I have configured spring-saml and spring security in my application. I have given different url pattern to recognize request. if I append /rest in app URL then it will create spring-security context with basic authentication. If I append /saml in app URL then it will populate IDP login page and redirect to index.html after successful login.
But I am getting redirected to login.html page again instead of index.html. After eclipse debugging and putting some logs here and there I got there is no authentication object available.
I have read this jira link and updated spring-security version to 3.1.4.RELEASE but it did not solve my issue.
After struggling a lot I find that saml security context is getting cleared by filterChainProxy doFilter method and setting authentication is null and then redirecting to the secured target url which requires authentication which is not present. hence it redirect to login page.
I googled a lot but did not find any way to use saml authentication to pass j_spring_security check.
I have attached my saml-security.xml and spring-security.xml file below
saml-security
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://ift.tt/GArMu6"
xmlns:security="http://ift.tt/1c8inpe"
xmlns:xsi="http://ift.tt/ra1lAU"
xmlns:context="http://ift.tt/GArMu7"
xsi:schemaLocation="http://ift.tt/GArMu6 http://ift.tt/1cMYE2s
http://ift.tt/1c8inpe http://ift.tt/SiGWZH http://ift.tt/GArMu7 http://ift.tt/1dfrlFf">
<!-- Enable auto-wiring -->
<context:annotation-config/>
<!-- Scan for auto-wiring classes in spring saml packages -->
<context:component-scan base-package="org.springframework.security.saml"/>
<!-- Unsecured pages -->
<security:http security="none" pattern="/favicon.ico"/>
<security:http security="none" pattern="/images/**"/>
<security:http security="none" pattern="/css/**"/>
<security:http security="none" pattern="/logout.jsp"/>
<!-- Filters for processing of SAML messages -->
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map request-matcher="ant">
<security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
<security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
<security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
<security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
<security:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/>
<security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
<security:filter-chain pattern="/saml/discovery/**" filters="samlIDPDiscovery"/>
</security:filter-chain-map>
</bean>
<!-- Handler deciding where to redirect user after successful login -->
<bean id="successRedirectHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/index.html"/>
<property name="alwaysUseDefaultTargetUrl" value="true"/>
</bean>
<!--
Use the following for interpreting RelayState coming from unsolicited response as redirect URL:
<bean id="successRedirectHandler" class="org.springframework.security.saml.SAMLRelayStateSuccessHandler">
<property name="defaultTargetUrl" value="/" />
</bean>
-->
<!-- Handler for successful logout -->
<bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
<property name="defaultTargetUrl" value="/login.html"/>
</bean>
<!-- Register authentication manager with SAML provider -->
<security:authentication-manager id="samlAuthenticationManager">
<security:authentication-provider ref="samlAuthenticationProvider"/>
</security:authentication-manager>
<!-- Logger for SAML messages and events -->
<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"/>
<!-- Central storage of cryptographic keys -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg value="http://file/${user.home}/conf/samlKeyStore.jks"/>
<constructor-arg type="java.lang.String" value="nalle123"/>
<constructor-arg>
<map>
<entry key="apollo" value="nalle123"/>
</map>
</constructor-arg>
<constructor-arg type="java.lang.String" value="apollo"/>
</bean>
<!-- Entry point to initialize authentication, default values taken from properties file -->
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
<property name="defaultProfileOptions">
<bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
<property name="includeScoping" value="false"/>
</bean>
</property>
</bean>
<!-- IDP Discovery Service -->
<bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
<!-- <property name="idpSelectionPath" value="/WEB-INF/security/idpSelection.jsp"/> -->
</bean>
<!-- Filter automatically generates default SP metadata -->
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="entityId" value="devenv.abc.com"/>
<property name="signMetadata" value="false"/>
</bean>
</constructor-arg>
</bean>
<!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there -->
<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<constructor-arg>
<list>
<bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
<constructor-arg>
<value type="java.lang.String">http://ift.tt/Y9Q21T;
</constructor-arg>
<constructor-arg>
<value type="int">500000</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</list>
</constructor-arg>
</bean>
<!-- SAML Authentication Provider responsible for validating of received SAML messages -->
<bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
<property name="userDetails" ref="samlUserDetailsService" />
</bean>
<!-- Custom user details service to attach app specific roles to federated identities -->
<bean id="samlUserDetailsService" class="com.mercatus.security.MercatusSAMLUserDetailsService"/>
<!-- Provider of default SAML Context -->
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>
<!-- Processing filter for WebSSO profile messages -->
<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
<property name="authenticationManager" ref="samlAuthenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
</bean>
<!-- Processing filter for WebSSO Holder-of-Key profile -->
<bean id="samlWebSSOHoKProcessingFilter" class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter">
<property name="authenticationManager" ref="samlAuthenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
</bean>
<!-- Logout handler terminating local session -->
<bean id="logoutHandler"
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
<property name="invalidateHttpSession" value="true"/>
</bean>
<!-- Override default logout processing filter with the one processing SAML messages -->
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
<constructor-arg ref="successLogoutHandler"/>
<constructor-arg ref="logoutHandler"/>
<constructor-arg ref="logoutHandler"/>
</bean>
<!-- Filter processing incoming logout messages -->
<!-- First argument determines URL user will be redirected to after successful global logout -->
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
<constructor-arg index="0" ref="successLogoutHandler"/>
<constructor-arg index="1" ref="logoutHandler"/>
</bean>
<!-- Class loading incoming SAML messages from httpRequest stream -->
<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg>
<list>
<ref bean="redirectBinding"/>
<ref bean="postBinding"/>
<ref bean="artifactBinding"/>
<ref bean="soapBinding"/>
<ref bean="paosBinding"/>
</list>
</constructor-arg>
</bean>
<!-- SAML 2.0 WebSSO Assertion Consumer -->
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>
<!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
<bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<!-- SAML 2.0 Web SSO profile -->
<bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>
<!-- SAML 2.0 Holder-of-Key Web SSO profile -->
<bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<!-- SAML 2.0 ECP profile -->
<bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/>
<!-- SAML 2.0 Logout Profile -->
<bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
<!-- Bindings, encoders and decoders used for creating and parsing messages -->
<bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
<constructor-arg ref="parserPool"/>
<constructor-arg ref="velocityEngine"/>
</bean>
<bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
<constructor-arg ref="parserPool"/>
</bean>
<bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
<constructor-arg ref="parserPool"/>
<constructor-arg ref="velocityEngine"/>
<constructor-arg>
<bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
<constructor-arg>
<bean class="org.apache.commons.httpclient.HttpClient">
<constructor-arg>
<bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
</constructor-arg>
</bean>
</constructor-arg>
<property name="processor">
<bean class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg ref="soapBinding"/>
</bean>
</property>
</bean>
</constructor-arg>
</bean>
<bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
<constructor-arg ref="parserPool"/>
</bean>
<bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
<constructor-arg ref="parserPool"/>
</bean>
<!-- Initialization of OpenSAML library-->
<bean class="org.springframework.security.saml.SAMLBootstrap"/>
<!-- Initialization of the velocity engine -->
<bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>
<!-- XML parser pool needed for OpenSAML parsing -->
<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize">
<property name="builderFeatures">
<map>
<entry key="http://ift.tt/13AsMgt" value="false"/>
</map>
</property>
</bean>
<bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
</beans>
And my spring-security.xml file given below
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://ift.tt/GArMu6"
xmlns:xsi="http://ift.tt/ra1lAU"
xmlns:context="http://ift.tt/GArMu7"
xmlns:mvc="http://ift.tt/1bHqwjR"
xmlns:util="http://ift.tt/OGfeTW"
xmlns:security="http://ift.tt/1c8inpe"
xmlns:oauth2="http://ift.tt/1bBHntb"
xmlns:aop="http://ift.tt/OpNdV1"
xsi:schemaLocation="http://ift.tt/GArMu6
http://ift.tt/QEDs1e
http://ift.tt/GArMu7
http://ift.tt/QEDs1k
http://ift.tt/1bHqwjR
http://ift.tt/1bVJL9q
http://ift.tt/OGfeTW
http://ift.tt/1bFKsJT
http://ift.tt/1c8inpe
http://ift.tt/SiGWZH
http://ift.tt/OpNdV1
http://ift.tt/QEDs1g
http://ift.tt/1bBHntb
http://ift.tt/1aErTAF">
<aop:aspectj-autoproxy/>
<!-- Definition for logging aspect -->
<bean id="assumptionAuditLogAspect" class="com.mercatus.audit.AssumptionAuditLogAspect"/>
<!-- Definition for project security aspect -->
<bean id="projectSecurityAspect" class="com.mercatus.web.security.ProjectSecurityAspect"/>
<!--Definition for SavedRequestAwareAuthenticationSuccessHandler -->
<bean id="mercatusSavedRequestHandler" class="com.mercatus.security.MercatusSavedRequestHandler"/>
<bean id="mercatusLogoutSuccessHandler" class="com.mercatus.security.MercatusLogoutSuccessHandler"/>
<bean id="mercatusAjaxTimeoutFilter" class="com.mercatus.security.MercatusAjaxTimeoutFilter"/>
<security:http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<security:anonymous enabled="false" />
<security:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<security:custom-filter ref="clientCredentialsTokenEndpointFilter"
after="BASIC_AUTH_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
</security:http>
<!-- SAML starts -->
<security:http pattern="/saml/**" entry-point-ref="samlEntryPoint">
<security:intercept-url pattern="/oauth/**" access="ROLE_USER" />
<security:intercept-url pattern="/rest/**" access="ROLE_USER" />
<security:intercept-url pattern="/saml" access="IS_AUTHENTICATED_FULLY"/>
<security:anonymous enabled="false" />
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>
<!-- SAML ends -->
<security:http pattern="/rest/**" access-decision-manager-ref="accessDecisionManager">
<security:anonymous enabled="false" />
<security:form-login login-page="/login.html" authentication-success-handler-ref="mercatusSavedRequestHandler"
authentication-failure-url="/login.jsp?login_error=true"/>
<security:intercept-url pattern="/rest/**" access="ROLE_USER" />
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="mercatusAjaxTimeoutFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
<security:access-denied-handler ref="oauthAccessDeniedHandler"/>
</security:http>
<security:http access-denied-page="/login.jsp?login_error=true">
**<security:intercept-url pattern="/index.html" access="ROLE_USER" />**
<security:intercept-url pattern="/saml/**" access="ROLE_USER" />
<security:intercept-url pattern="/oauth/**" access="ROLE_USER" />
<security:intercept-url pattern="/customer/*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:form-login login-page="/login.html" authentication-success-handler-ref="mercatusSavedRequestHandler"
authentication-failure-url="/login.jsp?login_error=true"/>
<security:logout delete-cookies="true" invalidate-session="true" logout-success-url="/login.html"/>
<security:anonymous />
</security:http>
<security:authentication-manager id="clientAuthenticationManager">
<security:authentication-provider user-service-ref="clientDetailsUserService" />
</security:authentication-manager>
<oauth2:authorization-server
client-details-service-ref="clientDetails" token-services-ref="tokenServices"
user-approval-handler-ref="userApprovalHandler">
<oauth2:authorization-code />
<oauth2:implicit />
<oauth2:refresh-token />
<oauth2:client-credentials />
<oauth2:password />
</oauth2:authorization-server>
<oauth2:resource-server id="resourceServerFilter"
resource-id="mercatus" token-services-ref="tokenServices" />
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<security:global-method-security pre-post-annotations="enabled"/>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="mercatusAuthenticationProvider" />
</security:authentication-manager>
<bean id="mercatusAuthenticationProvider" class="com.mercatus.security.MercatusAuthenticationProvider" />
</beans>
Can anyone help me to solve this issue. Thanks in advance.
Aucun commentaire:
Enregistrer un commentaire