Wss4jSecurityInterceptor and AcegiDigestPasswordValidationCallbackHandler do not correctly work together to update the Acegi security context. [SWS-341]

[gregturn]

Ian Butcher opened SWS-341 and commented

I am trying to hook up digest password handling and acegi authorization. I have managed to do this successfully with the plain text equivalent. I think I've managed to get close to the problem. When you configure the plain text acegi handler you wire in a ProviderManager.

<bean id="acegiHandler"
class="org.springframework.ws.soap.security.wss4j.callback.acegi.AcegiPlainTextPasswordValidationCallbackHandler">
<property name="authenticationManager" ref="authenticationManager"/>
</bean>

<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
        <bean class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
            <property name="userDetailsService" ref="inMemoryDaoImpl"/>
        </bean>
    </property>
</bean>


<bean id="wsSecurityInterceptor" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
    <property name="validationActions" value="UsernameToken"/>
    <property name="validationCallbackHandler">
        <!--<ref local="acegiDigestPasswordHandler"/>-->
        <ref local="acegiHandler"/>
    </property>
</bean>

<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    <property name="userMap">
        <value>
            Ernie=Bert,ROLE_SUPERVISOR
        </value>
    </property>
</bean>

It is the AbstractUserDetailsAuthenticationProvider (called by the AuthenticationManager) which, upon successful authentication, that actually sets the setAuthenticated(true) on the UsernamePasswordAuthenticationToken (see UsernamePasswordAuthenticationToken(principal, authentication.getCredentials(), user.getAuthorities()); ).

protected Authentication createSuccessAuthentication(Object principal, Authentication authentication,
UserDetails user) {
// Ensure we return the original credentials the user supplied,
// so subsequent attempts are successful even with encoded passwords.
// Also ensure we return the original getDetails(), so that future
// authentication events after cache expiry contain the details

// IB this constructor sets 'authenticated' to true
UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(principal,
authentication.getCredentials(), user.getAuthorities());
result.setDetails(authentication.getDetails());

    return result;
}

In the case of AcegiDigestPasswordValidationCallbackHandler you don't wire in a AuthenticationManager so even thought the credentials are valid it is never set to authentication in acegi SecurityContext. So the authorization fails even though the Principal has the correct GrantedAuthorities.

<bean id="wsSecurityInterceptor" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
<property name="validationActions" value="UsernameToken"/>
<property name="validationCallbackHandler">
<ref local="acegiDigestPasswordHandler"/>
<!--<ref local="acegiHandler"/>-->
</property>
</bean>

<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    <property name="userMap">
        <value>
            Ernie=Bert,ROLE_SUPERVISOR
        </value>
    </property>
</bean>

<bean id="acegiDigestPasswordHandler"
      class="org.springframework.ws.soap.security.wss4j.callback.acegi.AcegiDigestPasswordValidationCallbackHandler">
    <property name="userDetailsService">
        <ref local="inMemoryDaoImpl"/>
    </property>
</bean>

---

Affects: 1.5

Attachments:

• AcegiDigestPasswordValidationCallbackHandler.patch (1.35 kB)
• DigestPasswordValidationCallbackHandlerUnitTests.patch (6.44 kB)

Referenced from: commits fe45fe1, 08a84ca

[gregturn]

Tareq Abedrabbo commented

Line 81 in UsernamePasswordAuthenticationToken:
UsernamePasswordAuthenticationToken authRequest =
new UsernamePasswordAuthenticationToken(principal, principal.getPassword());
This constructor sets authenticated to false.

The following constructor sets authenticated to true but needs GrantedAuthority[] as an argument:
UsernamePasswordAuthenticationToken(Object principal, Object credentials, GrantedAuthority[] authorities)

[gregturn]

Tareq Abedrabbo commented

After investigation, I think that setAuthenticated is not the culprit. The problem comes from the way WSS4J handles digest passwords. Unlike with plain text passwords, WSS4J takes the responsibility of validating digest passwords and thus "steals" the flow.
This can be seen in AcegiDigestPasswordValidationCallbackHandler.handleUsernameToken: only the password of the user is passed to the callback whereas the granted authorities are lost. Thus, when UsernamePasswordAuthenticationToken is initialized in handleUsernameTokenPrincipal(), the authorities are not passed.
It seems that the only way to solve the issue is by reloading the user details in handleUsernameTokenPrincipal. The impact on performace can be alleviated by the usage of an appropriate UserCache.

Ian,
I've tested the attached patch with a configuration similar to the one you posted and it seemed to work. It would be great if you could confirm that it solves the issue for you or if you could post the complete acegi configuration you used.

[gregturn]

Ian Butcher commented

I'll take a look in the next couple of days. My sample project is 'between configurations'. I am profiling different autht strategies.

Thanks,

Ian.

[gregturn]

Ian Butcher commented

Tareq I have verified this fix on my sample application. Great work and thanks.

[gregturn]

Tareq Abedrabbo commented

Unit tests (acegi & spring security).
Ian, thanks for the feedback.

[gregturn]

Arjen Poutsma commented

Fixed. Thanks for the patch, Tareq, and thanks for the feedback, Ian!

[gregturn]

Arjen Poutsma commented

Closing issues for 1.5.1