Develop Reference

WSO2 EI - RelayUtils Error while building Passthrough stream

I'm using WSO2 EI 6.3.0 and i want to get data from specific webservice and push this data to an other webservice.
In the first time, i have to get the JWT Token from a first webservice to put it in the second call to get data.
So, i created several sequence to have reusable sequences.
I have the error when i want to inject bearer token header into my endpoint to get data.
STEP OF IN SEQUENCE
During the LogincheckSeq, i call the login_check api to get the JWT Token.
Then during the createBearerTokenSeq, i only create a property with the token recovered from LoginCheckSeq
Then we pass in the CreateBearerTokenSeq, to create a property with the token recovered before from the json response of the LoginCheckEP
Finally, we pass in the last sequence GetCustomerSeq to get customers informations from the webservice in json thanks to the jwt token given in the header (Authorization: Bearer token)
This is my CustomerAPI.xml :
<?xml version="1.0" encoding="UTF-8"?>
<api context="/customers" name="CustomersAPI"
xmlns="http://ws.apache.org/ns/synapse">
<resource methods="POST GET" uri-template="/">
<inSequence>
<log level="custom" separator="
">
<property name="API CUSTOMER" value="START"/>
</log>
<sequence key="LoginCheckSeq"/>
<sequence key="CreateBearerTokenSeq"/>
<sequence key="GetCustomersSeq"/>
</inSequence>
<outSequence>
<log>
<property expression="$axis2:HTTP_SC" name="Status Code" xmlns:ns="http://org.apache.synapse/xsd"/>
</log>
</outSequence>
<faultSequence>
<log level="full"/>
</faultSequence>
</resource>
</api>
LoginCheckSeq.xml
<?xml version="1.0" encoding="UTF-8"?>
<sequence name="LoginCheckSeq" trace="disable"
xmlns="http://ws.apache.org/ns/synapse">
<log level="custom" separator="
">
<property name="Login SEQUENCE" value="START"/>
</log>
<property expression="json-eval($.username)" name="uri.var.username" scope="default" type="STRING"/>
<property expression="json-eval($.password)" name="uri.var.password" scope="default" type="STRING"/>
<log level="custom" separator=",">
<property expression="fn:concat('Username : ', get-property('uri.var.username'), ' / Password : ',get-property('uri.var.password')) " name="PARAMS"/>
</log>
<call>
<endpoint key="LoginCheckEP"/>
</call>
</sequence>
CreateBearerToken.xml
<?xml version="1.0" encoding="UTF-8"?>
<sequence name="CreateBearerTokenSeq" trace="disable"
xmlns="http://ws.apache.org/ns/synapse">
<log level="custom" separator="
">
<property name="Create Bearer Token SEQUENCE" value="START"/>
</log>
<payloadFactory media-type="json">
<format>{"token":"$1"}</format>
<args>
<arg evaluator="json" expression="$.token"/>
</args>
</payloadFactory>
<property name="messageType" value="application/json" scope="axis2"/>
<property expression="json-eval($.token)" name="uri.var.jwt.token" scope="default" type="STRING"/>
</sequence>
GetCustomerSeq.xml
<?xml version="1.0" encoding="UTF-8"?>
<sequence name="GetCustomersSeq" trace="disable" xmlns="http://ws.apache.org/ns/synapse">
<log description="" level="custom" separator="
">
<property name="Get Customer SEQUENCE" value="START"/>
</log>
<log description="" level="custom" separator="##">
<property expression="fn:concat('Bearer ', get-property('uri.var.jwt.token'))" name="JWT Token Created"/>
</log>
<header name="Authorization" expression="fn:concat('Bearer ', get-property('uri.var.jwt.token'))" scope="transport"/>
<send>
<endpoint key="GetCustomersEP"/>
</send>
</sequence>
I get well the JWT Token from LoginCechkSeq but i have an error in the getCustomerSeq.
This is the error :
[2018-08-14 15:14:07,510] [EI-Core] INFO - LogMediator API CUSTOMER = START
[2018-08-14 15:14:07,511] [EI-Core] INFO - LogMediator Login SEQUENCE = START
[2018-08-14 15:14:07,511] [EI-Core] INFO - LogMediator PARAMS = Username : test#test.fr / Password : Azerty123
[2018-08-14 15:14:08,586] [EI-Core] INFO - LogMediator Create Bearer Token SEQUENCE = START
[2018-08-14 15:14:08,591] [EI-Core] INFO - LogMediator Get Customer SEQUENCE = START
[2018-08-14 15:14:08,591] [EI-Core] INFO - LogMediator JWT Token Created = Bearer eyJhbGciOiJSUzI1NiJ9.eyJyb2xlcyI6WyJST0xFX1VTRVJfTUFUT09NQSIsIlJPTEVfVVNFUiJdLCJ1c2VybmFtZSI6InRlc3RAdGVzdC5mciIsImZpcnN0TmFtZSI6I kxvXHUwMGVmYyIsImxhc3ROYW1lIjoiQ2FyaW91IiwiaWQiOjIwLCJpYXQiOjE1MzQyNTI0NDgsImV4cCI6MTUzNDI2Njg0OH0.Gx_cSwXE0rm1EZSPeI64cbOdysjXcLwj2NYjtNE4eh_gtUSwbCE2EUPL6sB-Rt_ayQOeOEx-w07Bkbh-Rr6rUd-mqnKXHuUCe76pOXWWW5ejV7k8n_ Tf3gk4upbzn77VMsyNALWJYNBSO4S8dDCyp413SRvnRaKuhkF1GgvkbZx7aJNUwkDA_ZuxG3IfOKQdao7GgDhWH9pltH9zIjXtjagbjRPgBaekcZiB2bxglQLF7RUMky2MVG_WEbcLFms14LiIEooG3lXao73Z2foYXSMxReHHAmhGPfSipw_wA9ohMolB_X5Ck13O0tSDUvsqvqdZHPZ w8ITmn_4pKnJhTiCK6U58Ub_Nr6Royeiwf3_WN7ooqOczF0hbJr7ZFONo3BwKEhCj6gPv9gknK0ahSotnsRvQS56VsquWJm9ZwtXAI2D0J8tNjSmxMP9FWbmFMWap2wOayUEGpauYD3WA5W-CZexqulJTbLSPcMF92QWaKMoVtL5blgGt9vTb1YIVnQi4KALK9psJETgcvHCIbfsN E_IcYMlotIHRuO4RR-j0I7WAxQVko9YNkIRpuDUftpUq95TbIxn5NeTFhWL_NoC2F3jO4khGYR-Hk2P2ZudygrrdmDMfezn7d5yArV7mlukSB6chwq38T261ktzqx_G_rHt1pjt0jXVhz1DPsY4
[2018-08-14 15:14:10,087] [EI-Core] ERROR - RelayUtils Error while building Passthrough stream
org.apache.axiom.om.OMException: com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '{' (code 123) in prolog; expected '<'
at [row,col {unknown-source}]: [1,1]
at org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBuilder.java:296)
at org.apache.axiom.om.impl.llom.OMDocumentImpl.getOMDocumentElement(OMDocumentImpl.java:109)
at org.apache.axiom.om.impl.builder.StAXOMBuilder.getDocumentElement(StAXOMBuilder.java:570)
at org.apache.axiom.om.impl.builder.StAXOMBuilder.getDocumentElement(StAXOMBuilder.java:566)
at org.apache.synapse.transport.passthru.util.DeferredMessageBuilder.getDocument(DeferredMessageBuilder.java:165)
at org.apache.synapse.transport.passthru.util.RelayUtils.builldMessage(RelayUtils.java:163)
at org.apache.synapse.transport.passthru.util.RelayUtils.buildMessage(RelayUtils.java:116)
at org.apache.synapse.mediators.AbstractListMediator.buildMessage(AbstractListMediator.java:145)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:94)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70)
at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:158)
at org.apache.synapse.rest.Resource.process(Resource.java:351)
at org.apache.synapse.rest.API.process(API.java:338)
at org.apache.synapse.rest.RESTRequestHandler.apiProcess(RESTRequestHandler.java:123)
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:101)
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:56)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:303)
at org.apache.synapse.core.axis2.SynapseCallbackReceiver.handleMessage(SynapseCallbackReceiver.java:570)
at org.apache.synapse.core.axis2.SynapseCallbackReceiver.receive(SynapseCallbackReceiver.java:193)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ClientWorker.run(ClientWorker.java:263)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '{' (code 123) in prolog; expected '<'
at [row,col {unknown-source}]: [1,1]
at com.ctc.wstx.sr.StreamScanner.throwUnexpectedChar(StreamScanner.java:639)
at com.ctc.wstx.sr.BasicStreamReader.nextFromProlog(BasicStreamReader.java:2052)
at com.ctc.wstx.sr.BasicStreamReader.next(BasicStreamReader.java:1134)
at org.apache.axiom.util.stax.wrapper.XMLStreamReaderWrapper.next(XMLStreamReaderWrapper.java:225)
at org.apache.axiom.util.stax.dialect.DisallowDoctypeDeclStreamReaderWrapper.next(DisallowDoctypeDeclStreamReaderWrapper.java:34)
at org.apache.axiom.om.impl.builder.StAXOMBuilder.parserNext(StAXOMBuilder.java:681)
at org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBuilder.java:214)
... 24 more
I tried several thing like add this line :
<messageBuilder contentType="application/json" class="org.wso2.carbon.integrator.core.json.JsonStreamBuilder"/>
Or add property with name "messageType" with value "application/json"
But nothing resolve my problem...
If someone has already encountered this problem, I'm taking the solution =)

I found the response.
The Content-Type of the server response is : application/ld+json.
So WSO2 didn't recognize the encoding.
I just added this line into the axis2.xml :
<messageFormatter contentType="application/ld+json" class="org.wso2.carbon.integrator.core.json.JsonStreamFormatter"/>
....
<messageBuilder contentType="application/ld+json"
class="org.wso2.carbon.integrator.core.json.JsonStreamBuilder"/>
And it's work fine ! =)

Changing returned content type in Spring MVC

I have a zip file with a custom extension that needs to be returned as content type application/zip, but for some reason, no matter what I do, it always gets returned as text/html.
It would seem that configuring a content negotiation manager as in this article https://spring.io/blog/2013/05/11/content-negotiation-using-spring-mvc would do the trick, but it doesn't seem to work for me. If I request a .zip file through the same controller/method it works perfectly.
I've tried configuring several different properties in an attempt to accomplish my goal, but here's my latest from my application-context.xml.
<bean id="contentNegotiationManager"
class="org.springframework.web.accept.ContentNegotiationManagerFactoryBean">
<property name="favorPathExtension" value="true" />
<property name="ignoreAcceptHeader" value="true" />
<property name="defaultContentType" value="application/zip" />
<property name="mediaTypes">
<map>
<entry key="xyz" value="application/zip" />
</map>
</property>
</bean>
Here are my headers from my browser:
Remote Address:::1:8080
Request URL:http://localhost:8080/app/faces/download/148943e4ead.xyz
Request Method:GET
Status Code:200 OK
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Cookie:JSESSIONID=gcvvicbqtlyyrbgnth3qurfy; jwplayer.volume=100; SESSION-GUID=f8vdloov22qbmx6r; plushContainerWidth=100%25; plushMultiOps=1; plushNoTopMenu=0; SQLiteManager_currentLangue=2; _ga=GA1.1.1642769916.1411099193
DNT:1
Host:localhost:8080
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
Response Headers
Content-Length:2585515
Content-Type:text/html
Server:Jetty(6.1.26)

Looks like I was overcomplicating the issue. I only needed this functionality on one controller method, so simply adding produces = "application/zip" to my RequestMapping worked just fine.
#RequestMapping(
value = "/download/{fileName:.+}",
method = RequestMethod.GET,
produces = "application/zip")
#ResponseBody
public FileSystemResource download(#PathVariable("fileName") String fileName) {
...
}

Spring Security, REST basic authentication issue

I got an issue related to the HTTP response header "Access-Control-Allow-Origin" when using basic authetication with Spring. When I authenticate manually, like the code bellow (I'm using REST):
#RequestMapping(value = "/login", method = RequestMethod.POST, consumes = "application/json")
#ResponseStatus(value = HttpStatus.OK)
public void login(#RequestBody String body, HttpServletResponse response)
throws IOException {
try {
User user = gson.fromJson(body, User.class);
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
usuario.getUsername(), usuario.getPassword());
authenticationManager.authenticate(token);
} catch (BadCredentialsException e) {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
} catch (Exception e) {
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
}
}
everything works fine, I receive the following HTTP response:
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
Content-Type: text/html;charset=utf-8
Content-Length: 951
Date: Fri, 17 May 2013 19:14:36 GMT
as you can see, "Access-Control-Allow-Origin" is present on the response.
Everything is fine here. I can catch a 401 error in my ajax call.
But when the authentication is performed automatically, like the code bellow:
#RequestMapping(value = "/name", method = RequestMethod.POST, consumes = "application/json")
#PreAuthorize("hasRole('ROLE_CUSTOMER')")
public #ResponseBody String getName(HttpServletResponse response) throws IOException {
String json = null;
try {
User userSession = (User) SecurityContextHolder.getContext()
.getAuthentication().getPrincipal();
Customer customer = customerDao.getNameByUsername(userSession.getUsername());
json = gson.toJson(customer);
} catch (Exception e) {
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
}
return json;
}
the HTTP response is:
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="Spring Security Application"
Content-Type: text/html;charset=utf-8
Content-Length: 981
Date: Fri, 17 May 2013 19:41:08 GMT
There is no "Access-Control-Allow-Origin" in the response
Google Chrome console show the following error:
Origin null is not allowed by Access-Control-Allow-Origin
My ajax call does not return a 401 Unauthorized error, even though the HTTP response return it (response above), I receive an unknow error.
I figured out that for all browsers, I need a "Access-Control-Allow-Origin" in the HTTP response, otherwise they will generate some kind of silent error and my ajax call will fail (can't catch the 401 error). Actually, javascript will fail silently. XMLHttpRequest
does not accept an HTTP response without "Access-Control-Allow-Origin".
How can I make Spring inject this "Access-Control-Allow-Origin" in HTTP responses for basic authentication?
this is my Spring Security xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http create-session="stateless" entry-point-ref="authenticationEntryPoint">
<security:intercept-url pattern="/customer/**" />
<security:http-basic />
<security:custom-filter ref="basicAuthenticationFilter"
after="BASIC_AUTH_FILTER" />
</security:http>
<bean id="basicAuthenticationFilter"
class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</bean>
<bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<property name="realmName" value="teste.com" />
</bean>
<!-- It is responsible for validating the user's credentials -->
<security:authentication-manager alias="authenticationManager">
<!-- It is responsible for providing credential validation to the AuthenticationManager -->
<security:authentication-provider>
<security:password-encoder ref="passwordEncoder" />
<security:jdbc-user-service
data-source-ref="mySQLdataSource"
users-by-username-query="select username, password, enabled from usuario where username = ?"
authorities-by-username-query="select username, papel from autoridade where username = ?" />
</security:authentication-provider>
</security:authentication-manager>
<bean class="org.springframework.security.crypto.password.StandardPasswordEncoder"
id="passwordEncoder" />
</beans>

Just found my own way:
First of all, I don't really remember why I put this line here, but it was messing up my code:
<security:http-basic />
Second, this answer show me the path: Handle unauthorized error message for Basic Authentication in Spring Security. I had to create a custom authentication entry point in order to send the Access-Control-Allow-Origin thing.
So this is my code now:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http create-session="stateless"
entry-point-ref="authenticationEntryPoint">
<security:intercept-url pattern="/api/admin/**" />
<security:intercept-url pattern="/medico/**" />
<!-- <security:http-basic /> -->
<security:custom-filter ref="basicAuthenticationFilter"
after="BASIC_AUTH_FILTER" />
</security:http>
<bean id="basicAuthenticationFilter"
class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</bean>
<!--
<bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<property name="realmName" value="test.com" />
</bean> -->
<bean id="authenticationEntryPoint"
class="com.test.util.PlainTextBasicAuthenticationEntryPoint">
<property name="realmName" value="test.com" />
</bean>
<!-- It is responsible for validating the user's credentials -->
<security:authentication-manager alias="authenticationManager">
<!-- It is responsible for providing credential validation to the AuthenticationManager -->
<security:authentication-provider>
<security:password-encoder ref="passwordEncoder" />
<security:jdbc-user-service
data-source-ref="mySQLdataSource"
users-by-username-query="select username, password, enabled from usuario where username = ?"
authorities-by-username-query="select username, papel from autoridade where username = ?" />
</security:authentication-provider>
</security:authentication-manager>
<bean
class="org.springframework.security.crypto.password.StandardPasswordEncoder"
id="passwordEncoder" />
</beans>
package com.test.util;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
public class PlainTextBasicAuthenticationEntryPoint extends
BasicAuthenticationEntryPoint {
#Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
response.addHeader("Access-Control-Allow-Origin", "null");
response.addHeader("WWW-Authenticate", "Basic realm=\"" + getRealmName() + "\"");
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
PrintWriter writer = response.getWriter();
writer.println("HTTP Status " + HttpServletResponse.SC_UNAUTHORIZED + " - " + authException.getMessage());
}
}
My http response now:
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: null
WWW-Authenticate: Basic realm="test.com"
Content-Length: 35
Date: Mon, 20 May 2013 20:05:03 GMT
HTTP Status 401 - Bad credentials
before the alteration, I got this error message:
OPTIONS http://localhost:8080/test/customer/name 200 (OK) jquery-1.8.2.min.js:2
XMLHttpRequest cannot load http://localhost:8080/test/customer/name. Origin null is not allowed by Access-Control-Allow-Origin.
and now as expected I get this one:
OPTIONS http://localhost:8080/test/customer/name 200 (OK) jquery-1.8.2.min.js:2
POST http://localhost:8080/test/customer/name 401 (Unauthorized)

What is setting Cache-Control no-cache, no-store in my deployment?

I have an issue that my application deployment always returns response headers with:
Cache-Control: no-cache
Cache-Control: no-store
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Pragma:no-cache
I'm using:
Spring 3.1.2.RELEASE
Primefaces JSF 3.4.1
Spring Webflow 2.3.0.RELEASE
JBoss AS 7.0.1
I've tried nearly every solution on the application side I could find:
Configuring the WebContentInterceptor (tried various permutations of it) Right out of the box cache-control header filter?
Writing a custom interceptor that adds different Cache-Control header (tested with Cache-Control: private)
Writing a customer filter that adds HTTP response parameters. Configure it with Cache-Control: private as init-params in web.xml
Use the context.xml file (tried both in META-INF/ and WEB-INF/) to disable the Cache-Control in JBoss/Tomcat http://daveharris.wordpress.com/2007/07/09/how-to-configure-cache-control-in-tomcat/
In all of the above cases, the response headers never ended up different, always no-cache, no-store, 1970 expires, pragma: no-cache
I'm running out of ideas, does anyone know what is setting these headers in my response so I can target the appropriate deployment component to resolve this?

The root code causing this is in Spring MVC, called from the WebContentGenerator. This class is used as base class for several classes in the MVC/Webflow stack: WebContentInterceptor (MVC interceptor), AbstractController (MVC controller), AbstractHandlerMethodAdapter (MVC HandlerAdapter), AnnotationMethodHadlerAdapter (MVC HandlerAdapter), FlowHandlerAdapter (Webflow HandlerAdapter), JsfFlowHandlerAdapter (Webflow + JSF HandlerAdapter)
The CacheControl seconds setting of 0 calls the preventCaching method. So it seems the application is defaulting to a setting of 0.
org.springframework.web.servlet.support.WebContentGenerator
protected final void preventCaching(HttpServletResponse response) {
response.setHeader(HEADER_PRAGMA, "no-cache");
if (this.useExpiresHeader) {
// HTTP 1.0 header
response.setDateHeader(HEADER_EXPIRES, 1L);
}
if (this.useCacheControlHeader) {
// HTTP 1.1 header: "no-cache" is the standard value,
// "no-store" is necessary to prevent caching on FireFox.
response.setHeader(HEADER_CACHE_CONTROL, "no-cache");
if (this.useCacheControlNoStore) {
response.addHeader(HEADER_CACHE_CONTROL, "no-store");
}
}
}
I found out that since I am using JSF + Webflow, the JsfFlowHandlerAdapter is handling the server requests for the flows/views first. This is why configuring interceptors does not help because the JsfFlowHandlerAdapter has already set the Cache-Control and other HTTP Headers at this point. It turns out I had already extended the JsfFlowHandlerAdapter to handle FlowExecutionRestorationFailureException (see Sping Web Flow Preventing Back Button Use) so all I needed to do was set the configuration I wanted ala WebContentInterceptor (since the configurations belong to the base class WebContentGenerator).
Custom JsfFlowHandlerAdapter
public class MyAppFlowHandlerAdapter extends org.springframework.faces.webflow.JsfFlowHandlerAdapter {
...
}
webmvc-config.xml
<!-- Dispatches requests mapped to flows to FlowHandler implementations -->
<bean
class="com.myapp.MyAppFlowHandlerAdapter">
<property name="flowExecutor" ref="flowExecutor" />
<!-- Disable built in Cache-Control settings -->
<property name="cacheSeconds" value="-1" />
<property name="useExpiresHeader" value="false" />
<property name="useCacheControlHeader" value="false" />
<property name="useCacheControlNoStore" value="false" />
</bean>
<!-- Maps request paths to flows in the flowRegistry; e.g. a path of /hotels/booking
looks for a flow with id "hotels/booking" -->
<bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping">
<!-- snip out unimportant -->
<property name="interceptors">
<list>
<ref bean="cacheControlInterceptor" />
</list>
</property>
</bean>
<bean id="cacheControlInterceptor"
class="com.myapp.CacheControlInterceptor">
CacheControlInterceptor (to set your own HTTP Headers. The methods that do it in WebContentGenerator are final so cannot #Override)
public class CacheControlInterceptor extends HandlerInterceptorAdapter {
#Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
//Example below: set your Cache-Control, expires, pragma headers here
response.setHeader("Cache-Control", "private");
return true;
}
}

Spring Security - Persistent Remember Me Issue

I've been trying to track down why Spring Security isn't creating the Spring Security remember me cookie (SPRING_SECURITY_REMEMBER_ME_COOKIE). However, based on what I see via the HTTP headers the cookie is being set it's just that there is an additional GET request for /j_spring_security_check that is causing the exception below. This also results in the cookie being removed.
FINE: Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Authentication method not supported: GET
I'm using Spring 3.0.1, Spring Security 3.0.3 Snapshot, and Google App Engine 1.3.1. Any ideas as to what is going on?
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter doFilter
FINE: Request is to process authentication
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication
FINE: Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Authentication method not supported: GET
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication
FINE: Updated SecurityContextHolder to contain null Authentication
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication
FINE: Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler#4196c169
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices loginFail
FINE: Interactive login attempt was unsuccessful.
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices cancelCookie
FINE: Cancelling cookie
Below is the relevant portion of the applicationContext-security.xml.
<http auto-config="false">
<intercept-url pattern="/css/**" filters="none" />
<intercept-url pattern="/img/**" filters="none" />
<intercept-url pattern="/js/**" filters="none" />
<intercept-url pattern="/app/admin/**" filters="none" />
<intercept-url pattern="/app/login/**" filters="none" />
<intercept-url pattern="/app/register/**" filters="none" />
<intercept-url pattern="/app/error/**" filters="none" />
<intercept-url pattern="/" filters="none" />
<intercept-url pattern="/**" access="ROLE_USER" />
<logout logout-success-url="/" />
<form-login login-page="/app/login" default-target-url="/" authentication-failure-url="/app/login?login_error=1" />
<session-management invalid-session-url="/app/login" />
<remember-me services-ref="rememberMeServices" key="myKey" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailsService">
<password-encoder hash="sha-256" base64="true">
<salt-source user-property="username" />
</password-encoder>
</authentication-provider>
</authentication-manager>
<beans:bean id="userDetailsService" class="com.my.service.auth.UserDetailsServiceImpl" />
<beans:bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
<beans:property name="userDetailsService" ref="userDetailsService" />
<beans:property name="tokenRepository" ref="persistentTokenRepository" />
<beans:property name="key" value="myKey" />
</beans:bean>
<beans:bean id="persistentTokenRepository" class="com.my.service.auth.PersistentTokenRepositoryImpl" />
Below are the http headers for the scenario I'm having issues with:
http://localhost:8080/j_spring_security_check
POST /j_spring_security_check HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/app/login
Cookie: JSESSIONID=15t2gq1vo5noj
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
j_username=test%40test.com&j_password=test&_spring _security_remember_me=on&submit=Submit
HTTP/1.1 302 Found
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=1dymxpkh13z32;Path=/
Set-Cookie: SPRING_SECURITY_REMEMBER_ME_COOKIE=U05kS2NTakNIZTN Dd0hFcWxqZXRUQT09Oi90M3Q0NTA1czhxSjRadTQ5NW5FQVE9P Q;Path=/;Expires=Wed, 31-Mar-10 10:52:07 GMT
Location: http://localhost:8080/app/helloWorld
Content-Length: 0
Server: Jetty(6.1.x)
----------------------------------------------------------
http://localhost:8080/app/helloWorld
GET /app/helloWorld HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/app/login
Cookie: JSESSIONID=1dymxpkh13z32; SPRING_SECURITY_REMEMBER_ME_COOKIE=U05kS2NTakNIZTN Dd0hFcWxqZXRUQT09Oi90M3Q0NTA1czhxSjRadTQ5NW5FQVE9P Q
HTTP/1.1 200 OK
Content-Language: en-US
Content-Type: text/html
Content-Length: 526
Server: Jetty(6.1.x)
----------------------------------------------------------
http://localhost:8080/j_spring_security_check
GET /j_spring_security_check HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: JSESSIONID=1dymxpkh13z32; SPRING_SECURITY_REMEMBER_ME_COOKIE=U05kS2NTakNIZTN Dd0hFcWxqZXRUQT09Oi90M3Q0NTA1czhxSjRadTQ5NW5FQVE9P Q
HTTP/1.1 302 Found
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SPRING_SECURITY_REMEMBER_ME_COOKIE=;Path=/;Expires=Thu, 01 Jan 1970 00:00:00 GMT
Location: http://localhost:8080/app/login?login_error=1
Content-Length: 0
Server: Jetty(6.1.x)
----------------------------------------------------------
http://localhost:8080/app/login?login_error=1
GET /app/login?login_error=1 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: JSESSIONID=1dymxpkh13z32
HTTP/1.1 200 OK
Content-Language: en-US
Content-Type: text/html
Content-Length: 928
Server: Jetty(6.1.x)

Turns out that Firebug was generating the additional GET request.

Have you tried using the simplest version of remember-me ?
<remember-me key="myAppKey"/>
Could be that your custom implementation of the token repository is at fault. What does your PersistentTokenRepositoryImpl actually do?
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/remember-me.html

Remember Me was broken in Spring Security 3.0.1: SEC-1356. Use 3.0.2.