4

I am using Spring Security Oauth1.0a to authenticate requests. It's expected that once a user is authenticated, s/he will gain the privileges to explore around in a website. The authenticated user's very first landing page include some js and img's. Weird enough that during the loading of those tiny pieces, some files are loaded successfully with the right authentication. But split of milliseconds later, other tiny pieces will fail to load due to null authentication. Note that, I have my servlet context/session/attribute listeners turned on. No changes were detected. 

10/24'16 13:44:23> DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@3f8eaa51: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@3f8eaa51: Principal: com.my.connected.spring.User@148c0257; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: TEACHER' stored to HttpSession: 'org.apache.catalina.session.StandardSessionFacade@f3abb79 (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-11) [1256269]

Until now security Context populated in the session as expected. My customized context/session/attribute level listeners detected no changes thereafter. All debug level logs are printed out below.

10/24'16 13:44:23> DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] Chain processed normally (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-11) [1256269]
10/24'16 13:44:23> DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-11) [1256269]
10/24'16 13:44:23> DEBUG [org.springframework.security.web.FilterChainProxy] /home.png at position 1 of 15 in additional filter chain; firing Filter: 'MetadataGeneratorFilter' (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-4) [1256274]
10/24'16 13:44:23> DEBUG [org.springframework.security.web.FilterChainProxy] /home.png at position 2 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-4) [1256274]
10/24'16 13:44:23> DEBUG [org.springframework.security.web.FilterChainProxy] /home.png at position 3 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-4) [1256274]
10/24'16 13:46:37> DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@ffffffff: Null authentication' (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-4) [1391041]

However, debug and log both show a new null authentication for the session attribute SPRING_SECURITY_CONTEXT. The context itself is not null.

More coding details: 

//the controller method
@RequestMapping(value = {"/ssoep.lti.do"}, method = {RequestMethod.GET, RequestMethod.POST})
public void ltiEndpoint(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, SSOValidationException{
    request.getRequestDispatcher("/").forward(request, response);
}

//the configuration class
@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

protected void configureOAuth(HttpSecurity http) throws Exception {
    http
            .csrf()
            .disable();
    http
            .addFilterAfter(oauthFilter(), BasicAuthenticationFilter.class)
            .authorizeRequests()
            .antMatchers("/ssoep.lti.do*").authenticated();
}

@Bean
public ProtectedResourceProcessingFilter oauthFilter() {
    ProtectedResourceProcessingFilter result = new MheOauthProcessingFilter();
    result.setAuthHandler(mheUserOauthAuthenticationHandler);
    result.setConsumerDetailsService(mheOauthConsumerDetailsService);
    return result;
}
}

I am using the following pom versions. 

<spring.version>4.3.2.RELEASE</spring.version>
<spring.boot.version>1.4.0.RELEASE</spring.boot.version>
<spring.security.version>4.1.1.RELEASE</spring.security.version>
<spring.security.oauth.version>2.0.11.RELEASE</spring.security.oauth.version>
<spring.security.saml2>1.0.2.RELEASE</spring.security.saml2>
Denis Wang
  • 965
  • 12
  • 13

3 Answers3

0

Probably is that you might have not add spring security filter chain to intercept all requests

import org.springframework.security.web.context.*;

public class SecurityWebApplicationInitializer
    extends AbstractSecurityWebApplicationInitializer {

    public SecurityWebApplicationInitializer() {
        super(SecurityConfig.class);
    }
}

http://docs.spring.io/spring-security/site/docs/current/reference/html/jc.html#abstractsecuritywebapplicationinitializer-without-existing-spring

kuhajeyan
  • 10,727
  • 10
  • 46
  • 71
  • 1
    As the log implied the Spring Security chain has been in effective all the time. And the change triggered: java.lang.IllegalStateException: Cannot initialize context because there is already a root application context present - check whether you have multiple ContextLoader* definitions in your web.xml! – Denis Wang Oct 26 '16 at 13:24
0

When I debugged into the Spring Security Oauth code, OAuthProviderProcessingFilter, I found that the context will always reset by the previousAuthentication. I am not sure what the purpose is there and this is the root reason of my lose of authentication.

The following code to override the default behavior fixed the problem.

public class MyOauthProcessingFilter extends ProtectedResourceProcessingFilter {

    @Override
    protected void resetPreviousAuthentication(Authentication previousAuthentication) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (null != auth && null != auth.getPrincipal() ) {
            return;
        }
        super.resetPreviousAuthentication(previousAuthentication);
    }

}
Denis Wang
  • 965
  • 12
  • 13
0

you can change priority of your filters calling.

protected void configureOAuth(HttpSecurity http) throws Exception {
    http
            .csrf()
            .disable();
    http
            .addFilterAfter(oauthFilter(), BasicAuthenticationFilter.class)
            .authorizeRequests()
            .antMatchers("/ssoep.lti.do*").authenticated();

    http.addFilterAfter(YOUR_FILTER, SecurityContextPersistenceFilter.class);
}

because SecurityContextPersistenceFilter reset context and authenticated user is clear from context.

Amir Azizkhani
  • 1,662
  • 17
  • 30