Posted to users@cxf.apache.org by "Burton, Tom F (DOR)" <to...@alaska.gov> on 2013/06/18 21:15:05 UTC

FEDIZ Authentication problems

I'm trying to setup FEDIZ-1.1-SNAPSHOT with FEDIZ-1.1-SPRING-SNAPSHOT as an RP to an existing .NET ADFS IDP.

If I subclass ``  to authenticate on my desired URL path `myAlaska`
I end up with the following log entries when I try to log in:

06-18@09:56:56 INFO  [] Spring Security Debugger   -

************************************************************

Request received for '/myAlaska':

org.apache.catalina.connector.RequestFacade@a2f68b

servletPath:/myAlaska
pathInfo:null

Security filter chain: [
  SecurityContextPersistenceFilter
  MyAlaskaAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************


06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
06-18@09:56:56 DEBUG [] nSecurityContextRepository - No HttpSession currently exists
06-18@09:56:56 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Compared: path=/myAlaska, and /j_spring_fediz_security_check
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - ServletPath Authentication: true
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Request is to process authentication
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - begin parameter logging.
wa:       null
wresult:  null
full URL: https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
Method:   GET
06-18@09:56:56 DEBUG [] ProviderManager            - Authentication attempt using us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider
06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - Authenticating: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1dacb29: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 146.63.181.15; SessionId: null; Not granted any authorities
06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - request: WA: null Wct: null Result: null Cert Count: 0
06-18@09:56:56 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
06-18@09:56:56 ERROR [] FederationProcessorImpl    - Invalid action 'null'
06-18@09:56:56 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request
org.apache.cxf.fediz.core.exception.ProcessingException: The request was invalid or malformed
        at org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:93)
        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:121)
        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:30)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Unknown Source)
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: The request was invalid or malformed
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1508a8b
06-18@09:56:56 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
06-18@09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
06-18@09:56:56 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

If I remove the additional Authentication checks so it only checks on /j_spring_fediz_security_check,
I get the following error instead:

06-18@10:57:19 INFO  [] Spring Security Debugger   -

************************************************************

Request received for '/myAlaska':

org.apache.catalina.connector.RequestFacade@1cdedd4

servletPath:/myAlaska
pathInfo:null

Security filter chain: [
  SecurityContextPersistenceFilter
  MyAlaskaAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************


06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
06-18@10:57:19 DEBUG [] nSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
06-18@10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be created.
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
06-18@10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication = false
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - pathInfo: both null (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - queryString: both null (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURI: arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverPort: arg1=8443; arg2=8443 (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURL: arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska; arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - scheme: arg1=https; arg2=https (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverName: arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - contextPath: arg1=/newhirereporting; arg2=/newhirereporting (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - servletPath: arg1=/myAlaska; arg2=/myAlaska (property equals)
06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - Removing DefaultSavedRequest from session if present
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
06-18@10:57:19 DEBUG [] nymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS'
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/'
06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/myalaska'
06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()]
06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS
06-18@10:57:19 DEBUG [] AffirmativeBased           - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@200930, returned: -1
06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Unknown Source)
06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - DefaultSavedRequest added to Session: DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska]
06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication entry point.
06-18@10:57:19 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
06-18@10:57:19 DEBUG [] MyAlaskaEntryPoint         - Federation context: org.apache.cxf.fediz.core.config.FederationContext@a302f2
06-18@10:57:19 INFO  [] FederationProcessorImpl    - Issuer url: https://mydev.alaska.gov/adfs/ls/
06-18@10:57:19 INFO  [] FederationProcessorImpl    - WAuth:
06-18@10:57:19 INFO  [] FederationProcessorImpl    - HomeRealm: null
06-18@10:57:19 INFO  [] FederationProcessorImpl    - Freshness: null
06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/
06-18@10:57:19 INFO  [] MyAlaskaEntryPoint         - Redirecting to IDP: https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&pubId=enhr
06-18@10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
06-18@10:57:19 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

The first error tells me there was a problem with the sign-in request-response; it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a POST.

The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to /myAlaska -> redirects back to the IDP ....
In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
It looks like Fediz wants a POST redirect with some desired parameters set, like wa=wsignin1.0, and seeing as it's not finding that information
it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.

I have spring security configured like so:
<sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
    <sec:intercept-url pattern="/" access="permitAll"/>
    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
    <sec:session-management session-authentication-strategy-ref="sas"/>
</sec:http>
The examples look like you expect a role with the SAML Token.  I want to treat ALL accounts from ADFS with the same role.
Is using ' access="isFullyAuthenticated()" ' appropriate for my use case?

Thank you for any help,
Tom Burton

Confidentiality Notice:  This e-mail message including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
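The two log traces above come down to one decision the relying party has to make on every request under the WS-Federation passive profile: is this a sign-in response from the IDP (POST, wa=wsignin1.0, wresult present), or an ordinary request that should start sign-in with a redirect? The following Python is an added example written for this thread, not Fediz or Spring Security code; it reconstructs that decision and the sign-in redirect from the log lines (issuer, wreply, wtrealm, wct and the custom pubId parameter all come from the trace above). The "reject_malformed_response" outcome and the RESERVED set are this example's own choices.

```python
# Added example (not Fediz or Spring Security code): the relying-party
# decision under the WS-Federation passive profile, reconstructed from the
# thread's log.  Demo values are the ones that appear in that log.
from datetime import datetime, timezone
from urllib.parse import urlencode, quote

WS_FED_SIGNIN = "wsignin1.0"
# wa/wreply/wtrealm/wct are set by the protocol builder below; wctx is the
# RP plugin's own state parameter, so custom parameters may not reuse them.
RESERVED = {"wa", "wreply", "wtrealm", "wct", "wctx"}


def classify_request(method, params):
    """Return what the RP should do with an incoming request.

    A sign-in *response* from the IDP is a POST carrying wa=wsignin1.0 and a
    wresult body (the RequestSecurityTokenResponse with the SAML token).
    A plain GET of a protected page has neither, so the RP must *start*
    sign-in by redirecting to the IDP instead of trying to validate a token
    that is not there; treating every hit on the protected path as a
    sign-in response is what produced "Invalid action 'null'" in the log.
    """
    wa = params.get("wa")
    if method == "POST" and wa == WS_FED_SIGNIN and params.get("wresult"):
        return "process_signin_response"
    if wa == WS_FED_SIGNIN:
        # wa is present but no token came with it: fail, do not redirect again
        return "reject_malformed_response"
    return "start_signin"


def build_signin_url(issuer, wreply, wtrealm, now, extra=None):
    """Build the redirect that starts passive sign-in.

    wreply is the page the user originally asked for, so a deep link survives
    the round trip without any state in wctx; wtrealm identifies the RP.
    extra holds custom sign-in query parameters (pubId in the thread); values
    are URL-encoded here, so callers pass raw, unencoded strings.
    """
    query = {
        "wa": WS_FED_SIGNIN,
        "wreply": wreply,
        "wtrealm": wtrealm,
        # wct: request timestamp, UTC, millisecond precision
        "wct": now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
    }
    for key, value in (extra or {}).items():
        if key in RESERVED:
            raise ValueError(f"{key} is a protocol parameter, not a custom one")
        query[key] = value
    # quote (not quote_plus) gives the %3A / %2F form seen in the log
    return issuer + "?" + urlencode(query, quote_via=quote)


def demo_url():
    """The redirect the thread's log shows, rebuilt from its parts."""
    return build_signin_url(
        "https://mydev.alaska.gov/adfs/ls/",
        "https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska",
        "https://cssdappstst.state.ak.us:8443/newhirereporting/",
        datetime(2013, 6, 18, 18, 57, 19, 790000, tzinfo=timezone.utc),
        extra={"pubId": "enhr"},
    )


if __name__ == "__main__":
    # First hit on the deep link: plain GET, no wa -> start sign-in
    print(classify_request("GET", {}))
    print(demo_url())
    # The IDP's auto-submitted form POSTs the token back to wreply
    print(classify_request("POST", {"wa": WS_FED_SIGNIN, "wresult": "<t:RequestSecurityTokenResponse/>"}))
```

The redirect loop in the second trace is the first branch never being taken: the filter no longer matches /myAlaska, so the POST back from the IDP is treated like any other request and sign-in starts again. The fix is to match the sign-in response on its parameters (wa and wresult), not on the path alone.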


RE: FEDIZ Authentication problems

Posted by Oliver Wulff <ow...@talend.com>.
Hi Tom

In theory, you can set any query parameter in this callback handler, but I'd recommend avoiding the wctx parameter as its intended use is for the federation plugin on the relying party side. Even the IDP must ignore it and resend it as is with the signin response. In case the fediz plugin requires this plugin in the future you might have a migration issue. What is the reason to use the wctx?

It should be deployed now at maven snapshot.

Thanks
Oli


------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
Sent: 22 June 2013 19:23
To: users@cxf.apache.org
Subject: Re: FEDIZ Authentication problems

Hi Oliver,

I've been pulled to another project. It's going to be a few days before I can implement a callback to test your changes. Will I need one callback for pubid and a separate one for wctx, or will one callback handle both?

Also will the changes be in the snapshot from the apache snapshots repo or will I need to build from source? (I should probably grab the source anyway so I can see about adding some more debug logging in that patch you asked for.)

I'll let you know when I've created the patch or implemented and tested the callback.

Thanks so much,
Tom

Sent from my HTC One™ V

----- Reply message -----
From: "Oliver Wulff" <ow...@talend.com>
To: "users@cxf.apache.org" <us...@cxf.apache.org>
Subject: FEDIZ Authentication problems
Date: Fri, Jun 21, 2013 2:01 PM



Hi Tom

I've committed a fix for FEDIZ-62. You have two options (like for wauth). Either you configure a static string or a class name which implements callbackhandler and updates the SignInQueryCallback object. You can pass a Map<String,String> where the encoding of the values is handled by fediz.

See here a sample in the unit test:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/TestCallbackHandler.java?view=markup

WDYT?

________________________________________
From: Oliver Wulff [owulff@talend.com]
Sent: 21 June 2013 16:06
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

Hi Tom

I've raised the following JIRA to customize the sign in query string:
https://issues.apache.org/jira/browse/FEDIZ-62

I'll look into this within the next days.

Could you maybe raise a JIRA and apply a patch as a proposal for the extended logging?

Thanks
Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
Sent: 20 June 2013 20:22
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

The system I'm hooking into is an upgrade of an older system.
The older system passed a GUID in an HTTP header. (All web applications were behind a shared proxy.)
The GUID was then run through a web service to retrieve a matching user account.
There were other Web Services as well (That I'm personally not using that use the GUID.)
All of these web service locations have been changed, with minimal other interface changes,
And the actual implementations have changed as well.  It is my understanding (Not my systems)
that they went from a Solaris LDAP/Oracle backend to a Active Directory/SQL Server backend.
I've pasted the token below. It has one attribute MyAlaskaId, it's the value of that attribute
that I pass to a web service to actually get back a user object.  Unless that's how SAML responses are
designed to work and I still need to configure something.

They have supplied a .NET(C#) sample application. On our dev system I can even see it in action.
I decided to try dev sample application.  I snagged the URL out of my address bar when I saw it.
Then I split it apart to figure out what was different between the URL the sample application
generated and mine. That's when I came across the  "&wctx=...." bit.

The wctx for the .NET application is probably generated by this bit in the Sample applications Web.config
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" requireHttps="false"
                    issuer="https://mydev.alaska.gov/adfs/ls/" realm="[ TODO ]"
                    signInQueryString="pubid=[ TODO ]" />
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>


The "&pubid=" is a custom extension they've implemented. When I use it the login page says:
"'Website Name' has sent you here to sign in."

Honestly you probably know more about ADFS than I do. I'm just flailing about trying to get it to work.

Also if you don't like subclassing could you please add more logging to your classes.
It's the single biggest reason I was subclassing.

I think a callback could work. Or what about a system like the one the maven compiler plugin has, where
unknown xml options just get appended?
So for example

In the maven compiler plugin I can do
    <configuration>
      <compilerarguments>
        <foo>
          bash
        </foo>
      </compilerarguments>
    </configuration>

Then it just blindly passes -foo=bash to javac and hopes for the best.  (or that's what it looks like.)

With such a system for fediz
I could have:

    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:type="federationProtocolType" version="1.0.0">
      <!-- normal options here -->
        <!-- demarcation for Sign-In Only special arguments,
           wrap them, no special processing(except escaping?) -->
        <signInArguments>
          <pubId>myId</pubId>
        </signInArguments>
    </protocol>
And the redirect URL would end up with &pubId=myId appended,
or "&pubId=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1"); if escaping.

--- here is my SAML Response (is that the right term?) ---
<t:RequestSecurityTokenResponse
    xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:Lifetime>
    <wsu:Created
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      2013-06-18T21:25:30.147Z
    </wsu:Created>
    <wsu:Expires
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      2013-06-18T22:25:30.147Z
    </wsu:Expires>
  </t:Lifetime>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsa:Address>
        https://cssdappstst.state.ak.us:8443/newhirereporting/
      </wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1"
                    AssertionID="_517cee33-3b6b-40cc-82cd-a2e10ce61925"
                    Issuer="http://MYDEV.ALASKA.GOV/adfs/services/trust"
                    IssueInstant="2013-06-18T21:25:30.147Z"
                    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2013-06-18T21:25:30.147Z"
                       NotOnOrAfter="2013-06-18T22:25:30.147Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>
            https://cssdappstst.state.ak.us:8443/newhirereporting/
          </saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>
              urn:oasis:names:tc:SAML:1.0:cm:bearer
            </saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="MyAlaskaId"
                        AttributeNamespace="http://my.alaska.gov/claims">
          <saml:AttributeValue>
            0d0ad010-d27b-4b53-a8bc-ba85a704e083
          </saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AuthenticationStatement
          AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
          AuthenticationInstant="2013-06-18T20:06:58.819Z">
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>
              urn:oasis:names:tc:SAML:1.0:cm:bearer
            </saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod
              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod
              Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256">
          </ds:SignatureMethod>
          <ds:Reference URI="#_517cee33-3b6b-40cc-82cd-a2e10ce61925">
            <ds:Transforms>
              <ds:Transform
                  Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
              </ds:Transform>
              <ds:Transform
                  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#sha256">
            </ds:DigestMethod>
            <ds:DigestValue>
              RtzUZBhY6myvUAWpwGfXbRrqzLU5pydSxa8uq9TlGnM=
            </ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
                [Long Signature hash value was Here ]
        </ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
            <X509Certificate>
              [Certificate hash was here]
            </X509Certificate>
          </X509Data>
        </KeyInfo>
      </ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
  <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
  <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
  </t:RequestType>
  <t:KeyType>
    http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey
  </t:KeyType>
</t:RequestSecurityTokenResponse>


Thank you again,
Tom
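Before the MyAlaskaId attribute in a token like the one above can be trusted, the relying party has to check that the assertion was issued for it and is still valid: issuer, audience (which must equal the RP's wtrealm), the NotBefore/NotOnOrAfter window, and the bearer confirmation method. The Python below is an added example written for this thread, not Fediz code; SAMPLE_RSTR is constructed from the token Tom posted with the ds:Signature element removed. Verifying that signature against the IDP's certificate is a separate, mandatory step that Fediz performs from its configured trust store and that this example does not do; the expected audience, issuer and the clock are parameters, and the 60-second skew default is this example's own assumption.

```python
# Added example (not Fediz code): relying-party acceptance checks on a
# WS-Federation RequestSecurityTokenResponse carrying a SAML 1.1 bearer
# assertion.  SAMPLE_RSTR is constructed from the token posted in the thread
# with the ds:Signature element removed; XML signature verification is NOT
# done here and must precede these checks in a real RP.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"

SAMPLE_RSTR = """<t:RequestSecurityTokenResponse
    xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <t:Lifetime><wsu:Created>2013-06-18T21:25:30.147Z</wsu:Created><wsu:Expires>2013-06-18T22:25:30.147Z</wsu:Expires></t:Lifetime>
  <wsp:AppliesTo><wsa:EndpointReference><wsa:Address>https://cssdappstst.state.ak.us:8443/newhirereporting/</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_517cee33-3b6b-40cc-82cd-a2e10ce61925"
        Issuer="http://MYDEV.ALASKA.GOV/adfs/services/trust" IssueInstant="2013-06-18T21:25:30.147Z">
      <saml:Conditions NotBefore="2013-06-18T21:25:30.147Z" NotOnOrAfter="2013-06-18T22:25:30.147Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>
            https://cssdappstst.state.ak.us:8443/newhirereporting/
          </saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject>
        <saml:Attribute AttributeName="MyAlaskaId" AttributeNamespace="http://my.alaska.gov/claims">
          <saml:AttributeValue>0d0ad010-d27b-4b53-a8bc-ba85a704e083</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2013-06-18T20:06:58.819Z">
        <saml:Subject><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject>
      </saml:AuthenticationStatement>
      <!-- ds:Signature omitted in this constructed sample -->
    </saml:Assertion>
  </t:RequestedSecurityToken>
  <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
</t:RequestSecurityTokenResponse>"""


class TokenRejected(Exception):
    """Raised with the reason a token fails an acceptance check."""


def parse_instant(text):
    """Parse the UTC timestamps used in SAML 1.1 (with or without millis)."""
    text = text.strip()
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def validate_rstr(xml_text, expected_audience, expected_issuer, now, skew_seconds=60):
    """Return the assertion's attributes as {(namespace, name): [values]} if
    every check passes, otherwise raise TokenRejected."""
    root = ET.fromstring(xml_text)
    assertion = root.find("t:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        raise TokenRejected("no SAML 1.x assertion in RequestedSecurityToken")
    if assertion.get("Issuer") != expected_issuer:
        raise TokenRejected(f"unexpected issuer {assertion.get('Issuer')!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise TokenRejected("assertion has no Conditions")
    skew = timedelta(seconds=skew_seconds)
    if now + skew < parse_instant(cond.get("NotBefore")):
        raise TokenRejected("assertion not yet valid")
    if now - skew >= parse_instant(cond.get("NotOnOrAfter")):
        raise TokenRejected("assertion expired")
    # Audience must name this RP exactly (it is the wtrealm sent at sign-in)
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise TokenRejected(f"audience {audiences} does not include this RP")
    methods = {m.text.strip() for m in assertion.findall(".//saml:SubjectConfirmation/saml:ConfirmationMethod", NS)}
    if methods != {BEARER}:
        raise TokenRejected(f"unsupported confirmation method(s) {methods}")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = (attr.get("AttributeNamespace"), attr.get("AttributeName"))
        attrs[key] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def accepts(xml_text, expected_audience, expected_issuer, now):
    """True/False wrapper around validate_rstr for quick checks."""
    try:
        validate_rstr(xml_text, expected_audience, expected_issuer, now)
        return True
    except TokenRejected:
        return False
```

The attribute map is keyed by (namespace, name) because an RP that matches on the bare name would accept a same-named attribute from another claim namespace; the GUID lookup Tom describes should be keyed on ("http://my.alaska.gov/claims", "MyAlaskaId").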


-----Original Message-----
From: Oliver Wulff [mailto:owulff@talend.com]
Sent: Wednesday, June 19, 2013 10:36 PM
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

Hi Tom

>>>
I needed to mangle the redirect URL with more options than it looks like are available in the fediz_config file.
I basically had to add:
    redirectUrl += "&wctx="+ URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
                           + "%252Fnewhirereporting%252FmyAlaska" //double encoded /contextpath/page

 I also copied it to add
 redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID; pubId is a URL parameter to add a friendly message to the login page for the user.
>>>
I'm not a big fan of subclassing in general. Mostly it indicates that there is a missing extension point in the framework. Do you have to extend the redirect URL because of ADFS or because of your application? I could add a callback handler to fill the wctx or even extend the URL. The original request is cached by spring security thus you don't have to cache any request specific information in the redirect url. I would like to understand first what the use case is as this requirement never came up so far.

>>>
So now I do actually get a "SAML Token" but all it contains is a GUID.
I then have to call a SOAP web Service to actually convert that GUID into a real user object.
>>>
Is this by intention? ADFS is able to add user information from AD. Can you share the issued SAML token? One of the purposes of WS-Federation is to centralize (in the IDP/STS) the code to retrieve user information from all possible user directories and provide this information in a transparent way to the application instead of having to pull this information in each application individually.

Thanks
Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com
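Added example, not code from the thread or from Fediz, of the redirect construction Oli and Tom are discussing. It builds the wsignin1.0 URL with each value encoded exactly once per nesting level (the inner id=passive&ru=... query is encoded once, then the whole wctx once more, which is where the %252F in Tom's hand-written version comes from) and, on the way back, only accepts a return path that stays inside this web app, so a tampered wctx cannot turn the RP into an open redirect. The IDP URL, realm and the pubId value are assumptions; only the /newhirereporting context path and the myAlaska page come from the thread. As Oli notes, Spring Security's request cache already remembers the original request, so the ru value is only needed if the IDP side insists on it.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not Fediz or thread code): build the WS-Federation sign-in
 * redirect with every parameter encoded once per nesting level, and validate
 * the return path carried in wctx when the IDP posts it back.
 */
public final class SignInRedirect {

    // Assumed values; only the context path and page come from the thread.
    static final String IDP_URL      = "https://adfs.example.gov/adfs/ls/";
    static final String REALM        = "https://cssdappstst.state.ak.us:8443/newhirereporting/";
    static final String CONTEXT_PATH = "/newhirereporting";

    static String enc(String s) {
        try { return URLEncoder.encode(s, "UTF-8"); }
        catch (UnsupportedEncodingException e) { throw new IllegalStateException(e); }
    }

    static String dec(String s) {
        try { return URLDecoder.decode(s, "UTF-8"); }
        catch (UnsupportedEncodingException e) { throw new IllegalStateException(e); }
    }

    /** Only a path inside this web app is acceptable; anything else falls back to the app root. */
    static String safeReturnPath(String candidate) {
        if (candidate != null
                && candidate.startsWith(CONTEXT_PATH + "/")
                && !candidate.contains("..")
                && !candidate.contains("\\")
                && !candidate.contains("//")
                && candidate.matches("[\\x21-\\x7e]+")) {   // printable ASCII: no CR/LF, no spaces
            return candidate;
        }
        return CONTEXT_PATH + "/";
    }

    /** Inner query carried in wctx: ru is encoded once here, the whole wctx once more by the caller. */
    static String buildWctx(String returnPath) {
        return "id=passive&ru=" + enc(safeReturnPath(returnPath));
    }

    static String buildSignInUrl(String returnPath, String pubId) {
        StringBuilder url = new StringBuilder(IDP_URL)
            .append("?wa=wsignin1.0")
            .append("&wtrealm=").append(enc(REALM))
            .append("&wctx=").append(enc(buildWctx(returnPath)));
        if (pubId != null) {
            url.append("&pubId=").append(enc(pubId));
        }
        return url.toString();
    }

    static Map<String, String> parseQuery(String query) {
        Map<String, String> params = new LinkedHashMap<String, String>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(dec(k), dec(v));
        }
        return params;
    }

    /** wctx arrives already decoded once by the servlet container; decode the inner query here. */
    static String returnPathFromWctx(String wctx) {
        return safeReturnPath(parseQuery(wctx).get("ru"));
    }

    public static void main(String[] args) {
        String url = buildSignInUrl("/newhirereporting/myAlaska", "NHR");
        System.out.println(url);

        // Simulate the round trip: the container hands wctx back decoded once.
        String wctx = parseQuery(url.substring(url.indexOf('?') + 1)).get("wctx");
        System.out.println("wctx as received: " + wctx);
        System.out.println("return path:      " + returnPathFromWctx(wctx));

        // A tampered wctx pointing off-site falls back to the app root.
        System.out.println("tampered:         "
            + returnPathFromWctx("id=passive&ru=" + enc("https://evil.example/")));
    }
}
```

The validation in safeReturnPath is the part worth keeping even if the URL building moves into a Fediz callback: wctx is round-tripped through the browser and the IDP, so it must be treated as untrusted input when the sign-in response comes back.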

________________________________________
From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
Sent: 20 June 2013 03:09
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

Turns out I had mis-read an important piece of the document.
I had put my cxf.xml in src/main/webapp/WEB-INF/ next to my web.xml instead of in src/main/resources/

moving it to the appropriate directory cleared up my certificate issue.

Tom

-----Original Message-----
From: Burton, Tom F (DOR) [mailto:tom.burton@alaska.gov]
Sent: Wednesday, June 19, 2013 3:40 PM
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

I just tried

 - name=".*"
 - name="https://.*.state.ak.us:444/.*"
 - name="https://mydev-svc.state.ak.us:444/.*"

I got the same error for all three.

Tom

-----Original Message-----
From: Daniel Kulp [mailto:dkulp@apache.org]
Sent: Wednesday, June 19, 2013 2:59 PM
To: users@cxf.apache.org
Cc: owulff@talend.com
Subject: Re: FEDIZ Authentication problems


Change the conduit name to something like:

name="https://mydev-svc.state.ak.us:444/.*"

Using the service name can only apply those settings after the service is created and the name and namespace and such are known.  To have it apply for wsdl loading as well, use a URL format (and the .* at the end for the regex expansion).

Dan
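Added example, not code from the thread, CXF or Fediz, of the consequence of Dan's point: the WSDL is fetched before any service-name conduit can match, so the simplest fix is not to fetch it over HTTPS at runtime at all. The snippet builds the JAX-WS service from a WSDL bundled on the classpath, then applies TLS settings to the actual HTTPConduit in code and checks that they took effect, which answers the "is the conduit wrapping even happening?" question below without guessing at conduit names. It also points the trust store at a dedicated JKS holding only the CA chain for the SOAP endpoint rather than at the STS keystore, which contains private keys. The generated class names (MyAlaskaService_Service, MyAlaskaService, the port getter), the service QName, the WSDL resource name and the trust-store resource name are assumptions based on the stack trace and conduit name in the thread.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.namespace.QName;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/**
 * Added example (not project code): JAX-WS client with a bundled WSDL and
 * TLS parameters applied programmatically to the CXF HTTPConduit.
 */
public final class MyAlaskaClientTls {

    // Assumed: service QName taken from the namespace in the thread's conduit name.
    static final QName SERVICE_NAME =
        new QName("http://myalaska.state.ak.us/wsdl/MyAlaskaService", "MyAlaskaService");

    /** Dedicated trust store: CA chain for the SOAP endpoint only, no private keys. */
    static KeyStore loadTrustStore(String resource, char[] password) throws Exception {
        InputStream in = MyAlaskaClientTls.class.getClassLoader().getResourceAsStream(resource);
        if (in == null) {
            throw new IllegalStateException("trust store not on classpath: " + resource);
        }
        try {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password);
            return ks;
        } finally {
            in.close();
        }
    }

    static TLSClientParameters tlsParams(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(tmf.getTrustManagers());
        tls.setDisableCNCheck(false);              // keep hostname verification on
        tls.setSecureSocketProtocol("TLSv1.2");    // Java 7+; drop for older runtimes

        // Strong suites only: no export, DES, NULL or anonymous DH.
        FiltersType ciphers = new FiltersType();
        ciphers.getInclude().add(".*_WITH_AES_.*");
        ciphers.getExclude().add(".*_EXPORT.*");
        ciphers.getExclude().add(".*_WITH_NULL_.*");
        ciphers.getExclude().add(".*_anon_.*");
        tls.setCipherSuitesFilter(ciphers);
        return tls;
    }

    /** Builds the port from a classpath WSDL, so no HTTPS fetch happens at construction time. */
    public static MyAlaskaService buildPort(String trustStoreResource, char[] password)
            throws Exception {
        URL wsdl = MyAlaskaClientTls.class.getResource("/wsdl/MyAlaskaService.wsdl"); // assumed path
        if (wsdl == null) {
            throw new IllegalStateException("bundled WSDL missing");
        }
        MyAlaskaService_Service svc = new MyAlaskaService_Service(wsdl, SERVICE_NAME);
        MyAlaskaService port = svc.getWSHttpBindingMyAlaskaService();    // assumed getter name

        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tlsParams(loadTrustStore(trustStoreResource, password)));

        // Verify the wrapping actually happened instead of assuming it.
        if (conduit.getTlsClientParameters() == null) {
            throw new IllegalStateException("TLS parameters not applied to " + conduit.getAddress());
        }
        return port;
    }
}
```

If the WSDL must stay remote, Dan's URL-pattern conduit name is the only way to cover the WSDL fetch, and the PKIX error then means the trust store named in that conduit does not contain the issuing CA of mydev-svc.state.ak.us; importing the chain into a separate trust store with keytool -importcert and pointing trustManagers at it is the fix, not widening the cipher list.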



On Jun 19, 2013, at 6:49 PM, "Burton, Tom F (DOR)" <to...@alaska.gov> wrote:

> I've actually made it past these issues. :) but now I have new ones :(
>
> The initial class I was talking about sub-classing was:
> FederationAuthenticationFilter
>
> The "additional Authentication checks" were in my subclass.
>
> The java code looked like so:
>
>     @Override
>     protected boolean requiresAuthentication(HttpServletRequest request,
>                                              HttpServletResponse response)
>     {
>       boolean required = false;
>       //should this be equals or some fancy ** matching type stuff?
>       String path = request.getServletPath();
>       required = path.contains(getFilterProcessesUrl());
>
>       //getRequestURI().contains(getFilterProcessesUrl());
>
>       //TODO: look up an "easy" way to read the spring config
>       //PageMapHolder manually parses the Spring xml files on deploy
>
>       if ( !required ) { required = PageMapHolder.getPages().containsKey(path); }
>
>       if ( log.isDebugEnabled() )
>       {
>         log.debug( "Compared: path=" + request.getServletPath()
>                  + ", and " + getFilterProcessesUrl() );
>         log.debug("ServletPath Authentication: " + required);
>       }
>       if (!required)
>       { required = super.requiresAuthentication(request, response); }
>       return required;
>     }
>
> They have been disabled.
>
> The solution ended up requiring me to copy the implementation of
> FederationAuthenticationEntryPoint,
> as MyAlaskaEntryPoint. I needed to mangle the redirect URL with more
> options than it looks like are available in the fediz_config file.
> I basically had to add:
>
>    redirectUrl += "&wctx="+ URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
>                           + "%252Fnewhirereporting%252FmyAlaska"
> //double encoded /contextpath/page
>
>
> I also copied it to add
> redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID;
>
> pubId is a URL parameter to add a friendly message to the login page for the user.
>
> So now I do actually get a "SAML Token" but all it contains is a GUID.
> I then have to call a SOAP web Service to actually convert that GUID into a real user object.
>
>
> MyAlaskaAuthProvider is a subclass of FederationAuthenticationProvider
>
> It overrides #authenticate to add some logging before calling super.
> It overrides #loadUserByFederationResponse to find the myAkUsername
> BEFORE calling super.
>
> The current Error I'm getting is a certificate error while trying to access the GUID based web service.
>
> So in doing some research I found this:
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support
> .html#ClientHTTPTransport%28includingSSLsupport%29-Howtooverridetheser
> viceaddress%3F
>
> I've followed the page and created a cxf.xml I've added it as another
> file to be parsed as part of my Spring Config.
>
> cxf.xml has an http:conduit like so:
>
>  <http:conduit
>    name="{http://cxf.apache.org/}TransportURIResolver.http-conduit">
> <!-- magic value for https -->
>
> <!--name="{http://myalaska.state.ak.us/wsdl/MyAlaskaService}WSHttpBind
> ing_MyAlaskaService.http-conduit">-->
>
>    <!-- duplicates values from <certificateStores> in Fediz config -->
>    <http:tlsClientParameters>
>      <sec:keyManagers keyPassword="password">
>        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>      </sec:keyManagers>
>      <sec:trustManagers>
>        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>      </sec:trustManagers>
>      <sec:cipherSuitesFilter>
>        <!-- allow AES suites only; export-grade, DES and NULL suites give
>             no real confidentiality, and anonymous Diffie-Hellman key
>             exchange is excluded as it is vulnerable to
>             man-in-the-middle attacks -->
>        <sec:include>.*_WITH_AES_.*</sec:include>
>        <sec:exclude>.*_EXPORT.*</sec:exclude>
>        <sec:exclude>.*_WITH_DES_.*</sec:exclude>
>        <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
>        <sec:exclude>.*_DH_anon_.*</sec:exclude>
>      </sec:cipherSuitesFilter>
>    </http:tlsClientParameters>
>    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
> </http:conduit>
>
> However when I try and actually create an instance of my soap service, I get a stack trace in my log file.  Pasted in full below.
> To me the interesting bit is probably:
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing
> 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl
> '.: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
> So am I defining my conduit name right? How can I tell if the conduit wrapping is even happening?
>
>
> Thank you again,
> Tom Burton
>
>
>
> --------------- Full Stack Trace -------------
>
> 06-19@14:27:45 ERROR [] tionAuthenticationProvider - Failed to
> validate SignIn request
> javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:149)
>        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> Caused by: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:100)
>        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        ... 33 more
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>        at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
>        at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>        at sun.security.validator.Validator.validate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>        ... 60 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>        at java.security.cert.CertPathBuilder.build(Unknown Source)
>        ... 66 more
>
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        ... 35 more
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Updated
> SecurityContextHolder to contain null Authentication
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Delegating to
> authentication failure handler
> org.springframework.security.web.authentication.SimpleUrlAuthenticatio
> nFailureHandler@8c9de8
> 06-19@14:27:45 DEBUG [] thenticationFailureHandler - No failure URL
> set, sending 401 Unauthorized error
> 06-19@14:27:45 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-19@14:27:45 DEBUG [] tyContextPersistenceFilter -
> SecurityContextHolder now cleared, as request processing completed
>
>
> -----Original Message-----
> From: Oliver Wulff [mailto:owulff@talend.com]
> Sent: Tuesday, June 18, 2013 11:11 PM
> To: users@cxf.apache.org
> Subject: RE: FEDIZ Authentication problems
>
> Hi Tom
>
>>>>
> If I subclass ``  to authenticate on my desired URL path `myAlaska`
>>>>
> Which class do you want to subclass?
>
>>>>
> MyAlaskaAuthProvider
>>>>
> What kind of AuthProvider is this?
>
>>>>
> If  I remove the additional Authentication checks so it only checks on
> /j_spring_fediz_security_check
>>>>
> Can you point me in your configuration what you mean?
>
>>>>
> The first error tells me there was a problem with the sign In request-response, it's a straight up  hit to /myAlaska without the ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a POST.
>>>>
> This is kind of strange. Did you really get redirected to the IDP? Could you share the browser traffic (httpfox, findbugs, etc).
>
>>>>
> The second error is a redirect loop that /myAlaska  -> redirects to the IDP -> redirects back to myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / ->redirect to IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set like wa=wsignin1.0 and seeing as its not finding that information It errors, assumes I'm not logged in and redirects me to my IDPs Sign-In Page.
>>>>
> This is per WS-Federation spec. The SAML assertion is sent in the wresult parameter. Fediz works with ADFS but keep in mind that ADFS uses an older WS-Trust and SAML 1.1 assertion which is supported by Fediz as well.
>
>
>>>>
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML Token.  I want to treat ALL accounts from ADFS with the same role.
> Is using  ' access="isFullyAuthenticated()"  ' appropriate for my use case?
>>>>
> The following definition requires that you're authenticated (without the requirement for any roles):
> <sec:intercept-url pattern="/secure/fedservlet"
> access="isAuthenticated()"/>
>
> There is an example available for spring security. Here is the spring security documentation of it:
> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springWebapp/src
> /main/webapp/WEB-INF/applicationContext-security.xml?view=markup
>
> HTH
>
> Oli
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com
>
> ________________________________________
> From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
> Sent: 18 June 2013 21:15
> To: users@cxf.apache.org
> Subject: FEDIZ Authentication problems
>
> I'm trying to setup FEDIZ-1.1-SNAPSHOT with FEDIZ-1.1-SPRING-SNAPSHOT as an RP to an existing .NET ADFS IDP.
>
> If I subclass ``  to authenticate on my desired URL path `myAlaska` I end up with the following log entries when I try to log in:
>
> 06-18@09:56:56 INFO  [] Spring Security Debugger   -
>
> ************************************************************
>
> Request received for '/myAlaska':
>
> org.apache.catalina.connector.RequestFacade@a2f68b
>
> servletPath:/myAlaska
> pathInfo:null
>
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
>
>
> ************************************************************
>
>
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No HttpSession
> currently exists
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Compared:
> path=/myAlaska, and /j_spring_fediz_security_check
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - ServletPath
> Authentication: true
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Request is to
> process authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - begin parameter logging.
> wa:       null
> wresult:  null
> full URL: https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> Method:   GET
> 06-18@09:56:56 DEBUG [] ProviderManager            - Authentication attempt using us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - Authenticating: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1dacb29: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 146.63.181.15; SessionId: null; Not granted any authorities
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - request: WA: null Wct: null Result: null Cert Count: 0
> 06-18@09:56:56 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
> 06-18@09:56:56 ERROR [] FederationProcessorImpl    - Invalid action 'null'
> 06-18@09:56:56 ERROR [] tionAuthenticationProvider - Failed to
> validate SignIn request
> org.apache.cxf.fediz.core.exception.ProcessingException: The request was invalid or malformed
>        at org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:93)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:121)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:30)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication
> request failed:
> org.springframework.security.authentication.BadCredentialsException:
> The request was invalid or malformed
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated
> SecurityContextHolder to contain null Authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to
> authentication failure handler
> org.springframework.security.web.authentication.SimpleUrlAuthenticatio
> nFailureHandler@1508a8b
> 06-18@09:56:56 DEBUG [] thenticationFailureHandler - No failure URL
> set, sending 401 Unauthorized error
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-18@09:56:56 DEBUG [] tyContextPersistenceFilter -
> SecurityContextHolder now cleared, as request processing completed
>
> If  I remove the additional Authentication checks so it only checks on /j_spring_fediz_security_check I get the following error instead:
>
> 06-18@10:57:19 INFO  [] Spring Security Debugger   -
>
> ************************************************************
>
> Request received for '/myAlaska':
>
> org.apache.catalina.connector.RequestFacade@1cdedd4
>
> servletPath:/myAlaska
> pathInfo:null
>
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
>
>
> ************************************************************
>
>
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - HttpSession
> returned null object for SPRING_SECURITY_CONTEXT
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be created.
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication = false
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - pathInfo: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - queryString: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURI: arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverPort: arg1=8443; arg2=8443 (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURL: arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska; arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - scheme: arg1=https; arg2=https (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverName: arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - contextPath: arg1=/newhirereporting; arg2=/newhirereporting (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - servletPath: arg1=/myAlaska; arg2=/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - Removing DefaultSavedRequest from session if present
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] nymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/myalaska'
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()]
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS
> 06-18@10:57:19 DEBUG [] AffirmativeBased           - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@200930, returned: -1
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
> org.springframework.security.access.AccessDeniedException: Access is denied
>        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
>        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - DefaultSavedRequest added to Session: DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska]
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication entry point.
> 06-18@10:57:19 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
> 06-18@10:57:19 DEBUG [] MyAlaskaEntryPoint         - Federation context: org.apache.cxf.fediz.core.config.FederationContext@a302f2
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Issuer url: https://mydev.alaska.gov/adfs/ls/
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - WAuth:
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - HomeRealm: null
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Freshness: null
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/
> 06-18@10:57:19 INFO  [] MyAlaskaEntryPoint         - Redirecting to IDP: https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&pubId=enhr
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-18@10:57:19 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
>
> The first error tells me there was a problem with the sign-in request-response: it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 or any other parameters. It's also a GET request and NOT a POST.
>
> The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to /myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set, like wa=wsignin1.0, and seeing as it's not finding that information it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
>
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML token. I want to treat ALL accounts from ADFS with the same role.
> Is using 'access="isFullyAuthenticated()"' appropriate for my use case?
>
> Thank you for any help,
> Tom Burton
>
> Confidentiality Notice:  This e-mail message including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

--
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog Talend Community Coder - http://coders.talend.com
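The GET-versus-POST distinction and the wreply/wctx redirect that Tom's quoted message works through, as an added example that is not part of this thread and not Fediz code: the IDP URL, the RP host, the j_spring_fediz_security_check path and the pubId value come from the logged redirect above, while handle_request, build_signin_url, parse_signin_url and the protected_paths set are the example's own assumptions.

```python
"""WS-Federation passive sign-in at the relying party (added example, not Fediz code).

Models the two request shapes discussed in the thread:
  * a plain GET to a protected page (no wa / wresult) must be answered with a
    redirect to the IDP carrying wa=wsignin1.0, wreply and wtrealm, and
  * only a POST with wa=wsignin1.0 and a wresult body is a sign-in response,
    and it is processed only on the filter's processing URL.
Hosts, paths and the 'enhr' pubId value are taken from the logged redirect in
the thread; everything else is constructed for the example.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

WA_SIGNIN = "wsignin1.0"
PROCESSING_URL = "/j_spring_fediz_security_check"  # Fediz's check path from the log


def build_signin_url(issuer, wtrealm, wreply, wct, wctx=None, extra=None):
    """Build the IDP redirect.  `extra` plays the role of the Map<String,String>
    from FEDIZ-62 (e.g. {"pubId": "enhr"}); urlencode encodes every value exactly
    once, so callers pass raw values, never pre-encoded ones."""
    params = [("wa", WA_SIGNIN), ("wreply", wreply), ("wtrealm", wtrealm), ("wct", wct)]
    if wctx is not None:
        params.append(("wctx", wctx))
    params.extend((extra or {}).items())
    return issuer + ("&" if "?" in issuer else "?") + urlencode(params)


def parse_signin_url(url):
    """Decode a redirect back into single values (inverse of build_signin_url)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handle_request(method, path, params, authenticated, protected_paths,
                   rp_base, issuer, wct, extra=None):
    """Decide what the RP does with one request.

    Returns an (action, detail) tuple:
      ("process-wresult", wctx)  sign-in response POSTed to the processing URL
      ("error", reason)          sign-in response sent elsewhere, or a hit on the
                                 processing URL that carries no wa/wresult
      ("redirect", url)          unauthenticated hit on a protected page
      ("serve", path)            anything else
    """
    is_response = (method.upper() == "POST"
                   and params.get("wa") == WA_SIGNIN
                   and "wresult" in params)
    if path == PROCESSING_URL:
        if not is_response:
            # The 401 in the first log: the filter decided to "process
            # authentication" although wa and wresult were both null.
            return ("error", "no wa=wsignin1.0/wresult on " + PROCESSING_URL)
        return ("process-wresult", params.get("wctx"))
    if is_response:
        return ("error", "sign-in response must be POSTed to " + PROCESSING_URL)
    if path in protected_paths and not authenticated:
        # wreply points at the processing URL, not at the page itself: with
        # wreply=/myAlaska the IDP's answer lands on a page the filter never
        # processes, which matches the loop in the second log.  The page the
        # user asked for travels in wctx (Spring's saved-request cache that
        # Oliver mentions is the alternative).
        url = build_signin_url(issuer, rp_base + "/", rp_base + PROCESSING_URL,
                               wct, wctx=path, extra=extra)
        return ("redirect", url)
    return ("serve", path)


if __name__ == "__main__":
    rp = "https://cssdappstst.state.ak.us:8443/newhirereporting"
    print(handle_request("GET", "/myAlaska", {}, False, {"/myAlaska"}, rp,
                         "https://mydev.alaska.gov/adfs/ls/",
                         "2013-06-18T18:57:19.790Z", {"pubId": "enhr"}))
```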

Re: FEDIZ Authentication problems

Posted by "Burton, Tom F (DOR)" <to...@alaska.gov>.
Hi Oliver,

I've been pulled to another project. It's going to be a few days before I can implement a callback to test your changes. Will I need one callback for pubid and a separate one for wctx, or will one callback handle both?

Also will the changes be in the snapshot from the apache snapshots repo or will I need to build from source? (I should probably grab the source anyway so I can see about adding some more debug logging in that patch you asked for.)

I'll let you know when I've created the patch or implemented and tested the callback.

Thanks so much,
Tom

Sent from my HTC One™ V

----- Reply message -----
From: "Oliver Wulff" <ow...@talend.com>
To: "users@cxf.apache.org" <us...@cxf.apache.org>
Subject: FEDIZ Authentication problems
Date: Fri, Jun 21, 2013 2:01 PM



Hi Tom

I've committed a fix for FEDIZ-62. You have two options (like for wauth). Either you configure a static string or a class name which implements callbackhandler and updates the SignInQueryCallback object. You can pass a Map<String,String> where the encoding of the values is handled by fediz.

See here a sample in the unit test:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/TestCallbackHandler.java?view=markup

WDYT?

________________________________________
From: Oliver Wulff [owulff@talend.com]
Sent: 21 June 2013 16:06
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

Hi Tom

I've raised the following JIRA to customize the sign in query string:
https://issues.apache.org/jira/browse/FEDIZ-62

I'll look into this within the next days.

Could you maybe raise a JIRA and apply a patch as a proposal for the extended logging?

Thanks
Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
Sent: 20 June 2013 20:22
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

The system I'm hooking into is an upgrade of an older system.
The older system passed a GUID in an HTTP header. (All web applications were behind a shared proxy.)
The GUID was then run through a web service to retrieve a matching user account.
There were other web services as well (that I'm personally not using) that use the GUID.
All of these web service locations have been changed, with minimal other interface changes,
and the actual implementations have changed as well. It is my understanding (not my systems)
that they went from a Solaris LDAP/Oracle backend to an Active Directory/SQL Server backend.
I've pasted the token below. It has one attribute MyAlaskaId, it's the value of that attribute
that I pass to a web service to actually get back a user object.  Unless that's how SAML responses are
designed to work and I still need to configure something.

They have supplied a .NET(C#) sample application. On our dev system I can even see it in action.
I decided to try dev sample application.  I snagged the URL out of my address bar when I saw it.
Then I split it apart to figure out what was different between the URL the sample application
generated and mine. That's when I came across the  "&wctx=...." bit.

The wctx for the .NET application is probably generated by this bit in the sample application's Web.config:
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" requireHttps="false"
                    issuer="https://mydev.alaska.gov/adfs/ls/" realm="[ TODO ]"
                    signInQueryString="pubid=[ TODO ]" />
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>


The "&pubid=" is a custom extension they've implemented. When I use it the login page says:
"'Website Name' has sent you here to sign in."

Honestly you probably know more about ADFS than I do. I'm just flailing about trying to get it to work.

Also if you don't like subclassing could you please add more logging to your classes.
It's the single biggest reason I was subclassing.

I think a callback could work. Or what about a system like the maven compiler plugin has,
where unknown xml options just get appended?
So for example

In the maven compiler plugin I can do
    <configuration>
      <compilerarguments>
        <foo>
          bash
        </foo>
      </compilerarguments>
    </configuration>

Then it just blindly passes -foo=bash to javac and hopes for the best.  (or that's what it looks like.)

With such a system for fediz
I could have:

    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:type="federationProtocolType" version="1.0.0">
      <!-- normal options here -->
        <!-- demarcation for Sign-In Only special arguments,
           wrap them, no special processing(except escaping?) -->
        <signInArguments>
          <pubId>myId</pubId>
        </signInArguments>
    </protocol>
And the redirect URL would end up with &pubId=myId appended,
or "&pubId=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1") if escaping.

--- here is my SAML Response (is that the right term?) ---
<t:RequestSecurityTokenResponse
    xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:Lifetime>
    <wsu:Created
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      2013-06-18T21:25:30.147Z
    </wsu:Created>
    <wsu:Expires
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      2013-06-18T22:25:30.147Z
    </wsu:Expires>
  </t:Lifetime>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsa:Address>
        https://cssdappstst.state.ak.us:8443/newhirereporting/
      </wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1"
                    AssertionID="_517cee33-3b6b-40cc-82cd-a2e10ce61925"
                    Issuer="http://MYDEV.ALASKA.GOV/adfs/services/trust"
                    IssueInstant="2013-06-18T21:25:30.147Z"
                    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2013-06-18T21:25:30.147Z"
                       NotOnOrAfter="2013-06-18T22:25:30.147Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>
            https://cssdappstst.state.ak.us:8443/newhirereporting/
          </saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>
              urn:oasis:names:tc:SAML:1.0:cm:bearer
            </saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="MyAlaskaId"
                        AttributeNamespace="http://my.alaska.gov/claims">
          <saml:AttributeValue>
            0d0ad010-d27b-4b53-a8bc-ba85a704e083
          </saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AuthenticationStatement
          AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
          AuthenticationInstant="2013-06-18T20:06:58.819Z">
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>
              urn:oasis:names:tc:SAML:1.0:cm:bearer
            </saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod
              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod
              Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256">
          </ds:SignatureMethod>
          <ds:Reference URI="#_517cee33-3b6b-40cc-82cd-a2e10ce61925">
            <ds:Transforms>
              <ds:Transform
                  Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
              </ds:Transform>
              <ds:Transform
                  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#sha256">
            </ds:DigestMethod>
            <ds:DigestValue>
              RtzUZBhY6myvUAWpwGfXbRrqzLU5pydSxa8uq9TlGnM=
            </ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
                [Long Signature hash value was Here ]
        </ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
            <X509Certificate>
              [Certificate hash was here]
            </X509Certificate>
          </X509Data>
        </KeyInfo>
      </ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
  <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
  <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
  </t:RequestType>
  <t:KeyType>
    http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey
  </t:KeyType>
</t:RequestSecurityTokenResponse>


Thank you again,
Tom


-----Original Message-----
From: Oliver Wulff [mailto:owulff@talend.com]
Sent: Wednesday, June 19, 2013 10:36 PM
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

Hi Tom

>>>
I needed to mangle the redirect URL with more options than it looks like are available in the fediz_config file.
I basically had to add:
    redirectUrl += "&wctx=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
                            + "%252Fnewhirereporting%252FmyAlaska"; // double encoded /contextpath/page

I also copied it to add
    redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID;
pubId is a URL parameter to add a friendly message to the login page for the user.
>>>
I'm not a big fan of subclassing in general. Mostly it indicates that there is a missing extension point in the framework. Do you have to extend the redirect URL because of ADFS or because of your application? I could add a callback handler to fill the wctx or even extend the URL. The original request is cached by spring security thus you don't have to cache any request specific information in the redirect url. I would like to understand first what the use case is as this requirement never came up so far.

>>>
So now I do actually get a "SAML Token" but all it contains is a GUID.
I then have to call a SOAP web Service to actually convert that GUID into a real user object.
>>>
Is this by intention? ADFS is able to add user information from AD. Can you share the issued SAML token? One of the purposes of WS-Federation is to centralize (in the IDP/STS) the code to retrieve user information from all possible user directories and provide this information in a transparent way to the application instead of having to pull this information in each application individually.

Thanks
Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
Sent: 20 June 2013 03:09
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

Turns out I had mis-read an important piece of the document.
I had put my cxf.xml in src/main/webapp/WEB-INF/ next to my web.xml instead of in src/main/resources/

Moving it to the appropriate directory cleared up my certificate issue.

Tom

-----Original Message-----
From: Burton, Tom F (DOR) [mailto:tom.burton@alaska.gov]
Sent: Wednesday, June 19, 2013 3:40 PM
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

I just tried

 - name=".*"
 - name="https://.*.state.ak.us:444/.*"
 - name="https://mydev-svc.state.ak.us:444/.*"

I got the same error for all three.

Tom

-----Original Message-----
From: Daniel Kulp [mailto:dkulp@apache.org]
Sent: Wednesday, June 19, 2013 2:59 PM
To: users@cxf.apache.org
Cc: owulff@talend.com
Subject: Re: FEDIZ Authentication problems


Change the conduit name to something like:

name="https://mydev-svc.state.ak.us:444/.*"

Using the service name can only apply those settings after the service is created and the name and namespace and such are known.  To have it apply for wsdl loading as well, use a URL format (and the .* at the end for the regex expansion).

Dan



On Jun 19, 2013, at 6:49 PM, "Burton, Tom F (DOR)" <to...@alaska.gov> wrote:

> I've actually made it past these issues. :) but now I have new ones :(
>
> The initial class I was talking about sub-classing was:
> FederationAuthenticationFilter
>
> The "additional Authentication checks" were in my subclass.
>
> The java code looked like so:
>
>     boolean required = false;
>     // should this be equals or some fancy ** matching type stuff?
>     String path = request.getServletPath();
>     required = path.contains(getFilterProcessesUrl());
>     // alternative tried: request.getRequestURI().contains(getFilterProcessesUrl());
>
>     // TODO: look up an "easy" way to read the spring config
>     // PageMapHolder manually parses the Spring xml files on deploy
>     if (!required) {
>         required = PageMapHolder.getPages().containsKey(path);
>     }
>
>     if (log.isDebugEnabled()) {
>         log.debug("Compared: path=" + request.getServletPath()
>                   + ", and " + getFilterProcessesUrl());
>         log.debug("ServletPath Authentication: " + required);
>     }
>     if (!required) {
>         required = super.requiresAuthentication(request, response);
>     }
>     return required;
>
> They have been disabled.
>
> The solution ended up requiring me to copy the implementation of
> FederationAuthenticationEntryPoint,
> as MyAlaskaEntryPoint. I needed to mangle the redirect URL with more
> options than it looks like are available in the fediz_config file.
> I basically had to add:
>
>    redirectUrl += "&wctx=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
>                            + "%252Fnewhirereporting%252FmyAlaska"; // double encoded /contextpath/page
>
>
> I also copied it to add
> redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID;
>
> pubId is a URL parameter to add a friendly message to the login page for the user.
>
> So now I do actually get a "SAML Token" but all it contains is a GUID.
> I then have to call a SOAP web Service to actually convert that GUID into a real user object.
>
>
> MyAlaskaAuthProvider is a subclass of FederationAuthenticationProvider
>
> It overrides #authenticate to add some logging before calling super. It
> overrides #loadUserByFederationResponse to find the myAkUsername
> BEFORE calling super.
>
> The current Error I'm getting is a certificate error while trying to access the GUID based web service.
>
> So in doing some research I found this:
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-Howtooverridetheserviceaddress%3F
>
> I've followed the page and created a cxf.xml I've added it as another
> file to be parsed as part of my Spring Config.
>
> cxf.xml has an http:conduit like so:
>
>  <http:conduit
>    name="{http://cxf.apache.org/}TransportURIResolver.http-conduit">
>    <!-- magic value for https -->
>    <!--name="{http://myalaska.state.ak.us/wsdl/MyAlaskaService}WSHttpBinding_MyAlaskaService.http-conduit">-->
>
>    <!-- duplicates values from <certificateStores> in Fediz config -->
>    <http:tlsClientParameters>
>      <sec:keyManagers keyPassword="password">
>        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>      </sec:keyManagers>
>      <sec:trustManagers>
>        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>      </sec:trustManagers>
>      <sec:cipherSuitesFilter>
>        <!-- these filters ensure that a ciphersuite with
>             export-suitable or null encryption is used,
>             but exclude anonymous Diffie-Hellman key change as
>             this is vulnerable to man-in-the-middle attacks -->
>        <sec:include>.*_EXPORT_.*</sec:include>
>        <sec:include>.*_EXPORT1024_.*</sec:include>
>        <sec:include>.*_WITH_DES_.*</sec:include>
>        <sec:include>.*_WITH_AES_.*</sec:include>
>        <sec:include>.*_WITH_NULL_.*</sec:include>
>        <sec:exclude>.*_DH_anon_.*</sec:exclude>
>      </sec:cipherSuitesFilter>
>    </http:tlsClientParameters>
>    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
> </http:conduit>
>
> However when I try and actually create an instance of my soap service, I get a stack trace in my log file.  Pasted in full below.
> To me the interesting bit is probably:
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> So am I defining my conduit name right? How can I tell if the conduit wrapping is even happening?
>
>
> Thank you again,
> Tom Burton
>
>
>
> --------------- Full Stack Trace -------------
>
> 06-19@14:27:45 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request
> javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:149)
>        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> Caused by: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:100)
>        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        ... 33 more
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>        at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
>        at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>        at sun.security.validator.Validator.validate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>        ... 60 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>        at java.security.cert.CertPathBuilder.build(Unknown Source)
>        ... 66 more
>
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        ... 35 more
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@8c9de8
> 06-19@14:27:45 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
> 06-19@14:27:45 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-19@14:27:45 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
>
>
> -----Original Message-----
> From: Oliver Wulff [mailto:owulff@talend.com]
> Sent: Tuesday, June 18, 2013 11:11 PM
> To: users@cxf.apache.org
> Subject: RE: FEDIZ Authentication problems
>
> Hi Tom
>
>>>>
> If I subclass ``  to authenticate on my desired URL path `myAlaska`
>>>>
> Which class do you want to subclass?
>
>>>>
> MyAlaskaAuthProvider
>>>>
> What kind of AuthProvider is this?
>
>>>>
> If  I remove the additional Authentication checks so it only checks on
> /j_spring_fediz_security_check
>>>>
> Can you point me in your configuration what you mean?
>
>>>>
> The first error tells me there was a problem with the sign-in request-response: it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 or any other parameters. It's also a GET request and NOT a POST.
>>>>
> This is kind of strange. Did you really get redirected to the IDP? Could you share the browser traffic (httpfox, findbugs, etc).
>
>>>>
> The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to /myAlaska -> redirects back to the IDP ...
> In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set, like wa=wsignin1.0, and seeing as it's not finding that information it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
>>>>
> This is per WS-Federation spec. The SAML assertion is sent in the wresult parameter. Fediz works with ADFS but keep in mind that ADFS uses an older WS-Trust and SAML 1.1 assertion which is supported by Fediz as well.
>
>
>>>>
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML Token. I want to treat ALL accounts from ADFS with the same role.
> Is using ' access="isFullyAuthenticated()" ' appropriate for my use case?
>>>>
> The following definition requires that you're authenticated (without the requirement for any roles):
> <sec:intercept-url pattern="/secure/fedservlet" access="isAuthenticated()"/>
>
> There is an example available for spring security. Here is the spring security documentation of it:
> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml?view=markup
>
> HTH
>
> Oli
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com
>
> ________________________________________
> From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
> Sent: 18 June 2013 21:15
> To: users@cxf.apache.org
> Subject: FEDIZ Authentication problems
>
> I'm trying to setup FEDIZ-1.1-SNAPSHOT with FEDIZ-1.1-SPRING-SNAPSHOT as an RP to an existing .NET ADFS IDP.
>
> If I subclass ``  to authenticate on my desired URL path `myAlaska` I end up with the following log entries when I try to log in:
>
> 06-18@09:56:56 INFO  [] Spring Security Debugger   -
>
> ************************************************************
>
> Request received for '/myAlaska':
>
> org.apache.catalina.connector.RequestFacade@a2f68b
>
> servletPath:/myAlaska
> pathInfo:null
>
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
>
>
> ************************************************************
>
>
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No HttpSession currently exists
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Compared: path=/myAlaska, and /j_spring_fediz_security_check
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - ServletPath Authentication: true
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Request is to process authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - begin parameter logging.
> wa:       null
> wresult:  null
> full URL: https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> Method:   GET
> 06-18@09:56:56 DEBUG [] ProviderManager            - Authentication attempt using us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - Authenticating: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1dacb29: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 146.63.181.15; SessionId: null; Not granted any authorities
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - request: WA: null Wct: null Result: null Cert Count: 0
> 06-18@09:56:56 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
> 06-18@09:56:56 ERROR [] FederationProcessorImpl    - Invalid action 'null'
> 06-18@09:56:56 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request
> org.apache.cxf.fediz.core.exception.ProcessingException: The request was invalid or malformed
>        at org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:93)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:121)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:30)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: The request was invalid or malformed
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1508a8b
> 06-18@09:56:56 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-18@09:56:56 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
>
> If  I remove the additional Authentication checks so it only checks on /j_spring_fediz_security_check I get the following error instead:
>
> 06-18@10:57:19 INFO  [] Spring Security Debugger   -
>
> ************************************************************
>
> Request received for '/myAlaska':
>
> org.apache.catalina.connector.RequestFacade@1cdedd4
>
> servletPath:/myAlaska
> pathInfo:null
>
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
>
>
> ************************************************************
>
>
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be created.
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication = false
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - pathInfo: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - queryString: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURI: arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverPort: arg1=8443; arg2=8443 (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURL: arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska; arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - scheme: arg1=https; arg2=https (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverName: arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - contextPath: arg1=/newhirereporting; arg2=/newhirereporting (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - servletPath: arg1=/myAlaska; arg2=/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - Removing DefaultSavedRequest from session if present
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] nymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/myalaska'
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()]
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS
> 06-18@10:57:19 DEBUG [] AffirmativeBased           - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@200930, returned: -1
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
> org.springframework.security.access.AccessDeniedException: Access is denied
>        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
>        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - DefaultSavedRequest added to Session: DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska]
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication entry point.
> 06-18@10:57:19 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
> 06-18@10:57:19 DEBUG [] MyAlaskaEntryPoint         - Federation context: org.apache.cxf.fediz.core.config.FederationContext@a302f2
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Issuer url: https://mydev.alaska.gov/adfs/ls/
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - WAuth:
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - HomeRealm: null
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Freshness: null
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/
> 06-18@10:57:19 INFO  [] MyAlaskaEntryPoint         - Redirecting to IDP: https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&pubId=enhr
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-18@10:57:19 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
>
> The first error tells me there was a problem with the sign-in request/response: it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 or any other parameters. It's also a GET request and NOT a POST.
>
> The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to /myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set like wa=wsignin1.0, and seeing as it's not finding that information it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
>
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML token.  I want to treat ALL accounts from ADFS with the same role.
> Is using ' access="isFullyAuthenticated()" ' appropriate for my use case?
>
> Thank you for any help,
> Tom Burton
>
> Confidentiality Notice:  This e-mail message including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

--
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog Talend Community Coder - http://coders.talend.com
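
The sign-in round trip Tom describes above, as an added example; this is not Fediz code and not anything posted in the thread, and the class and method names are mine. It builds the passive sign-in redirect with java.net.URLEncoder, shows why the wctx value in his snippet comes out double-encoded (wctx is itself a small key=value&key=value string, so its inner values are encoded once and the whole thing is encoded again when it becomes a parameter of the redirect URL), and implements the decision an RP filter has to make on its sign-in URL: only a POST carrying wa=wsignin1.0 and a non-empty wresult is a sign-in response, while a plain GET of /myAlaska is an unauthenticated request that is sent back to the IDP, which is exactly the loop in the logs. The hostnames, the wct value and pubId=enhr are copied from the logged redirect URL; the id=passive&ru= layout is the one the .NET sample uses and is assumed here only to reproduce Tom's literal value. As Oli points out, Spring Security caches the original request, so with Fediz the return path does not need to ride in wctx at all.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not Fediz code: WS-Federation passive sign-in redirect
// construction, the nested encoding of wctx, and the RP-side check that tells a
// real sign-in response apart from a plain GET of a protected page.
public class WsFedSignInExample {

    // Same charset the thread's own snippet passes to URLEncoder.
    private static final String CHARSET = "ISO-8859-1";

    static String enc(String s) {
        try {
            return URLEncoder.encode(s, CHARSET);
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    static String dec(String s) {
        try {
            return URLDecoder.decode(s, CHARSET);
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    // Serialise a map as key=value&key=value, encoding each part exactly once.
    static String toQuery(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(enc(e.getKey())).append('=').append(enc(e.getValue()));
        }
        return sb.toString();
    }

    // Inverse of toQuery: split on & and =, then decode each part once.
    static Map<String, String> parseQuery(String query) {
        Map<String, String> out = new LinkedHashMap<String, String>();
        if (query == null || query.isEmpty()) return out;
        for (String pair : query.split("&")) {
            int i = pair.indexOf('=');
            String k = i < 0 ? pair : pair.substring(0, i);
            String v = i < 0 ? "" : pair.substring(i + 1);
            out.put(dec(k), dec(v));
        }
        return out;
    }

    // The redirect to the IDP. wctx arrives here already serialised by toQuery,
    // so toQuery() encoding it again is the second encoding of its inner values;
    // the IDP hands the value back after one round of decoding and the RP undoes
    // the other when it parses wctx.
    static String buildSignInUrl(String issuer, String wtrealm, String wreply,
                                 String wct, String wctx, Map<String, String> extra) {
        Map<String, String> q = new LinkedHashMap<String, String>();
        q.put("wa", "wsignin1.0");
        q.put("wtrealm", wtrealm);
        if (wreply != null) q.put("wreply", wreply);
        if (wct != null) q.put("wct", wct);
        if (wctx != null) q.put("wctx", wctx);
        q.putAll(extra); // custom sign-in parameters such as pubId, encoded once
        return issuer + (issuer.indexOf('?') >= 0 ? "&" : "?") + toQuery(q);
    }

    // What the filter on the sign-in URL must see before it treats the request
    // as the IDP's answer. Anything else, including the plain GET /myAlaska in
    // the thread's logs, is an unauthenticated request that goes back to the IDP.
    static boolean isSignInResponse(String method, Map<String, String> params) {
        String wresult = params.get("wresult");
        return "POST".equalsIgnoreCase(method)
                && "wsignin1.0".equals(params.get("wa"))
                && wresult != null && !wresult.isEmpty();
    }

    public static void main(String[] args) {
        // wctx laid out the way the .NET sample in the thread does (assumption);
        // hostnames, wct and pubId=enhr are copied from the logged redirect URL.
        Map<String, String> ctx = new LinkedHashMap<String, String>();
        ctx.put("id", "passive");
        ctx.put("ru", "/newhirereporting/myAlaska");
        Map<String, String> extra = new LinkedHashMap<String, String>();
        extra.put("pubId", "enhr");

        String url = buildSignInUrl("https://mydev.alaska.gov/adfs/ls/",
                "https://cssdappstst.state.ak.us:8443/newhirereporting/",
                "https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska",
                "2013-06-18T18:57:19.790Z", toQuery(ctx), extra);
        System.out.println(url);

        // Round trip: one decode when the query string is parsed, a second when
        // the RP parses wctx itself, and the original path is back.
        String wctxBack = parseQuery(url.substring(url.indexOf('?') + 1)).get("wctx");
        System.out.println("ru = " + parseQuery(wctxBack).get("ru"));

        // The failing case from the thread versus a genuine sign-in response.
        System.out.println(isSignInResponse("GET", new LinkedHashMap<String, String>()));
        Map<String, String> post = new LinkedHashMap<String, String>();
        post.put("wa", "wsignin1.0");
        post.put("wresult", "<t:RequestSecurityTokenResponse ...>");
        System.out.println(isSignInResponse("POST", post));
    }
}
```

Compile and run it with javac/java; the printed redirect carries wctx=id%3Dpassive%26ru%3D%252Fnewhirereporting%252FmyAlaska, the same double-encoded shape Tom pasted, and the two isSignInResponse calls show the GET/POST distinction the filter chain in the logs is making. Note that isSignInResponse only decides whether there is a response to validate; signature, audience and lifetime checks on wresult remain the job of the Fediz processor.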

RE: FEDIZ Authentication problems

Posted by Oliver Wulff <ow...@talend.com>.
Hi Tom

I've committed a fix for FEDIZ-62. You have two options (like for wauth). Either you configure a static string or a class name which implements callbackhandler and updates the SignInQueryCallback object. You can pass a Map<String,String> where the encoding of the values is handled by fediz.

See here a sample in the unit test:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/TestCallbackHandler.java?view=markup

WDYT?

________________________________________
From: Oliver Wulff [owulff@talend.com]
Sent: 21 June 2013 16:06
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

Hi Tom

I've raised the following JIRA to customize the sign in query string:
https://issues.apache.org/jira/browse/FEDIZ-62

I'll look into this within the next days.

Could you maybe raise a JIRA and apply a patch as a proposal for the extended logging?

Thanks
Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
Sent: 20 June 2013 20:22
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

The system I'm hooking into is an upgrade of an older system.
The older system passed a GUID in an HTTP header. (All web applications were behind a shared proxy.)
The GUID was then run through a web service to retrieve a matching user account.
There were other web services as well that use the GUID (which I'm personally not using).
All of these web service locations have been changed, with minimal other interface changes,
and the actual implementations have changed as well.  It is my understanding (not my systems)
that they went from a Solaris LDAP/Oracle backend to an Active Directory/SQL Server backend.
I've pasted the token below. It has one attribute, MyAlaskaId; it's the value of that attribute
that I pass to a web service to actually get back a user object.  Unless that's how SAML responses are
designed to work and I still need to configure something.

They have supplied a .NET (C#) sample application. On our dev system I can even see it in action.
I decided to try the dev sample application.  I snagged the URL out of my address bar when I saw it.
Then I split it apart to figure out what was different between the URL the sample application
generated and mine. That's when I came across the "&wctx=...." bit.

The wctx for the .NET application is probably generated by this bit in the sample application's Web.config:
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" requireHttps="false"
                    issuer="https://mydev.alaska.gov/adfs/ls/" realm="[ TODO ]"
                    signInQueryString="pubid=[ TODO ]" />
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>


The "&pubid=" is a custom extension they've implemented. When I use it the login page says:
"'Website Name' has sent you here to sign in."

Honestly you probably know more about ADFS than I do. I'm just flailing about trying to get it to work.

Also, if you don't like subclassing, could you please add more logging to your classes?
It's the single biggest reason I was subclassing.

I think a callback could work. Or what about a system like the Maven compiler plugin has,
where unknown XML options just get appended?
So, for example,

In the maven compiler plugin I can do
    <configuration>
      <compilerarguments>
        <foo>
          bash
        </foo>
      </compilerarguments>
    </configuration>

Then it just blindly passes -foo=bash to javac and hopes for the best.  (or that's what it looks like.)

With such a system for fediz
I could have:

    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="federationProtocolType" version="1.0.0">
      <!-- normal options here -->
      <!-- demarcation for Sign-In only special arguments,
           wrap them, no special processing (except escaping?) -->
      <signInArguments>
        <pubId>myId</pubId>
      </signInArguments>
    </protocol>
And the redirect URL would end up with &pubId=myId appended,
or "&pubId=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1"); if escaping.

--- here is my SAML Response (is that the right term?) ---
<t:RequestSecurityTokenResponse
    xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:Lifetime>
    <wsu:Created
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      2013-06-18T21:25:30.147Z
    </wsu:Created>
    <wsu:Expires
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      2013-06-18T22:25:30.147Z
    </wsu:Expires>
  </t:Lifetime>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsa:Address>
        https://cssdappstst.state.ak.us:8443/newhirereporting/
      </wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1"
                    AssertionID="_517cee33-3b6b-40cc-82cd-a2e10ce61925"
                    Issuer="http://MYDEV.ALASKA.GOV/adfs/services/trust"
                    IssueInstant="2013-06-18T21:25:30.147Z"
                    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2013-06-18T21:25:30.147Z"
                       NotOnOrAfter="2013-06-18T22:25:30.147Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>
            https://cssdappstst.state.ak.us:8443/newhirereporting/
          </saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>
              urn:oasis:names:tc:SAML:1.0:cm:bearer
            </saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="MyAlaskaId"
                        AttributeNamespace="http://my.alaska.gov/claims">
          <saml:AttributeValue>
            0d0ad010-d27b-4b53-a8bc-ba85a704e083
          </saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AuthenticationStatement
          AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
          AuthenticationInstant="2013-06-18T20:06:58.819Z">
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>
              urn:oasis:names:tc:SAML:1.0:cm:bearer
            </saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod
              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod
              Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256">
          </ds:SignatureMethod>
          <ds:Reference URI="#_517cee33-3b6b-40cc-82cd-a2e10ce61925">
            <ds:Transforms>
              <ds:Transform
                  Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
              </ds:Transform>
              <ds:Transform
                  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#sha256">
            </ds:DigestMethod>
            <ds:DigestValue>
              RtzUZBhY6myvUAWpwGfXbRrqzLU5pydSxa8uq9TlGnM=
            </ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
                [Long Signature hash value was Here ]
        </ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
            <X509Certificate>
              [Certificate hash was here]
            </X509Certificate>
          </X509Data>
        </KeyInfo>
      </ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
  <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
  <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
  </t:RequestType>
  <t:KeyType>
    http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey
  </t:KeyType>
</t:RequestSecurityTokenResponse>


Thank you again,
Tom


-----Original Message-----
From: Oliver Wulff [mailto:owulff@talend.com]
Sent: Wednesday, June 19, 2013 10:36 PM
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

Hi Tom

>>>
I needed to mangle the redirect URL with more options than it looks like are available in the fediz_config file.
I basically had to add:
    redirectUrl += "&wctx=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
                 + "%252Fnewhirereporting%252FmyAlaska"; // double encoded /contextpath/page

I also copied it to add
    redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID;
pubId is a URL parameter to add a friendly message to the login page for the user.
>>>
I'm not a big fan of subclassing in general. Mostly it indicates that there is a missing extension point in the framework. Do you have to extend the redirect URL because of ADFS or because of your application? I could add a callback handler to fill the wctx or even extend the URL. The original request is cached by spring security thus you don't have to cache any request specific information in the redirect url. I would like to understand first what the use case is as this requirement never came up so far.

>>>
So now I do actually get a "SAML Token" but all it contains is a GUID.
I then have to call a SOAP web Service to actually convert that GUID into a real user object.
>>>
Is this by intention? ADFS is able to add user information from AD. Can you share the issued SAML token? One of the purposes of WS-Federation is to centralize (in the IDP/STS) the code to retrieve user information from all possible user directories and provide this information in a transparent way to the application instead of having to pull this information in each application individually.

Thanks
Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
Sent: 20 June 2013 03:09
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

Turns out I had misread an important piece of the document.
I had put my cxf.xml in src/main/webapp/WEB-INF/ next to my web.xml instead of in src/main/resources/.

Moving it to the appropriate directory cleared up my certificate issue.

Tom

-----Original Message-----
From: Burton, Tom F (DOR) [mailto:tom.burton@alaska.gov]
Sent: Wednesday, June 19, 2013 3:40 PM
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

I just tried

 - name=".*"
 - name="https://.*.state.ak.us:444/.*"
 - name="https://mydev-svc.state.ak.us:444/.*"

I got the same error for all three.

Tom

-----Original Message-----
From: Daniel Kulp [mailto:dkulp@apache.org]
Sent: Wednesday, June 19, 2013 2:59 PM
To: users@cxf.apache.org
Cc: owulff@talend.com
Subject: Re: FEDIZ Authentication problems


Change the conduit name to something like:

name="https://mydev-svc.state.ak.us:444/.*"

Using the service name can only apply those settings after the service is created and the name and namespace and such are known.  To have it apply for wsdl loading as well, use a URL format (and the .* at the end for the regex expansion).

Dan



On Jun 19, 2013, at 6:49 PM, "Burton, Tom F (DOR)" <to...@alaska.gov> wrote:

> I've actually made it past these issues. :) but now I have new ones :(
>
> The initial class I was talking about sub-classing was:
> FederationAuthenticationFilter
>
> The "additional Authentication checks" were in my subclass.
>
> The java code looked like so:
>
>     @Override
>     protected boolean requiresAuthentication(HttpServletRequest request,
>                                              HttpServletResponse response) {
>         boolean required = false;
>         // should this be equals or some fancy ** matching type stuff?
>         String path = request.getServletPath();
>         required = path.contains(getFilterProcessesUrl());
>         // getRequestURI().contains(getFilterProcessesUrl());
>
>         // TODO: look up an "easy" way to read the spring config
>         // PageMapHolder manually parses the Spring xml files on deploy
>         if (!required) {
>             required = PageMapHolder.getPages().containsKey(path);
>         }
>
>         if (log.isDebugEnabled()) {
>             log.debug("Compared: path=" + request.getServletPath()
>                     + ", and " + getFilterProcessesUrl());
>             log.debug("ServletPath Authentication: " + required);
>         }
>         if (!required) {
>             required = super.requiresAuthentication(request, response);
>         }
>         return required;
>     }
>
> They have been disabled.
>
> The solution ended up requiring me to copy the implementation of
> FederationAuthenticationEntryPoint,
> as MyAlaskaEntryPoint. I needed to mangle the redirect URL with more
> options than it looks like are available in the fediz_config file.
> I basically had to add:
>
>    redirectUrl += "&wctx=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
>                 + "%252Fnewhirereporting%252FmyAlaska"; // double encoded /contextpath/page
>
> I also copied it to add
>
>    redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID;
>
> pubId is a URL parameter to add a friendly message to the login page for the user.
>
> So now I do actually get a "SAML Token" but all it contains is a GUID.
> I then have to call a SOAP web Service to actually convert that GUID into a real user object.
>
>
> MyAlaskaAuthProvider is a subclass of FederationAuthenticationProvider
>
> It overrides #authenticate to add some logging before calling super. It
> overrides #loadUserByFederationResponse to find the myAkUsername
> BEFORE calling super.
>
> The current Error I'm getting is a certificate error while trying to access the GUID based web service.
>
> So in doing some research I found this:
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-Howtooverridetheserviceaddress%3F
>
> I've followed the page and created a cxf.xml I've added it as another
> file to be parsed as part of my Spring Config.
>
> cxf.xml has an http:conduit like so:
>
>   <http:conduit
>     name="{http://cxf.apache.org/}TransportURIResolver.http-conduit">
>     <!-- magic value for https -->
>     <!--name="{http://myalaska.state.ak.us/wsdl/MyAlaskaService}WSHttpBinding_MyAlaskaService.http-conduit">-->
>
>     <!-- duplicates values from <certificateStores> in Fediz config -->
>     <http:tlsClientParameters>
>       <sec:keyManagers keyPassword="password">
>         <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>       </sec:keyManagers>
>       <sec:trustManagers>
>         <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>       </sec:trustManagers>
>       <sec:cipherSuitesFilter>
>         <!-- these filters ensure that a ciphersuite with
>              export-suitable or null encryption is used,
>              but exclude anonymous Diffie-Hellman key exchange as
>              this is vulnerable to man-in-the-middle attacks -->
>         <sec:include>.*_EXPORT_.*</sec:include>
>         <sec:include>.*_EXPORT1024_.*</sec:include>
>         <sec:include>.*_WITH_DES_.*</sec:include>
>         <sec:include>.*_WITH_AES_.*</sec:include>
>         <sec:include>.*_WITH_NULL_.*</sec:include>
>         <sec:exclude>.*_DH_anon_.*</sec:exclude>
>       </sec:cipherSuitesFilter>
>     </http:tlsClientParameters>
>     <http:client AutoRedirect="true" Connection="Keep-Alive"/>
>   </http:conduit>
>
> However when I try and actually create an instance of my soap service, I get a stack trace in my log file.  Pasted in full below.
> To me the interesting bit is probably:
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> So am I defining my conduit name right? How can I tell if the conduit wrapping is even happening?
>
>
> Thank you again,
> Tom Burton
>
>
>
> --------------- Full Stack Trace -------------
>
> 06-19@14:27:45 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request
> javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:149)
>        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> Caused by: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:100)
>        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        ... 33 more
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>        at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
>        at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>        at sun.security.validator.Validator.validate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>        ... 60 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>        at java.security.cert.CertPathBuilder.build(Unknown Source)
>        ... 66 more
>
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        ... 35 more
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@8c9de8
> 06-19@14:27:45 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
> 06-19@14:27:45 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-19@14:27:45 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
>
>
> -----Original Message-----
> From: Oliver Wulff [mailto:owulff@talend.com]
> Sent: Tuesday, June 18, 2013 11:11 PM
> To: users@cxf.apache.org
> Subject: RE: FEDIZ Authentication problems
>
> Hi Tom
>
>>>>
> If I subclass ``  to authenticate on my desired URL path `myAlaska`
>>>>
> Which class do you want to subclass?
>
>>>>
> MyAlaskaAuthProvider
>>>>
> What kind of AuthProvider is this?
>
>>>>
> If  I remove the additional Authentication checks so it only checks on
> /j_spring_fediz_security_check
>>>>
> Can you point me in your configuration what you mean?
>
>>>>
> The first error tells me there was a problem with the sign-in request-response; it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a POST.
>>>>
> This is kind of strange. Did you really get redirected to the IDP? Could you share the browser traffic (httpfox, findbugs, etc).
>
>>>>
> The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set, like wa=wsignin1.0, and seeing as it's not finding that information it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
>>>>
> This is per WS-Federation spec. The SAML assertion is sent in the wresult parameter. Fediz works with ADFS but keep in mind that ADFS uses an older WS-Trust and SAML 1.1 assertion which is supported by Fediz as well.
>
>
>>>>
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML Token.  I want to treat ALL accounts from ADFS with the same role.
> Is using  ' access="isFullyAuthenticated()"  ' appropriate for my use case?
>>>>
> The following definition requires that you're authenticated (without the requirement for any roles):
> <sec:intercept-url pattern="/secure/fedservlet" access="isAuthenticated()"/>
>
> There is an example available for spring security. Here is the spring security documentation of it:
> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml?view=markup
>
> HTH
>
> Oli
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com
>
> ________________________________________
> From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
> Sent: 18 June 2013 21:15
> To: users@cxf.apache.org
> Subject: FEDIZ Authentication problems
>
> I'm trying to setup FEDIZ-1.1-SNAPSHOT with FEDIZ-1.1-SPRING-SNAPSHOT as an RP to an existing .NET ADFS IDP.
>
> If I subclass ``  to authenticate on my desired URL path `myAlaska` I end up with the following log entries when I try to log in:
>
> 06-18@09:56:56 INFO  [] Spring Security Debugger   -
>
> ************************************************************
>
> Request received for '/myAlaska':
>
> org.apache.catalina.connector.RequestFacade@a2f68b
>
> servletPath:/myAlaska
> pathInfo:null
>
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
>
>
> ************************************************************
>
>
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No HttpSession currently exists
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Compared: path=/myAlaska, and /j_spring_fediz_security_check
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - ServletPath Authentication: true
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Request is to process authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - begin parameter logging.
> wa:       null
> wresult:  null
> full URL: https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> Method:   GET
> 06-18@09:56:56 DEBUG [] ProviderManager            - Authentication attempt using us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - Authenticating: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1dacb29: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 146.63.181.15; SessionId: null; Not granted any authorities
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - request: WA: null Wct: null Result: null Cert Count: 0
> 06-18@09:56:56 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
> 06-18@09:56:56 ERROR [] FederationProcessorImpl    - Invalid action 'null'
> 06-18@09:56:56 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request
> org.apache.cxf.fediz.core.exception.ProcessingException: The request was invalid or malformed
>        at org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:93)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:121)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:30)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: The request was invalid or malformed
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1508a8b
> 06-18@09:56:56 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-18@09:56:56 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
>
> If  I remove the additional Authentication checks so it only checks on /j_spring_fediz_security_check I get the following error instead:
>
> 06-18@10:57:19 INFO  [] Spring Security Debugger   -
>
> ************************************************************
>
> Request received for '/myAlaska':
>
> org.apache.catalina.connector.RequestFacade@1cdedd4
>
> servletPath:/myAlaska
> pathInfo:null
>
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
>
>
> ************************************************************
>
>
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be created.
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication = false
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - pathInfo: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - queryString: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURI: arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverPort: arg1=8443; arg2=8443 (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURL: arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska; arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - scheme: arg1=https; arg2=https (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverName: arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - contextPath: arg1=/newhirereporting; arg2=/newhirereporting (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - servletPath: arg1=/myAlaska; arg2=/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - Removing DefaultSavedRequest from session if present
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] nymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/myalaska'
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()]
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS
> 06-18@10:57:19 DEBUG [] AffirmativeBased           - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@200930, returned: -1
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
> org.springframework.security.access.AccessDeniedException: Access is denied
>        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
>        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - DefaultSavedRequest added to Session: DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska]
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication entry point.
> 06-18@10:57:19 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
> 06-18@10:57:19 DEBUG [] MyAlaskaEntryPoint         - Federation context: org.apache.cxf.fediz.core.config.FederationContext@a302f2
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Issuer url: https://mydev.alaska.gov/adfs/ls/
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - WAuth:
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - HomeRealm: null
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Freshness: null
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/
> 06-18@10:57:19 INFO  [] MyAlaskaEntryPoint         - Redirecting to IDP: https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&pubId=enhr
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-18@10:57:19 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
>
> The first error tells me there was a problem with the sign-in request-response; it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a POST.
>
> The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set, like wa=wsignin1.0, and seeing as it's not finding that information it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
>
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML Token.  I want to treat ALL accounts from ADFS with the same role.
> Is using  ' access="isFullyAuthenticated()"  ' appropriate for my use case?
>
> Thank you for any help,
> Tom Burton
>
> Confidentiality Notice:  This e-mail message including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

--
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog Talend Community Coder - http://coders.talend.com
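The passive sign-in flow discussed above, as an added Python illustration (not Fediz's or the project's own code): the two request shapes Tom's logs show at /myAlaska, a plain GET with no wa/wresult that needs the redirect versus a POST carrying wa=wsignin1.0 and wresult that is the IDP's answer, and the sign-in URL his entry point logged ("Redirecting to IDP: ..."). The function names and the wreply-within-realm sanity check are this example's own, not Fediz features.

```python
"""WS-Federation passive sign-in, seen from the relying party (RP).

Added example, not Fediz code. It reproduces two things from the logs in
this thread: the request shapes the authentication filter sees at /myAlaska
and the sign-in URL the entry point logged ("Redirecting to IDP: ...").
Function names and the wreply/wtrealm sanity check are this example's own.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

WS_FED_SIGNIN = "wsignin1.0"


def classify_request(method, params):
    """Decide how an RP filter should treat a request on a protected path.

    params: request parameters (query string or POST body) as a flat dict.
    Returns one of:
      "needs_redirect"  - no WS-Federation parameters: a user navigating
                          straight to the page; send them to the IDP.
      "signin_response" - POST with wa=wsignin1.0 and a wresult: the IDP's
                          answer, handed to the federation processor.
      "invalid"         - WS-Federation parameters present but unusable
                          (GET, unknown wa, missing wresult): reject.
    In the first log Tom posted, the filter ran the federation processor on
    a plain GET, which is why Fediz reported "Invalid action 'null'".
    """
    wa = params.get("wa")
    wresult = params.get("wresult")
    if wa is None and wresult is None:
        return "needs_redirect"
    if method.upper() == "POST" and wa == WS_FED_SIGNIN and wresult:
        return "signin_response"
    return "invalid"


def wreply_within_realm(wreply, wtrealm):
    """Sanity check (this example's own, not from the thread): the return URL
    must lie under the realm the RP claims, so the IDP is never asked to post
    a token to a page outside this application. wtrealm should end in "/",
    as the logged one does, so a prefix match cannot be widened by a longer
    path segment."""
    return wreply.startswith(wtrealm)


def build_signin_redirect(issuer, wreply, wtrealm, wct, extra=()):
    """Build the IDP sign-in URL.

    urlencode percent-encodes every value exactly once (':' -> %3A, '/' -> %2F),
    which is what the logged URL shows. extra is a sequence of (name, value)
    pairs appended after the standard parameters, e.g. ADFS's pubId.
    """
    if not wreply_within_realm(wreply, wtrealm):
        raise ValueError("wreply %r is outside realm %r" % (wreply, wtrealm))
    query = [("wa", WS_FED_SIGNIN), ("wreply", wreply),
             ("wtrealm", wtrealm), ("wct", wct)]
    query.extend(extra)
    return issuer + "?" + urlencode(query)


def parse_signin_redirect(url):
    """Decode a sign-in URL back to {name: value} (inverse of build_signin_redirect)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


if __name__ == "__main__":
    # Values copied from the "Redirecting to IDP" log line in this thread.
    url = build_signin_redirect(
        "https://mydev.alaska.gov/adfs/ls/",
        "https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska",
        "https://cssdappstst.state.ak.us:8443/newhirereporting/",
        "2013-06-18T18:57:19.790Z",
        [("pubId", "enhr")],
    )
    print(url)
    print(classify_request("GET", {}))  # needs_redirect: the loop's first hop
    print(classify_request("POST", {"wa": "wsignin1.0", "wresult": "<t:RequestSecurityTokenResponse/>"}))
```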

RE: FEDIZ Authentication problems

Posted by Oliver Wulff <ow...@talend.com>.
Hi Tom

I've raised the following JIRA to customize the sign in query string:
https://issues.apache.org/jira/browse/FEDIZ-62

I'll look into this within the next days.

Could you maybe raise a JIRA and apply a patch as a proposal for the extended logging?

Thanks
Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
Sent: 20 June 2013 20:22
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

The system I'm hooking into is an upgrade of an older system.
The older system passed a GUID in an HTTP header. (All web applications were behind a shared proxy.)
The GUID was then run through a web service to retrieve a matching user account.
There were other web services as well (that I'm personally not using) that use the GUID.
All of these web service locations have been changed, with minimal other interface changes,
and the actual implementations have changed as well. It is my understanding (not my systems)
that they went from a Solaris LDAP/Oracle backend to an Active Directory/SQL Server backend.
I've pasted the token below. It has one attribute, MyAlaskaId; it's the value of that attribute
that I pass to a web service to actually get back a user object. Unless that's how SAML responses are
designed to work and I still need to configure something.

They have supplied a .NET (C#) sample application. On our dev system I can even see it in action.
I decided to try the dev sample application. I snagged the URL out of my address bar when I saw it.
Then I split it apart to figure out what was different between the URL the sample application
generated and mine. That's when I came across the "&wctx=...." bit.

The wctx for the .NET application is probably generated by this bit in the sample application's Web.config:
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" requireHttps="false"
                    issuer="https://mydev.alaska.gov/adfs/ls/" realm="[ TODO ]"
                    signInQueryString="pubid=[ TODO ]" />
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>


The "&pubid=" is a custom extension they've implemented. When I use it the login page says:
"'Website Name' has sent you here to sign in."

Honestly you probably know more about ADFS than I do. I'm just flailing about trying to get it to work.

Also if you don't like subclassing could you please add more logging to your classes.
It's the single biggest reason I was subclassing.

I think a callback could work. Or what about a system like the maven compiler plugin has,
where unknown XML options just get appended?
So for example

In the maven compiler plugin I can do
    <configuration>
      <compilerarguments>
        <foo>
          bash
        </foo>
      </compilerarguments>
    </configuration>

Then it just blindly passes -foo=bash to javac and hopes for the best.  (or that's what it looks like.)

With such a system for fediz
I could have:

    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="federationProtocolType" version="1.0.0">
      <!-- normal options here -->
      <!-- demarcation for Sign-In-only special arguments;
           wrap them, no special processing (except escaping?) -->
      <signInArguments>
        <pubId>myId</pubId>
      </signInArguments>
    </protocol>

And the redirect URL would end up with &pubId=myId appended,
or "&pubId=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1"); if escaping.

--- here is my SAML Response (is that the right term?) ---
<t:RequestSecurityTokenResponse
    xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:Lifetime>
    <wsu:Created
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      2013-06-18T21:25:30.147Z
    </wsu:Created>
    <wsu:Expires
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      2013-06-18T22:25:30.147Z
    </wsu:Expires>
  </t:Lifetime>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsa:Address>
        https://cssdappstst.state.ak.us:8443/newhirereporting/
      </wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1"
                    AssertionID="_517cee33-3b6b-40cc-82cd-a2e10ce61925"
                    Issuer="http://MYDEV.ALASKA.GOV/adfs/services/trust"
                    IssueInstant="2013-06-18T21:25:30.147Z"
                    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2013-06-18T21:25:30.147Z"
                       NotOnOrAfter="2013-06-18T22:25:30.147Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>
            https://cssdappstst.state.ak.us:8443/newhirereporting/
          </saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>
              urn:oasis:names:tc:SAML:1.0:cm:bearer
            </saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="MyAlaskaId"
                        AttributeNamespace="http://my.alaska.gov/claims">
          <saml:AttributeValue>
            0d0ad010-d27b-4b53-a8bc-ba85a704e083
          </saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AuthenticationStatement
          AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
          AuthenticationInstant="2013-06-18T20:06:58.819Z">
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>
              urn:oasis:names:tc:SAML:1.0:cm:bearer
            </saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod
              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod
              Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256">
          </ds:SignatureMethod>
          <ds:Reference URI="#_517cee33-3b6b-40cc-82cd-a2e10ce61925">
            <ds:Transforms>
              <ds:Transform
                  Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
              </ds:Transform>
              <ds:Transform
                  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#sha256">
            </ds:DigestMethod>
            <ds:DigestValue>
              RtzUZBhY6myvUAWpwGfXbRrqzLU5pydSxa8uq9TlGnM=
            </ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
                [Long Signature hash value was Here ]
        </ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
            <X509Certificate>
              [Certificate hash was here]
            </X509Certificate>
          </X509Data>
        </KeyInfo>
      </ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
  <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
  <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
  <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>


Thank you again,
Tom
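
As an added illustration (not Fediz or CXF code), the following Python reads an RSTR of the shape pasted above, pulls out the claims it carries, and checks the signature's structure the way an RP should before trusting the token: exactly one ds:Reference whose URI is the enclosing AssertionID, the enveloped-signature transform present, and only the algorithms this token uses (exclusive C14N, RSA-SHA256, SHA-256 digest). The sample RSTR inside it is constructed to mirror the token above with placeholder signature and digest values; the algorithm allowlist is an assumption for this RP, and no cryptographic verification happens here (Fediz/WSS4J does that against the IDP certificate from fediz_config.xml).

```python
"""Inspect the RequestSecurityTokenResponse (RSTR) an RP receives in the
'wresult' parameter. Added example, not Fediz or CXF code. SAMPLE_RSTR is
constructed to mirror the token shared in this thread; signature and digest
values are placeholders, so nothing here verifies cryptography."""
import xml.etree.ElementTree as ET

NS = {
    "t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Allowlist for this RP (assumption): only what the thread's token uses.
ALLOWED_C14N = {"http://www.w3.org/2001/10/xml-exc-c14n#"}
ALLOWED_SIGNATURE_METHODS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
ALLOWED_DIGEST_METHODS = {"http://www.w3.org/2001/04/xmlenc#sha256"}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

# Constructed sample; the AssertionID/Reference pair and the claim mirror the thread.
SAMPLE_RSTR = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        MajorVersion="1" MinorVersion="1" Issuer="urn:example:idp"
        AssertionID="_517cee33-3b6b-40cc-82cd-a2e10ce61925">
      <saml:AttributeStatement>
        <saml:Attribute AttributeName="MyAlaskaId" AttributeNamespace="http://my.alaska.gov/claims">
          <saml:AttributeValue>0d0ad010-d27b-4b53-a8bc-ba85a704e083</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#_517cee33-3b6b-40cc-82cd-a2e10ce61925">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
      </ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
  <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
</t:RequestSecurityTokenResponse>"""


def extract_claims(rstr_xml):
    """Map (AttributeNamespace, AttributeName) -> values for every saml:Attribute.
    This is all the user information the RP gets from the IDP."""
    root = ET.fromstring(rstr_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        key = (attr.get("AttributeNamespace"), attr.get("AttributeName"))
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        claims.setdefault(key, []).extend(values)
    return claims


def _algorithm(parent, path):
    el = parent.find(path, NS)
    return el.get("Algorithm") if el is not None else None


def check_signature_structure(rstr_xml):
    """Structural checks to apply before (not instead of) verifying the signature
    value. Returns a list of problems; empty means the signature covers the
    enclosing assertion with acceptable algorithms."""
    root = ET.fromstring(rstr_xml)
    assertion = root.find(".//t:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion inside t:RequestedSecurityToken"]
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        return ["assertion is not signed"]
    problems = []
    c14n = _algorithm(sig, "ds:SignedInfo/ds:CanonicalizationMethod")
    if c14n not in ALLOWED_C14N:
        problems.append(f"unexpected canonicalization method {c14n}")
    sig_method = _algorithm(sig, "ds:SignedInfo/ds:SignatureMethod")
    if sig_method not in ALLOWED_SIGNATURE_METHODS:
        problems.append(f"weak or unexpected signature method {sig_method}")
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        problems.append(f"expected exactly one ds:Reference, found {len(refs)}")
    expected_uri = "#" + (assertion.get("AssertionID") or "")
    for ref in refs:
        uri = ref.get("URI", "")
        if uri != expected_uri:
            # Signed bytes would not be the assertion being trusted.
            problems.append(f"reference {uri!r} does not point at the enclosing assertion")
        transforms = [t.get("Algorithm") for t in ref.iterfind("ds:Transforms/ds:Transform", NS)]
        if ENVELOPED not in transforms:
            problems.append("missing enveloped-signature transform")
        digest = _algorithm(ref, "ds:DigestMethod")
        if digest not in ALLOWED_DIGEST_METHODS:
            problems.append(f"weak or unexpected digest method {digest}")
    return problems


if __name__ == "__main__":
    print(extract_claims(SAMPLE_RSTR))
    print(check_signature_structure(SAMPLE_RSTR) or "signature structure OK")
```

Run against the real wresult, the claims dict is the quickest way to see whether ADFS is issuing anything beyond the GUID; the structural checks are what an RP wants to reject on before it even touches the signature value.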


-----Original Message-----
From: Oliver Wulff [mailto:owulff@talend.com]
Sent: Wednesday, June 19, 2013 10:36 PM
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

Hi Tom

>>>
I needed to mangle the redirect URL with more options than it looks like are available in the fediz_config file.
I basically had to add:
    redirectUrl += "&wctx="+ URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
                           + "%252Fnewhirereporting%252FmyAlaska" //double encoded /contextpath/page

 I also copied it to add
 redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID; pubId is a URL parameter to add a friendly message to the login page for the user.
>>>
I'm not a big fan of subclassing in general. Mostly it indicates that there is a missing extension point in the framework. Do you have to extend the redirect URL because of ADFS or because of your application? I could add a callback handler to fill the wctx or even extend the URL. The original request is cached by spring security, thus you don't have to cache any request specific information in the redirect url. I would like to understand first what the use case is, as this requirement has never come up so far.

>>>
So now I do actually get a "SAML Token" but all it contains is a GUID.
I then have to call a SOAP web Service to actually convert that GUID into a real user object.
>>>
Is this by intention? ADFS is able to add user information from AD. Can you share the issued SAML token? One of the purposes of WS-Federation is to centralize (in the IDP/STS) the code to retrieve user information from all possible user directories and provide this information in a transparent way to the application, instead of having to pull this information in each application individually.

Thanks
Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com
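
To make the sign-in exchange and the wctx nesting discussed in this thread concrete, here is an added Python example (not Fediz code) of the two legs of WS-Federation passive sign-in from the RP's side: building the wsignin1.0 redirect with a wctx of the id=passive&ru=... form used above, then recovering ru from the wctx the IDP echoes back and deciding what to do with the returned request. The IDP URL, realm and RP host are constructed placeholders; the return-path check and the request classification are assumed policy, not Fediz behaviour.

```python
"""WS-Federation passive sign-in from the RP's side. Added example, not Fediz
code: IDP URL, realm and RP host are constructed; the return path
/newhirereporting/myAlaska and the id=passive&ru=... wctx layout are the
thread's own."""
from urllib.parse import urlencode, urlsplit, parse_qs

WSIGNIN = "wsignin1.0"


def build_wctx(return_path):
    """Inner context string. ru is URL-encoded once here; urlencode() in
    build_signin_redirect encodes the whole wctx a second time, which is
    exactly where the %252F (double-encoded '/') in the thread comes from."""
    return urlencode({"id": "passive", "ru": return_path})


def build_signin_redirect(idp_url, wtrealm, wreply, wctx):
    """Leg 1: redirect an unauthenticated browser to the IDP."""
    params = {"wa": WSIGNIN, "wtrealm": wtrealm, "wreply": wreply, "wctx": wctx}
    return idp_url + ("&" if "?" in idp_url else "?") + urlencode(params)


def parse_signin_redirect(url):
    """What the IDP sees after decoding the query string once."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def return_path_from_wctx(wctx):
    """Recover ru from the wctx the IDP echoes back in its POST. Only a same-site
    absolute path is accepted (assumed policy), so a wctx altered in the browser
    cannot turn the post-sign-in redirect into an open redirect to another host."""
    ru = parse_qs(wctx, keep_blank_values=True).get("ru", [""])[0]
    if not ru.startswith("/") or ru.startswith("//") or "\\" in ru:
        return None
    return ru


def classify_rp_request(method, params):
    """Decision the RP filter makes per request (assumed policy). The thread's
    first error came from treating a plain GET as a sign-in response."""
    wa = params.get("wa")
    if method == "POST" and wa == WSIGNIN and params.get("wresult"):
        return "process-token"      # leg 2: IDP POST-back with the RSTR in wresult
    if wa is None and "wresult" not in params:
        return "redirect-to-idp"    # unauthenticated hit on a protected page: start leg 1
    return "reject"                 # wa set but no usable token, or wrong method


if __name__ == "__main__":
    wctx = build_wctx("/newhirereporting/myAlaska")
    url = build_signin_redirect(
        "https://idp.example.invalid/adfs/ls/", "urn:example:rp",
        "https://rp.example.invalid/newhirereporting/j_spring_fediz_security_check", wctx)
    print(url)
    print(return_path_from_wctx(parse_signin_redirect(url)["wctx"]))
```

Encoding with urlencode() twice (once for ru inside wctx, once for wctx inside the query) reproduces the %252F form the thread had to write by hand, and the ru check matters because whatever comes back in wctx has passed through the browser.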

________________________________________
From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
Sent: 20 June 2013 03:09
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

Turns out I had misread an important piece of the document.
I had put my cxf.xml in src/main/webapp/WEB-INF/ next to my web.xml instead of in src/main/resources/

Moving it to the appropriate directory cleared up my certificate issue.

Tom

-----Original Message-----
From: Burton, Tom F (DOR) [mailto:tom.burton@alaska.gov]
Sent: Wednesday, June 19, 2013 3:40 PM
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

I just tried

 - name=".*"
 - name="https://.*.state.ak.us:444/.*"
 - name="https://mydev-svc.state.ak.us:444/.*"

I got the same error for all three.

Tom

-----Original Message-----
From: Daniel Kulp [mailto:dkulp@apache.org]
Sent: Wednesday, June 19, 2013 2:59 PM
To: users@cxf.apache.org
Cc: owulff@talend.com
Subject: Re: FEDIZ Authentication problems


Change the conduit name to something like:

name="https://mydev-svc.state.ak.us:444/.*"

Using the service name can only apply those settings after the service is created and the name, namespace and such are known.  To have it apply for WSDL loading as well, use a URL format (and the .* at the end for the regex expansion).

Dan



On Jun 19, 2013, at 6:49 PM, "Burton, Tom F (DOR)" <to...@alaska.gov> wrote:

> I've actually made it past these issues. :) but now I have new ones :(
>
> The initial class I was talking about sub-classing was:
> FederationAuthenticationFilter
>
> The "additional Authentication checks" were in my subclass.
>
> The java code looked like so:
>
>     @Override
>     protected boolean requiresAuthentication(HttpServletRequest request,
>                                              HttpServletResponse response) {
>         boolean required = false;
>         // should this be equals or some fancy ** matching type stuff?
>         String path = request.getServletPath();
>         required = path.contains(getFilterProcessesUrl());
>         // required = request.getRequestURI().contains(getFilterProcessesUrl());
>
>         // TODO: look up an "easy" way to read the spring config
>         // PageMapHolder manually parses the Spring xml files on deploy
>         if (!required) {
>             required = PageMapHolder.getPages().containsKey(path);
>         }
>
>         if (log.isDebugEnabled()) {
>             log.debug("Compared: path=" + request.getServletPath()
>                       + ", and " + getFilterProcessesUrl());
>             log.debug("ServletPath Authentication: " + required);
>         }
>         if (!required) {
>             required = super.requiresAuthentication(request, response);
>         }
>         return required;
>     }
>
> They have been disabled.
>
> The solution ended up requiring me to copy the implementation of
> FederationAuthenticationEntryPoint,
> as MyAlaskaEntryPoint. I needed to mangle the redirect URL with more
> options than it looks like are available in the fediz_config file.
> I basically had to add:
>
>    redirectUrl += "&wctx=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
>                 + "%252Fnewhirereporting%252FmyAlaska"; // double encoded /contextpath/page
>
>
> I also copied it to add
> redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID;
>
> pubId is a URL parameter to add a friendly message to the login page for the user.
>
> So now I do actually get a "SAML Token" but all it contains is a GUID.
> I then have to call a SOAP web Service to actually convert that GUID into a real user object.
>
>
> MyAlaskaAuthProvider is a subclass of FederationAuthenticationProvider
>
> It overrides #authenticate to add some logging before calling super. It
> overrides #loadUserByFederationResponse to find the myAkUsername
> BEFORE calling super.
>
> The current Error I'm getting is a certificate error while trying to access the GUID based web service.
>
> So in doing some research I found this:
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-Howtooverridetheserviceaddress%3F
>
> I've followed the page and created a cxf.xml I've added it as another
> file to be parsed as part of my Spring Config.
>
> cxf.xml has an http:conduit like so:
>
>  <http:conduit
>    name="{http://cxf.apache.org/}TransportURIResolver.http-conduit">
> <!-- magic value for https -->
>
> <!--name="{http://myalaska.state.ak.us/wsdl/MyAlaskaService}WSHttpBinding_MyAlaskaService.http-conduit">-->
>
>    <!-- duplicates values from <certificateStores> in Fediz config -->
>    <http:tlsClientParameters>
>      <sec:keyManagers keyPassword="password">
>        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>      </sec:keyManagers>
>      <sec:trustManagers>
>        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>      </sec:trustManagers>
>      <sec:cipherSuitesFilter>
>        <!-- these filters ensure that a ciphersuite with
>             export-suitable or null encryption is used,
>             but exclude anonymous Diffie-Hellman key change as
>             this is vulnerable to man-in-the-middle attacks -->
>        <sec:include>.*_EXPORT_.*</sec:include>
>        <sec:include>.*_EXPORT1024_.*</sec:include>
>        <sec:include>.*_WITH_DES_.*</sec:include>
>        <sec:include>.*_WITH_AES_.*</sec:include>
>        <sec:include>.*_WITH_NULL_.*</sec:include>
>        <sec:exclude>.*_DH_anon_.*</sec:exclude>
>      </sec:cipherSuitesFilter>
>    </http:tlsClientParameters>
>    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
> </http:conduit>
>
> However when I try and actually create an instance of my soap service, I get a stack trace in my log file.  Pasted in full below.
> To me the interesting bit is probably:
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> So am I defining my conduit name right? How can I tell if the conduit wrapping is even happening?
>
>
> Thank you again,
> Tom Burton
>
>
>
> --------------- Full Stack Trace -------------
>
> 06-19@14:27:45 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request
> javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:149)
>        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> Caused by: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:100)
>        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        ... 33 more
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>        at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
>        at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>        at sun.security.validator.Validator.validate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>        ... 60 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>        at java.security.cert.CertPathBuilder.build(Unknown Source)
>        ... 66 more
>
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        ... 35 more
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@8c9de8
> 06-19@14:27:45 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
> 06-19@14:27:45 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-19@14:27:45 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
>
>
> -----Original Message-----
> From: Oliver Wulff [mailto:owulff@talend.com]
> Sent: Tuesday, June 18, 2013 11:11 PM
> To: users@cxf.apache.org
> Subject: RE: FEDIZ Authentication problems
>
> Hi Tom
>
>>>>
> If I subclass ``  to authenticate on my desired URL path `myAlaska`
>>>>
> Which class do you want to subclass?
>
>>>>
> MyAlaskaAuthProvider
>>>>
> What kind of AuthProvider is this?
>
>>>>
> If  I remove the additional Authentication checks so it only checks on
> /j_spring_fediz_security_check
>>>>
> Can you point me in your configuration what you mean?
>
>>>>
> The first error tells me there was a problem with the sign-in request-response; it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a POST.
>>>>
> This is kind of strange. Did you really get redirected to the IDP? Could you share the browser traffic (httpfox, findbugs, etc).
>
>>>>
> The second error is a redirect loop that /myAlaska  -> redirects to the IDP -> redirects back to myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set like wa=wsignin1.0 and, seeing as it's not finding that information, it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
>>>>
> This is per WS-Federation spec. The SAML assertion is sent in the wresult parameter. Fediz works with ADFS but keep in mind that ADFS uses an older WS-Trust and SAML 1.1 assertion which is supported by Fediz as well.
>
>
>>>>
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML Token.  I want to treat ALL accounts from ADFS with the same role.
> Is using  ' access="isFullyAuthenticated()"  ' appropriate for my use case?
>>>>
> The following definition requires that you're authenticated (without the requirement for any roles):
> <sec:intercept-url pattern="/secure/fedservlet" access="isAuthenticated()"/>
>
> There is an example available for spring security. Here is the spring security documentation of it:
> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml?view=markup
>
> HTH
>
> Oli
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com
>
> ________________________________________
> From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
> Sent: 18 June 2013 21:15
> To: users@cxf.apache.org
> Subject: FEDIZ Authentication problems
>
> I'm trying to set up FEDIZ-1.1-SNAPSHOT with FEDIZ-1.1-SPRING-SNAPSHOT as an RP to an existing .NET ADFS IDP.
>
> If I subclass ``  to authenticate on my desired URL path `myAlaska` I end up with the following log entries when I try to log in:
>
> 06-18@09:56:56 INFO  [] Spring Security Debugger   -
>
> ************************************************************
>
> Request received for '/myAlaska':
>
> org.apache.catalina.connector.RequestFacade@a2f68b
>
> servletPath:/myAlaska
> pathInfo:null
>
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
>
>
> ************************************************************
>
>
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No HttpSession currently exists
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Compared: path=/myAlaska, and /j_spring_fediz_security_check
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - ServletPath Authentication: true
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Request is to process authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - begin parameter logging.
> wa:       null
> wresult:  null
> full URL: https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> Method:   GET
> 06-18@09:56:56 DEBUG [] ProviderManager            - Authentication attempt using us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - Authenticating: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1dacb29: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 146.63.181.15; SessionId: null; Not granted any authorities
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - request: WA: null Wct: null Result: null Cert Count: 0
> 06-18@09:56:56 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
> 06-18@09:56:56 ERROR [] FederationProcessorImpl    - Invalid action 'null'
> 06-18@09:56:56 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request
> org.apache.cxf.fediz.core.exception.ProcessingException: The request was invalid or malformed
>        at org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:93)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:121)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:30)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: The request was invalid or malformed
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1508a8b
> 06-18@09:56:56 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-18@09:56:56 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
>
> If  I remove the additional Authentication checks so it only checks on /j_spring_fediz_security_check I get the following error instead:
>
> 06-18@10:57:19 INFO  [] Spring Security Debugger   -
>
> ************************************************************
>
> Request received for '/myAlaska':
>
> org.apache.catalina.connector.RequestFacade@1cdedd4
>
> servletPath:/myAlaska
> pathInfo:null
>
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
>
>
> ************************************************************
>
>
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be created.
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication = false
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - pathInfo: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - queryString: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURI: arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverPort: arg1=8443; arg2=8443 (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURL: arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska; arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - scheme: arg1=https; arg2=https (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverName: arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - contextPath: arg1=/newhirereporting; arg2=/newhirereporting (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - servletPath: arg1=/myAlaska; arg2=/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - Removing DefaultSavedRequest from session if present
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] nymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/myalaska'
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()]
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS
> 06-18@10:57:19 DEBUG [] AffirmativeBased           - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@200930, returned: -1
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
> org.springframework.security.access.AccessDeniedException: Access is denied
>        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
>        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - DefaultSavedRequest added to Session: DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska]
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication entry point.
> 06-18@10:57:19 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
> 06-18@10:57:19 DEBUG [] MyAlaskaEntryPoint         - Federation context: org.apache.cxf.fediz.core.config.FederationContext@a302f2
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Issuer url: https://mydev.alaska.gov/adfs/ls/
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - WAuth:
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - HomeRealm: null
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Freshness: null
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/
> 06-18@10:57:19 INFO  [] MyAlaskaEntryPoint         - Redirecting to IDP: https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&pubId=enhr
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-18@10:57:19 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
>
> The first error tells me there was a problem with the sign-in request-response: it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a POST.
>
> The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to /myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set, like wa=wsignin1.0, and seeing as it's not finding that information it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
>
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML Token.  I want to treat ALL accounts from ADFS with the same role.
> Is using access="isFullyAuthenticated()" appropriate for my use case?
>
> Thank you for any help,
> Tom Burton
>
> Confidentiality Notice:  This e-mail message including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

--
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog Talend Community Coder - http://coders.talend.com
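
The two symptoms in the quoted message (a bare GET to /myAlaska being parsed as a failed sign-in, and the deep link getting lost in the redirect loop) come down to two decisions the relying party has to make. The following is an added example written for this thread, not Fediz or Spring Security code: it builds the WS-Federation sign-in redirect with wreply fixed to the check URL and the requested page remembered server-side under an opaque wctx, and it classifies an inbound request before anything tries to read a token out of it. The IdP URL, host name and realm are the ones in the thread; CHECK_PATH, SignInState, the 300-second wctx lifetime and the pubId passthrough are assumptions.

```python
"""WS-Federation passive sign-in as seen from the relying party.

Added example for this thread, not Fediz or Spring Security code.
Hosts/realm are the ones in the thread; CHECK_PATH, SignInState,
WCTX_TTL_SECONDS and the pubId passthrough are assumptions.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

IDP_URL = "https://mydev.alaska.gov/adfs/ls/"
CONTEXT_PATH = "/newhirereporting"
REALM = "https://cssdappstst.state.ak.us:8443" + CONTEXT_PATH + "/"
CHECK_PATH = "/j_spring_fediz_security_check"  # Fediz default filterProcessesUrl (assumed fixed)
WCTX_TTL_SECONDS = 300


class SignInState:
    """Server-side map from an opaque wctx value to the page that started the
    sign-in. Keeping the path here, rather than inside wctx the way the .NET
    sample's "id=passive&ru=..." does, means whatever comes back from the IdP
    cannot steer the post-login redirect."""

    def __init__(self, clock=time.time):
        self._entries = {}
        self._clock = clock

    def put(self, return_path):
        token = secrets.token_urlsafe(24)
        self._entries[token] = (return_path, self._clock() + WCTX_TTL_SECONDS)
        return token

    def pop(self, token):
        path, expires = self._entries.pop(token, (None, 0))
        return path if path is not None and self._clock() < expires else None


def safe_return_path(path, default=CONTEXT_PATH + "/"):
    """Accept only a path inside this webapp's context as a deep link."""
    if (not isinstance(path, str) or not path.startswith(CONTEXT_PATH + "/")
            or "://" in path or "\\" in path):
        return default
    return path


def build_signin_url(requested_path, state, now=None, pub_id=None):
    """Return (redirect_url, wctx) for the wsignin1.0 request. wreply is the
    fixed check URL; the requested page is remembered under wctx."""
    wctx = state.put(safe_return_path(requested_path))
    wct = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(time.time() if now is None else now))
    params = [("wa", "wsignin1.0"), ("wtrealm", REALM),
              ("wreply", REALM.rstrip("/") + CHECK_PATH), ("wct", wct), ("wctx", wctx)]
    if pub_id:  # the custom ADFS "friendly name" parameter mentioned in the thread
        params.append(("pubId", pub_id))
    return IDP_URL + "?" + urlencode(params), wctx


def classify_request(method, servlet_path, params):
    """What is this inbound request? A processing filter has to decide this
    before it tries to parse a token out of the request: a plain GET to a
    protected page is not a failed sign-in, it is a reason to redirect."""
    if (method.upper() == "POST" and servlet_path == CHECK_PATH
            and params.get("wa") == "wsignin1.0" and params.get("wresult")):
        return "signin_response"
    if params.get("wa") == "wsignoutcleanup1.0":
        return "signout_cleanup"
    return "not_a_signin"


def finish_signin(params, state):
    """Once wresult has been validated, pick the page to send the browser to.
    A missing, unknown, reused or expired wctx falls back to the context root."""
    return safe_return_path(state.pop(params.get("wctx", "")))


def query_params(url):
    """Flatten the redirect's query string to {name: value} for inspection."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
```

The wctx value is single-use and expires, so a replayed or forged wctx can only land the browser on the context root; if the return path has to travel inside wctx (the WIF "ru=" convention), the same in-context check that safe_return_path applies is still needed on the way back.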

RE: FEDIZ Authentication problems

Posted by "Burton, Tom F (DOR)" <to...@alaska.gov>.
The system I'm hooking into is an upgrade of an older system.
The older system passed a GUID in an HTTP header. (All web applications were behind a shared proxy.)
The GUID was then run through a web service to retrieve a matching user account.
There were other Web Services as well (That I'm personally not using that use the GUID.)
All of these web service locations have been changed, with minimal other interface changes, 
And the actual implementations have changed as well.  It is my understanding (Not my systems) 
that they went from a Solaris LDAP/Oracle backend to a Active Directory/SQL Server backend.
I've pasted the token below. It has one attribute, MyAlaskaId; it's the value of that attribute 
that I pass to a web service to actually get back a user object, unless that's how SAML responses are
designed to work and I still need to configure something.

They have supplied a .NET (C#) sample application. On our dev system I can even see it in action.
I decided to try the dev sample application. I snagged the URL out of my address bar when I saw it.
Then I split it apart to figure out what was different between the URL the sample application 
generated and mine. That's when I came across the "&wctx=...." bit.  

The wctx for the .NET application is probably generated by this bit in the sample application's Web.config
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" requireHttps="false"
                    issuer="https://mydev.alaska.gov/adfs/ls/" realm="[ TODO ]"
                    signInQueryString="pubid=[ TODO ]" />
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>


The "&pubid=" is a custom extension they've implemented. When I use it the login page says:
"'Website Name' has sent you here to sign in."

Honestly you probably know more about ADFS than I do. I'm just flailing about trying to get it to work.

Also if you don't like subclassing could you please add more logging to your classes. 
It's the single biggest reason I was subclassing.

I think a callback could work. Or what about a system like the one the maven compiler plugin has,
where unknown XML options just get appended?
So for example, in the maven compiler plugin I can do
    <configuration>
      <compilerarguments>
        <foo>
          bash
        </foo>
      </compilerarguments>
    </configuration>

Then it just blindly passes -foo=bash to javac and hopes for the best (or that's what it looks like).

With such a system for fediz I could have:

    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="federationProtocolType" version="1.0.0">
      <!-- normal options here -->
      <!-- demarcation for sign-in-only special arguments,
           wrap them, no special processing (except escaping?) -->
      <signInArguments>
        <pubId>myId</pubId>
      </signInArguments>
    </protocol>

And the redirect URL would end up with &pubId=myId appended,
or "&pubId=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1") if escaping.

--- here is my SAML Response (is that the right term?) ---
<t:RequestSecurityTokenResponse
    xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:Lifetime>
    <wsu:Created
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      2013-06-18T21:25:30.147Z
    </wsu:Created>
    <wsu:Expires
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      2013-06-18T22:25:30.147Z
    </wsu:Expires>
  </t:Lifetime>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsa:Address>
        https://cssdappstst.state.ak.us:8443/newhirereporting/
      </wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1"
                    AssertionID="_517cee33-3b6b-40cc-82cd-a2e10ce61925"
                    Issuer="http://MYDEV.ALASKA.GOV/adfs/services/trust"
                    IssueInstant="2013-06-18T21:25:30.147Z"
                    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2013-06-18T21:25:30.147Z"
                       NotOnOrAfter="2013-06-18T22:25:30.147Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>
            https://cssdappstst.state.ak.us:8443/newhirereporting/
          </saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>
              urn:oasis:names:tc:SAML:1.0:cm:bearer
            </saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="MyAlaskaId"
                        AttributeNamespace="http://my.alaska.gov/claims">
          <saml:AttributeValue>
            0d0ad010-d27b-4b53-a8bc-ba85a704e083
          </saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AuthenticationStatement
          AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
          AuthenticationInstant="2013-06-18T20:06:58.819Z">
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>
              urn:oasis:names:tc:SAML:1.0:cm:bearer
            </saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod
              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod
              Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256">
          </ds:SignatureMethod>
          <ds:Reference URI="#_517cee33-3b6b-40cc-82cd-a2e10ce61925">
            <ds:Transforms>
              <ds:Transform
                  Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
              </ds:Transform>
              <ds:Transform
                  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#sha256">
            </ds:DigestMethod>
            <ds:DigestValue>
              RtzUZBhY6myvUAWpwGfXbRrqzLU5pydSxa8uq9TlGnM=
            </ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
		[Long Signature hash value was Here ]          
        </ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
            <X509Certificate>
              [Certificate hash was here]
            </X509Certificate>
          </X509Data>
        </KeyInfo>
      </ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
  <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
  <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
  </t:RequestType>
  <t:KeyType>
    http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey
  </t:KeyType>
</t:RequestSecurityTokenResponse>


Thank you again,
Tom
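
As an added example for the token above (not Fediz or WSS4J code), here is the set of checks a relying party should make inside the signed saml:Assertion before acting on the MyAlaskaId claim. SAMPLE_RSTR is constructed from the posted token, keeping the fields the checks read and replacing the SignatureValue and certificate with placeholders, so the XML-DSig is not cryptographically verified here; that verification against the IdP certificate in the RP's trust store is assumed to happen before this function runs. REALM is the wtrealm from the thread; the five-minute clock skew and ALLOWED_SIGNATURE_METHODS are assumptions.

```python
"""Relying-party checks on a WS-Federation RSTR before its claims are trusted.

Added example for this thread, not Fediz/WSS4J code. SAMPLE_RSTR is built
from the token posted in the thread with signature bytes replaced by
placeholders, so the XML-DSig itself is NOT verified here (assumed done
first against the IdP certificate in the trust store). Every check reads
the signed saml:Assertion only: t:Lifetime and wsp:AppliesTo sit outside
ds:Signature and are not authenticated.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml for XML that arrives over the network

NS = {"t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REALM = "https://cssdappstst.state.ak.us:8443/newhirereporting/"
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
ALLOWED_SIGNATURE_METHODS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}  # assumption


def parse_utc(value):
    """ADFS timestamps look like 2013-06-18T21:25:30.147Z (fraction optional)."""
    value = value.strip()
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def _text(el):
    return (el.text or "").strip()  # the posted token is pretty-printed


def validate_rstr(xml_text, realm, now, skew=timedelta(minutes=5)):
    """Return {"ok", "errors", "claims", "assertion_id"}; ok only if errors is empty."""
    errors, claims = [], {}
    found = ET.fromstring(xml_text).findall("t:RequestedSecurityToken/saml:Assertion", NS)
    if len(found) != 1:
        return {"ok": False, "errors": ["expected exactly one saml:Assertion"],
                "claims": claims, "assertion_id": None}
    a = found[0]
    aid = a.get("AssertionID", "")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        errors.append("assertion has no validity window")
    else:
        if now + skew < parse_utc(cond.get("NotBefore")):
            errors.append("token not yet valid")
        if now - skew >= parse_utc(cond.get("NotOnOrAfter")):
            errors.append("token expired")
        audiences = [_text(x) for x in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
        if realm not in audiences:
            errors.append("audience %r does not include realm %r" % (audiences, realm))
    methods = [_text(m) for m in a.findall(".//saml:SubjectConfirmation/saml:ConfirmationMethod", NS)]
    if not methods or any(m != BEARER for m in methods):
        errors.append("unexpected subject confirmation %r" % methods)
    sig = a.find("ds:Signature", NS)
    if sig is None:
        errors.append("assertion is not signed")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None or method.get("Algorithm") not in ALLOWED_SIGNATURE_METHODS:
            errors.append("signature method not allowed")
        refs = [r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
        if refs != ["#" + aid]:  # the signature must cover this assertion and nothing else
            errors.append("signature reference %r does not cover assertion %r" % (refs, aid))
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("AttributeNamespace", "") + "/" + attr.get("AttributeName", "")
        claims[key] = [_text(v) for v in attr.findall("saml:AttributeValue", NS)]
    return {"ok": not errors, "errors": errors, "claims": claims, "assertion_id": aid}


# Constructed from the token in the thread; signature bytes are placeholders.
SAMPLE_RSTR = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_517cee33-3b6b-40cc-82cd-a2e10ce61925"
        Issuer="http://MYDEV.ALASKA.GOV/adfs/services/trust" IssueInstant="2013-06-18T21:25:30.147Z"
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2013-06-18T21:25:30.147Z" NotOnOrAfter="2013-06-18T22:25:30.147Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>
            https://cssdappstst.state.ak.us:8443/newhirereporting/
          </saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject><saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation></saml:Subject>
        <saml:Attribute AttributeName="MyAlaskaId" AttributeNamespace="http://my.alaska.gov/claims">
          <saml:AttributeValue>0d0ad010-d27b-4b53-a8bc-ba85a704e083</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#_517cee33-3b6b-40cc-82cd-a2e10ce61925"/>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
  <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
</t:RequestSecurityTokenResponse>"""
```

The Audience check is what ties the token to this application's wtrealm; the Reference URI check is what stops an attacker from pasting a validly signed assertion for one AssertionID next to a different, unsigned one. Both live inside the signed element, which is why the unsigned t:Lifetime is ignored in favour of saml:Conditions.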


-----Original Message-----
From: Oliver Wulff [mailto:owulff@talend.com] 
Sent: Wednesday, June 19, 2013 10:36 PM
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

Hi Tom

>>>
I needed to mangle the redirect URL with more options than it looks like are available in the fediz_config file.
I basically had to add:  
    redirectUrl += "&wctx="+ URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
                           + "%252Fnewhirereporting%252FmyAlaska" //double encoded /contextpath/page
 
 I also copied it to add
 redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID; pubId is a URL parameter to add a friendly message to the login page for the user.
>>>
I'm not a big fan of subclassing in general. Mostly it indicates that there is a missing extension point in the framework. Do you have to extend the redirect URL because of ADFS or because of your application? I could add a callback handler to fill the wctx or even extend the URL. The original request is cached by spring security thus you don't have to cache any request specific information in the redirect url. I would like to understand first what the use case is as this requirement never came up so far.

>>>
So now I do actually get a "SAML Token" but all it contains is a GUID.  
I then have to call a SOAP web Service to actually convert that GUID into a real user object.
>>>
Is this by intention? ADFS is able to add user information from AD. Can you share the issued SAML token? One of the purposes of WS-Federation is to centralize (in the IDP/STS) the code to retrieve user information from all possible user directories and provide this information in a transparent way to the application instead of having to pull this information in each application individually.

Thanks
Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
Sent: 20 June 2013 03:09
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

Turns out I had mis-read an important piece of the document.
I had put my cxf.xml in src/main/webapp/WEB-INF/ next to my web.xml instead of in src/main/resources/

moving it to the appropriate directory cleared up my certificate issue.

Tom

-----Original Message-----
From: Burton, Tom F (DOR) [mailto:tom.burton@alaska.gov]
Sent: Wednesday, June 19, 2013 3:40 PM
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

I just tried

 - name=".*"
 - name="https://.*.state.ak.us:444/.*"
 - name="https://mydev-svc.state.ak.us:444/.*"

I got the same error for all three.

Tom

-----Original Message-----
From: Daniel Kulp [mailto:dkulp@apache.org]
Sent: Wednesday, June 19, 2013 2:59 PM
To: users@cxf.apache.org
Cc: owulff@talend.com
Subject: Re: FEDIZ Authentication problems


Change the conduit name so something like:

name="https://mydev-svc.state.ak.us:444/.*"

Using the service name can only apply those settings after the service is created and the name and namespace and such is known.  To have it apply for wsdl loading as well, use a URL format (and the .* at the end for the regex expansion).

Dan



On Jun 19, 2013, at 6:49 PM, "Burton, Tom F (DOR)" <to...@alaska.gov> wrote:

> I've actually made it past these issues. :) but now I have new ones :(
>
> The initial class I was talking about sub-classing was:
> FederationAuthenticationFilter
>
> The "additional Authentication checks" were in my subclass.
>
> The Java code looked like so:
>
>     @Override
>     protected boolean requiresAuthentication(HttpServletRequest request,
>                                              HttpServletResponse response) {
>         boolean required = false;
>         //should this be equals or some fancy ** matching type stuff?
>         String path = request.getServletPath();
>         required = path.contains(getFilterProcessesUrl());
>         //getRequestURI().contains(getFilterProcessesUrl());
>
>         //TODO: look up an "easy" way to read the spring config
>         //PageMapHolder manually parses the Spring xml files on deploy
>         if ( !required ) { required = PageMapHolder.getPages().containsKey(path); }
>
>         if ( log.isDebugEnabled() )
>         {
>           log.debug( "Compared: path=" + request.getServletPath()
>                    + ", and " + getFilterProcessesUrl() );
>           log.debug("ServletPath Authentication: " + required);
>         }
>         if (!required)
>         { required = super.requiresAuthentication(request, response); }
>         return required;
>     }
>
> They have been disabled.
>
> The solution ended up requiring me to copy the implementation of
> FederationAuthenticationEntryPoint, as MyAlaskaEntryPoint. I needed to mangle the redirect URL with more
> options than it looks like are available in the fediz_config file.
> I basically had to add:
>
>    redirectUrl += "&wctx=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
>                 + "%252Fnewhirereporting%252FmyAlaska"; // double encoded /contextpath/page
>
> I also copied it to add
>
>    redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID;
>
> pubId is a URL parameter to add a friendly message to the login page for the user.
>
> So now I do actually get a "SAML Token" but all it contains is a GUID.
> I then have to call a SOAP web Service to actually convert that GUID into a real user object.
>
>
> MyAlaskaAuthProvider is a subclass of FederationAuthenticationProvider
>
> It overrides #authenticate to add some logging before calling super It 
> overrides #loadUserByFederationResponse to find the myAkUsername 
> BEFORE calling super
>
> The current Error I'm getting is a certificate error while trying to access the GUID based web service.
>
> So in doing some research I found this:
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-Howtooverridetheserviceaddress%3F
>
> I've followed the page and created a cxf.xml I've added it as another 
> file to be parsed as part of my Spring Config.
>
> cxf.xml has an http:conduit like so:
>
>  <http:conduit
>    name="{http://cxf.apache.org/}TransportURIResolver.http-conduit"> <!-- magic value for https -->
>    <!--name="{http://myalaska.state.ak.us/wsdl/MyAlaskaService}WSHttpBinding_MyAlaskaService.http-conduit">-->
>
>    <!-- duplicates values from <certificateStores> in Fediz config -->
>    <http:tlsClientParameters>
>      <sec:keyManagers keyPassword="password">
>        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>      </sec:keyManagers>
>      <sec:trustManagers>
>        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>      </sec:trustManagers>
>      <sec:cipherSuitesFilter>
>        <!-- these filters ensure that a ciphersuite with
>             export-suitable or null encryption is used,
>             but exclude anonymous Diffie-Hellman key change as
>             this is vulnerable to man-in-the-middle attacks -->
>        <sec:include>.*_EXPORT_.*</sec:include>
>        <sec:include>.*_EXPORT1024_.*</sec:include>
>        <sec:include>.*_WITH_DES_.*</sec:include>
>        <sec:include>.*_WITH_AES_.*</sec:include>
>        <sec:include>.*_WITH_NULL_.*</sec:include>
>        <sec:exclude>.*_DH_anon_.*</sec:exclude>
>      </sec:cipherSuitesFilter>
>    </http:tlsClientParameters>
>    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
>  </http:conduit>
>
> However when I try and actually create an instance of my soap service, I get a stack trace in my log file. Pasted in full below.
> To me the interesting bit is probably:
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> So am I defining my conduit name right? How can I tell if the conduit wrapping is even happening?
>
>
> Thank you again,
> Tom Burton
>
>
>
> --------------- Full Stack Trace -------------
>
> 06-19@14:27:45 ERROR [] tionAuthenticationProvider - Failed to 
> validate SignIn request
> javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:149)
>        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source) Caused by:
> org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:100)
>        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        ... 33 more
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>        at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
>        at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source) Caused by:
> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>        at sun.security.validator.Validator.validate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>        ... 60 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>        at java.security.cert.CertPathBuilder.build(Unknown Source)
>        ... 66 more
>
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        ... 35 more
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Updated 
> SecurityContextHolder to contain null Authentication
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Delegating to 
> authentication failure handler 
> org.springframework.security.web.authentication.SimpleUrlAuthenticatio
> nFailureHandler@8c9de8
> 06-19@14:27:45 DEBUG [] thenticationFailureHandler - No failure URL 
> set, sending 401 Unauthorized error
> 06-19@14:27:45 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-19@14:27:45 DEBUG [] tyContextPersistenceFilter - 
> SecurityContextHolder now cleared, as request processing completed
>
>
> -----Original Message-----
> From: Oliver Wulff [mailto:owulff@talend.com]
> Sent: Tuesday, June 18, 2013 11:11 PM
> To: users@cxf.apache.org
> Subject: RE: FEDIZ Authentication problems
>
> Hi Tom
>
>>>>
> If I subclass ``  to authenticate on my desired URL path `myAlaska`
>>>>
> Which class do you want to subclass?
>
>>>>
> MyAlaskaAuthProvider
>>>>
> What kind of AuthProvider is this?
>
>>>>
> If I remove the additional Authentication checks so it only checks on 
> /j_spring_fediz_security_check
>>>>
> Can you point me in your configuration what you mean?
>
>>>>
> The first error tells me there was a problem with the sign-in request-response; it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a POST.
>>>>
> This is kind of strange. Did you really get redirected to the IDP? Could you share the browser traffic (httpfox, findbugs, etc).
>
>>>>
> The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set like wa=wsignin1.0, and seeing as it's not finding that information it errors, assumes I'm not logged in and redirects me to my IDP's Sign-In Page.
>>>>
> This is per WS-Federation spec. The SAML assertion is sent in the wresult parameter. Fediz works with ADFS but keep in mind that ADFS uses an older WS-Trust and SAML 1.1 assertion which is supported by Fediz as well.
>
>
>>>>
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML Token.  I want to treat ALL accounts from ADFS with the same role.
> Is using  ' access="isFullyAuthenticated()"  ' appropriate for my use case?
>>>>
> The following definition requires that you're authenticated (without the requirement for any roles):
> <sec:intercept-url pattern="/secure/fedservlet" access="isAuthenticated()"/>
>
> There is an example available for spring security. Here is the spring security documentation of it:
> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml?view=markup
>
> HTH
>
> Oli
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com
>
> ________________________________________
> From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
> Sent: 18 June 2013 21:15
> To: users@cxf.apache.org
> Subject: FEDIZ Authentication problems
>
> I'm trying to setup FEDIZ-1.1-SNAPSHOT with FEDIZ-1.1-SPRING-SNAPSHOT as an RP to an existing .NET ADFS IDP.
>
> If I subclass ``  to authenticate on my desired URL path `myAlaska` I end up with the following log entries when I try to log in:
>
> 06-18@09:56:56 INFO  [] Spring Security Debugger   -
>
> ************************************************************
>
> Request received for '/myAlaska':
>
> org.apache.catalina.connector.RequestFacade@a2f68b
>
> servletPath:/myAlaska
> pathInfo:null
>
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
>
>
> ************************************************************
>
>
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No HttpSession 
> currently exists
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Compared:
> path=/myAlaska, and /j_spring_fediz_security_check
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - ServletPath
> Authentication: true
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Request is to 
> process authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - begin parameter logging.
> wa:       null
> wresult:  null
> full URL: https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> Method:   GET
> 06-18@09:56:56 DEBUG [] ProviderManager            - Authentication attempt using us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - Authenticating: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1dacb29: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 146.63.181.15; SessionId: null; Not granted any authorities
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - request: WA: null Wct: null Result: null Cert Count: 0
> 06-18@09:56:56 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
> 06-18@09:56:56 ERROR [] FederationProcessorImpl    - Invalid action 'null'
> 06-18@09:56:56 ERROR [] tionAuthenticationProvider - Failed to 
> validate SignIn request
> org.apache.cxf.fediz.core.exception.ProcessingException: The request was invalid or malformed
>        at org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:93)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:121)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:30)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication 
> request failed:
> org.springframework.security.authentication.BadCredentialsException:
> The request was invalid or malformed
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated 
> SecurityContextHolder to contain null Authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to 
> authentication failure handler 
> org.springframework.security.web.authentication.SimpleUrlAuthenticatio
> nFailureHandler@1508a8b
> 06-18@09:56:56 DEBUG [] thenticationFailureHandler - No failure URL 
> set, sending 401 Unauthorized error
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-18@09:56:56 DEBUG [] tyContextPersistenceFilter - 
> SecurityContextHolder now cleared, as request processing completed
>
> If I remove the additional Authentication checks so it only checks on /j_spring_fediz_security_check I get the following error instead:
>
> 06-18@10:57:19 INFO  [] Spring Security Debugger   -
>
> ************************************************************
>
> Request received for '/myAlaska':
>
> org.apache.catalina.connector.RequestFacade@1cdedd4
>
> servletPath:/myAlaska
> pathInfo:null
>
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
>
>
> ************************************************************
>
>
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - HttpSession 
> returned null object for SPRING_SECURITY_CONTEXT
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be created.
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication = false
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - pathInfo: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - queryString: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURI: arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverPort: arg1=8443; arg2=8443 (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURL: arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska; arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - scheme: arg1=https; arg2=https (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverName: arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - contextPath: arg1=/newhirereporting; arg2=/newhirereporting (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - servletPath: arg1=/myAlaska; arg2=/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - Removing DefaultSavedRequest from session if present
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] nymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/myalaska'
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Secure object:
> FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()]
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS
> 06-18@10:57:19 DEBUG [] AffirmativeBased           - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@200930, returned: -1
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied 
> (user is anonymous); redirecting to authentication entry point
> org.springframework.security.access.AccessDeniedException: Access is denied
>        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
>        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)

--
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog Talend Community Coder - http://coders.talend.com

RE: FEDIZ Authentication problems

Posted by Oliver Wulff <ow...@talend.com>.
Hi Tom

>>>
I needed to mangle the redirect URL with more options than it looks like are
available in the fediz_config file.
I basically had to add:
    redirectUrl += "&wctx=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
                            + "%252Fnewhirereporting%252FmyAlaska"; // double encoded /contextpath/page

I also copied it to add
    redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID;
pubId is a URL parameter to add a friendly message to the login page for the user.
>>>
I'm not a big fan of subclassing in general. Mostly it indicates that there is a missing extension point in the framework. Do you have to extend the redirect URL because of ADFS or because of your application? I could add a callback handler to fill the wctx or even extend the URL. The original request is cached by spring security thus you don't have to cache any request specific information in the redirect url. I would like to understand first what the use case is as this requirement never came up so far.

>>>
So now I do actually get a "SAML Token" but all it contains is a GUID.  
I then have to call a SOAP web Service to actually convert that GUID into a real user object.
>>>
Is this by intention? ADFS is able to add user information from AD. Can you share the issued SAML token? One of the purposes of WS-Federation is to centralize (in the IDP/STS) the code to retrieve user information from all possible user directories and provide this information in a transparent way to the application instead of having to pull this information in each application individually.

Thanks
Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com
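An added example (not Fediz or CXF code, and not from anyone in this thread) of the sign-in redirect Tom and Oli are discussing: it builds the wa/wreply/wtrealm/wctx query, shows where the double-encoded `ru` value comes from, and validates the return path read back out of wctx so the RP only ever redirects inside its own context. The class name, the `id=passive&ru=` layout of wctx and the use of `/j_spring_fediz_security_check` as the fixed wreply are assumptions made for the example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Hypothetical helper (not part of Fediz): builds the WS-Federation passive
 * sign-in redirect and validates the return path carried in wctx.
 */
public final class SignInRedirect {

    private SignInRedirect() {
    }

    private static String enc(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always present
        }
    }

    private static String dec(String s) {
        try {
            return URLDecoder.decode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Builds issuerUrl?wa=wsignin1.0&wreply=...&wtrealm=...&wctx=...
     * wctx carries fields the IDP hands back unchanged; "ru" (return URL) is
     * URL-encoded inside the wctx value, and the whole wctx value is encoded
     * again as a query parameter. That is the "%252F" double encoding seen in
     * the subclassed entry point quoted above.
     */
    public static String buildSignInUrl(String issuerUrl, String wreply,
                                        String wtrealm, String originalPath) {
        String wctx = "id=passive&ru=" + enc(originalPath);
        StringBuilder sb = new StringBuilder(issuerUrl);
        sb.append(issuerUrl.indexOf('?') >= 0 ? '&' : '?');
        sb.append("wa=").append(enc("wsignin1.0"));
        sb.append("&wreply=").append(enc(wreply));
        sb.append("&wtrealm=").append(enc(wtrealm));
        sb.append("&wctx=").append(enc(wctx));
        return sb.toString();
    }

    /** Splits a query string into decoded key/value pairs, keeping order. */
    public static Map<String, String> parseQuery(String query) {
        Map<String, String> out = new LinkedHashMap<String, String>();
        if (query == null || query.isEmpty()) {
            return out;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String val = eq < 0 ? "" : pair.substring(eq + 1);
            out.put(dec(key), dec(val));
        }
        return out;
    }

    /**
     * Path to send the user to after the wresult POST has been validated.
     * "ru" round-trips through the browser, so it is only accepted as an
     * absolute path inside this web application's context; anything else
     * (another host, a protocol-relative "//..." URL, a backslash) falls back
     * to the default landing page. If you rely on Spring Security's saved
     * request instead, as Oli suggests, none of this is needed.
     */
    public static String returnPath(String wctx, String contextPath, String fallback) {
        String ru = parseQuery(wctx).get("ru");
        if (ru == null) {
            return fallback;
        }
        boolean insideContext = ru.equals(contextPath) || ru.startsWith(contextPath + "/");
        boolean looksAbsolute = ru.startsWith("//") || ru.contains("://") || ru.contains("\\");
        return insideContext && !looksAbsolute ? ru : fallback;
    }

    public static void main(String[] args) {
        // Constructed values taken from the URLs quoted in this thread.
        String issuer = "https://mydev.alaska.gov/adfs/ls/";
        String base = "https://cssdappstst.state.ak.us:8443";
        String ctx = "/newhirereporting";
        String url = buildSignInUrl(issuer,
                base + ctx + "/j_spring_fediz_security_check",
                base + ctx + "/",
                ctx + "/myAlaska");
        System.out.println(url);
        // What arrives with the wreply POST: the container has decoded wctx
        // once, so "ru" is still encoded one level deep.
        String wctxBack = "id=passive&ru=%2Fnewhirereporting%2FmyAlaska";
        System.out.println(returnPath(wctxBack, ctx, ctx + "/"));
        // A constructed off-site value is rejected and the fallback is used.
        System.out.println(returnPath("id=passive&ru=https%3A%2F%2Fexample.invalid%2F", ctx, ctx + "/"));
    }
}
```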

>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: The request was invalid or malformed
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1508a8b
> 06-18@09:56:56 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-18@09:56:56 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
>
> If I remove the additional Authentication checks so it only checks on /j_spring_fediz_security_check, I get the following error instead:
>
> 06-18@10:57:19 INFO  [] Spring Security Debugger   -
>
> ************************************************************
>
> Request received for '/myAlaska':
>
> org.apache.catalina.connector.RequestFacade@1cdedd4
>
> servletPath:/myAlaska
> pathInfo:null
>
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
>
>
> ************************************************************
>
>
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be created.
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication = false
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - pathInfo: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - queryString: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURI: arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverPort: arg1=8443; arg2=8443 (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURL: arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska; arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - scheme: arg1=https; arg2=https (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverName: arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - contextPath: arg1=/newhirereporting; arg2=/newhirereporting (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - servletPath: arg1=/myAlaska; arg2=/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - Removing DefaultSavedRequest from session if present
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] nymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/myalaska'
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()]
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS
> 06-18@10:57:19 DEBUG [] AffirmativeBased           - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@200930, returned: -1
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
> org.springframework.security.access.AccessDeniedException: Access is denied
>        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
>        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - DefaultSavedRequest added to Session: DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska]
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication entry point.
> 06-18@10:57:19 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
> 06-18@10:57:19 DEBUG [] MyAlaskaEntryPoint         - Federation context: org.apache.cxf.fediz.core.config.FederationContext@a302f2
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Issuer url: https://mydev.alaska.gov/adfs/ls/
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - WAuth:
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - HomeRealm: null
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Freshness: null
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/
> 06-18@10:57:19 INFO  [] MyAlaskaEntryPoint         - Redirecting to IDP: https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&pubId=enhr
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-18@10:57:19 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
>
> The first error tells me there was a problem with the sign-in request/response; it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 or any other parameters. It's also a GET request and NOT a POST.
>
> The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set, like wa=wsignin1.0, and seeing as it's not finding that information it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
>
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML Token.  I want to treat ALL accounts from ADFS with the same role.
> Is using 'access="isFullyAuthenticated()"' appropriate for my use case?
>
> Thank you for any help,
> Tom Burton
>
> Confidentiality Notice:  This e-mail message including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

--
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog Talend Community Coder - http://coders.talend.com
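The two log excerpts above show the same URL receiving two different kinds of request: a bare GET of a protected page (which the entry point should answer with a redirect to the IDP) and the IDP's POST carrying wa=wsignin1.0 plus a wresult (the only request the FederationAuthenticationProvider can validate; handing it the GET is what produces "Invalid action 'null'"). The class below is an added example, not Fediz or project code, that makes that distinction explicit and also checks the return path carried in the wctx value the thread uses. The class and method names, the sample wresult and wctx values are assumptions; the HTTP method and parameter map are passed as plain values (what HttpServletRequest.getMethod() and getParameterMap() return) so it compiles without the servlet API, and it needs Java 10+ for the URLDecoder.decode(String, Charset) overload.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Fediz or project code). Tells a WS-Federation sign-in
 * response from the IDP apart from a plain page hit that merely lands on the
 * filter's URL, and recovers the post-login return path from wctx safely.
 */
public class SignInResponseCheck {

    static final String WA_SIGNIN = "wsignin1.0";

    /** True only for a POST that carries wa=wsignin1.0 and a non-empty wresult. */
    static boolean isSignInResponse(String method, Map<String, String[]> params) {
        if (!"POST".equalsIgnoreCase(method)) {
            return false; // ADFS posts the token back; a GET is just a page hit
        }
        String wresult = first(params, "wresult");
        return WA_SIGNIN.equals(first(params, "wa"))
                && wresult != null && !wresult.isEmpty();
    }

    /**
     * Recover the return path carried in wctx ("id=passive&ru=<encoded path>",
     * the form used in the thread) and accept it only if it is a path inside
     * this application's own context. An absolute URL, another context or a
     * ".." segment falls back to the default page, so a tampered wctx cannot
     * turn the post-login redirect into an open redirect.
     */
    static String returnPath(String wctx, String contextPath, String fallback) {
        if (wctx == null) {
            return fallback;
        }
        for (String pair : wctx.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && "ru".equals(pair.substring(0, eq))) {
                // ru was encoded one level deeper than wctx itself (the double
                // encoding in the thread), so one more decode is needed here
                String ru = URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.ISO_8859_1);
                boolean inside = ru.startsWith(contextPath + "/") && !ru.contains("..");
                return inside ? ru : fallback;
            }
        }
        return fallback;
    }

    private static String first(Map<String, String[]> params, String name) {
        String[] values = params.get(name);
        return (values == null || values.length == 0) ? null : values[0];
    }

    public static void main(String[] args) {
        String ctx = "/newhirereporting";
        String home = ctx + "/";

        // Constructed sample 1: the request from the first log excerpt, a bare GET
        Map<String, String[]> bareGet = Collections.emptyMap();
        System.out.println("GET /myAlaska, no parameters -> sign-in response? "
                + isSignInResponse("GET", bareGet));

        // Constructed sample 2: what the IDP posts back after login (token body abbreviated)
        Map<String, String[]> idpPost = new HashMap<>();
        idpPost.put("wa", new String[] {WA_SIGNIN});
        idpPost.put("wresult", new String[] {"<t:RequestSecurityTokenResponse>...</t:RequestSecurityTokenResponse>"});
        idpPost.put("wctx", new String[] {"id=passive&ru=%2Fnewhirereporting%2FmyAlaska"});
        System.out.println("POST with wa and wresult     -> sign-in response? "
                + isSignInResponse("POST", idpPost));
        System.out.println("return path from wctx        -> "
                + returnPath(first(idpPost, "wctx"), ctx, home));

        // Constructed sample 3: a wctx whose ru points outside the application
        System.out.println("wctx pointing off-site       -> "
                + returnPath("id=passive&ru=https%3A%2F%2Fexample.org%2F", ctx, home));
    }
}
```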

RE: FEDIZ Authentication problems

Posted by "Burton, Tom F (DOR)" <to...@alaska.gov>.
Turns out I had misread an important piece of the document.
I had put my cxf.xml in src/main/webapp/WEB-INF/ next to my web.xml
instead of in src/main/resources/.

Moving it to the appropriate directory cleared up my certificate issue.

Tom

-----Original Message-----
From: Burton, Tom F (DOR) [mailto:tom.burton@alaska.gov] 
Sent: Wednesday, June 19, 2013 3:40 PM
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

I just tried 

 - name=".*"
 - name="https://.*.state.ak.us:444/.*"
 - name="https://mydev-svc.state.ak.us:444/.*"

I got the same error for all three.

Tom

-----Original Message-----
From: Daniel Kulp [mailto:dkulp@apache.org] 
Sent: Wednesday, June 19, 2013 2:59 PM
To: users@cxf.apache.org
Cc: owulff@talend.com
Subject: Re: FEDIZ Authentication problems


Change the conduit name to something like:

name="https://mydev-svc.state.ak.us:444/.*"

Using the service name can only apply those settings after the service is created and the name, namespace and such are known.  To have it apply for WSDL loading as well, use a URL format (and the .* at the end for the regex expansion).

Dan



On Jun 19, 2013, at 6:49 PM, "Burton, Tom F (DOR)" <to...@alaska.gov> wrote:

> I've actually made it past these issues. :) but now I have new ones :(
> 
> The initial class I was talking about sub-classing was: 
> FederationAuthenticationFilter
> 
> The "additional Authentication checks" were in my subclass.
> 
> The java code looked like so: 
> 
>     @Override
>     protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response)
>     {
>       boolean required = false;
>       //should this be equals or some fancy ** matching type stuff?
>       String path = request.getServletPath();
>       required = path.contains(getFilterProcessesUrl());
>       //getRequestURI().contains(getFilterProcessesUrl());
> 
>       //TODO: look up an "easy" way to read the spring config
>       //PageMapHolder manually parses the Spring xml files on deploy
>       if ( !required ) { required = PageMapHolder.getPages().containsKey(path); }
> 
>       if ( log.isDebugEnabled() )
>       {
>         log.debug( "Compared: path=" + request.getServletPath()
>                  + ", and " + getFilterProcessesUrl() );
>         log.debug("ServletPath Authentication: " + required);
>       }
>       if (!required)
>       { required = super.requiresAuthentication(request, response); }
>       return required;
>     }
> 
> They have been disabled.
> 
> The solution ended up requiring me to copy the implementation of 
> FederationAuthenticationEntryPoint,
> as MyAlaskaEntryPoint. I needed to mangle the redirect URL with more 
> options than it looks like are available in the fediz_config file.
> I basically had to add:  
> 
>    redirectUrl += "&wctx=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
>                            + "%252Fnewhirereporting%252FmyAlaska"; //double encoded /contextpath/page
> 
> 
> I also copied it to add
> redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID;
> 
> pubId is a URL parameter to add a friendly message to the login page for the user.
> 
> So now I do actually get a "SAML Token" but all it contains is a GUID.  
> I then have to call a SOAP web Service to actually convert that GUID into a real user object.
> 
> 
> MyAlaskaAuthProvider is a subclass of FederationAuthenticationProvider
> 
> It overrides #authenticate to add some logging before calling super. It
> overrides #loadUserByFederationResponse to find the myAkUsername
> BEFORE calling super.
> 
> The current Error I'm getting is a certificate error while trying to access the GUID based web service.
> 
> So in doing some research I found this:
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-Howtooverridetheserviceaddress%3F
> 
> I've followed the page and created a cxf.xml. I've added it as another
> file to be parsed as part of my Spring Config.
> 
> cxf.xml has an http:conduit like so:
> 
>  <http:conduit
>    name="{http://cxf.apache.org/}TransportURIResolver.http-conduit"> <!-- magic value for https -->
>    <!--name="{http://myalaska.state.ak.us/wsdl/MyAlaskaService}WSHttpBinding_MyAlaskaService.http-conduit">-->
> 
>    <!-- duplicates values from <certificateStores> in Fediz config -->
>    <http:tlsClientParameters>
>      <sec:keyManagers keyPassword="password">
>        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>      </sec:keyManagers>
>      <sec:trustManagers>
>        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>      </sec:trustManagers>
>      <sec:cipherSuitesFilter>
>        <!-- these filters ensure that a ciphersuite with
>             export-suitable or null encryption is used,
>             but exclude anonymous Diffie-Hellman key change as
>             this is vulnerable to man-in-the-middle attacks -->
>        <sec:include>.*_EXPORT_.*</sec:include>
>        <sec:include>.*_EXPORT1024_.*</sec:include>
>        <sec:include>.*_WITH_DES_.*</sec:include>
>        <sec:include>.*_WITH_AES_.*</sec:include>
>        <sec:include>.*_WITH_NULL_.*</sec:include>
>        <sec:exclude>.*_DH_anon_.*</sec:exclude>
>      </sec:cipherSuitesFilter>
>    </http:tlsClientParameters>
>    <http:client AutoRedirect="true" Connection="Keep-Alive"/>  
> </http:conduit>
> 
> However when I try and actually create an instance of my soap service, I get a stack trace in my log file.  Pasted in full below.
> To me the interesting bit is probably:
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> 
> So am I defining my conduit name right? How can I tell if the conduit wrapping is even happening?
> 
> 
> Thank you again,
> Tom Burton
> 
> 
> 
> --------------- Full Stack Trace -------------
> 
> 06-19@14:27:45 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request
> javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:149)
>        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> Caused by: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:100)
>        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        ... 33 more
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>        at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
>        at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>        at sun.security.validator.Validator.validate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>        ... 60 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>        at java.security.cert.CertPathBuilder.build(Unknown Source)
>        ... 66 more
> 
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        ... 35 more
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@8c9de8
> 06-19@14:27:45 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
> 06-19@14:27:45 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-19@14:27:45 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
> 
> 
> -----Original Message-----
> From: Oliver Wulff [mailto:owulff@talend.com]
> Sent: Tuesday, June 18, 2013 11:11 PM
> To: users@cxf.apache.org
> Subject: RE: FEDIZ Authentication problems
> 
> Hi Tom
> 
>>>> 
> If I subclass ``  to authenticate on my desired URL path `myAlaska`
>>>> 
> Which class do you want to subclass?
> 
>>>> 
> MyAlaskaAuthProvider       
>>>> 
> What kind of AuthProvider is this?
> 
>>>> 
> If I remove the additional Authentication checks so it only checks on /j_spring_fediz_security_check
>>>> 
> Can you point me in your configuration what you mean?
> 
>>>> 
> The first error tells me there was a problem with the sign In request-response, it's a straight up  hit to /myAlaska without the ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a POST.
>>>> 
> This is kind of strange. Did you really get redirected to the IDP? Could you share the browser traffic (httpfox, findbugs, etc).
> 
>>>> 
> The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set like wa=wsignin1.0 and, seeing as it's not finding that information, it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
>>>> 
> This is per WS-Federation spec. The SAML assertion is sent in the wresult parameter. Fediz works with ADFS but keep in mind that ADFS uses an older WS-Trust and SAML 1.1 assertion which is supported by Fediz as well.
> 
> 
>>>> 
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML Token.  I want to treat ALL accounts from ADFS with the same role.
> Is using  ' access="isFullyAuthenticated()"  ' appropriate for my use case?
>>>> 
> The following definition requires that you're authenticated (without the requirement for any roles):
> <sec:intercept-url pattern="/secure/fedservlet" access="isAuthenticated()"/>
> 
> There is an example available for spring security. Here is the spring security documentation of it:
> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml?view=markup
> 
> HTH
> 
> Oli
> 
> 
> ------
> 
> Oliver Wulff
> 
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
> 
> Talend Application Integration Division http://www.talend.com
> 
> ________________________________________
> From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
> Sent: 18 June 2013 21:15
> To: users@cxf.apache.org
> Subject: FEDIZ Authentication problems
> 
> I'm trying to setup FEDIZ-1.1-SNAPSHOT with FEDIZ-1.1-SPRING-SNAPSHOT as an RP to an existing .NET ADFS IDP.
> 
> If I subclass ``  to authenticate on my desired URL path `myAlaska` I end up with the following log entries when I try to log in:
> 
> 06-18@09:56:56 INFO  [] Spring Security Debugger   -
> 
> ************************************************************
> 
> Request received for '/myAlaska':
> 
> org.apache.catalina.connector.RequestFacade@a2f68b
> 
> servletPath:/myAlaska
> pathInfo:null
> 
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
> 
> 
> ************************************************************
> 
> 
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No HttpSession currently exists
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Compared: path=/myAlaska, and /j_spring_fediz_security_check
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - ServletPath Authentication: true
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Request is to process authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - begin parameter logging.
> wa:       null
> wresult:  null
> full URL: https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> Method:   GET
> 06-18@09:56:56 DEBUG [] ProviderManager            - Authentication attempt using us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - Authenticating: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1dacb29: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 146.63.181.15; SessionId: null; Not granted any authorities
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - request: WA: null Wct: null Result: null Cert Count: 0
> 06-18@09:56:56 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
> 06-18@09:56:56 ERROR [] FederationProcessorImpl    - Invalid action 'null'
> 06-18@09:56:56 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request
> org.apache.cxf.fediz.core.exception.ProcessingException: The request was invalid or malformed
>        at org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:93)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:121)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:30)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: The request was invalid or malformed
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1508a8b
> 06-18@09:56:56 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-18@09:56:56 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
> 
> If  I remove the additional Authentication checks so it only checks on /j_spring_fediz_security_check I get the following error instead:
> 
> 06-18@10:57:19 INFO  [] Spring Security Debugger   -
> 
> ************************************************************
> 
> Request received for '/myAlaska':
> 
> org.apache.catalina.connector.RequestFacade@1cdedd4
> 
> servletPath:/myAlaska
> pathInfo:null
> 
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
> 
> 
> ************************************************************
> 
> 
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be created.
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication = false
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - pathInfo: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - queryString: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURI: arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverPort: arg1=8443; arg2=8443 (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURL: arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska; arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - scheme: arg1=https; arg2=https (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverName: arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - contextPath: arg1=/newhirereporting; arg2=/newhirereporting (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - servletPath: arg1=/myAlaska; arg2=/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - Removing DefaultSavedRequest from session if present
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] nymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/myalaska'
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()]
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS
> 06-18@10:57:19 DEBUG [] AffirmativeBased           - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@200930, returned: -1
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
> org.springframework.security.access.AccessDeniedException: Access is denied
>        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
>        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - DefaultSavedRequest added to Session: DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska]
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication entry point.
> 06-18@10:57:19 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
> 06-18@10:57:19 DEBUG [] MyAlaskaEntryPoint         - Federation context: org.apache.cxf.fediz.core.config.FederationContext@a302f2
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Issuer url: https://mydev.alaska.gov/adfs/ls/
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - WAuth:
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - HomeRealm: null
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Freshness: null
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/
> 06-18@10:57:19 INFO  [] MyAlaskaEntryPoint         - Redirecting to IDP: https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&pubId=enhr
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-18@10:57:19 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
> 
> The first error tells me there was a problem with the sign In request-response, it's a straight up  hit to /myAlaska without the ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a POST.
> 
> The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set like wa=wsignin1.0 and, seeing as it's not finding that information, it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
> 
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML Token.  I want to treat ALL accounts from ADFS with the same role.
> Is using  ' access="isFullyAuthenticated()"  ' appropriate for my use case?
> 
> Thank you for any help,
> Tom Burton
> 
> Confidentiality Notice:  This e-mail message including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

--
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog Talend Community Coder - http://coders.talend.com

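The http:conduit quoted in the thread names the conduit by the TransportURIResolver value and copies the cipher-suite filter from the CXF documentation, whose own comment says it admits export-grade and NULL-encryption suites; the PKIX failure quoted above is the client's trust manager (whichever one is actually in effect for the ?wsdl fetch) having no path to the service certificate's issuing CA. The following cxf.xml is an added example, not Tom's configuration and not Fediz project code: it names the conduit by the WSDL URL as a regex so the TLS settings apply while the Service is still being constructed, points the trust manager at a dedicated trust store, and admits only AES suites. The trust store file name `myalaska-truststore.jks`, its placeholder password and the timeouts are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example cxf.xml (not from the thread, not Fediz project code).
     Assumed: a trust store myalaska-truststore.jks on the classpath that
     holds the CA chain which issued the certificate presented by
     mydev-svc.state.ak.us:444; the password is a placeholder. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration
         http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security
         http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- Match the conduit by endpoint URL (regex, note the trailing .*) so the
       settings also cover the ?wsdl download that happens before the port's
       {namespace}PortName.http-conduit name exists. Scheme, host and port
       must match the URL in the WSDLException exactly. -->
  <http:conduit name="https://mydev-svc.state.ak.us:444/.*">
    <http:tlsClientParameters>
      <!-- The PKIX error is a trust decision, so only a trust manager is
           needed here. A keyManagers block is only required if the service
           demands TLS client authentication; reusing the STS key store for
           that purpose hands its private key to an unrelated client. -->
      <sec:trustManagers>
        <sec:keyStore type="JKS"
                      password="CHANGEME-truststore-password"
                      resource="myalaska-truststore.jks"/>
      </sec:trustManagers>
      <!-- Admit AES suites only and explicitly reject export-grade, NULL
           cipher and anonymous key exchange suites. -->
      <sec:cipherSuitesFilter>
        <sec:include>.*_WITH_AES_.*</sec:include>
        <sec:exclude>.*_EXPORT.*</sec:exclude>
        <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
        <sec:exclude>.*_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
      <!-- disableCNCheck is deliberately left at its default of false so the
           certificate's name is still checked against the host in the URL. -->
    </http:tlsClientParameters>
    <!-- Bounded timeouts (milliseconds) so a hung service cannot pin the
         authentication thread indefinitely. -->
    <http:client ConnectionTimeout="30000" ReceiveTimeout="60000"/>
  </http:conduit>
</beans>
```

CXF loads /cxf.xml from the classpath on its own, or the file can be imported into the Spring context as the thread does. Before wiring it in, confirm the trust store really contains the issuer with `keytool -list -v -keystore myalaska-truststore.jks` and compare its subjects with the issuer chain of the certificate served on port 444; a conduit whose regex does not match the WSDL URL silently falls back to the JVM default trust store, which produces exactly the PKIX error quoted above.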

RE: FEDIZ Authentication problems

Posted by "Burton, Tom F (DOR)" <to...@alaska.gov>.
I just tried 

 - name=".*"
 - name="https://.*.state.ak.us:444/.*"
 - name="https://mydev-svc.state.ak.us:444/.*"

I got the same error for all three.

Tom

-----Original Message-----
From: Daniel Kulp [mailto:dkulp@apache.org] 
Sent: Wednesday, June 19, 2013 2:59 PM
To: users@cxf.apache.org
Cc: owulff@talend.com
Subject: Re: FEDIZ Authentication problems


Change the conduit name to something like:

name="https://mydev-svc.state.ak.us:444/.*"

Using the service name can only apply those settings after the service is created and the name and namespace and such are known.  To have it apply for wsdl loading as well, use a URL format (and the .* at the end for the regex expansion).

Dan



On Jun 19, 2013, at 6:49 PM, "Burton, Tom F (DOR)" <to...@alaska.gov> wrote:

> I've actually made it past these issues. :) but now I have new ones :(
> 
> The initial class I was talking about sub-classing was: FederationAuthenticationFilter
> 
> The "additional Authentication checks" were in my subclass.
> 
> The java code looked like so: 
> 
>     // Override in the FederationAuthenticationFilter subclass: decide whether
>     // this request should be treated as a sign-in response to authenticate.
>     @Override
>     protected boolean requiresAuthentication(HttpServletRequest request,
>                                              HttpServletResponse response)
>     {
>       boolean required = false;
>       // should this be equals or some fancy ** matching type stuff?
>       String path = request.getServletPath();
>       required = path.contains(getFilterProcessesUrl());
>       // alternative: request.getRequestURI().contains(getFilterProcessesUrl());
> 
>       // TODO: look up an "easy" way to read the spring config
>       // PageMapHolder manually parses the Spring xml files on deploy
>       if ( !required ) { required = PageMapHolder.getPages().containsKey(path); }
> 
>       if ( log.isDebugEnabled() )
>       {
>         log.debug( "Compared: path=" + request.getServletPath()
>                  + ", and " + getFilterProcessesUrl() );
>         log.debug("ServletPath Authentication: " + required);
>       }
>       // fall back to the default check (the configured filterProcessesUrl)
>       if (!required)
>       { required = super.requiresAuthentication(request, response); }
>       return required;
>     }
> 
> They have been disabled.
> 
> The solution ended up requiring me to copy the implementation of 
> FederationAuthenticationEntryPoint,
> as MyAlaskaEntryPoint. I needed to mangle the redirect URL with more 
> options than it looks like are available in the fediz_config file.
> I basically had to add:  
> 
>    redirectUrl += "&wctx=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
>                + "%252Fnewhirereporting%252FmyAlaska"; // double encoded /contextpath/page
> 
> 
> I also copied it to add
> redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID;
> 
> pubId is a URL parameter to add a friendly message to the login page for the user.
> 
> So now I do actually get a "SAML Token" but all it contains is a GUID.  
> I then have to call a SOAP web Service to actually convert that GUID into a real user object.
> 
> 
> MyAlaskaAuthProvider is a subclass of FederationAuthenticationProvider
> 
> It overrides #authenticate to add some logging before calling super. It 
> overrides #loadUserByFederationResponse to find the myAkUsername 
> BEFORE calling super.
> 
> The current Error I'm getting is a certificate error while trying to access the GUID based web service.
> 
> So in doing some research I found this:
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-Howtooverridetheserviceaddress%3F
> 
> I've followed the page and created a cxf.xml I've added it as another 
> file to be parsed as part of my Spring Config.
> 
> cxf.xml has an http:conduit like so:
> 
>  <http:conduit
>    name="{http://cxf.apache.org/}TransportURIResolver.http-conduit"> <!-- magic value for https -->
>    <!--name="{http://myalaska.state.ak.us/wsdl/MyAlaskaService}WSHttpBinding_MyAlaskaService.http-conduit"-->
> 
>    <!-- duplicates values from <certificateStores> in Fediz config -->
>    <http:tlsClientParameters>
>      <sec:keyManagers keyPassword="password">
>        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>      </sec:keyManagers>
>      <sec:trustManagers>
>        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>      </sec:trustManagers>
>      <sec:cipherSuitesFilter>
>        <!-- these filters ensure that a ciphersuite with
>             export-suitable or null encryption is used,
>             but exclude anonymous Diffie-Hellman key change as
>             this is vulnerable to man-in-the-middle attacks -->
>        <sec:include>.*_EXPORT_.*</sec:include>
>        <sec:include>.*_EXPORT1024_.*</sec:include>
>        <sec:include>.*_WITH_DES_.*</sec:include>
>        <sec:include>.*_WITH_AES_.*</sec:include>
>        <sec:include>.*_WITH_NULL_.*</sec:include>
>        <sec:exclude>.*_DH_anon_.*</sec:exclude>
>      </sec:cipherSuitesFilter>
>    </http:tlsClientParameters>
>    <http:client AutoRedirect="true" Connection="Keep-Alive"/>  
> </http:conduit>
> 
> However, when I try to actually create an instance of my SOAP service, I get a stack trace in my log file. Pasted in full below.
> To me the interesting bit is probably:
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> 
> So am I defining my conduit name right? How can I tell if the conduit wrapping is even happening?
> 
> 
> Thank you again,
> Tom Burton
> 
> 
> 
> --------------- Full Stack Trace -------------
> 
> 06-19@14:27:45 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request
> javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:149)
>        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> Caused by: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:100)
>        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        ... 33 more
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>        at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
>        at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>        at sun.security.validator.Validator.validate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>        ... 60 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>        at java.security.cert.CertPathBuilder.build(Unknown Source)
>        ... 66 more
> 
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        ... 35 more
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@8c9de8
> 06-19@14:27:45 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
> 06-19@14:27:45 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-19@14:27:45 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
> 
> 
> -----Original Message-----
> From: Oliver Wulff [mailto:owulff@talend.com]
> Sent: Tuesday, June 18, 2013 11:11 PM
> To: users@cxf.apache.org
> Subject: RE: FEDIZ Authentication problems
> 
> Hi Tom
> 
>>>> 
> If I subclass ``  to authenticate on my desired URL path `myAlaska`
>>>> 
> Which class do you want to subclass?
> 
>>>> 
> MyAlaskaAuthProvider       
>>>> 
> What kind of AuthProvider is this?
> 
>>>> 
> If  I remove the additional Authentication checks so it only checks on 
> /j_spring_fediz_security_check
>>>> 
> Can you point me in your configuration what you mean?
> 
>>>> 
> The first error tells me there was a problem with the sign-in request-response; it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a POST.
>>>> 
> This is kind of strange. Did you really get redirected to the IDP? Could you share the browser traffic (httpfox, findbugs, etc).
> 
>>>> 
> The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to /myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set, like wa=wsignin1.0, and since it's not finding that information it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
>>>> 
> This is per WS-Federation spec. The SAML assertion is sent in the wresult parameter. Fediz works with ADFS but keep in mind that ADFS uses an older WS-Trust and SAML 1.1 assertion which is supported by Fediz as well.
> 
> 
>>>> 
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML Token.  I want to treat ALL accounts from ADFS with the same role.
> Is using  ' access="isFullyAuthenticated()"  ' appropriate for my use case?
>>>> 
> The following definition requires that you're authenticated (without the requirement for any roles):
> <sec:intercept-url pattern="/secure/fedservlet" access="isAuthenticated()"/>
> 
> There is an example available for spring security. Here is the spring security documentation of it:
> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml?view=markup
> 
> HTH
> 
> Oli
> 
> 
> ------
> 
> Oliver Wulff
> 
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
> 
> Talend Application Integration Division http://www.talend.com
> 
> ________________________________________
> From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
> Sent: 18 June 2013 21:15
> To: users@cxf.apache.org
> Subject: FEDIZ Authentication problems
> 
> I'm trying to set up FEDIZ-1.1-SNAPSHOT with FEDIZ-1.1-SPRING-SNAPSHOT as an RP to an existing .NET ADFS IDP.
> 
> If I subclass ``  to authenticate on my desired URL path `myAlaska` I end up with the following log entries when I try to log in:
> 
> 06-18@09:56:56 INFO  [] Spring Security Debugger   -
> 
> ************************************************************
> 
> Request received for '/myAlaska':
> 
> org.apache.catalina.connector.RequestFacade@a2f68b
> 
> servletPath:/myAlaska
> pathInfo:null
> 
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
> 
> 
> ************************************************************
> 
> 
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No HttpSession currently exists
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Compared: path=/myAlaska, and /j_spring_fediz_security_check
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - ServletPath Authentication: true
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Request is to process authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - begin parameter logging.
> wa:       null
> wresult:  null
> full URL: https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> Method:   GET
> 06-18@09:56:56 DEBUG [] ProviderManager            - Authentication attempt using us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - Authenticating: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1dacb29: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 146.63.181.15; SessionId: null; Not granted any authorities
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - request: WA: null Wct: null Result: null Cert Count: 0
> 06-18@09:56:56 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
> 06-18@09:56:56 ERROR [] FederationProcessorImpl    - Invalid action 'null'
> 06-18@09:56:56 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request
> org.apache.cxf.fediz.core.exception.ProcessingException: The request was invalid or malformed
>        at org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:93)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:121)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:30)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: The request was invalid or malformed
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1508a8b
> 06-18@09:56:56 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-18@09:56:56 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
> 
> If I remove the additional authentication checks so it only checks on /j_spring_fediz_security_check, I get the following error instead:
> 
> 06-18@10:57:19 INFO  [] Spring Security Debugger   -
> 
> ************************************************************
> 
> Request received for '/myAlaska':
> 
> org.apache.catalina.connector.RequestFacade@1cdedd4
> 
> servletPath:/myAlaska
> pathInfo:null
> 
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
> 
> 
> ************************************************************
> 
> 
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be created.
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication = false
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - pathInfo: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - queryString: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURI: arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverPort: arg1=8443; arg2=8443 (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURL: arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska; arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - scheme: arg1=https; arg2=https (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverName: arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - contextPath: arg1=/newhirereporting; arg2=/newhirereporting (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - servletPath: arg1=/myAlaska; arg2=/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - Removing DefaultSavedRequest from session if present
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] nymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/myalaska'
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()]
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS
> 06-18@10:57:19 DEBUG [] AffirmativeBased           - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@200930, returned: -1
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
> org.springframework.security.access.AccessDeniedException: Access is denied
>        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
>        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - DefaultSavedRequest added to Session: DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska]
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication entry point.
> 06-18@10:57:19 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
> 06-18@10:57:19 DEBUG [] MyAlaskaEntryPoint         - Federation context: org.apache.cxf.fediz.core.config.FederationContext@a302f2
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Issuer url: https://mydev.alaska.gov/adfs/ls/
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - WAuth:
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - HomeRealm: null
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Freshness: null
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/
> 06-18@10:57:19 INFO  [] MyAlaskaEntryPoint         - Redirecting to IDP: https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&pubId=enhr
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-18@10:57:19 DEBUG [] tyContextPersistenceFilter - 
> SecurityContextHolder now cleared, as request processing completed
> 
> The first error tells me there was a problem with the sign-in request-response: it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a POST.
> 
> The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to /myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set, like wa=wsignin1.0, and seeing as it's not finding that information it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
> 
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML token.  I want to treat ALL accounts from ADFS with the same role.
> Is using ' access="isFullyAuthenticated()" ' appropriate for my use case?
> 
> Thank you for any help,
> Tom Burton
> 
> Confidentiality Notice:  This e-mail message including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

--
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog Talend Community Coder - http://coders.talend.com


Re: FEDIZ Authentication problems

Posted by Daniel Kulp <dk...@apache.org>.
Change the conduit name to something like:

name="https://mydev-svc.state.ak.us:444/.*"

Using the service name can only apply those settings after the service is created and the name and namespace and such is known.  To have it apply for wsdl loading as well, use a URL format (and the .* at the end for the regex expansion).

Dan
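The sign-in redirect this thread is debugging (the wa, wreply, wtrealm and wctx parameters in the logged IDP URL, the hand-built wctx with its double-encoded return path, and the "Invalid action 'null'" failure when a plain GET reaches the filter) modelled as an added Python example. This is not code from Fediz or from anyone on the thread: it assumes the thread's hostnames and context path, treats pubId as an opaque extra parameter, and leaves the actual validation of the wresult token to Fediz.

```python
# Added example (not code from the Fediz project or from anyone in this thread).
# It models the WS-Federation passive sign-in round trip: the RP builds the IDP
# redirect (wa/wreply/wtrealm/wctx, with the return path nested inside wctx,
# which is where the "double encoding" comes from), and on the POST back it
# insists on wa=wsignin1.0 plus a wresult before honouring the return path.
# Hostnames, paths and the id/ru fields are taken from the thread; pubId is
# Tom's own extra parameter and is simply passed through.
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

WSIGNIN = "wsignin1.0"


def build_wctx(ctx_id: str, return_path: str) -> str:
    """Inner layer: wctx is itself a query string, so '/' in ru becomes %2F."""
    return urlencode({"id": ctx_id, "ru": return_path})


def build_signin_url(issuer: str, wreply: str, wtrealm: str, return_path: str,
                     ctx_id: str = "passive",
                     extra: Optional[Dict[str, str]] = None) -> str:
    """Outer layer: urlencode() of the whole parameter set turns the %2F inside
    wctx into %252F, reproducing the hand-built redirectUrl from the thread."""
    params = {"wa": WSIGNIN, "wreply": wreply, "wtrealm": wtrealm,
              "wctx": build_wctx(ctx_id, return_path)}
    if extra:
        params.update(extra)
    return issuer + "?" + urlencode(params)


def parse_wctx(wctx: str) -> Dict[str, str]:
    """The servlet container already removed the outer encoding when it parsed
    the form; parse_qs removes the inner one and gives back the plain path."""
    return {k: v[0] for k, v in parse_qs(wctx, keep_blank_values=True).items()}


def safe_return_path(ru: Optional[str], context_path: str) -> str:
    """Only follow ru if it is a plain path inside this web application.

    wctx comes back in a browser-submitted POST and the IDP merely echoes it,
    so ru deserves no more trust than any other request parameter; following
    it blindly would turn a successful login into an open redirect.
    """
    default = context_path + "/"
    if not ru:
        return default
    parts = urlsplit(ru)
    if parts.scheme or parts.netloc or ru.startswith("//") or "\\" in ru:
        return default            # absolute or protocol-relative URL
    if ".." in ru.split("/"):
        return default            # path traversal out of the context
    if ru == context_path or ru.startswith(context_path + "/"):
        return ru
    return default                # some other application on the same host


def handle_signin_response(form: Dict[str, str], context_path: str) -> Tuple[str, str]:
    """Validate the parameters of the POST from the IDP and pick the landing page.

    Returns (wresult, return_path).  A plain GET of the protected page arrives
    here with no wa at all, which is the "Invalid action 'null'" case in the
    logged trace: it is not a sign-in response and must not be treated as one.
    The wresult still has to pass Fediz's token validation (signature, issuer,
    audience, lifetime) before any user is considered authenticated.
    """
    wa = form.get("wa")
    if wa != WSIGNIN:
        raise ValueError("Invalid action %r" % (wa,))
    wresult = form.get("wresult")
    if not wresult:
        raise ValueError("sign-in response carries no wresult")
    ctx = parse_wctx(form.get("wctx", ""))
    return wresult, safe_return_path(ctx.get("ru"), context_path)


if __name__ == "__main__":
    print(build_signin_url(
        "https://mydev.alaska.gov/adfs/ls/",
        "https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska",
        "https://cssdappstst.state.ak.us:8443/newhirereporting/",
        "/newhirereporting/myAlaska",
        extra={"pubId": "enhr"}))
    # Constructed sample of what the IDP posts back (wresult abbreviated).
    form = {"wa": WSIGNIN,
            "wresult": "<t:RequestSecurityTokenResponse>...</t:RequestSecurityTokenResponse>",
            "wctx": "id=passive&ru=%2Fnewhirereporting%2FmyAlaska"}
    print(handle_signin_response(form, "/newhirereporting"))
```

Running the block prints the same redirect URL the log shows (plus the wctx parameter), and the response handler returns the decoded return path only when wa and wresult are present and ru stays inside the /newhirereporting context.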



On Jun 19, 2013, at 6:49 PM, "Burton, Tom F (DOR)" <to...@alaska.gov> wrote:

> I've actually made it past these issues. :) but now I have new ones :(
> 
> The initial class I was talking about sub-classing was: FederationAuthenticationFilter 
> 
> The "additional Authentication checks" were in my subclass.
> 
> The java code looked like so: 
> 
>     @Override
>     protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response)
>     {
>       boolean required = false;
>       //should this be equals or some fancy ** matching type stuff?
>       String path = request.getServletPath();
>       required = path.contains(getFilterProcessesUrl());
>                          //getRequestURI().contains(getFilterProcessesUrl());
> 
>       //TODO: look up an "easy" way to read the spring config
>       //PageMapHolder manually parses the Spring xml files on deploy
> 
>       if ( !required ) { required = PageMapHolder.getPages().containsKey(path); }
> 
>       if ( log.isDebugEnabled() )
>       {
>         log.debug( "Compared: path=" + request.getServletPath()
>                  + ", and " + getFilterProcessesUrl() );
>         log.debug("ServletPath Authentication: " + required);
>       }
>       if (!required)
>       { required = super.requiresAuthentication(request, response); }
>       return required;
>     }
> 
> They have been disabled.
> 
> The solution ended up requiring me to copy the implementation of FederationAuthenticationEntryPoint,
> as MyAlaskaEntryPoint. I needed to mangle the redirect URL with more options than it looks like are 
> available in the fediz_config file.
> I basically had to add:  
> 
>    redirectUrl += "&wctx="+ URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
>                           + "%252Fnewhirereporting%252FmyAlaska" //double encoded /contextpath/page
> 
> 
> I also copied it to add
> redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID; 
> 
> pubId is a URL parameter to add a friendly message to the login page for the user.
> 
> So now I do actually get a "SAML Token" but all it contains is a GUID.  
> I then have to call a SOAP web service to actually convert that GUID into a real user object.
> 
> 
> MyAlaskaAuthProvider is a subclass of FederationAuthenticationProvider
> 
> It overrides #authenticate to add some logging before calling super
> It overrides #loadUserByFederationResponse to find the myAkUsername BEFORE calling super
> 
> The current Error I'm getting is a certificate error while trying to access the GUID based web service.
> 
> So in doing some research I found this:
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-Howtooverridetheserviceaddress%3F 
> 
> I've followed the page and created a cxf.xml; I've added it as another file to be parsed as part
> of my Spring Config.
> 
> cxf.xml has an http:conduit like so:
> 
>  <http:conduit
>    name="{http://cxf.apache.org/}TransportURIResolver.http-conduit"> <!-- magic value for https -->
>    <!--name="{http://myalaska.state.ak.us/wsdl/MyAlaskaService}WSHttpBinding_MyAlaskaService.http-conduit">-->
> 
>    <!-- duplicates values from <certificateStores> in Fediz config -->
>    <http:tlsClientParameters>
>      <sec:keyManagers keyPassword="password">
>        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>      </sec:keyManagers>
>      <sec:trustManagers>
>        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
>      </sec:trustManagers>
>      <sec:cipherSuitesFilter>
>        <!-- these filters ensure that a ciphersuite with
>             export-suitable or null encryption is used,
>             but exclude anonymous Diffie-Hellman key change as
>             this is vulnerable to man-in-the-middle attacks -->
>        <sec:include>.*_EXPORT_.*</sec:include>
>        <sec:include>.*_EXPORT1024_.*</sec:include>
>        <sec:include>.*_WITH_DES_.*</sec:include>
>        <sec:include>.*_WITH_AES_.*</sec:include>
>        <sec:include>.*_WITH_NULL_.*</sec:include>
>        <sec:exclude>.*_DH_anon_.*</sec:exclude>
>      </sec:cipherSuitesFilter>
>    </http:tlsClientParameters>
>    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
>  </http:conduit>
> 
> However when I try and actually create an instance of my SOAP service, I get a stack trace in my log file.  Pasted in full below.
> To me the interesting bit is probably:
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
> 
> So am I defining my conduit name right? How can I tell if the conduit wrapping is even happening?
> 
> 
> Thank you again,
> Tom Burton
> 
> 
> 
> --------------- Full Stack Trace -------------
> 
> 06-19@14:27:45 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request
> javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:149)
>        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> Caused by: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:100)
>        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        ... 33 more
> Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>        at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
>        at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
>        at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
>        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
>        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
>        at javax.xml.ws.Service.<init>(Unknown Source)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>        at sun.security.validator.Validator.validate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>        ... 60 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>        at java.security.cert.CertPathBuilder.build(Unknown Source)
>        ... 66 more
> 
>        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
>        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
>        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
>        ... 35 more
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
> 06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@8c9de8
> 06-19@14:27:45 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
> 06-19@14:27:45 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-19@14:27:45 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
> 
> 
> -----Original Message-----
> From: Oliver Wulff [mailto:owulff@talend.com] 
> Sent: Tuesday, June 18, 2013 11:11 PM
> To: users@cxf.apache.org
> Subject: RE: FEDIZ Authentication problems
> 
> Hi Tom
> 
>>>> 
> If I subclass ``  to authenticate on my desired URL path `myAlaska`
>>>> 
> Which class do you want to subclass?
> 
>>>> 
> MyAlaskaAuthProvider       
>>>> 
> What kind of AuthProvider is this?
> 
>>>> 
> If  I remove the additional Authentication checks so it only checks on /j_spring_fediz_security_check
>>>> 
> Can you point me in your configuration what you mean?
> 
>>>> 
> The first error tells me there was a problem with the sign In request-response, it's a straight up  hit to /myAlaska without the ?wa=wsignin1.0 and any other parameters. It's also a GET request and NOT a POST.
>>>> 
> This is kind of strange. Did you really get redirected to the IDP? Could you share the browser traffic (httpfox, findbugs, etc.)?
> 
>>>> 
> The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to /myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set, like wa=wsignin1.0, and seeing as it's not finding that information it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
>>>> 
> This is per WS-Federation spec. The SAML assertion is sent in the wresult parameter. Fediz works with ADFS but keep in mind that ADFS uses an older WS-Trust and SAML 1.1 assertion which is supported by Fediz as well.
> 
> 
>>>> 
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML token.  I want to treat ALL accounts from ADFS with the same role.
> Is using ' access="isFullyAuthenticated()" ' appropriate for my use case?
>>>> 
> The following definition requires that you're authenticated (without the requirement for any roles):
> <sec:intercept-url pattern="/secure/fedservlet" access="isAuthenticated()"/>
> 
> There is an example available for spring security. Here is the spring security documentation of it:
> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml?view=markup
> 
> HTH
> 
> Oli
> 
> 
> ------
> 
> Oliver Wulff
> 
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
> 
> Talend Application Integration Division http://www.talend.com
> 
> ________________________________________
> From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
> Sent: 18 June 2013 21:15
> To: users@cxf.apache.org
> Subject: FEDIZ Authentication problems
> 
> I'm trying to setup FEDIZ-1.1-SNAPSHOT with FEDIZ-1.1-SPRING-SNAPSHOT as an RP to an existing .NET ADFS IDP.
> 
> If I subclass ``  to authenticate on my desired URL path `myAlaska` I end up with the following log entries when I try to log in:
> 
> 06-18@09:56:56 INFO  [] Spring Security Debugger   -
> 
> ************************************************************
> 
> Request received for '/myAlaska':
> 
> org.apache.catalina.connector.RequestFacade@a2f68b
> 
> servletPath:/myAlaska
> pathInfo:null
> 
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
> 
> 
> ************************************************************
> 
> 
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No HttpSession currently exists
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
> 06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Compared: path=/myAlaska, and /j_spring_fediz_security_check
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - ServletPath Authentication: true
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Request is to process authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - begin parameter logging.
> wa:       null
> wresult:  null
> full URL: https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> Method:   GET
> 06-18@09:56:56 DEBUG [] ProviderManager            - Authentication attempt using us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - Authenticating: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1dacb29: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 146.63.181.15; SessionId: null; Not granted any authorities
> 06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - request: WA: null Wct: null Result: null Cert Count: 0
> 06-18@09:56:56 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
> 06-18@09:56:56 ERROR [] FederationProcessorImpl    - Invalid action 'null'
> 06-18@09:56:56 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request
> org.apache.cxf.fediz.core.exception.ProcessingException: The request was invalid or malformed
>        at org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:93)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:121)
>        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:30)
>        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
>        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: The request was invalid or malformed
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
> 06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1508a8b
> 06-18@09:56:56 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
> 06-18@09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-18@09:56:56 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
> 
> If  I remove the additional Authentication checks so it only checks on /j_spring_fediz_security_check I get the following error instead:
> 
> 06-18@10:57:19 INFO  [] Spring Security Debugger   -
> 
> ************************************************************
> 
> Request received for '/myAlaska':
> 
> org.apache.catalina.connector.RequestFacade@1cdedd4
> 
> servletPath:/myAlaska
> pathInfo:null
> 
> Security filter chain: [
>  SecurityContextPersistenceFilter
>  MyAlaskaAuthenticationFilter
>  RequestCacheAwareFilter
>  SecurityContextHolderAwareRequestFilter
>  AnonymousAuthenticationFilter
>  SessionManagementFilter
>  ExceptionTranslationFilter
>  FilterSecurityInterceptor
> ]
> 
> 
> ************************************************************
> 
> 
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be created.
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication = false
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - pathInfo: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - queryString: both null (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURI: arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverPort: arg1=8443; arg2=8443 (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURL: arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska; arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - scheme: arg1=https; arg2=https (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverName: arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - contextPath: arg1=/newhirereporting; arg2=/newhirereporting (property equals)
> 06-18@10:57:19 DEBUG [] DefaultSavedRequest        - servletPath: arg1=/myAlaska; arg2=/myAlaska (property equals)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - Removing DefaultSavedRequest from session if present
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
> 06-18@10:57:19 DEBUG [] nymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
> 06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/'
> 06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/myalaska'
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()]
> 06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS
> 06-18@10:57:19 DEBUG [] AffirmativeBased           - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@200930, returned: -1
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
> org.springframework.security.access.AccessDeniedException: Access is denied
>        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
>        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
>        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
>        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
>        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>        at java.lang.Thread.run(Unknown Source)
> 06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - DefaultSavedRequest added to Session: DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska]
> 06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication entry point.
> 06-18@10:57:19 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
> 06-18@10:57:19 DEBUG [] MyAlaskaEntryPoint         - Federation context: org.apache.cxf.fediz.core.config.FederationContext@a302f2
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Issuer url: https://mydev.alaska.gov/adfs/ls/
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - WAuth:
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - HomeRealm: null
> 06-18@10:57:19 INFO  [] FederationProcessorImpl    - Freshness: null
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
> 06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/
> 06-18@10:57:19 INFO  [] MyAlaskaEntryPoint         - Redirecting to IDP: https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&pubId=enhr
> 06-18@10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 06-18@10:57:19 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
> 
> The first error tells me there was a problem with the sign-in request/response; it's a straight-up hit to /myAlaska without ?wa=wsignin1.0 or any other parameters. It's also a GET request and NOT a POST.
> 
> The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to /myAlaska -> redirects back to the IDP ....
> In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
> But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
> When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
> It looks like Fediz wants a POST redirect with some desired parameters set, like wa=wsignin1.0, and since it's not finding that information it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
> 
> I have spring security configured like so:
> <sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
>    <sec:intercept-url pattern="/" access="permitAll"/>
>    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
>    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
>    <sec:session-management session-authentication-strategy-ref="sas"/>
> </sec:http>
> The examples look like you expect a role with the SAML Token. I want to treat ALL accounts from ADFS with the same role.
> Is using access="isFullyAuthenticated()" appropriate for my use case?
> 
> Thank you for any help,
> Tom Burton
> 
> Confidentiality Notice:  This e-mail message including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
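
The quoted message above shows two failure modes of the WS-Federation passive flow: a plain GET of a protected page being handled as a sign-in request (Fediz logs "Invalid action 'null'" because no wa parameter is present), and a redirect loop when wreply points at a page the authentication filter never processes. The Python below is an added example, not Fediz or Spring Security code, that models the exchange from the relying party's side with a stand-in IdP: the entry point keeps wreply fixed to the one sign-in endpoint and carries the originally requested page in wctx, the filter accepts only a POSTed wsignin1.0 with a wresult, and the return URL taken from wctx is accepted only if it stays inside the application (wctx is echoed by the IdP, not vouched for, so an unchecked ru= would be an open redirect). Host names and paths come from the log lines in the thread; the id=passive&ru= layout of wctx, the simulated IdP, the presence-only check on wresult and all function names are this example's own assumptions. Python is used because the point is the protocol exchange rather than the Fediz API.

```python
"""WS-Federation passive sign-in as seen from the relying party (RP).

Constructed example, not Fediz or Spring Security code. Host names and
paths are taken from the log lines in the thread; the "id=passive&ru=<url>"
layout of wctx is this example's own convention for carrying the page the
user originally asked for, and the IdP below is a stand-in that echoes it.
"""
from urllib.parse import parse_qs, quote, urlencode, urlsplit

IDP_ISSUER = "https://mydev.alaska.gov/adfs/ls/"
RP_ORIGIN = "https://cssdappstst.state.ak.us:8443"
RP_CONTEXT = "/newhirereporting"
RP_REALM = RP_ORIGIN + RP_CONTEXT + "/"
SIGNIN_PATH = RP_CONTEXT + "/j_spring_fediz_security_check"  # Fediz default filterProcessesUrl
PROTECTED = {RP_CONTEXT + "/myAlaska"}


class SignInError(Exception):
    """Stands in for Fediz's 'Invalid action' / 'request was invalid or malformed'."""


def build_signin_redirect(requested_path, wreply_path=SIGNIN_PATH):
    """URL the entry point sends the browser to. wreply names the one path the
    filter processes; the page the user asked for rides in wctx, which the IdP
    returns untouched (so it ends up double-encoded on the wire)."""
    wctx = "id=passive&ru=" + quote(RP_ORIGIN + requested_path, safe="")
    query = urlencode([("wa", "wsignin1.0"), ("wreply", RP_ORIGIN + wreply_path),
                       ("wtrealm", RP_REALM), ("wctx", wctx)])
    return IDP_ISSUER + "?" + query


def idp_signin_response(redirect_url, token):
    """Stand-in IdP: answer a wsignin1.0 request with an auto-POST form to wreply.
    Returns (method, path, form) exactly as the RP will receive them."""
    q = parse_qs(urlsplit(redirect_url).query)
    if q.get("wa") != ["wsignin1.0"]:
        raise ValueError("not a sign-in request")
    form = {"wa": "wsignin1.0", "wresult": token}
    if "wctx" in q:
        form["wctx"] = q["wctx"][0]  # echoed, never interpreted, by the IdP
    return "POST", urlsplit(q["wreply"][0]).path, form


def return_url_from_wctx(wctx):
    """Pull ru= out of wctx, honouring it only if it stays inside this RP.
    wctx is chosen by whoever started the flow and merely echoed by the IdP,
    so an unchecked ru= would be an open redirect after login."""
    ru = parse_qs(wctx).get("ru", [""])[0]
    if ru.startswith(RP_REALM):
        return ru
    if ru.startswith(RP_CONTEXT + "/"):
        return RP_ORIGIN + ru
    return RP_REALM


def process_signin_response(method, path, form):
    """The authentication filter: fires only on SIGNIN_PATH and wants a POSTed
    wsignin1.0. Returns the post-login destination, or None when the filter
    does not apply. Real token validation (signature, audience, lifetime) is
    the federation processor's job and is reduced here to a presence check."""
    if path != SIGNIN_PATH:
        return None
    wa = form.get("wa")
    if wa != "wsignin1.0":
        # a plain GET of a page treated as a sign-in endpoint carries no wa at all
        raise SignInError("Invalid action '%s'" % wa)
    if method != "POST" or not form.get("wresult"):
        raise SignInError("The request was invalid or malformed")
    return return_url_from_wctx(form.get("wctx", ""))


def rp_handle(method, path, form, session, wreply_path=SIGNIN_PATH):
    """One pass through the RP chain: authentication filter, then access decision."""
    dest = process_signin_response(method, path, form)
    if dest is not None:
        session["user"] = "federated"
        return "redirect", dest
    if path in PROTECTED and "user" not in session:
        return "redirect", build_signin_redirect(path, wreply_path)
    return "page", path


def browse(requested_path, wreply_path=SIGNIN_PATH, max_hops=6):
    """Drive browser <-> RP <-> IdP until a page is served. Returns
    (hops, path served); (max_hops, None) means the flow never settled,
    i.e. the redirect loop described in the thread."""
    session = {}
    method, path, form = "GET", requested_path, {}
    for hop in range(1, max_hops + 1):
        kind, target = rp_handle(method, path, form, session, wreply_path)
        if kind == "page":
            return hop, target
        if target.startswith(IDP_ISSUER):
            method, path, form = idp_signin_response(target, "<RSTR with SAML assertion>")
        else:
            method, path, form = "GET", urlsplit(target).path, {}
    return max_hops, None


if __name__ == "__main__":
    print("wreply = sign-in endpoint:", browse("/newhirereporting/myAlaska"))
    print("wreply = the page itself: ", browse("/newhirereporting/myAlaska", "/newhirereporting/myAlaska"))
```

With wreply fixed to the sign-in endpoint the deep link settles in three hops (redirect to the IdP, POST back to the endpoint, GET of the original page); with wreply set to /myAlaska itself the POST never reaches the filter, the session stays anonymous and the loop never ends. The same code path also shows why a bare GET of the sign-in endpoint fails: wa is absent, which is the first error in the quoted log.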


RE: FEDIZ Authentication problems

Posted by "Burton, Tom F (DOR)" <to...@alaska.gov>.
I've actually made it past these issues. :) but now I have new ones :(

The initial class I was talking about sub-classing was: FederationAuthenticationFilter 

The "additional Authentication checks" were in my subclass.

The Java code looked like so (the requiresAuthentication override in my FederationAuthenticationFilter subclass):

     @Override
     protected boolean requiresAuthentication(HttpServletRequest request,
                                              HttpServletResponse response)
     {
       boolean required = false;
       //should this be equals or some fancy ** matching type stuff?
       String path = request.getServletPath();
       required = path.contains(getFilterProcessesUrl());
                          //getRequestURI().contains(getFilterProcessesUrl());

       //TODO: look up an "easy" way to read the spring config
       //PageMapHolder manually parses the Spring xml files on deploy;
       //any page listed there is treated as a sign-in endpoint as well
       if ( !required ) { required = PageMapHolder.getPages().containsKey(path); }

       if ( log.isDebugEnabled() )
       {
         log.debug( "Compared: path=" + request.getServletPath()
                  + ", and " + getFilterProcessesUrl() );
         log.debug("ServletPath Authentication: " + required);
       }
       //fall back to the stock check against filterProcessesUrl
       if (!required)
       { required = super.requiresAuthentication(request, response); }
       return required;
     }

They have been disabled.

The solution ended up requiring me to copy the implementation of FederationAuthenticationEntryPoint
as MyAlaskaEntryPoint. I needed to mangle the redirect URL with more options than appear to be
available in the fediz_config file.
I basically had to add:

    //ru is the double-encoded /contextpath/page to return to after sign-in
    redirectUrl += "&wctx=" + URLEncoder.encode("id=passive&ru=", "ISO-8859-1")
                             + "%252Fnewhirereporting%252FmyAlaska";

I also copied it to add:

    redirectUrl += "&pubId=" + QuickStartApplication.MYAK_PUBID;

pubId is a URL parameter to add a friendly message to the login page for the user.

So now I do actually get a "SAML Token", but all it contains is a GUID.
I then have to call a SOAP web service to actually convert that GUID into a real user object.


MyAlaskaAuthProvider is a subclass of FederationAuthenticationProvider

It overrides #authenticate to add some logging before calling super.
It overrides #loadUserByFederationResponse to find the myAkUsername BEFORE calling super.

The current Error I'm getting is a certificate error while trying to access the GUID based web service.

So in doing some research I found this:
http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-Howtooverridetheserviceaddress%3F 

I've followed the page and created a cxf.xml. I've added it as another file to be parsed as part
of my Spring config.

cxf.xml has an http:conduit like so:

  <http:conduit
    name="{http://cxf.apache.org/}TransportURIResolver.http-conduit">
    <!-- this name matches the conduit CXF itself uses to fetch the WSDL and
         any imported schemas over HTTPS, which is the request failing in the
         trace below; the actual service calls go through a second conduit
         named after the port, as in the commented-out name -->
    <!--name="{http://myalaska.state.ak.us/wsdl/MyAlaskaService}WSHttpBinding_MyAlaskaService.http-conduit">-->

    <!-- duplicates values from <certificateStores> in Fediz config -->
    <http:tlsClientParameters>
      <sec:keyManagers keyPassword="password">
        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
      </sec:keyManagers>
      <!-- "PKIX path building failed ... unable to find valid certification
           path" means the chain presented by the server was not anchored in
           whichever truststore the handshake actually used -->
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="XXXXXX" resource="stsstore.jks"/>
      </sec:trustManagers>
      <sec:cipherSuitesFilter>
        <!-- the CXF sample this was copied from also includes export, DES
             and NULL suites; those give no real confidentiality, so only AES
             suites are allowed here, and anonymous Diffie-Hellman stays
             excluded because it is vulnerable to man-in-the-middle attacks -->
        <sec:include>.*_WITH_AES_.*</sec:include>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
  </http:conduit>

However, when I try to actually create an instance of my SOAP service, I get a stack trace in my log file. Pasted in full below.
To me the interesting bit is probably:
Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 

So am I defining my conduit name right? How can I tell if the conduit wrapping is even happening?


Thank you again,
Tom Burton



--------------- Full Stack Trace -------------
 
06-19@14:27:45 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request
javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:149)
        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
        at javax.xml.ws.Service.<init>(Unknown Source)
        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Unknown Source)
Caused by: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:100)
        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
        ... 33 more
Caused by: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://mydev-svc.state.ak.us:444/WebService/MyAlaskaService.svc?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
        at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
        at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
        at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
        at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
        at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
        at javax.xml.ws.Service.<init>(Unknown Source)
        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.service.MyAlaskaService_Service.<init>(MyAlaskaService_Service.java:62)
        at us.ak.state.revenue.cssd.webBaseTest.MyAlaska.client.MyAlaskaV3.<init>(MyAlaskaV3.java:57)
        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.loadUserByFederationResponse(MyAlaskaAuthProvider.java:50)
        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:123)
        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:34)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        ... 60 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 66 more

        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
        ... 35 more
06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
06-19@14:27:45 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@8c9de8
06-19@14:27:45 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
06-19@14:27:45 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
06-19@14:27:45 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed


-----Original Message-----
From: Oliver Wulff [mailto:owulff@talend.com] 
Sent: Tuesday, June 18, 2013 11:11 PM
To: users@cxf.apache.org
Subject: RE: FEDIZ Authentication problems

Hi Tom

>>>
If I subclass ``  to authenticate on my desired URL path `myAlaska`
>>>
Which class do you want to subclass?

>>>
MyAlaskaAuthProvider       
>>>
What kind of AuthProvider is this?

>>>
If I remove the additional authentication checks so it only checks on /j_spring_fediz_security_check
>>>
Can you point me in your configuration what you mean?

>>>
The first error tells me there was a problem with the sign-in request-response; it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 or any other parameters. It's also a GET request and NOT a POST.
>>>
This is kind of strange. Did you really get redirected to the IDP? Could you share the browser traffic (httpfox, findbugs, etc.)?

>>>
The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to /myAlaska -> redirects back to the IDP ...
In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
It looks like Fediz wants a POST redirect with some desired parameters set, like wa=wsignin1.0, and seeing as it's not finding that information it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
>>>
This is per WS-Federation spec. The SAML assertion is sent in the wresult parameter. Fediz works with ADFS but keep in mind that ADFS uses an older WS-Trust and SAML 1.1 assertion which is supported by Fediz as well.


>>>
I have spring security configured like so:
<sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
    <sec:intercept-url pattern="/" access="permitAll"/>
    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
    <sec:session-management session-authentication-strategy-ref="sas"/>
</sec:http>
The examples look like you expect a role with the SAML token. I want to treat ALL accounts from ADFS with the same role.
Is using access="isFullyAuthenticated()" appropriate for my use case?
>>>
The following definition requires that you're authenticated (without the requirement for any roles):
<sec:intercept-url pattern="/secure/fedservlet" access="isAuthenticated()"/>

There is an example available for Spring Security. Here is the Spring Security configuration of it:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml?view=markup

HTH

Oli


------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
Sent: 18 June 2013 21:15
To: users@cxf.apache.org
Subject: FEDIZ Authentication problems

I'm trying to set up FEDIZ-1.1-SNAPSHOT with FEDIZ-1.1-SPRING-SNAPSHOT as an RP to an existing .NET ADFS IDP.

If I subclass `` to authenticate on my desired URL path `myAlaska`, I end up with the following log entries when I try to log in:

06-18@09:56:56 INFO  [] Spring Security Debugger   -

************************************************************

Request received for '/myAlaska':

org.apache.catalina.connector.RequestFacade@a2f68b

servletPath:/myAlaska
pathInfo:null

Security filter chain: [
  SecurityContextPersistenceFilter
  MyAlaskaAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************


06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
06-18@09:56:56 DEBUG [] nSecurityContextRepository - No HttpSession currently exists
06-18@09:56:56 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Compared: path=/myAlaska, and /j_spring_fediz_security_check
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - ServletPath Authentication: true
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Request is to process authentication
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - begin parameter logging.
wa:       null
wresult:  null
full URL: https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
Method:   GET
06-18@09:56:56 DEBUG [] ProviderManager            - Authentication attempt using us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider
06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - Authenticating: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1dacb29: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 146.63.181.15; SessionId: null; Not granted any authorities
06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - request: WA: null Wct: null Result: null Cert Count: 0
06-18@09:56:56 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
06-18@09:56:56 ERROR [] FederationProcessorImpl    - Invalid action 'null'
06-18@09:56:56 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request
org.apache.cxf.fediz.core.exception.ProcessingException: The request was invalid or malformed
        at org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:93)
        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:121)
        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:30)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Unknown Source)
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: The request was invalid or malformed
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1508a8b
06-18@09:56:56 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
06-18@09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
06-18@09:56:56 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

If I remove the additional authentication checks so it only checks on /j_spring_fediz_security_check, I get the following error instead:

06-18@10:57:19 INFO  [] Spring Security Debugger   -

************************************************************

Request received for '/myAlaska':

org.apache.catalina.connector.RequestFacade@1cdedd4

servletPath:/myAlaska
pathInfo:null

Security filter chain: [
  SecurityContextPersistenceFilter
  MyAlaskaAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************


06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
06-18@10:57:19 DEBUG [] nSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
06-18@10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be created.
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
06-18@10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication = false
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - pathInfo: both null (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - queryString: both null (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURI: arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverPort: arg1=8443; arg2=8443 (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURL: arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska; arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - scheme: arg1=https; arg2=https (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverName: arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - contextPath: arg1=/newhirereporting; arg2=/newhirereporting (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - servletPath: arg1=/myAlaska; arg2=/myAlaska (property equals)
06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - Removing DefaultSavedRequest from session if present
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
06-18@10:57:19 DEBUG [] nymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS'
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/'
06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/myalaska'
06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()]
06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS
06-18@10:57:19 DEBUG [] AffirmativeBased           - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@200930, returned: -1
06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Unknown Source)
06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - DefaultSavedRequest added to Session: DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska]
06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication entry point.
06-18@10:57:19 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
06-18@10:57:19 DEBUG [] MyAlaskaEntryPoint         - Federation context: org.apache.cxf.fediz.core.config.FederationContext@a302f2
06-18@10:57:19 INFO  [] FederationProcessorImpl    - Issuer url: https://mydev.alaska.gov/adfs/ls/
06-18@10:57:19 INFO  [] FederationProcessorImpl    - WAuth:
06-18@10:57:19 INFO  [] FederationProcessorImpl    - HomeRealm: null
06-18@10:57:19 INFO  [] FederationProcessorImpl    - Freshness: null
06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/
06-18@10:57:19 INFO  [] MyAlaskaEntryPoint         - Redirecting to IDP: https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&pubId=enhr
06-18@10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
06-18@10:57:19 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

The first error tells me there was a problem with the sign-in request-response; it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 or any other parameters. It's also a GET request and NOT a POST.

The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to /myAlaska -> redirects back to the IDP ...
In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
It looks like Fediz wants a POST redirect with some desired parameters set, like wa=wsignin1.0, and seeing as it's not finding that information it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.

I have spring security configured like so:
<sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
    <sec:intercept-url pattern="/" access="permitAll"/>
    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
    <sec:session-management session-authentication-strategy-ref="sas"/>
</sec:http>
The examples look like you expect a role with the SAML token. I want to treat ALL accounts from ADFS with the same role.
Is using access="isFullyAuthenticated()" appropriate for my use case?

Thank you for any help,
Tom Burton


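As an added example (not Fediz or Spring Security code; the class, method and enum names are hypothetical, and the wresult body and wctx value are constructed placeholders), the two halves of the passive sign-in exchange discussed in the thread above: the RP builds the GET redirect to the IdP carrying wa=wsignin1.0, wreply, wtrealm and wct, as the second log's entry point does, and on the way back it treats only a POST carrying wa=wsignin1.0 and a wresult as a sign-in response, so a bare GET to /myAlaska (the first log's request) falls through to the access check and the entry point instead of ending in "Invalid action 'null'".

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.time.Instant;
import java.time.format.DateTimeFormatter;
import java.time.temporal.ChronoUnit;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Both directions of the WS-Federation passive sign-in exchange as seen by a
 * relying party. Hypothetical illustration class, not Fediz or Spring code.
 */
public final class WsFedPassiveExchange {

    /** How the RP should treat an incoming request. */
    public enum Kind {
        SIGN_IN_RESPONSE,  // POST with wa=wsignin1.0 and a wresult: validate the token
        SIGN_OUT,          // wa=wsignout1.0 / wsignoutcleanup1.0: clear the local session
        PLAIN_NAVIGATION,  // no WS-Federation parameters: ordinary page hit, let the
                           // access check run and the entry point redirect to the IdP
        MALFORMED          // WS-Federation parameters present but inconsistent: reject
    }

    private WsFedPassiveExchange() {}

    /** RP -> IdP: the redirect the entry point issues for an unauthenticated page hit. */
    public static String signInRequestUrl(String issuerUrl, String wreply, String wtrealm, Instant now) {
        StringBuilder sb = new StringBuilder(issuerUrl);
        sb.append(issuerUrl.contains("?") ? '&' : '?').append("wa=wsignin1.0");
        sb.append("&wreply=").append(enc(wreply));   // where the IdP should POST the token back
        sb.append("&wtrealm=").append(enc(wtrealm)); // the RP identifier the IdP issues the token for
        // wct: request timestamp in UTC with millisecond precision
        sb.append("&wct=").append(enc(DateTimeFormatter.ISO_INSTANT.format(now.truncatedTo(ChronoUnit.MILLIS))));
        return sb.toString();
    }

    /** IdP -> RP: decide what an incoming request is before any token validation runs. */
    public static Kind classify(String method, Map<String, String[]> params) {
        String wa = first(params, "wa");
        String wresult = first(params, "wresult");
        if (wa == null && wresult == null) {
            // A GET to the protected page with no parameters is not a sign-in response;
            // handing it to the federation processor is what yields "Invalid action 'null'".
            return Kind.PLAIN_NAVIGATION;
        }
        if ("wsignin1.0".equals(wa)) {
            // The IdP returns the RSTR (carrying the SAML assertion) by browser POST in wresult.
            boolean hasToken = wresult != null && !wresult.trim().isEmpty();
            return ("POST".equalsIgnoreCase(method) && hasToken) ? Kind.SIGN_IN_RESPONSE : Kind.MALFORMED;
        }
        if ("wsignout1.0".equals(wa) || "wsignoutcleanup1.0".equals(wa)) {
            return Kind.SIGN_OUT;
        }
        return Kind.MALFORMED; // wresult without a recognised wa, or an unknown action
    }

    private static String first(Map<String, String[]> params, String name) {
        String[] v = params.get(name);
        return (v == null || v.length == 0) ? null : v[0];
    }

    private static String enc(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Builds a map in the shape of ServletRequest.getParameterMap(). */
    private static Map<String, String[]> params(String... kv) {
        Map<String, String[]> m = new LinkedHashMap<>();
        for (int i = 0; i + 1 < kv.length; i += 2) {
            m.put(kv[i], new String[] { kv[i + 1] });
        }
        return m;
    }

    public static void main(String[] args) {
        // Constructed demo values, using the issuer, wreply and wtrealm shown in the thread's logs.
        String issuer = "https://mydev.alaska.gov/adfs/ls/";
        String wreply = "https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska";
        String wtrealm = "https://cssdappstst.state.ak.us:8443/newhirereporting/";
        System.out.println("redirect: " + signInRequestUrl(issuer, wreply, wtrealm,
                Instant.parse("2013-06-18T18:57:19.790Z")));

        // 1. Bare GET to the protected page, as in the first log.
        System.out.println("bare GET         -> " + classify("GET", params()));
        // 2. The IdP's form POST back to wreply (wresult body is a placeholder).
        System.out.println("IdP POST         -> " + classify("POST", params(
                "wa", "wsignin1.0", "wresult", "<t:RequestSecurityTokenResponse>...</t:RequestSecurityTokenResponse>")));
        // 3. wa=wsignin1.0 on a GET with no token: not a valid response.
        System.out.println("GET with wa only -> " + classify("GET", params("wa", "wsignin1.0")));
        // 4. Sign-out cleanup from the IdP.
        System.out.println("sign-out cleanup -> " + classify("GET", params("wa", "wsignoutcleanup1.0")));
    }
}
```

Compile and run with `javac WsFedPassiveExchange.java && java WsFedPassiveExchange`; the redirect it prints has the same wa, wreply, wtrealm and wct encoding as the entry point's line in the second log.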
RE: FEDIZ Authentication problems

Posted by Oliver Wulff <ow...@talend.com>.
Hi Tom

>>>
If I subclass ``  to authenticate on my desired URL path `myAlaska`
>>>
Which class do you want to subclass?

>>>
MyAlaskaAuthProvider       
>>>
What kind of AuthProvider is this?

>>>
If I remove the additional authentication checks so it only checks on /j_spring_fediz_security_check
>>>
Can you point me in your configuration what you mean?

>>>
The first error tells me there was a problem with the sign-in request-response; it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 or any other parameters. It's also a GET request and NOT a POST.
>>>
This is kind of strange. Did you really get redirected to the IDP? Could you share the browser traffic (httpfox, findbugs, etc.)?

>>>
The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to /myAlaska -> redirects back to the IDP ...
In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
It looks like Fediz wants a POST redirect with some desired parameters set, like wa=wsignin1.0, and seeing as it's not finding that information it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.
>>>
This is per WS-Federation spec. The SAML assertion is sent in the wresult parameter. Fediz works with ADFS but keep in mind that ADFS uses an older WS-Trust and SAML 1.1 assertion which is supported by Fediz as well.


>>>
I have spring security configured like so:
<sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
    <sec:intercept-url pattern="/" access="permitAll"/>
    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
    <sec:session-management session-authentication-strategy-ref="sas"/>
</sec:http>
The examples look like you expect a role with the SAML token. I want to treat ALL accounts from ADFS with the same role.
Is using access="isFullyAuthenticated()" appropriate for my use case?
>>>
The following definition requires that you're authenticated (without the requirement for any roles):
<sec:intercept-url pattern="/secure/fedservlet" access="isAuthenticated()"/>

There is an example available for Spring Security. Here is the Spring Security configuration of it:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml?view=markup

HTH

Oli


------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Burton, Tom F (DOR) [tom.burton@alaska.gov]
Sent: 18 June 2013 21:15
To: users@cxf.apache.org
Subject: FEDIZ Authentication problems

I'm trying to set up FEDIZ-1.1-SNAPSHOT with FEDIZ-1.1-SPRING-SNAPSHOT as an RP to an existing .NET ADFS IDP.

If I subclass `` to authenticate on my desired URL path `myAlaska`, I end up with the following log entries when I try to log in:

06-18@09:56:56 INFO  [] Spring Security Debugger   -

************************************************************

Request received for '/myAlaska':

org.apache.catalina.connector.RequestFacade@a2f68b

servletPath:/myAlaska
pathInfo:null

Security filter chain: [
  SecurityContextPersistenceFilter
  MyAlaskaAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************


06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
06-18@09:56:56 DEBUG [] nSecurityContextRepository - No HttpSession currently exists
06-18@09:56:56 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
06-18@09:56:56 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Compared: path=/myAlaska, and /j_spring_fediz_security_check
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - ServletPath Authentication: true
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Request is to process authentication
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - begin parameter logging.
wa:       null
wresult:  null
full URL: https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
Method:   GET
06-18@09:56:56 DEBUG [] ProviderManager            - Authentication attempt using us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider
06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - Authenticating: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1dacb29: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 146.63.181.15; SessionId: null; Not granted any authorities
06-18@09:56:56 DEBUG [] MyAlaskaAuthProvider       - request: WA: null Wct: null Result: null Cert Count: 0
06-18@09:56:56 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
06-18@09:56:56 ERROR [] FederationProcessorImpl    - Invalid action 'null'
06-18@09:56:56 ERROR [] tionAuthenticationProvider - Failed to validate SignIn request
org.apache.cxf.fediz.core.exception.ProcessingException: The request was invalid or malformed
        at org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:93)
        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticateNow(FederationAuthenticationProvider.java:121)
        at org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider.authenticate(FederationAuthenticationProvider.java:109)
        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthProvider.authenticate(MyAlaskaAuthProvider.java:30)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
        at org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter.attemptAuthentication(FederationAuthenticationFilter.java:62)
        at us.ak.state.revenue.cssd.webBaseTest.utils.fediz.MyAlaskaAuthenticationFilter.attemptAuthentication(MyAlaskaAuthenticationFilter.java:94)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Unknown Source)
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: The request was invalid or malformed
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
06-18@09:56:56 DEBUG [] AlaskaAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1508a8b
06-18@09:56:56 DEBUG [] thenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
06-18@09:56:56 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
06-18@09:56:56 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

If  I remove the additional Authentication checks so it only checks on /j_spring_fediz_security_check
I get the following error instead:

06-18@10:57:19 INFO  [] Spring Security Debugger   -

************************************************************

Request received for '/myAlaska':

org.apache.catalina.connector.RequestFacade@1cdedd4

servletPath:/myAlaska
pathInfo:null

Security filter chain: [
  SecurityContextPersistenceFilter
  MyAlaskaAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************


06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
06-18@10:57:19 DEBUG [] nSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
06-18@10:57:19 DEBUG [] nSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3d3f6f. A new one will be created.
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 2 of 8 in additional filter chain; firing Filter: 'MyAlaskaAuthenticationFilter'
06-18@10:57:19 DEBUG [] AlaskaAuthenticationFilter - requiresAuthentication = false
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - pathInfo: both null (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - queryString: both null (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURI: arg1=/newhirereporting/myAlaska; arg2=/newhirereporting/myAlaska (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverPort: arg1=8443; arg2=8443 (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - requestURL: arg1=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska; arg2=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - scheme: arg1=https; arg2=https (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - serverName: arg1=cssdappstst.state.ak.us; arg2=cssdappstst.state.ak.us (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - contextPath: arg1=/newhirereporting; arg2=/newhirereporting (property equals)
06-18@10:57:19 DEBUG [] DefaultSavedRequest        - servletPath: arg1=/myAlaska; arg2=/myAlaska (property equals)
06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - Removing DefaultSavedRequest from session if present
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
06-18@10:57:19 DEBUG [] nymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS'
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
06-18@10:57:19 DEBUG [] FilterChainProxy           - /myAlaska at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/'
06-18@10:57:19 DEBUG [] AntPathRequestMatcher      - Checking match of request : '/myalaska'; against '/myalaska'
06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /myAlaska; Attributes: [isFullyAuthenticated()]
06-18@10:57:19 DEBUG [] FilterSecurityInterceptor  - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 146.63.181.15; SessionId: E05C8557CDBEB12681983615D61272D5; Granted Authorities: ROLE_ANONYMOUS
06-18@10:57:19 DEBUG [] AffirmativeBased           - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@200930, returned: -1
06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69)
        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Unknown Source)
06-18@10:57:19 DEBUG [] HttpSessionRequestCache    - DefaultSavedRequest added to Session: DefaultSavedRequest[https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska]
06-18@10:57:19 DEBUG [] ExceptionTranslationFilter - Calling Authentication entry point.
06-18@10:57:19 DEBUG [] FederationConfigImpl       - Reading federation configuration for context '/newhirereporting'
06-18@10:57:19 DEBUG [] MyAlaskaEntryPoint         - Federation context: org.apache.cxf.fediz.core.config.FederationContext@a302f2
06-18@10:57:19 INFO  [] FederationProcessorImpl    - Issuer url: https://mydev.alaska.gov/adfs/ls/
06-18@10:57:19 INFO  [] FederationProcessorImpl    - WAuth:
06-18@10:57:19 INFO  [] FederationProcessorImpl    - HomeRealm: null
06-18@10:57:19 INFO  [] FederationProcessorImpl    - Freshness: null
06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wreply=https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska
06-18@10:57:19 DEBUG [] FederationProcessorImpl    - wtrealm=https://cssdappstst.state.ak.us:8443/newhirereporting/
06-18@10:57:19 INFO  [] MyAlaskaEntryPoint         - Redirecting to IDP: https://mydev.alaska.gov/adfs/ls/?wa=wsignin1.0&wreply=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2FmyAlaska&wtrealm=https%3A%2F%2Fcssdappstst.state.ak.us%3A8443%2Fnewhirereporting%2F&wct=2013-06-18T18%3A57%3A19.790Z&pubId=enhr
06-18@10:57:19 DEBUG [] nSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
06-18@10:57:19 DEBUG [] tyContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

The first error tells me there was a problem with the sign-in request/response: it's a straight-up hit to /myAlaska without the ?wa=wsignin1.0 or any other parameters. It's also a GET request and NOT a POST.

The second error is a redirect loop: /myAlaska -> redirects to the IDP -> redirects back to /myAlaska -> redirects back to the IDP ...
In my production applications people will normally just hit / -> redirect to IDP -> / (or /welcome) and they're logged in.
But I want to support someone directly navigating to /someOtherPage -> redirect to IDP -> /someOtherPage as well.
When I look into the logs, it appears that the return request from the sign-in page is a plain GET redirect to my desired results page.
It looks like Fediz wants a POST redirect with some desired parameters set, like wa=wsignin1.0, and seeing as it's not finding that information,
it errors, assumes I'm not logged in and redirects me to my IDP's sign-in page.

I have spring security configured like so:
<sec:http entry-point-ref="federationEntryPoint" use-expressions="true" >
    <sec:intercept-url pattern="/" access="permitAll"/>
    <sec:intercept-url pattern="/myAlaska" access="isFullyAuthenticated()" />
    <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
    <sec:session-management session-authentication-strategy-ref="sas"/>
</sec:http>
The examples look like you expect a role with the SAML Token.  I want to treat ALL accounts from ADFS with the same role.
Is using access="isFullyAuthenticated()" appropriate for my use case?

Thank you for any help,
Tom Burton

Confidentiality Notice:  This e-mail message including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
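The two logs above show the two sides of the WS-Federation passive profile that the RP filter has to tell apart: a plain GET to a protected page (wa=null, wresult=null, method GET) that should be redirected to the IDP, and the form POST carrying wa=wsignin1.0 and wresult that the IDP sends back to wreply and that the token processor expects. The following is an added example for this thread, not Fediz or Spring Security code, and it does not validate the SAML token inside wresult. It models the decision a filter makes per request, builds the same redirect URL the second log shows (issuer, wreply, wtrealm and wct are taken from those log lines; the trailing pubId parameter in the logged URL is left out), and shows what happens when the reply URL (here /myAlaska) is not one of the paths the filter watches (here only /j_spring_fediz_security_check): the posted response is never consumed, the request stays anonymous, and the next redirect to the IDP follows. The watched-path set, the constructed POST body and the function names are assumptions for illustration.

```python
"""WS-Federation passive sign-in as seen from the relying party (constructed example).

Not Fediz or Spring Security code.  Parameter values below come from the log
lines in the post; the POST body and the watched-path set are constructed.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

SIGNIN_ACTION = "wsignin1.0"

# Values as logged in the second trace of the post (pubId deliberately omitted).
ISSUER = "https://mydev.alaska.gov/adfs/ls/"
WREPLY = "https://cssdappstst.state.ak.us:8443/newhirereporting/myAlaska"
WTREALM = "https://cssdappstst.state.ak.us:8443/newhirereporting/"
WCT = "2013-06-18T18:57:19.790Z"


def build_signin_redirect(issuer, wreply, wtrealm, wct):
    """Redirect an unauthenticated request to the IDP.

    wreply is where the IDP will POST the token back to; wtrealm identifies the RP.
    urlencode percent-encodes ':' and '/' exactly as in the logged URL."""
    query = urlencode({"wa": SIGNIN_ACTION, "wreply": wreply, "wtrealm": wtrealm, "wct": wct})
    return issuer + ("&" if "?" in issuer else "?") + query


def wreply_is_inside_realm(wreply, wtrealm):
    """Sanity check before redirecting: the reply URL must sit under the realm
    (same scheme, host and port, path under the realm path), otherwise the
    token would be posted to a URL the RP does not own."""
    r, t = urlsplit(wreply), urlsplit(wtrealm)
    return (r.scheme, r.netloc) == (t.scheme, t.netloc) and r.path.startswith(t.path)


def parse_form_body(body):
    """Decode an application/x-www-form-urlencoded POST body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def is_signin_response(method, params):
    """Only a form POST with wa=wsignin1.0 and a wresult body is a sign-in response.

    A bare GET to a protected page (first log: wa=null, wresult=null, GET) is not
    one and must not be handed to the token processor; it needs the redirect."""
    return (method.upper() == "POST"
            and params.get("wa") == SIGNIN_ACTION
            and bool(params.get("wresult")))


def decide(method, path, params, watched_paths):
    """What a filter should do with one request.

    'process'     sign-in response on a watched path: validate wresult, log the user in
    'unprocessed' sign-in response posted to a path the filter ignores: it falls
                  through as anonymous and the page redirects to the IDP again (the loop)
    'redirect'    anything else that is unauthenticated: send it to the IDP"""
    if is_signin_response(method, params):
        return "process" if path in watched_paths else "unprocessed"
    return "redirect"


# Constructed body of the IDP's POST back to wreply (token content is a stub).
SAMPLE_POST_BODY = "wa=wsignin1.0&wresult=%3Ct%3ARequestSecurityTokenResponse%2F%3E&wctx=saved"


if __name__ == "__main__":
    print(build_signin_redirect(ISSUER, WREPLY, WTREALM, WCT))
    reply_path = urlsplit(WREPLY).path
    posted = parse_form_body(SAMPLE_POST_BODY)
    # Filter watches only the default check URL: the response to /myAlaska is lost.
    print(decide("POST", reply_path, posted, {"/newhirereporting/j_spring_fediz_security_check"}))
    # Filter watches the reply path as well: the response is consumed.
    print(decide("POST", reply_path, posted, {"/newhirereporting/myAlaska"}))
    # The first log of the post: GET, no wa/wresult.
    print(decide("GET", reply_path, {}, {"/newhirereporting/myAlaska"}))
```

Two things to keep in mind when using this as a checklist: the path a filter watches must include every URL used as wreply (or wreply must always point at the one watched path, with the originally requested page carried in the saved request), and the reply-URL check should be enforced before the redirect is issued, since a reply URL outside the realm means the token leaves the RP.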