java - Integrating Spring Security and Waffle on Tomcat with Role checks -




As the title suggests, I'm trying to integrate Spring Security and Waffle on Tomcat using roles. The app is deployed in a Windows environment where users have already been domain-authenticated, and I want to exercise single sign-on. To take things further, I want to check the groups the authenticated user belongs to and configure interceptors to prevent users who are not members of the approved group(s) from accessing the web app.

Here's what the app context looks like:

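<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:cache="http://www.springframework.org/schema/cache"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans    http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
                           http://www.springframework.org/schema/mvc      http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
                           http://www.springframework.org/schema/context  http://www.springframework.org/schema/context/spring-context-3.0.xsd
                           http://www.springframework.org/schema/cache    http://www.springframework.org/schema/cache/spring-cache-3.1.xsd">

  <mvc:annotation-driven />
  <cache:annotation-driven />
  <import resource="mvc-config.xml" />

  <!-- ======================= Waffle config ======================= -->

  <!-- Windows authentication provider; shared by the Negotiate and Basic providers below. -->
  <bean id="waffleWindowsAuthProvider" class="waffle.windows.auth.impl.WindowsAuthProviderImpl" />

  <!-- Negotiate (Kerberos/NTLM) provider: this is the single sign-on path. -->
  <bean id="negotiateSecurityFilterProvider" class="waffle.servlet.spi.NegotiateSecurityFilterProvider">
    <constructor-arg ref="waffleWindowsAuthProvider" />
  </bean>

  <!--
    Collection of security filter providers: Negotiate is listed first, Basic is the fallback.
    Offering Basic is what produces the username/password prompt whenever Negotiate does not complete
    (the 401 responses in the captured trace carry WWW-Authenticate: Negotiate, NTLM and Basic challenges).
    Basic transmits the password base64-encoded, so it should only be offered behind TLS, and can be removed
    from this list once SSO works if a password prompt is never wanted.
  -->
  <bean id="waffleSecurityFilterProviderCollection" class="waffle.servlet.spi.SecurityFilterProviderCollection">
    <constructor-arg>
      <list>
        <ref bean="negotiateSecurityFilterProvider" />
        <ref bean="basicSecurityFilterProvider" />
      </list>
    </constructor-arg>
  </bean>

  <!--
    Spring Security filter chain and entry point.
    NOTE(review): hasRole() compares the exact authority string. No grantedAuthorityFactory is configured on the
    filter below, so Waffle's default mapping applies: each Windows group becomes "ROLE_" + the upper-cased group
    name (in the fqn and/or SID form chosen by roleFormat) and every authenticated principal also receives
    ROLE_USER. A lower-case 'app_user' therefore cannot match, which is consistent with the Access Denied reported
    for this expression; the authority to use can be read from the "granted authorities" list that the
    FilterSecurityInterceptor debug output prints for an authenticated (non-anonymous) request.
  -->
  <sec:http use-expressions="true" entry-point-ref="negotiateSecurityFilterEntryPoint">
    <sec:intercept-url pattern="/**" access="hasRole('app_user')" />
    <sec:custom-filter ref="waffleNegotiateSecurityFilter" position="BASIC_AUTH_FILTER" />
  </sec:http>

  <!-- Basic provider: fallback when the client cannot complete Negotiate. -->
  <bean id="basicSecurityFilterProvider" class="waffle.servlet.spi.BasicSecurityFilterProvider">
    <constructor-arg ref="waffleWindowsAuthProvider" />
  </bean>

  <!-- Issues the 401 with one WWW-Authenticate challenge per provider in the collection. -->
  <bean id="negotiateSecurityFilterEntryPoint" class="waffle.spring.NegotiateSecurityFilterEntryPoint">
    <property name="provider" ref="waffleSecurityFilterProviderCollection" />
  </bean>

  <!--
    Spring authentication manager. No authentication providers are declared; the Waffle filter populates the
    SecurityContext itself, so this element appears to exist only to satisfy the security namespace (confirm).
  -->
  <sec:authentication-manager alias="authenticationprovider" />

  <!-- Spring Security filter that performs the actual Windows authentication. -->
  <bean id="waffleNegotiateSecurityFilter" class="waffle.spring.NegotiateSecurityFilter">
    <property name="provider" ref="waffleSecurityFilterProviderCollection" />
    <!-- Refuse logons that Windows would map to the Guest account; keep this false. -->
    <property name="allowGuestLogin" value="false" />
    <!-- fqn: principal name in DOMAIN\user form. -->
    <property name="principalFormat" value="fqn" />
    <!-- both: group authorities exposed in fqn and SID form. -->
    <property name="roleFormat" value="both" />
  </bean>

  <!-- ===================== end Waffle config ===================== -->

  <!-- Static resources served by Spring MVC; still covered by the /** intercept-url above. -->
  <mvc:resources mapping="/css/**" location="/css/" />
  <mvc:resources mapping="/js/**" location="/js/" />
  <mvc:resources mapping="/img/**" location="/img/" />

  <!-- Bean name expected by the DispatcherServlet; maxUploadSize caps multipart request size in bytes. -->
  <bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
    <property name="maxUploadSize" value="1000000" />
  </bean>

  <bean id="excelexportview" class="com.mycompany.appname.view.excelexportview" />

  <context:component-scan base-package="com.mycompany.appname" />

  <!-- Default bean name expected by <cache:annotation-driven/>. -->
  <bean id="cacheManager" class="org.springframework.cache.support.SimpleCacheManager">
    <property name="caches">
      <set>
        <bean class="org.springframework.cache.concurrent.ConcurrentMapCacheFactoryBean" p:name="columnnames" />
      </set>
    </property>
  </bean>

  <!--
    Profile-specific data sources. Nested <beans profile="..."> elements must be the last children of the root.
    Placeholder keys (${jdbc.*}) are reproduced as posted.
  -->
  <beans profile="dev">
    <bean id="datasource" destroy-method="close" class="org.apache.commons.dbcp.BasicDataSource">
      <qualifier value="internal" />
      <property name="driverClassName" value="${jdbc.driverclassname}" />
      <property name="url" value="${jdbc.internal.url}" />
      <property name="username" value="${jdbc.internal.username}" />
      <!--<property name="password" value="${jdbc.internal.password}"/>-->
      <property name="minEvictableIdleTimeMillis" value="120000" />
      <property name="testOnBorrow" value="true" />
      <property name="timeBetweenEvictionRunsMillis" value="120000" />
      <property name="minIdle" value="1" />
    </bean>
    <bean id="datasourceexternal" destroy-method="close" class="org.apache.commons.dbcp.BasicDataSource">
      <qualifier value="external" />
      <property name="driverClassName" value="${jdbc.driverclassname}" />
      <property name="url" value="${jdbc.external.url}" />
      <property name="username" value="${jdbc.external.username}" />
      <!--<property name="password" value="${jdbc.external.password}"/>-->
      <property name="minEvictableIdleTimeMillis" value="120000" />
      <property name="testOnBorrow" value="true" />
      <property name="timeBetweenEvictionRunsMillis" value="120000" />
      <property name="minIdle" value="1" />
    </bean>
    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
      <property name="location" value="/WEB-INF/db-dev.properties" />
    </bean>
  </beans>

  <beans profile="test">
    <!--
      NOTE(review): neither data source in this profile sets username or password; confirm the credentials are
      supplied another way (e.g. in the JDBC URL or via integrated authentication) rather than missing.
    -->
    <bean id="datasource" destroy-method="close" class="org.apache.commons.dbcp.BasicDataSource">
      <qualifier value="internal" />
      <property name="driverClassName" value="${jdbc.driverclassname}" />
      <property name="url" value="${jdbc.internal.url}" />
      <property name="minEvictableIdleTimeMillis" value="120000" />
      <property name="testOnBorrow" value="true" />
      <property name="timeBetweenEvictionRunsMillis" value="120000" />
      <property name="minIdle" value="1" />
    </bean>
    <bean id="datasourceexternal" destroy-method="close" class="org.apache.commons.dbcp.BasicDataSource">
      <qualifier value="external" />
      <property name="driverClassName" value="${jdbc.driverclassname}" />
      <property name="url" value="${jdbc.external.url}" />
      <property name="minEvictableIdleTimeMillis" value="120000" />
      <property name="testOnBorrow" value="true" />
      <property name="timeBetweenEvictionRunsMillis" value="120000" />
      <property name="minIdle" value="1" />
    </bean>
    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
      <property name="location" value="/WEB-INF/db-test.properties" />
    </bean>
  </beans>

  <beans profile="production">
    <!-- NOTE(review): same as the test profile: no credentials are configured here; confirm how they are supplied. -->
    <bean id="datasource" destroy-method="close" class="org.apache.commons.dbcp.BasicDataSource">
      <qualifier value="internal" />
      <property name="driverClassName" value="${jdbc.driverclassname}" />
      <property name="url" value="${jdbc.internal.url}" />
      <property name="minEvictableIdleTimeMillis" value="120000" />
      <property name="testOnBorrow" value="true" />
      <property name="timeBetweenEvictionRunsMillis" value="120000" />
      <property name="minIdle" value="1" />
    </bean>
    <bean id="datasourceexternal" destroy-method="close" class="org.apache.commons.dbcp.BasicDataSource">
      <qualifier value="external" />
      <property name="driverClassName" value="${jdbc.driverclassname}" />
      <property name="url" value="${jdbc.external.url}" />
      <property name="minEvictableIdleTimeMillis" value="120000" />
      <property name="testOnBorrow" value="true" />
      <property name="timeBetweenEvictionRunsMillis" value="120000" />
      <property name="minIdle" value="1" />
    </bean>
    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
      <property name="location" value="/WEB-INF/db-prod.properties" />
    </bean>
  </beans>

</beans>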

and web.xml:

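<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
  NOTE(review): the <web-app> root element is not part of the posted fragment. <cookie-config> below is a
  Servlet 3.0 descriptor feature, so the root must declare version="3.0" or later for it to be honoured.
-->

<!-- Spring Security filter. DelegatingFilterProxy looks up a bean with exactly this filter-name (case-sensitive). -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!--
  Beans in these files make up the configuration of the root web application context.
  NOTE(review): this is the same file the DispatcherServlet init-param below loads, so every bean in
  appname-servlet.xml (security filter chain, Waffle filter, data sources, component scan, ...) is instantiated
  twice: once in the root context and once in the servlet's child context. Point one of the two at a different
  file; the servlet comment says its configuration resides in /WEB-INF/mvc-config.xml, which appname-servlet.xml
  already imports.
-->
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/appname-servlet.xml</param-value>
</context-param>

<context-param>
  <param-name>log4jConfigLocation</param-name>
  <param-value>/WEB-INF/log4j.properties</param-value>
</context-param>
<listener>
  <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>

<!--
  Default output escaping for Spring's JSP tag library (spring:/form: tags). This is not a general XSS defence:
  raw JSP expressions and other view technologies are unaffected.
-->
<context-param>
  <param-name>defaultHtmlEscape</param-name>
  <param-value>true</param-value>
</context-param>

<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- Deploys the 'appname' dispatcher servlet (see the NOTE on contextConfigLocation above). -->
<servlet>
  <servlet-name>appname</servlet-name>
  <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  <init-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/appname-servlet.xml</param-value>
  </init-param>
</servlet>

<!-- Maps *.htm URLs to the 'appname' servlet. -->
<servlet-mapping>
  <servlet-name>appname</servlet-name>
  <url-pattern>*.htm</url-pattern>
</servlet-mapping>

<!--
  NOTE(review): with this mapping commented out, unhandled exceptions fall through to the container's default
  error page, which typically includes the exception message and stack trace. Re-enable a generic error page
  before exposing the application beyond development.
-->
<!--
<error-page>
  <exception-type>java.lang.Exception</exception-type>
  <location>/error.jsp</location>
</error-page>
-->

<welcome-file-list>
  <welcome-file>/WEB-INF/views/appname_main.jsp</welcome-file>
</welcome-file-list>

<!--
  Session timeout in minutes. HttpOnly keeps JSESSIONID away from script; add <secure>true</secure> once the
  application is served over TLS.
  NOTE(review): in the captured WFetch trace the JSESSIONID cookie is issued with domain=.domain.tld and
  path=/something/ while the request goes to host localhost:8080, path /ourappname/. A browser does not return a
  cookie whose domain or path does not match the request, so the session that would hold the SecurityContext is
  never resumed and each request starts anonymous (the debug log shows sessionId: null). Unless those cookie
  values are only redaction in the post, check the container's session cookie domain/path settings.
-->
<session-config>
  <session-timeout>60</session-timeout>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
</session-config>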

What's happening right now is that all attempts to hit the app "appname" result in immediate prompting for authentication. Reading up on Waffle, I can only assume this is fall-back authentication because the Windows token failed, and it then tries to authenticate the user (either through a failed effort or invalid credentials).

Previous attempts have included not using 'hasRole' and instead using

access="IS_AUTHENTICATED_FULLY" />

This wouldn't check the role of the user, but would at least restrict access to the app based on domain authentication. Unfortunately, in this case the user is still prompted every time they hit the app. At least this configuration allowed domain users access to the app, unlike the 'hasRole' approach, which returned Access Denied every time.

Any insights appreciated...

[Edit: adding detail from our logs]

It turns out we were getting false-positive results when we thought single sign-on was working with IS_AUTHENTICATED_FULLY. The browser was caching credentials and applying them on each request, so SSO was never actually working; we were still prompted at times. ROLE_USER yields the same results: prompting, then accepting credentials.

Strangely, we've run into a problem trying to get detail out of Waffle. We added the following lines to Tomcat's conf/logging.properties:

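# Added to Tomcat's conf/logging.properties (java.util.logging via JULI).
# NOTE(review): the four original entries name Waffle's plain servlet filter stack, but the bean configured in the
# application context is waffle.spring.NegotiateSecurityFilter, which they do not cover; the added line below
# includes it. Two further reasons no Waffle output may appear, to confirm for the deployed version:
#  - JULI configures loggers created by web-application classes from the application's own
#    WEB-INF/classes/logging.properties, so entries in conf/logging.properties may not reach a Waffle jar in WEB-INF/lib;
#  - Waffle may log through SLF4J rather than java.util.logging, in which case the SLF4J binding on the classpath
#    (web.xml configures log4j) decides where the output goes and these JULI levels have no effect.
waffle.servlet.NegotiateSecurityFilter.level = FINE
waffle.spring.NegotiateSecurityFilter.level = FINE
waffle.servlet.spi.SecurityFilterProviderCollection.level = FINE
waffle.servlet.spi.NegotiateSecurityFilterProvider.level = FINE
waffle.servlet.spi.BasicSecurityFilterProvider.level = FINE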

Yet localhost, catalina, etc. produce no detail regarding Waffle.

The logging info we find related to the roles in play is this:

token:'org.springframework.security.authentication.anonymousauthenticationtoken@905571d8: principal: anonymoususer; credentials: [protected]; authenticated: true; details: org.springframework.security.web.authentication.webauthenticationdetails@0: remoteipaddress: 10.10.90.70; sessionid: null; granted authorities: role_anonymous'> 2013-02-21 11:25:10,527 debug [org.springframework.security.web.filterchainproxy] - </web-inf/views/ourappname_main.jsp @ position 6 of 8 in additional filter chain; firing filter: 'sessionmanagementfilter'> 2013-02-21 11:25:10,528 debug [org.springframework.security.web.filterchainproxy] - </web-inf/views/ourappname_main.jsp @ position 7 of 8 in additional filter chain; firing filter: 'exceptiontranslationfilter'> 2013-02-21 11:25:10,528 debug [org.springframework.security.web.filterchainproxy] - </web-inf/views/ourappname_main.jsp @ position 8 of 8 in additional filter chain; firing filter: 'filtersecurityinterceptor'> 2013-02-21 11:25:10,529 debug [org.springframework.security.web.access.intercept.filtersecurityinterceptor] - <secure object: filterinvocation: url: /web-inf/views/ourappname_main.jsp; attributes: [is_authenticated_fully]> 2013-02-21 11:25:10,529 debug [org.springframework.security.web.access.intercept.filtersecurityinterceptor] - <previously authenticated: org.springframework.security.authentication.anonymousauthenticationtoken@905571d8: principal: anonymous

From WFetch we captured this:

user; credentials: [protected]; authenticated: true; details: org.springframework.security.web.authentication.webauthenticationdetails@0: remoteipaddress: 10.10.10.10; sessionid: null; granted authorities: role_anonymous> http://10.10.10.10/ourappname/ transfer-encoding: chunked date: thu, 21 feb 2013 16:29:42 gmt

[Edit again] Header info from the failed call, as requested. Worth noting: the waffle-filter sample works as desired (no prompting of the user) when localhost is used. When the IP address or domain name is used, it prompts. I'm guessing this is a system administration / trusted-host issue?

get /ourappnamehttp/1.1 accept: text/html, application/xhtml+xml, */* accept-language: en-us user-agent: mozilla/5.0 (compatible; msie 9.0; windows nt 6.1; wow64; trident/5.0) accept-encoding: gzip, deflate host: localhost:8080 connection: keep-alive http/1.1 302 found server: apache-coyote/1.1 location: http://localhost:8080/ourappname/ transfer-encoding: chunked date: thu, 21 feb 2013 20:15:51 gmt /ourappname/ http/1.1 accept: text/html, application/xhtml+xml, */* accept-language: en-us user-agent: mozilla/5.0 (compatible; msie 9.0; windows nt 6.1; wow64; trident/5.0) accept-encoding: gzip, deflate host: localhost:8080 connection: keep-alive http/1.1 401 unauthorized server: apache-coyote/1.1 set-cookie: jsessionid=f2216f75cba6ac8476189da48a63a872; domain=.domain.tld; path=/something/; httponly connection: keep-alive www -authenticate: negotiate www-authenticate: ntlm www-authenticate: basic realm="basicsecurityfilterprovider" transfer-encoding: chunked date: thu, 21 feb 2013 20:15:51 gmt /fismacm/ http/1.1 accept: text/html, application/xhtml+xml, */* accept-language: en-us user-agent: mozilla/5.0 (compatible; msie 9.0; windows nt 6.1; wow64; trident/5.0) accept-encoding: gzip, deflate host: localhost:8080 connection: keep-alive authorization: negotiate yhkgbisgaqufaqbvmg2gmdaubgorbgeeayi3agikbgkqhkic9xibagigcsqgsib3egecagykkwybbagcnwichqi5bdd ovexnu1nqaaeaaacxsgjibaaeadmaaaalaasakaaaaaybsr0aaaapvzjlofiylurfvjfht0xe http/1.1 401 unauthorized server: apache-coyote/1.1 set-cookie: jsessionid=2cc0fdbf578629857113c6a72ee67ff5; domain=.domain.tld; path=/something/; httponly connection: keep-alive www-authenticate: negotiate www-authenticate: ntlm www-authenticate: basic realm="basicsecurityfilterprovider" transfer-encoding: chunked date: thu, 21 feb 2013 20:15:51 gmt /favicon.ico http/1.1 accept: */* accept-encoding: gzip, deflate user-agent: mozilla/5.0 (compatible; msie 9.0; windows nt 6.1; wow64; trident/5.0) host: localhost:8080 connection: keep-alive http/1.1 
200 ok server: apache-coyote/1.1 accept-ranges: bytes etag: w/"21630-1349272326000" last-modified: wed, 03 oct 2012 13:52:06 gmt content-type: image/x-icon content-length: 21630 date: thu, 21 feb 2013 20:16:07 gmt

