedirect() from inside the method successfulAuthentication() - in UsernamePasswordAuthenticationFilter - I receive an IllegalStateException and the system redirects to the default successful authentication page.

My requirement is that when user successfully authenticate, I must redirect him to a page according to a certain condition, and if that condition is false, I must redirect him to another page. That used to work before moving to Spring Security 3.0.

Here is relevant part of my applicationContext-Security.xml:

Code:

<beans:beans ... >

    <security:http entry-point-ref="myAuthenticationEntryPoint" auto-config="false">
		
...

		<security:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationProcessingFilter"/>

    </security:http>

	<security:authentication-manager alias="authenticationManager">
		<security:authentication-provider ref="MyCustomAuthenticationProvider"/>
	</security:authentication-manager>

	<beans:bean id="MyCustomAuthenticationProvider" class="br.com.smartnet.vrben.portal.security.CustomAuthenticationProvider">
		<beans:property name="locator">
			<beans:bean class="br.com.smartnet.vrben.portal.locator.ServiceLocator" />
		</beans:property>
	</beans:bean>	

	<beans:bean id="myAuthenticationEntryPoint" class="br.com.smartnet.vrben.portal.security.CustomAuthenticationEntryPoint" >	
		<beans:property name="loginFormUrl" value="/index.html" />
		<beans:property name="forceHttps" value="false" />
		
	</beans:bean>

	<beans:bean id="authenticationProcessingFilter" class="br.com.smartnet.vrben.portal.security.CustomAuthenticationProcessingFilter">

		<beans:property name="authenticationManager" ref="authenticationManager" />
		<beans:property name="authenticationFailureHandler" ref="failureHandler" />
		<beans:property name="authenticationSuccessHandler" ref="successHandler" />
		<beans:property name="sessionAuthenticationStrategy" ref="sessionFixationProtectionStrategy"/>
		<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
		<beans:property name="locator">
			<beans:bean class="br.com.smartnet.vrben.portal.locator.ServiceLocator" />
		</beans:property>
	</beans:bean>

	 
	 <beans:bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler" >
		<beans:property name="defaultTargetUrl" value="/index.html" /> 
	</beans:bean>
	<beans:bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" >
		<beans:property name="defaultFailureUrl" value="/index.html?authfailed=true" />
	</beans:bean>
	<beans:bean id="sessionFixationProtectionStrategy" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
		<beans:property name="migrateSessionAttributes" value="true" />
	</beans:bean>
	 
</beans:beans>

Here is the relevant part of my CustomAuthenticationProcessingFilter, which extends UsernamePasswordAuthenticationFilter:

Code:

	@Override
	protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult) throws IOException, ServletException {

		logger.info("login successful: " + authResult.getDetails());
		super.successfulAuthentication(request, response, authResult);

		// if user is a member of ROLE_PATROCINADOR, redirects them
		// to the sponsor's page

		if(isUserPatrocinador(request)) {
			logger.info("redirecting to the patrocinador's page: " + request.getContextPath() + PATROCINADOR_VIEW);
			response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + PATROCINADOR_VIEW));
		} else {

			Usuario usuario = recuperarUsuarioLogado();

			if( usuario != null ){

				try {

					List<Programa> programas = locator.getProgramaInterface().selecionarProgramasdoBeneficiario(usuario.getChave());

					String redirectUrl = request.getContextPath();
					
					if( programas.size() == 1 ){
						//if size == 1 redirect to another URL 
						Programa programa = programas.iterator().next();
						String codPrograma = programa.getCodigoPrograma();
						redirectUrl = redirectUrl + PROGRAMA_VIEW + "?idPrograma=" + codPrograma;
						
					} else {
						redirectUrl = redirectUrl + MEUS_PROGRAMAS_VIEW;
					}

					String encodedUrl = response.encodeRedirectURL( redirectUrl );
					
					response.sendRedirect( encodedUrl );  ==> HERE IS WHERE THE PROBLEM HAPPENS

					
				} catch (Exception e) {

					logger.error("Erro ao tentar realizar o redirecionamento do usuario autenticado." + e.getMessage(), e);
					logger.error("Causa: " + e.getCause().getMessage() + " - Redirecionando para a página principal.");
					 
					response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + MAIN_VIEW));

				}

			}

		}
		
	}

And here is the log of the error thrown:

Code:

[07/04/10 19:47:53:172 BRT] 00000025 SystemOut     O 19:47:53,172  INFO CustomAuthenticationProcessingFilter,WebContainer : 3:41 - login successful: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: gUraxa6NbqE2z3JxEe6qF6V
[07/04/10 19:47:53:188 BRT] 00000025 SystemOut     O 19:47:53,188  INFO ERROR CustomAuthenticationProcessingFilter,WebContainer : 3:80 - Error while trying to redirect authenticated user:  null
java.lang.IllegalStateException
	at com.ibm.ws.webcontainer.webapp.WebAppDispatcherContext.sendRedirectWithStatusCode(WebAppDispatcherContext.java:484)
	at com.ibm.ws.webcontainer.webapp.WebAppDispatcherContext.sendRedirect(WebAppDispatcherContext.java:441)
	at com.ibm.ws.webcontainer.srt.SRTServletResponse.sendRedirect(SRTServletResponse.java:1036)
	at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:170)
	at org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper.sendRedirect(SaveContextOnUpdateOrErrorResponseWrapper.java:74)
	at br.com.xxx.yyy.portal.security.CustomAuthenticationProcessingFilter.successfulAuthentication(CustomAuthenticationProcessingFilter.java:75)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:219)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
	at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:109)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
	at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
	at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
	at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
	at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:834)
	at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:744)
	at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:697)
	at com.ibm.ws.wswebcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:118)
	at com.ibm.ws.webcontainer.extension.DefaultExtensionProcessor.invokeFilters(DefaultExtensionProcessor.java:818)
	at com.ibm.ws.webcontainer.extension.DefaultExtensionProcessor.handleRequest(DefaultExtensionProcessor.java:768)
	at com.ibm.ws.wswebcontainer.extension.DefaultExtensionProcessor.handleRequest(DefaultExtensionProcessor.java:113)
	at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3440)
	at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:267)
	at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:815)
	at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1461)
	at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:118)
	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:458)
	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:387)
	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:267)
	at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
	at 

...

Appreciate any help. Thanks IN ADVANCE!!!

[cirorezende]

Can anyone help me?? Thanks...

[Luke Taylor]

You'll need to work out why websphere is throwing IllegalStateException (with a null message, not very helpful).

I would try and replicate the error in Tomcat and see why the error is happening. Perhaps the response is already committed for some reason.

[cirorezende]

You'll need to work out why websphere is throwing IllegalStateException (with a null message, not very helpful).

I would try and replicate the error in Tomcat and see why the error is happening. Perhaps the response is already committed for some reason.

Luke, thanks for your reply!

I'll try that right now... I've been stuck in this error for the last 2 days... But is there any reason this was not happening in SSecurity 2.0 and came up just after upgrading to 3.0??

Thanks....

[Luke Taylor]

Not that I'm aware of. The net result should be the same - a redirect from the authentication filter.

[cirorezende]

Luke, it keeps failing under Tomcat 6. Same error.

Here is the stack:

Code:

08/04/2010 12:00:00 org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet default threw exception
Throwable occurred: java.lang.IllegalStateException
	at org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:435)
	at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:126)
	at org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper.sendRedirect(SaveContextOnUpdateOrErrorResponseWrapper.java:74)
	at br.com.xxx.yyy.portal.security.CustomAuthenticationProcessingFilter.successfulAuthentication(CustomAuthenticationProcessingFilter.java:93)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:219)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
	at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:109)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
	at java.lang.Thread.run(Thread.java:735)
11:59:59,998 DEBUG HttpSessionSecurityContextRepository,http-8080-1:351 - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@8db7d479: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@8db7d479: Principal: br.com.smartnet.vrben.domain.Usuario@525d525d; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: E28621072DA9FD15B7DB8362AA221C76; Granted Authorities: br.com.smartnet.vrben.domain.Role@526e526e'
12:00:00,014 ERROR CustomAuthenticationProcessingFilter,http-8080-1:90 - Erro ao tentar realizar o redirecionamento do usuario autenticado.null
java.lang.IllegalStateException
	at org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:435)
	at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:126)
	at org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper.sendRedirect(SaveContextOnUpdateOrErrorResponseWrapper.java:74)
	at br.com.xxx.yyy.portal.security.CustomAuthenticationProcessingFilter.successfulAuthentication(CustomAuthenticationProcessingFilter.java:85)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:219)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
	at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:109)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
	at java.lang.Thread.run(Thread.java:735)

As we know it is not because of WebSphere, is there any other possibility, any other filter to use, to try putting the redirect somewhere AFTER unsuccessfulAuthentication() ???

[Luke Taylor]

Since you can look at the source for tomcat (unlike websphere), you can see that the response has already been committed, so an IllegalStateException is raised as per the servlet spec.

You need to work out why that is. Sending the redirect later won't make any difference.

[cirorezende]

Man, I spent the whole day trying to locate the problem, but after lots of debugging and source checking, all I can say is that, in the moment the sendRedirect() is called, it raises the IllegalStateException. During the debug process, when I stop on the 'sendRedirect()' as I press F5 (debug step) it goes directly to the IllegalArgumentException constructor, and the cause and message are null.

Is there any difference if I use RequestDispatcher.dispatch(request, response)?

I'll continue trying next monday, when I get back to the office...

But tell me: is the work being done in the right place??? I mean, is "UsernamePasswordAuthenticationFilter" - successfulAuthentication() the best place to call sendRedirect() ???

Thanks in advance...

[Luke Taylor]

It's not really a question of what is the right place - more about what has been done with the response prior to that point. Something must have been written to it to cause it to be committed. You could either debug the response object directly or create a response wrapper which will allow you to monitor calls on the object.

[fsoares]

It's not really a question of what is the right place - more about what has been done with the response prior to that point. Something must have been written to it to cause it to be committed. You could either debug the response object directly or create a response wrapper which will allow you to monitor calls on the object.

This change from version 2 to 3.
I have the some problem.
On version 2.x it was possible to implement the interface TargetUrlResolver with our custom code.
The only way I found to implement this custom behaviour in 3.0.2 - redirect to a specific page by a condition after authentication - was to apply the some technique used with filters: a request wrapper.
That state illegal exception appear in my opinion from the some reason that we can't modify the request in a filter, without a wrapper.
So if someone has another solution I would appreciate. Mine, was to extend the SimpleUrlAuthenticationSuccessHandler with the some code of the the SavedRequestAwareAuthenticationSuccessHandler and put my condition in a wrapper, like this

PHP Code:

public class RoleBasedAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    protected final Log logger = LogFactory.getLog(this.getClass());
    private RequestCache requestCache = new HttpSessionRequestCache();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws ServletException, IOException {
        SavedRequest savedRequest = requestCache.getRequest(request, response);

        if (containsAdminAuthority(authentication)) {
            HttpServletRequestWrapper wrapper =
                    new HttpServletRequestWrapper((HttpServletRequest) request) {
                        @Override
                        public String getParameter(String parameter) {
                            if (parameter.equals("spring-security-redirect")) {
                                return "/admin.htm";
                            }
                            return null;
                        }
                    };

            requestCache.removeRequest(request, response);
            super.onAuthenticationSuccess(wrapper, response, authentication);
            return;
        }

        if (savedRequest == null) {
            super.onAuthenticationSuccess(request, response, authentication);

            return;
        }

        if (isAlwaysUseDefaultTargetUrl() || StringUtils.hasText(request.getParameter(getTargetUrlParameter()))) {
            requestCache.removeRequest(request, response);
            super.onAuthenticationSuccess(request, response, authentication);

            return;
        }

        // Use the DefaultSavedRequest URL
        String targetUrl = savedRequest.getRedirectUrl();
        logger.debug("Redirecting to DefaultSavedRequest Url: " + targetUrl);
        getRedirectStrategy().sendRedirect(request, response, targetUrl);
    }

    public void setRequestCache(RequestCache requestCache) {
        this.requestCache = requestCache;
    }

    private boolean containsAdminAuthority(final Authentication auth) {
        for (final GrantedAuthority grantedAuthority : auth.getAuthorities()) {
            if (grantedAuthority.getAuthority().equals(
                    MyRoles.ADMIN_ROLE.roleName())) {
                return true;
            }
        }
        return false;
    }
} 


In my case I'm using a enum(MyRoles) to get the condition and then I change the original with a wrapper. When the targetUrl is evaluated upstream it calls the getParameter("spring-security-redirect") - see the source.
It works. Of course that inner class of the wrapper can be a autonomous method with other parameters.
I dont use namespace so I cant help in that matter. In my bean for the UsernamePasswordAuthenticationFilter I put may custom authenticationSuccessHandler like this:

PHP Code:

<bean id="formLoginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="rememberMeServices" ref="rememberMeServices" />
        <property name="authenticationSuccessHandler">
            <!--<bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">-->
            <bean class="org.anarca.springsecuritytest.RoleBasedAuthenticationSuccessHandler">
                <property name="defaultTargetUrl" value="/home.htm" />
            </bean>
        </property>
... 


Again: If someone has a better way...