Posted to users@cxf.apache.org by Jeff Wang <je...@plutom.com> on 2011/11/16 06:45:50 UTC
Spring-Security Sessions and CXF
Due to a variety of reasons, we decided to not secure our html pages,
but to secure the AJAX data calls. The AJAX endpoints are CXF JAX-RS
endpoints. Because we support OAuth and OpenID, we made the decision
to go with Spring Security and sessions, instead of the proper RESTful
authenticate-each-call methodology. We also transformed the Spring
Security settings. Relevant parts below:
<sec:http access-denied-page="/rest/auth?error=access-denied">
  <sec:form-login authentication-failure-url="/rest/auth?error=failed-login"
                  login-page="/rest/auth?error=not-authenticated"
                  default-target-url="/rest/auth/success"/>
</sec:http>
Basically, on an auth failure or a not-authorized-yet situation, we
have spring security redirect to a REST endpoint, that responds with
the proper status code and that's it. No forwarding to the login-page
or anything of that sort (which would be pointless because all these
are AJAX calls...) On an auth success, we would like to redirect to
/rest/api/user/15 (or whatever ID that just successfully logged in.)
But it looks like we won't be able to dynamically change the target
URL, so we'll depend on /rest/auth/success to return the URI. From
TCPMon, we see:
HTTP/1.1 302 Moved Temporarily
Set-Cookie: JSESSIONID=C149C4F73C95BDAF33E2BED4CCC1D133;
Location: http://localhost/plutom-ws/rest/auth/success
but the call to auth/success fails (stacktrace truncated to the
relevant portion):
GET /plutom-ws/rest/auth/success HTTP/1.1
Cookie: JSESSIONID=C149C4F73C95BDAF33E2BED4CCC1D133;
java.lang.RuntimeException: org.apache.cxf.interceptor.Fault: An
Authentication object was not found in the SecurityContext
at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:107)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:323)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:118)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:208)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:166)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:113)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:184)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:112)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
So a bunch of questions:
1) I annotated the auth/success endpoint with @SECURED, is this correct?
2) Who's responsible for looking at the cookie, finding the Spring
stored session, and setting the authentication object? Do I need an
interceptor that I didn't add?
3) Is the fact that CXFNonSpringServlet is called expected? I'm
definitely not using that anywhere...
thanks for any help
Jeff
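An added illustration of the endpoints the configuration above points at, written for this thread rather than taken from it: a hypothetical JAX-RS resource (class and method names are assumptions) that answers the error redirects with a status code and answers /rest/auth/success with the user URI, checking the Spring SecurityContext directly so a request without an Authentication gets a 401 instead of an unhandled fault.

```java
import java.net.URI;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical resource behind /rest/auth (not from the thread). It is the
// target of the access-denied-page, login-page, authentication-failure-url
// and default-target-url settings, so AJAX callers get a status code back
// instead of being bounced to an HTML login page.
@Path("/auth")
public class AuthStatusResource {

    // Spring Security redirects here on failures; map the "error" query
    // parameter it was configured with onto a status the client can act on.
    @GET
    public Response status(@QueryParam("error") String error) {
        if ("not-authenticated".equals(error) || "failed-login".equals(error)) {
            return Response.status(Response.Status.UNAUTHORIZED).entity(error).build();
        }
        if ("access-denied".equals(error)) {
            return Response.status(Response.Status.FORBIDDEN).entity(error).build();
        }
        return Response.status(Response.Status.BAD_REQUEST).build();
    }

    // default-target-url: instead of redirecting to /rest/api/user/{id}, return
    // that URI as the body. The method inspects the SecurityContext itself, so a
    // request that arrives without a populated Authentication (the failure seen
    // in the thread) gets a plain 401 rather than an unhandled fault.
    @GET
    @Path("/success")
    public Response success(@Context UriInfo uriInfo) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // Assumption: the principal name is the id exposed under /api/user/{id};
        // replace with your own user lookup if the numeric id lives elsewhere.
        URI userUri = uriInfo.getBaseUriBuilder().path("api/user/{id}").build(auth.getName());
        return Response.ok(userUri.toString()).build();
    }
}
```

The base URI comes from the CXF servlet mapping, so with the servlet at /rest the returned URI has the /rest/api/user/... shape the first post asks for.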
Re: Spring-Security Sessions and CXF
Posted by Jeff Wang <je...@plutom.com>.
There's an open-id implementation of spring security. It goes through
a bunch of redirects (302s)
1) client POSTs to the open id endpoint on <myapp>, which typically is
a <myapp>/j_spring_openid_security_check
2) the endpoint in 1 responds with a 302 and a redirect to the openid
endpoint (www.google.com/<openid-endpoint>) with a callback url of the
endpoint in 1.
3) after login, the response from the openid provider is a 302 to
<myapp>/j_spring_openid_security_check with the proper openid tokens
4) the spring openid endpoint authenticates the tokens, and then
issues yet another 302, to a spring security determined page (which is
usually the resource that the client was attempting to access before
the security intercept, but I've overridden to force to go to
<myapp>/auth/success)
I was actually surprised that the setting of the cookies and the login
succeeded. Now I have to figure out why the session didn't take the
authentication. I'll switch this topic over to the springsource
forums, as this doesn't appear to be a CXF issue.
thanks
Jeff
On Wed, Nov 16, 2011 at 12:17 AM, Sergey Beryozkin <sb...@gmail.com> wrote:
> Hi,
>
>
> How do you manage the redirection ? Is it an OpenId JSP handler which
> redirects to /plutom-ws/rest/auth/success ? This is just a guess but I'm
> assuming that "/plutom-ws/rest/auth/success" is secured by a Spring Security
> handler which cannot understand what to do with
>
> JSESSIONID=C149C4F73C95BDAF33E2BED4CCC1D133 in order to retrieve the stored
> authenticated info if any...
>
>> at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:107)
>> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:323)
>> at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:118)
>> at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:208)
>> at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223)
>> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:166)
>> at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:113)
>> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:184)
>> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:112)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
>>
>> So a bunch of questions:
>> 1) I annotated the auth/success endpoint with @SECURED, is this correct?
>
> that is there in order to enforce RBAC
>
>> 2) Who's responsible for looking at the cookie, finding the Spring
>> stored session, and setting the authentication object? Do I need an
>> interceptor that I didn't add?
>
> Spring Security filter ?
Re: Spring-Security Sessions and CXF
Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi,
On 16/11/11 05:45, Jeff Wang wrote:
> Due to a variety of reasons, we decided to not secure our html pages,
> but to secure the AJAX data calls. The AJAX endpoints are CXF JAX-RS
> endpoints. Because we support OAuth and OpenID, we made the decision
> to go with Spring Security and sessions, instead of the proper RESTful
> authenticate-each-call methodology. We also transformed the Spring
> Security settings. Relevant parts below:
>
> <sec:http access-denied-page="/rest/auth?error=access-denied">
>   <sec:form-login authentication-failure-url="/rest/auth?error=failed-login"
>                   login-page="/rest/auth?error=not-authenticated"
>                   default-target-url="/rest/auth/success"/>
> </sec:http>
>
> Basically, on an auth failure or a not-authorized-yet situation, we
> have spring security redirect to a REST endpoint, that responds with
> the proper status code and that's it. No forwarding to the login-page
> or anything of that sort (which would be pointless because all these
> are AJAX calls...) On an auth success, we would like to redirect to
> /rest/api/user/15 (or whatever ID that just successfully logged in.)
> But it looks like we won't be able to dynamically change the target
> URL, so we'll depend on /rest/auth/success to return the URI. From
> TCPMon, we see:
>
> HTTP/1.1 302 Moved Temporarily
> Set-Cookie: JSESSIONID=C149C4F73C95BDAF33E2BED4CCC1D133;
> Location: http://localhost/plutom-ws/rest/auth/success
>
> but the call to auth/success fails (stacktrace truncated to the
> relevant portion):
> GET /plutom-ws/rest/auth/success HTTP/1.1
> Cookie: JSESSIONID=C149C4F73C95BDAF33E2BED4CCC1D133;
>
> java.lang.RuntimeException: org.apache.cxf.interceptor.Fault: An
> Authentication object was not found in the SecurityContext
How do you manage the redirection ? Is it an OpenId JSP handler which
redirects to /plutom-ws/rest/auth/success ? This is just a guess but
I'm assuming that "/plutom-ws/rest/auth/success" is secured by a Spring
Security handler which cannot understand what to do with
JSESSIONID=C149C4F73C95BDAF33E2BED4CCC1D133 in order to retrieve the
stored authenticated info if any...
> at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:107)
> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:323)
> at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:118)
> at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:208)
> at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223)
> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:166)
> at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:113)
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:184)
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:112)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
>
> So a bunch of questions:
> 1) I annotated the auth/success endpoint with @SECURED, is this correct?
that is there in order to enforce RBAC
> 2) Who's responsible for looking at the cookie, finding the Spring
> stored session, and setting the authentication object? Do I need an
> interceptor that I didn't add?
Spring Security filter ?
> 3) Is the fact that CXFNonSpringServlet is called expected? I'm
> definitely not using that anywhere...
>
CXFServlet now extends CXFNonSpringServlet...
Cheers, Sergey
> thanks for any help
> Jeff