Spring Security (PreAuthentication) setup fails with Spring webflow, works otherwise [SWF-794] #254
Description
robin bajaj opened SWF-794 and commented
I am using Spring 2.5, Spring Webflow 2.0.2 and Spring Security 2.0.1.
I think I have hit upon a bug involving preAuthentication + Spring Security + Spring Webflow, and it's related to Spring Webflow, since Spring Security + preAuthentication is working fine for non-Spring-Webflow pages.
I started with sample webapp from Spring web flow. Then added form-login based security using "tutorial" sample application from Spring Security.
It was all working fine. Then I changed my spring security setup to accommodate the requirement for preAuthentication (since we are using Tivoli Access Manager/Web Seal infrastructure for authentication and will continue to use Spring Security for authorization). After a lot of struggle, I have Spring Security working such that I can navigate from my unsecured home page to a secured (non SWF) page and I notice (from DEBUG log output) that Spring security filter chain is doing its job correctly.
But when I click on the other secured link on my home page that starts my (Spring Webflow based) web flow, I get this error in the browser:
Code:
    Error 501: Method is not defined in RFC 2068 and is not supported by the Servlet API
Here's the exception trace I get from the WebSphere 6.1.0.15 server:
Code:
    [09/07/08 16:16:46:046 EDT] 00000027 WebApp E [Servlet Error]-[Spring MVC Dispatcher Servlet]: com.ibm.ws.webcontainer.webapp.WebAppErrorReport: Method is not defined in RFC 2068 and is not supported by the Servlet API
        at com.ibm.ws.webcontainer.webapp.WebAppDispatcherContext.sendError(WebAppDispatcherContext.java:538)
        at com.ibm.ws.webcontainer.srt.SRTServletResponse.sendError(SRTServletResponse.java:968)
        at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:152)
        at org.springframework.security.context.HttpSessionContextIntegrationFilter$OnRedirectUpdateSessionResponseWrapper.sendError(HttpSessionContextIntegrationFilter.java:498)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:788)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1068)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1009)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:145)
        at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:359)
(continued from the above post.. with more details.)
I have put the full exception trace here
http://rafb.net/p/Np6u4461.html (because of the character limit in spring forums)
Just to confirm whether it's a WebSphere-related issue, I created a war file and deployed it on Apache Tomcat 5.5.26. I get the same behaviour: the non-SWF secured page can be visited without problems, but the SWF webflow page cannot be visited, and I get the same message in the browser.
Here's what my springSecurityContext.xml looks like
URL: http://rafb.net/p/wBURCg22.html
Here's what my webflow-config.xml looks like
URL: http://rafb.net/p/ap30Xo16.html
Here's my policy.xml (for my first webflow)
URL: http://rafb.net/p/DDsQ8g62.html
Here's my home page (unsecured)
URL: http://rafb.net/p/EKMPU732.html
Here's my first page from the policy webflow
URL: http://rafb.net/p/1fnShV36.html
It's worth mentioning that the Spring Webflow page could be visited without problems when I had form-login based authentication set up in Spring Security.
So before, it was like
CASE-1:
Spring Security (form-login) + Spring Webflow --> working fine for secured (both SWF and non-SWF) pages.
My securityContext.xml from CASE-1 is:
Code:
    <global-method-security secured-annotations="enabled">
    </global-method-security>
    <http>
      <intercept-url pattern="/login.jsp*" filters="none" />
      <intercept-url pattern="/secure/extreme/**"
          access="ROLE_SUPERVISOR" />
      <intercept-url pattern="/secure/**"
          access="ROLE_SUPERVISOR,ROLE_USER" />
      <intercept-url pattern="/faces/policysearch*"
          access="ROLE_SUPERVISOR,ROLE_USER" />
      <intercept-url pattern="/spring/*"
          access="ROLE_SUPERVISOR,ROLE_USER" />
      <form-login login-page="/login.jsp" />
      <logout />
    </http>
    <authentication-provider user-service-ref="userDetailsService">
      <user-service>
        <user name="super" password="super"
            authorities="ROLE_SUPERVISOR" />
        <user name="scott" password="scott" authorities="ROLE_USER" />
        <user name="mark" password="mark" authorities="ROLE_USER"
            disabled="true" />
        <user name="base" password="base" authorities="ROLE_BASE" />
      </user-service>
    </authentication-provider>
CASE-2:
Now, after I changed my authentication setup from form-login to preauthentication --> only my non-SWF, secured pages can be visited.
And I get the above-mentioned error when I try to visit the SWF controlled web pages.
My (current, non-working) securityContext.xml from CASE-2 is:
Code:
    <global-method-security secured-annotations="enabled">
    </global-method-security>
    <http
        entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
      <intercept-url pattern="/secure/extreme/*"
          access="ROLE_SUPERVISOR" />
      <intercept-url pattern="/secure/*"
          access="ROLE_SUPERVISOR,ROLE_USER" />
      <intercept-url pattern="/faces/policysearch*"
          access="ROLE_SUPERVISOR,ROLE_USER" />
      <intercept-url pattern="/spring/*"
          access="ROLE_SUPERVISOR,ROLE_USER" />
    </http>
    <beans:bean id="preAuthenticatedProcessingFilterEntryPoint"
        class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
    <beans:bean id="preAuthenticatedProcessingFilter"
        class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
      <custom-filter position="PRE_AUTH_FILTER" />
      <beans:property name="principalRequestHeader" value="iv-user" />
      <beans:property name="credentialsRequestHeader"
          value="iv-password" />
      <beans:property name="authenticationManager"
          ref="authenticationManager" />
    </beans:bean>
    <authentication-manager alias="authenticationManager" />
    <beans:bean id="preauthAuthProvider"
        class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
      <custom-authentication-provider />
      <beans:property name="preAuthenticatedUserDetailsService">
        <beans:bean id="userDetailsServiceWrapper"
            class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
          <beans:property name="userDetailsService"
              ref="userDetailsService" />
        </beans:bean>
      </beans:property>
    </beans:bean>
    <beans:bean id="userDetailsService"
        class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
      <beans:property name="userProperties">
        <beans:bean
            class="org.springframework.beans.factory.config.PropertiesFactoryBean">
          <beans:property name="location"
              value="/WEB-INF/users.properties" />
        </beans:bean>
      </beans:property>
    </beans:bean>
I even turned on the DEBUG output for the org.springframework.webflow, org.springframework.js, org.springframework.binding and org.springframework.faces packages, but no additional output was spit out in the log file; I just got the same exception trace as mentioned above.
At this time, I would even appreciate any tips to further debug this situation, as to how I could get more detailed errors from SWF or Spring Security in this case.
robin
Affects: 2.0.2