I have problems setting up a simple microservice system using Spring Boot's OAuth2 capabilities.
What I want to do is to set up a Spring Boot Authorization Server handling registration, authorization and user data management. Besides that, I'd like to set up a Resource Server handling the logic of the application.
Because all data is stored related to the user's ID, the resource server has to request the ID from authorization server. Therefore, I've set up the following user info endpoint:
#Controller
public class UserInfoEndpoint {
private UserManagementBean userManagementBean;
#Autowired
public UserInfoEndpoint(final UserManagementBean userManagementBean) {
this.userManagementBean = userManagementBean;
}
#GetMapping("/user/me")
#ResponseBody
public Principal user(final Principal principal) throws PRPException {
User user = userManagementBean.loadUser(principal.getName());
#SuppressWarnings("unused")
Principal retVal = new Principal() {
#Override
public String getName() {
return user.getId().toString();
}
public String getPrimaryEmail() {
return user.getPrimaryEmail();
}
};
return retVal;
}
}
At the moment, I'm using JWK to sign the tokens. I am able to access this endpoint with Postman, where I get the following result:
{
"primaryEmail": "eric#live.de",
"name": "3"
}
However, when trying to obtain user information with the resource server
#Bean
#RequestScope
public OAuth2Authentication userInfo(final HttpServletRequest request) {
UserInfoTokenServices services = new UserInfoTokenServices("http://localhost:8081/user/me", "PRPBackend");
services.setPrincipalExtractor(principalExtractor());
String authHeader = request.getHeader(HttpHeaders.AUTHORIZATION);
String tokenString = authHeader.replace("Bearer ", "").replace("bearer ", "");
DefaultOAuth2AccessToken accessToken = new DefaultOAuth2AccessToken(tokenString);
AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails();
resource.setAccessTokenUri("http://localhost:8081/oauth/token");
resource.setClientId("PRPBackend");
resource.setClientSecret("secret");
resource.setUserAuthorizationUri("http://localhost:8081/oauth/authorize");
resource.setAuthenticationScheme(AuthenticationScheme.header);
resource.setClientAuthenticationScheme(AuthenticationScheme.header);
OAuth2ClientContext clientContext = new DefaultOAuth2ClientContext();
clientContext.setPreservedState("key", "abcdef");
clientContext.setAccessToken(accessToken);
OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resource, clientContext);
services.setRestTemplate(restTemplate);
OAuth2Authentication authentication = services.loadAuthentication(tokenString);
return authentication;
}
the authorization server tells me, that the user is anonymous.
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 4 of 13 in additional filter chain; firing Filter: 'CorsFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 5 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /user/me' doesn't match 'POST /logout'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 7 of 13 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /user/me' doesn't match 'POST /login'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 8 of 13 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.s.HttpSessionRequestCache : saved request doesn't match
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 9 of 13 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#74903b51: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/actuator/**'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/favicon.ico'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/login'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/confirm/**'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/signup'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/oauth/authorize'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/css/**'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/img/**'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /user/me' doesn't match 'OPTIONS /oauth/token'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /user/me' doesn't match 'POST /oauth/token'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /user/me; Attributes: [authenticated]
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#74903b51: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2019-12-16 06:28:30.533 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#33824388, returned: -1
2019-12-16 06:28:30.545 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:92) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108) [spring-boot-actuator-2.2.1.RELEASE.jar:2.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at com.prp.auth.security.filter.SimpleCorsFilter.doFilter(SimpleCorsFilter.java:38) [main/:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1579) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.27.jar:9.0.27]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_222]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_222]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.27.jar:9.0.27]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_222]
and returns the login page.
I've tried several configs, but nothing worked. Here's my security config of the authorization server:
#Override
protected void configure(final HttpSecurity http) throws Exception {
// #formatter:off
http.requestMatchers().and()
.authorizeRequests()
.and()
.authorizeRequests()
.antMatchers("/actuator/**", "/favicon.ico").permitAll()
.antMatchers(HttpMethod.GET, "/login", "/confirm/**", "/signup",
"/oauth/authorize", "/css/**", "/img/**").permitAll()
.antMatchers(HttpMethod.OPTIONS, "/oauth/token").permitAll()
.antMatchers(HttpMethod.POST, "/oauth/token").permitAll()
.and().formLogin().loginPage("/login").permitAll()
.and().authorizeRequests().anyRequest().authenticated()
.and().headers().frameOptions().disable()
.and().cors().configurationSource(new CorsConfigurationSource() {
#Override
public CorsConfiguration getCorsConfiguration(final HttpServletRequest request) {
CorsConfiguration conf = new CorsConfiguration();
List<String> allowedOrigins = new ArrayList<>();
allowedOrigins.add("http://localhost:8000");
conf.setAllowedOrigins(allowedOrigins);
List<String> allowedMethods = new ArrayList<>();
allowedMethods.add("POST");
conf.setAllowedMethods(allowedMethods);
return conf;
}
});
}
EDIT:
I've been trying to access the same endpoint via Postman and JQuery. Postman is able to fetch the user's data, the JQuery implementation gets the same error as described above.
One more edit:
The JQuery request I'm testing with is the following:
fetchUser() {
let ref = this;
console.log("Calling URL to load user information: " + localStorageManager.loadOauthProvider() + "/user/me");
$.ajax({
url: localStorageManager.loadOauthProvider() + "/user/me",
method: "GET",
headers: ref.oauth2.authorizationHeader,
success: function(data, status, xhr) {
console.log("Fetch user response: " + JSON.stringify(data));
},
error: function(xhr, status, error) {
console.log("Error: " + error);
}
});
}
The result:
Fetch user response: "<!doctype html>\n<html>\n<head>\n<meta charset=\"utf-8\">\n<meta name=\"viewport\"\n\tcontent=\"width=device-width, initial-scale=1, shrink-to-fit=no\">\n<meta name=\"description\" content=\"\">\n<meta name=\"author\" content=\"\">\n<link rel=\"icon\" href=\"/img/favicon.ico\">\n\n<title>Login</title>\n<link rel=\"stylesheet\"\n\thref=\"/css/bootstrap.min.css\" />\n\n<!-- Custom styles for this template -->\n<link rel=\"stylesheet\" type=\"text/css\" href=\"/css/login.css\" />\n\n</head>\n\n<body class=\"text-center\">\n\n\t<form name=\"login\" action=\"/login\" method=\"post\"\n\t\tclass=\"form-signin\">\n\t\t<h1 class=\"h3 mb-3 font-weight-normal\">LEVO</h1>\n\t\t<img class=\"mb-4\" src=\"/img/logo.png\" alt=\"\" width=\"72\"\n\t\t\theight=\"72\">\n\t\t<h1 class=\"h3 mb-3 font-weight-normal\">\n\t\t\t<span>Anmelden</span>\n\t\t</h1>\n\t\t\n\t\t\n\t\t<label for=\"username\" class=\"sr-only\">E-Mail</label>\n\t\t<input type=\"text\" id=\"username\" name=\"username\" class=\"form-control\"\n\t\t\tplaceholder=\"E-Mail\" required autofocus>\n\t\t<label for=\"password\" class=\"sr-only\"></label>\n\t\t<input type=\"password\" id=\"password\" name=\"password\"\n\t\t\tclass=\"form-control\" placeholder=\"Passwort\"\n\t\t\trequired>\n\t\t<div class=\"checkbox mb-3\">\n\t\t\t<label> <input type=\"checkbox\" value=\"remember-me\"> <span>Angemeldet bleiben</span>\n\t\t\t</label>\n\t\t</div>\n\t\t<button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">\n\t\t\t<span>Anmelden</span>\n\t\t</button>\n\t\t<a class=\"nav-link\" href=\"/signup\">\n\t\t\t<span data-feather=\"home\"></span>\n\t\t\t<span>Hier registrieren</span>\n\t\t</a>\n\n\t\t<p class=\"mt-5 mb-3 text-muted\">© Levo 2019</p>\n\t</form>\n\n\n</body>\n</html>"
Postman is creating the following request, which works:
GET /user/me HTTP/1.1 Host: localhost:8081 Authorization: Bearer [...]
From my point of view your SecurityConfig handles not what you expect. Your first rule http.requestMatchers().and().authorizeRequests() means:
requestMatchers() configures if an URL will be processed by that SecurityFilterChain. So if an URL does not match it , the whole SecurityFilterChain will be skipped which means Spring Security will not handle this URL after that. If you do not configure it, the default is to match all URLs.
So you need to define your antMatchers Resources which should be processed by this SecurityFilerChain. If you change this rule to the following basic config http.requestMatchers().antMatchers("/")... the user endpoint should work as expected.
The reason behind this is, that the endpoint /user/me should not be handled/overridden by this SecurityConfigChain. So if you have enabled the ResourceServer of Spring in a default way, the default config is used for this endpoint.
So in this antMatchers("/") you should define all resources which should be handled by this security filter but not the user/me.
You have both #EnableAuthorizationServer, #EnableResourceServer in AuthServerConfig which might be causing the issue. Remove #EnableResourceServer as you are extending the AuthorizationServerConfigurerAdapter with AuthServerConfig
Change
#Configuration
#EnableAuthorizationServer
#EnableResourceServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter
To
#Configuration
#EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter
Related
I'm trying to figure out how we may secure applications with spring boot.
I have a very basic HelloWorld Controller, with a services is supposed to be called only by authenticated users, and one that may be called by anyone :
#RestController
public class HelloWorldController {
private static final Logger logger = LoggerFactory.getLogger(HelloWorldController.class);
#GetMapping("/private")
public Map<String, Object> securedResource() {
logger.info("Called : HelloWorldController/private");
Map<String, Object> model = new HashMap<String, Object>();
model.put("id", UUID.randomUUID().toString());
model.put("content", "Hello collection's Private World");
return model;
}
#GetMapping("/public")
public Map<String, Object> publicResource() {
logger.info("Called : HelloWorldController/public");
Map<String, Object> model = new HashMap<String, Object>();
model.put("content", "You well got public resource.");
return model;
}
}
For managing my authorizations, I tried to configure it :
public class SecurityConfiguration {
#Bean
public SecurityFilterChain configure(HttpSecurity http) throws Exception {
http
// Beware : order of request matchers is important.
.authorizeHttpRequests(requests -> requests
// Specify that requests on "/public" services's pattern may be called by anyone.
.requestMatchers(HttpMethod.GET, "/public").permitAll()
// Specify that requests on "/private" services's pattern may be called by any authenticated user.
.requestMatchers(HttpMethod.GET, "/private").authenticated()
// Specify that any other requests are not allowed by anyone.
.anyRequest().denyAll())
.httpBasic();
return http.build();
}
}
I though doing so will allow unauthenticated users to call the "/public" service. But when I call "http://localhost:8080/public" from postman, I get a 401 error, and it work only if I provide credentials in Basic Auth when I call the service.
Perhaps have I done something wrong ?
Edit : Below are some logs when calling the service
2023-01-25T19:25:11.888+01:00 INFO 2352 --- [nio-8080-exec-3] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
2023-01-25T19:25:11.888+01:00 INFO 2352 --- [nio-8080-exec-3] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2023-01-25T19:25:11.889+01:00 INFO 2352 --- [nio-8080-exec-3] o.s.web.servlet.DispatcherServlet : Completed initialization in 1 ms
2023-01-25T19:25:11.895+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter#8adba4e, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter#37348e64, org.springframework.security.web.context.SecurityContextHolderFilter#44ab0b55, org.springframework.security.web.header.HeaderWriterFilter#26490443, org.springframework.security.web.csrf.CsrfFilter#6c3ee96d, org.springframework.security.web.authentication.logout.LogoutFilter#6b97305f, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#36d829c6, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter#3894a5e1, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter#56ebb12, org.springframework.security.web.authentication.www.BasicAuthenticationFilter#44bf732c, org.springframework.security.web.savedrequest.RequestCacheAwareFilter#44ef0221, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter#18a1c2ab, org.springframework.security.web.authentication.AnonymousAuthenticationFilter#4390a01d, org.springframework.security.web.access.ExceptionTranslationFilter#2bb41cea, org.springframework.security.web.access.intercept.AuthorizationFilter#2aaea4a6]] (1/1)
2023-01-25T19:25:11.896+01:00 DEBUG 2352 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Securing GET /public
2023-01-25T19:25:11.897+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/15)
2023-01-25T19:25:11.897+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/15)
2023-01-25T19:25:11.899+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderFilter (3/15)
2023-01-25T19:25:11.900+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/15)
2023-01-25T19:25:11.901+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking CsrfFilter (5/15)
2023-01-25T19:25:11.902+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.security.web.csrf.CsrfFilter : Did not protect against CSRF since request did not match CsrfNotRequired [TRACE, HEAD, GET, OPTIONS]
2023-01-25T19:25:11.902+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (6/15)
2023-01-25T19:25:11.902+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.s.w.a.logout.LogoutFilter : Did not match request to Ant [pattern='/logout', POST]
2023-01-25T19:25:11.903+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking UsernamePasswordAuthenticationFilter (7/15)
2023-01-25T19:25:11.903+01:00 TRACE 2352 --- [nio-8080-exec-3] w.a.UsernamePasswordAuthenticationFilter : Did not match request to Ant [pattern='/login', POST]
2023-01-25T19:25:11.905+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking DefaultLoginPageGeneratingFilter (8/15)
2023-01-25T19:25:11.905+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking DefaultLogoutPageGeneratingFilter (9/15)
2023-01-25T19:25:11.907+01:00 TRACE 2352 --- [nio-8080-exec-3] .w.a.u.DefaultLogoutPageGeneratingFilter : Did not render default logout page since request did not match [Ant [pattern='/logout', GET]]
2023-01-25T19:25:11.909+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking BasicAuthenticationFilter (10/15)
2023-01-25T19:25:11.911+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.s.w.a.www.BasicAuthenticationFilter : Did not process authentication request since failed to find username and password in Basic Authorization header
2023-01-25T19:25:11.912+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (11/15)
2023-01-25T19:25:11.913+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.s.w.s.HttpSessionRequestCache : matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided
2023-01-25T19:25:11.914+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (12/15)
2023-01-25T19:25:11.915+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (13/15)
2023-01-25T19:25:11.916+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (14/15)
2023-01-25T19:25:11.916+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking AuthorizationFilter (15/15)
2023-01-25T19:25:11.917+01:00 TRACE 2352 --- [nio-8080-exec-3] estMatcherDelegatingAuthorizationManager : Authorizing SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest#843dacb]
2023-01-25T19:25:11.917+01:00 TRACE 2352 --- [nio-8080-exec-3] estMatcherDelegatingAuthorizationManager : Checking authorization on SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest#843dacb] using org.springframework.security.authorization.AuthenticatedAuthorizationManager#5dd1b7b8
2023-01-25T19:25:11.918+01:00 TRACE 2352 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2023-01-25T19:25:11.918+01:00 TRACE 2352 --- [nio-8080-exec-3] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2023-01-25T19:25:11.919+01:00 TRACE 2352 --- [nio-8080-exec-3] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2023-01-25T19:25:11.921+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2023-01-25T19:25:11.921+01:00 TRACE 2352 --- [nio-8080-exec-3] o.s.s.w.a.ExceptionTranslationFilter : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied
org.springframework.security.access.AccessDeniedException: Access Denied
at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:98) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:170) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.4.jar:6.0.4]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter.doFilterInternal(DefaultLogoutPageGeneratingFilter.java:58) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.4.jar:6.0.4]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:188) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:174) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:116) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.4.jar:6.0.4]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.4.jar:6.0.4]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.4.jar:6.0.4]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.4.jar:6.0.4]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) ~[spring-security-web-6.0.1.jar:6.0.1]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:351) ~[spring-web-6.0.4.jar:6.0.4]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) ~[spring-web-6.0.4.jar:6.0.4]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.0.4.jar:6.0.4]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.4.jar:6.0.4]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.0.4.jar:6.0.4]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.4.jar:6.0.4]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.0.4.jar:6.0.4]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.4.jar:6.0.4]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:177) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:119) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:400) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:859) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1734) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-10.1.5.jar:10.1.5]
at java.base/java.lang.Thread.run(Thread.java:1589) ~[na:na]
I effectively forgot #Configuration annotation on my security configuration class. With it, it works as expected.
Thank you all.
I am creating a spring boot project with many micro services. My project consists of an Api Gateway(Zuul) a discovery service (Eureka) and two other micro services (Users and Accounts).
On the Gateway service I have implemented Spring Boot Security like this:
WebSecurity.java
#Configuration
#EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {
#Autowired
Environment environment;
public WebSecurity(Environment environment) {
this.environment = environment;
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.headers().frameOptions().disable();
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.authorizeRequests()
.antMatchers(HttpMethod.GET,"users-ws/users/status/check").permitAll()
.antMatchers(HttpMethod.POST,"users-ws/users/h2-console/**").permitAll()
.antMatchers(HttpMethod.POST,"users-ws/users/createUser").permitAll()
.antMatchers(HttpMethod.POST,"users-ws/users/login").permitAll()
.anyRequest()
.authenticated()
.and()
.addFilter(new AuthorizationFilter(authenticationManager(),environment));
}
}
Authorization Filter
public class AuthorizationFilter extends BasicAuthenticationFilter {
Environment environment;
AuthenticationManager authManager;
public AuthorizationFilter(AuthenticationManager authManager,Environment environment) {
super(authManager);
this.environment = environment;
}
#Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
String authorizationHeader = request.getHeader("Authorization");
if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer")) {
chain.doFilter(request,response);
return;
}
UsernamePasswordAuthenticationToken authenticationToken = getAuthentication(request);
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
chain.doFilter(request,response);
}
private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request) {
String authorizationHeader = request.getHeader("Authorization");
if (authorizationHeader == null) {
return null;
}
String token = authorizationHeader.replace("Bearer","");
String userId = Jwts.parser()
.setSigningKey(environment.getProperty("token.secret"))
.parseClaimsJws(token)
.getBody()
.getSubject();
if (userId == null) {
return null;
}
return new UsernamePasswordAuthenticationToken(userId,null, new ArrayList<>());
}
}
So according to this everything should be authenticated except the first four urls right?
Because now it giving me this on all urls that according to my configurations should not need authentication
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/users-ws/users/status/check'; against 'users-ws/users/status/check'
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /users-ws/users/status/check' doesn't match 'POST users-ws/users/h2-console/**'
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /users-ws/users/status/check' doesn't match 'POST users-ws/users/createUser'
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /users-ws/users/status/check' doesn't match 'POST users-ws/users/login'
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
2019-10-13 15:00:55.214 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/users-ws/users/status/check'; against '/logout'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /users-ws/users/status/check' doesn't match 'POST /logout'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /users-ws/users/status/check' doesn't match 'PUT /logout'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /users-ws/users/status/check' doesn't match 'DELETE /logout'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 5 of 11 in additional filter chain; firing Filter: 'AuthorizationFilter'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#6910dd88: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /users-ws/users/status/check at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /users-ws/users/status/check; Attributes: [authenticated]
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#6910dd88: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2019-10-13 15:00:55.215 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#603b97b3, returned: -1
2019-10-13 15:00:55.216 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) ~[spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at com.example.apigatewayservice.apigatewayservice.security.AuthorizationFilter.doFilterInternal(AuthorizationFilter.java:33) [classes/:na]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:74) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:94) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:114) [spring-boot-actuator-2.1.9.RELEASE.jar:2.1.9.RELEASE]
at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:104) [spring-boot-actuator-2.1.9.RELEASE.jar:2.1.9.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1589) [tomcat-embed-core-9.0.26.jar:9.0.26]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.26.jar:9.0.26]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_131]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_131]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.26.jar:9.0.26]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_131]
2019-10-13 15:00:55.217 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.a.ExceptionTranslationFilter : Calling Authentication entry point.
2019-10-13 15:00:55.217 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access
2019-10-13 15:00:55.217 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#46c5ddf9
2019-10-13 15:00:55.217 DEBUG 34683 --- [nio-8011-exec-6] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2019-10-13 15:00:55.217 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against 'users-ws/users/status/check'
2019-10-13 15:00:55.217 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /error' doesn't match 'POST users-ws/users/h2-console/**'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /error' doesn't match 'POST users-ws/users/createUser'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /error' doesn't match 'POST users-ws/users/login'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/logout'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /error' doesn't match 'POST /logout'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /error' doesn't match 'PUT /logout'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /error' doesn't match 'DELETE /logout'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 5 of 11 in additional filter chain; firing Filter: 'AuthorizationFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#6910dd88: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-10-13 15:00:55.218 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-10-13 15:00:55.219 DEBUG 34683 --- [nio-8011-exec-6] o.s.security.web.FilterChainProxy : /error reached end of additional filter chain; proceeding with original chain
2019-10-13 15:00:55.222 DEBUG 34683 --- [nio-8011-exec-6] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2019-10-13 15:00:55.222 DEBUG 34683 --- [nio-8011-exec-6] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2019-10-13 15:00:55.895 INFO 34683 --- [freshExecutor-0] com.netflix.discovery.DiscoveryClient : Disable delta property : false
2019-10-13 15:00:55.895 INFO 34683 --- [freshExecutor-0] com.netflix.discovery.DiscoveryClient : Single vip registry refresh property : null
2019-10-13 15:00:55.895 INFO 34683 --- [freshExecutor-0] com.netflix.discovery.DiscoveryClient : Force full registry fetch : false
2019-10-13 15:00:55.895 INFO 34683 --- [freshExecutor-0] com.netflix.discovery.DiscoveryClient : Application is null : false
2019-10-13 15:00:55.895 INFO 34683 --- [freshExecutor-0] com.netflix.discovery.DiscoveryClient : Registered Applications size is zero : true
2019-10-13 15:00:55.895 INFO 34683 --- [freshExecutor-0] com.netflix.discovery.DiscoveryClient : Application version is -1: false
2019-10-13 15:00:55.895 INFO 34683 --- [freshExecutor-0] com.netflix.discovery.DiscoveryClient : Getting all instance registry info from the eureka server
2019-10-13 15:00:55.916 INFO 34683 --- [freshExecutor-0] com.netflix.discovery.DiscoveryClient : The response status is 200
You can add endpoints in configure(WebSecurity web) where you do not need to authenticate the user.
#Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers(HttpMethod.GET,"users-ws/users/status/check")
.antMatchers(HttpMethod.POST,"users-ws/users/h2-console/**")
.antMatchers(HttpMethod.POST,"users-ws/users/createUser")
.antMatchers(HttpMethod.POST,"users-ws/users/login");
//completely bypass the Spring Security Filter Chain.
}
WebSecurity.java
#Configuration
#EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {
#Autowired
Environment environment;
public WebSecurity(Environment environment) {
this.environment = environment;
}
#Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers(HttpMethod.GET,"users-ws/users/status/check")
.antMatchers(HttpMethod.POST,"users-ws/users/h2-console/**")
.antMatchers(HttpMethod.POST,"users-ws/users/createUser")
.antMatchers(HttpMethod.POST,"users-ws/users/login");
//completely bypass the Spring Security Filter Chain.
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.headers().frameOptions().disable();
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.addFilter(new AuthorizationFilter(authenticationManager(),environment));
}
}
I'm trying to configure a simple Authorization Server based on one of the examples in Github but I got stuck in the token verification part. My current aim is to provide a basic implementation that secures a gateway. What I understand is that Spring automatically makes the redirect to the AS in case there is no token in the user session to allow him to log against it. Once logged, it makes the call to authorize the client and then another one to exchange the given code for a token. In my current implementation, the application is redirected once it has the client code to my client's login page from where it makes a call to oauth/token which is then denied access. I don't fully understand where the call to the client's login page is configured or how it makes then the call to oauth/token to get the token. My understanding is that this is done automatically by a OAuth2RestTemplate and a filter configured automatically by Spring when using the #EnableOAuth2Sso
This is my current code.
#Configuration
#ComponentScan
#EnableAutoConfiguration
#RestController
#SessionAttributes("authorizationRequest")
public class AuthserverApplication extends WebMvcConfigurerAdapter {
public static void main(String[] args) {
SpringApplication.run(AuthserverApplication.class, args);
}
#Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login");
registry.addViewController("/oauth/confirm_access").setViewName("authorize");
}
#Configuration
#EnableResourceServer
public static class ResourceServer extends ResourceServerConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/user")
.authorizeRequests().anyRequest().authenticated();
}
}
#Configuration
#EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
#Autowired
private AuthenticationManager authenticationManager;
#Autowired
private UserDetailsService userService;
#Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("acme")
.secret("acmesecret")
.authorizedGrantTypes("authorization_code", "refresh_token","password")
.scopes("openid")
.autoApprove(".*");
}
#Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints)
throws Exception {
endpoints
.userDetailsService(userService)
.authenticationManager(authenticationManager);
}
#Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer)
throws Exception {
oauthServer
.tokenKeyAccess("permitAll()")
.checkTokenAccess("isAuthenticated()");
}
}
#RequestMapping({"/user"})
public Map<String, String> user(Principal principal) {
Map<String, String> map = new LinkedHashMap<>();
map.put("name", principal.getName());
return map;
}
#Configuration
#Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
protected static class LoginConfig extends WebSecurityConfigurerAdapter {
#Autowired
private AuthenticationManager authenticationManager;
#Autowired
private UserDetailsService userDetailsService;
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin().loginPage("/login").permitAll()
.and().authorizeRequests().anyRequest().authenticated()
.and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and().exceptionHandling()
.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"));
}
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.parentAuthenticationManager(authenticationManager)
.userDetailsService(userDetailsService);
}
}
}
With application.properties
server.contextPath=/uaa
security.user.password=password
security.ignored=/css/**,/js/**,/favicon.ico,/webjars/**
logging.level.org.springframework.security=DEBUG
spring.oauth2.resource.userInfoUri: http://localhost:8080/uaa/user
And the client application
#SpringBootApplication
#EnableOAuth2Sso
#RestController
public class ClientApplication extends WebSecurityConfigurerAdapter{
#RequestMapping("/user")
public String home(Principal user) {
return "Hello " + user.getName();
}
public static void main(String[] args) {
new SpringApplicationBuilder(ClientApplication.class).run(args);
}
#Override
public void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/**").authorizeRequests()
.antMatchers("/", "/login**", "/webjars/**").permitAll()
.anyRequest()
.authenticated();
}
}
With the application.yml file
server:
port: 9999
security:
oauth2:
client:
clientId: acme
clientSecret: acmesecret
accessTokenUri: http://localhost:8080/uaa/oauth/token
userAuthorizationUri: http://localhost:8080/uaa/oauth/authorize
tokenName: oauth_token
authenticationScheme: query
clientAuthenticationScheme: form
resource:
userInfoUri: http://localhost:8080/uaa/user
I always get this errors in the browser
Name . Status Type Initiator . Size Time
login 302 x-www-form-urlencoded Other 588 B 9 ms
authorize?client_id=acme&redirect_uri=http://localhost:9999/login&response_type=code&state=5Q67ay 302 login 380 B 66 ms
login?code=qUKZU5&state=5Q67ay 401 document :8080/uaa/oauth/authorize?client_id=acme&redirect_uri=http://localhost:9999/login&response_type=code&state=5Q67ay 663 B 133 ms
And this in the server
017-06-27 13:04:33.316 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-06-27 13:04:33.316 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-06-27 13:04:33.316 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-06-27 13:04:33.316 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#1c2ae5d1
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /oauth/token' doesn't match 'GET /logout
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/logout'
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /oauth/token' doesn't match 'PUT /logout
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /oauth/token' doesn't match 'DELETE /logout
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2017-06-27 13:04:33.318 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2017-06-27 13:04:33.318 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/oauth/token'
2017-06-27 13:04:33.318 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /oauth/token; Attributes: [fullyAuthenticated]
2017-06-27 13:04:33.318 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2017-06-27 13:04:33.318 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#5fb2cc06, returned: -1
2017-06-27 13:04:33.319 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:106) [spring-boot-actuator-1.5.2.RELEASE.jar:1.5.2.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:474) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:783) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:798) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1434) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.11.jar:8.5.11]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_131]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_131]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.11.jar:8.5.11]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_131]
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using Ant [pattern='/**', GET]
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /oauth/token' doesn't match 'GET /**
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.util.matcher.AndRequestMatcher : Did not match
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.s.HttpSessionRequestCache : Request not saved as configured RequestMatcher did not match
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.a.ExceptionTranslationFilter : Calling Authentication entry point.
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using MediaTypeRequestMatcher
[contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager#62266a9a, matchingMediaTypes=[application/atom+xml, application/x-www-form-urlencoded, application/json, application/octet-stream, application/xml, multipart/form-data, text/xml], useEquals=false, ignoredMediaTypes=[*/*]]
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.m.MediaTypeRequestMatcher : httpRequestMediaTypes=[application/json, application/x-www-form-urlencoded]
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.m.MediaTypeRequestMatcher : Processing application/json
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.m.MediaTypeRequestMatcher : application/atom+xml .isCompatibleWith application/json = false
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.m.MediaTypeRequestMatcher : application/x-www-form-urlencoded .isCompatibleWith application/json = false
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.m.MediaTypeRequestMatcher : application/json .isCompatibleWith application/json = true
2017-06-27 13:04:33.324 DEBUG 25404 --- [nio-8080-exec-8] s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint#7a85031c
2017-06-27 13:04:33.325 DEBUG 25404 --- [nio-8080-exec-8] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
I finally found the issue.
In the end it was the combination of two things. I needed to add oauthServer.allowFormAuthenticationForClients() to change the order of filters and allow the authentication based on the user logging information first. And then there was another problem that was related to the property tokenName in the client. It had to be access_token instead of oauth_token to match the name by default Spring uses to find the token in the request.
With those 2 changes it started working.
I've enabled OAuth2 in my Spring IO 2.0.6 Platform as follows
#EnableWebSecurity
#EnableResourceServer
#EnableAuthorizationServer
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure( final HttpSecurity http ) throws Exception {
http.authorizeRequests()
.antMatchers( "/**" )
.permitAll()
.anyRequest().authenticated()
.and()
.formLogin().and()
.httpBasic();
}
}
but when I go to / for my index.html which has my login form I receive the following.
<oauth>
<error_description>
Full authentication is required to access this resource
</error_description>
<error>unauthorized</error>
</oauth>
here's what appears to be relevant debug level logsj
2016-07-20 17:34:50.063 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.c.web.OrderedRequestContextFilter : Bound request context to thread: org.apache.catalina.connector.RequestFacade#174f5835
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/css/**']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/css/**'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/js/**']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/js/**'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/images/**']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/images/**'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/**/favicon.ico']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/**/favicon.ico'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/error']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/error'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/token']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/oauth/token'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/token_key']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/oauth/token_key'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/check_token']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/oauth/check_token'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#6c710c23
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/logout'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.o.p.a.BearerTokenExtractor : Token not found in headers. Trying request parameters.
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.o.p.a.BearerTokenExtractor : Token not found in request parameters. Not an OAuth2 request.
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] p.a.OAuth2AuthenticationProcessingFilter : No token in request, will continue chain.
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.session.SessionManagementFilter : Requested session ID B18ACABBAAF00852E3373A4EB0BDDCE2 is invalid.
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-07-20 17:34:50.065 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /; Attributes: [#oauth2.throwOnError(authenticated)]
2016-07-20 17:34:50.065 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-07-20 17:34:50.066 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#1a3d182d, returned: -1
2016-07-20 17:34:50.066 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'delegatingApplicationListener'
2016-07-20 17:34:50.066 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'authorizationAuditListener'
2016-07-20 17:34:50.067 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'delegatingApplicationListener'
2016-07-20 17:34:50.067 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'auditListener'
2016-07-20 17:34:50.067 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jul 20 17:34:50 CDT 2016, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]
2016-07-20 17:34:50.068 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) ~[spring-security-core-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:232) ~[spring-security-core-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:122) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:48) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter(OAuth2AuthenticationProcessingFilter.java:176) [spring-security-oauth2-2.0.10.RELEASE.jar:na]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:87) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:103) [spring-boot-actuator-1.3.6.RELEASE.jar:1.3.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:676) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476) [tomcat-embed-core-8.0.36.jar:8.0.36]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_92]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_92]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.36.jar:8.0.36]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_92]
2016-07-20 17:34:50.068 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Calling Authentication entry point.
2016-07-20 17:34:50.072 DEBUG 15064 --- [nio-8080-exec-1] s.s.o.p.e.DefaultOAuth2ExceptionRenderer : Written [error="unauthorized", error_description="Full authentication is required to access this resource"] as "application/xhtml+xml" using [org.springframework.security.oauth2.http.converter.jaxb.JaxbOAuth2ExceptionMessageConverter#c4b9155]
2016-07-20 17:34:50.072 DEBUG 15064 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
What do I need to do to allow requests through to my /?
It appears I have to do the following, / and /index.html are both required, the rest depends on your layout, though I did have to define allowing the /webjars/ which is surprising
#EnableWebSecurity
#EnableResourceServer
#EnableAuthorizationServer
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
public void configure( final WebSecurity web ) throws Exception {
web.ignoring()
.antMatchers( "/", "/index.html", "/partials/**/*.html" )
.antMatchers( "/webjars/**/*.js" )
.antMatchers( "/webjars/**/*.css" );
}
#Override
protected void configure( final HttpSecurity http ) throws Exception {
super.configure( http );
}
}
I use Spring 3.1 with Spring Mvc and Spring Security.
<security:http auto-config="true" use-expressions="true" access-denied-page="/views/not-authorized.jsp">
<security:form-login login-page="/login.html"
login-processing-url="/j_spring_security_check"
default-target-url="/main.html"
always-use-default-target="false"
authentication-failure-url="/login.html?error=true" />
<security:logout logout-url="/j_spring_security_logout"
invalidate-session="true"
logout-success-url="/login.html"/>
</security:http>
This works OK when I try to access a secured page when I'm not logged in or my session expired but it doesn't work when I call a secured action method from a controller. I just get an ActionDenied Exception in log and that's it...
UPDATE: I deleted the old log because of the body limitation but it's the same log... Though there is a ExceptionHandlerExceptionResolver, there is no #ExceptionHandler method...
DEBUG 17-01-2013 12:47:50,337 - FilterChainProxy:318 - /rs/administration/team/1/list.action?_dc=1358419670168&role=SUPERVISOR&page=1&start=0&limit=10&sort=username&dir=ASC at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG 17-01-2013 12:47:50,338 - HttpSessionSecurityContextRepository:139 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG 17-01-2013 12:47:50,338 - HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade#63f61b14. A new one will be created.
DEBUG 17-01-2013 12:47:50,338 - FilterChainProxy:318 - /rs/administration/team/1/list.action?_dc=1358419670168&role=SUPERVISOR&page=1&start=0&limit=10&sort=username&dir=ASC at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG 17-01-2013 12:47:50,339 - FilterChainProxy:318 - /rs/administration/team/1/list.action?_dc=1358419670168&role=SUPERVISOR&page=1&start=0&limit=10&sort=username&dir=ASC at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG 17-01-2013 12:47:50,339 - FilterChainProxy:318 - /rs/administration/team/1/list.action?_dc=1358419670168&role=SUPERVISOR&page=1&start=0&limit=10&sort=username&dir=ASC at position 4 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG 17-01-2013 12:47:50,339 - FilterChainProxy:318 - /rs/administration/team/1/list.action?_dc=1358419670168&role=SUPERVISOR&page=1&start=0&limit=10&sort=username&dir=ASC at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG 17-01-2013 12:47:50,339 - FilterChainProxy:318 - /rs/administration/team/1/list.action?_dc=1358419670168&role=SUPERVISOR&page=1&start=0&limit=10&sort=username&dir=ASC at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG 17-01-2013 12:47:50,339 - FilterChainProxy:318 - /rs/administration/team/1/list.action?_dc=1358419670168&role=SUPERVISOR&page=1&start=0&limit=10&sort=username&dir=ASC at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG 17-01-2013 12:47:50,340 - AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#6fa8dbd0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: C6A69A5A39B643C5DBE37DC225E76F49; Granted Authorities: ROLE_ANONYMOUS'
DEBUG 17-01-2013 12:47:50,340 - FilterChainProxy:318 - /rs/administration/team/1/list.action?_dc=1358419670168&role=SUPERVISOR&page=1&start=0&limit=10&sort=username&dir=ASC at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG 17-01-2013 12:47:50,340 - FilterChainProxy:318 - /rs/administration/team/1/list.action?_dc=1358419670168&role=SUPERVISOR&page=1&start=0&limit=10&sort=username&dir=ASC at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG 17-01-2013 12:47:50,340 - FilterChainProxy:318 - /rs/administration/team/1/list.action?_dc=1358419670168&role=SUPERVISOR&page=1&start=0&limit=10&sort=username&dir=ASC at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG 17-01-2013 12:47:50,340 - AntPathRequestMatcher:103 - Checking match of request : '/rs/administration/team/1/list.action'; against '/login.html'
DEBUG 17-01-2013 12:47:50,341 - AntPathRequestMatcher:103 - Checking match of request : '/rs/administration/team/1/list.action'; against '/views/not-authorized.jsp'
DEBUG 17-01-2013 12:47:50,341 - FilterSecurityInterceptor:184 - Public object - authentication not attempted
DEBUG 17-01-2013 12:47:50,341 - FilterChainProxy:304 - /rs/administration/team/1/list.action?_dc=1358419670168&role=SUPERVISOR&page=1&start=0&limit=10&sort=username&dir=ASC reached end of additional filter chain; proceeding with original chain
DEBUG 17-01-2013 12:47:50,341 - DispatcherServlet:799 - DispatcherServlet with name 'action' processing GET request for [/bpms/prestataire/rs/administration/team/1/list.action]
DEBUG 17-01-2013 12:47:50,342 - RequestMappingHandlerMapping:211 - Looking up handler method for path /rs/administration/team/1/list.action
DEBUG 17-01-2013 12:47:50,342 - RequestMappingHandlerMapping:218 - Returning handler method [public java.util.Map<java.lang.String, ?> fr.isiom.bpms.prestataire.action.controllers.administration.TeamAdministrationController.listTeams(fr.isiom.bpms.prestataire.action.model.generic.ActionListParam,fr.isiom.bpms.prestataire.action.model.administration.TeamProfile,java.security.Principal) throws java.lang.Exception]
DEBUG 17-01-2013 12:47:50,343 - DefaultListableBeanFactory:245 - Returning cached instance of singleton bean 'teamAdministrationController'
DEBUG 17-01-2013 12:47:50,343 - DispatcherServlet:879 - Last-Modified value for [/bpms/prestataire/rs/administration/team/1/list.action] is: -1
DEBUG 17-01-2013 12:47:50,346 - MethodSecurityInterceptor:193 - Secure object: ReflectiveMethodInvocation: public java.util.Map fr.isiom.bpms.prestataire.action.controllers.administration.TeamAdministrationController.listTeams(fr.isiom.bpms.prestataire.action.model.generic.ActionListParam,fr.isiom.bpms.prestataire.action.model.administration.TeamProfile,java.security.Principal) throws java.lang.Exception; target is of class [fr.isiom.bpms.prestataire.action.controllers.administration.TeamAdministrationController]; Attributes: [ROLE_SUPERVISOR, ROLE_TEAM_LEADER]
DEBUG 17-01-2013 12:47:50,346 - MethodSecurityInterceptor:298 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#6fa8dbd0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: C6A69A5A39B643C5DBE37DC225E76F49; Granted Authorities: ROLE_ANONYMOUS
DEBUG 17-01-2013 12:47:50,347 - AffirmativeBased:65 - Voter: org.springframework.security.access.vote.RoleVoter#3b61c3c3, returned: -1
DEBUG 17-01-2013 12:47:50,347 - AffirmativeBased:65 - Voter: org.springframework.security.access.vote.AuthenticatedVoter#3ca2691a, returned: 0
DEBUG 17-01-2013 12:47:50,348 - DefaultListableBeanFactory:245 - Returning cached instance of singleton bean 'org.springframework.context.annotation.internalScheduledAnnotationProcessor'
DEBUG 17-01-2013 12:47:50,349 - ExceptionHandlerExceptionResolver:132 - Resolving exception from handler [public java.util.Map<java.lang.String, ?> fr.isiom.bpms.prestataire.action.controllers.administration.TeamAdministrationController.listTeams(fr.isiom.bpms.prestataire.action.model.generic.ActionListParam,fr.isiom.bpms.prestataire.action.model.administration.TeamProfile,java.security.Principal) throws java.lang.Exception]: org.springframework.security.access.AccessDeniedException: Access is denied
DEBUG 17-01-2013 12:47:50,353 - ResponseStatusExceptionResolver:132 - Resolving exception from handler [public java.util.Map<java.lang.String, ?> fr.isiom.bpms.prestataire.action.controllers.administration.TeamAdministrationController.listTeams(fr.isiom.bpms.prestataire.action.model.generic.ActionListParam,fr.isiom.bpms.prestataire.action.model.administration.TeamProfile,java.security.Principal) throws java.lang.Exception]: org.springframework.security.access.AccessDeniedException: Access is denied
DEBUG 17-01-2013 12:47:50,354 - DefaultHandlerExceptionResolver:132 - Resolving exception from handler [public java.util.Map<java.lang.String, ?> fr.isiom.bpms.prestataire.action.controllers.administration.TeamAdministrationController.listTeams(fr.isiom.bpms.prestataire.action.model.generic.ActionListParam,fr.isiom.bpms.prestataire.action.model.administration.TeamProfile,java.security.Principal) throws java.lang.Exception]: org.springframework.security.access.AccessDeniedException: Access is denied
DEBUG 17-01-2013 12:47:50,356 - DispatcherServlet:910 - Could not complete request
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:205)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:59)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:622)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:212)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:126)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:96)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:617)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:578)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:80)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:900)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:827)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:778)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.__invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:877)
at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:594)
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1675)
at java.lang.Thread.run(Thread.java:662)
DEBUG 17-01-2013 12:47:50,360 - ExceptionTranslationFilter:165 - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:205)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:59)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:622)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:212)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:126)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:96)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:617)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:578)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:80)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:900)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:827)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:778)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.__invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:877)
at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:594)
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1675)
at java.lang.Thread.run(Thread.java:662)
DEBUG 17-01-2013 12:47:50,363 - HttpSessionRequestCache:41 - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/bpms/prestataire/rs/administration/team/1/list.action?_dc=1358419670168&role=SUPERVISOR&page=1&start=0&limit=10&sort=username&dir=ASC]
DEBUG 17-01-2013 12:47:50,363 - ExceptionTranslationFilter:185 - Calling Authentication entry point.
DEBUG 17-01-2013 12:47:50,365 - DefaultRedirectStrategy:36 - Redirecting to 'http://localhost:8080/bpms/prestataire/login.html'
DEBUG 17-01-2013 12:47:50,366 - HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
DEBUG 17-01-2013 12:47:50,366 - SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
DEBUG 17-01-2013 12:47:50,378 - FilterChainProxy:318 - /login.html at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG 17-01-2013 12:47:50,378 - HttpSessionSecurityContextRepository:139 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG 17-01-2013 12:47:50,378 - HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade#63f61b14. A new one will be created.
DEBUG 17-01-2013 12:47:50,378 - FilterChainProxy:318 - /login.html at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG 17-01-2013 12:47:50,379 - FilterChainProxy:318 - /login.html at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG 17-01-2013 12:47:50,379 - FilterChainProxy:318 - /login.html at position 4 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG 17-01-2013 12:47:50,379 - FilterChainProxy:318 - /login.html at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG 17-01-2013 12:47:50,379 - DefaultSavedRequest:309 - pathInfo: both null (property equals)
DEBUG 17-01-2013 12:47:50,379 - DefaultSavedRequest:317 - queryString: arg1=_dc=1358419670168&role=SUPERVISOR&page=1&start=0&limit=10&sort=username&dir=ASC; arg2=null (property not equals)
DEBUG 17-01-2013 12:47:50,379 - HttpSessionRequestCache:75 - saved request doesn't match
DEBUG 17-01-2013 12:47:50,380 - FilterChainProxy:318 - /login.html at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG 17-01-2013 12:47:50,380 - FilterChainProxy:318 - /login.html at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG 17-01-2013 12:47:50,380 - AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#6fa8dbd0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: C6A69A5A39B643C5DBE37DC225E76F49; Granted Authorities: ROLE_ANONYMOUS'
DEBUG 17-01-2013 12:47:50,380 - FilterChainProxy:318 - /login.html at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG 17-01-2013 12:47:50,381 - FilterChainProxy:318 - /login.html at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG 17-01-2013 12:47:50,381 - FilterChainProxy:318 - /login.html at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
This is the same log as before... I commented the #ExceptionHandler method, then restarted server... Anyway this is my exceptionHandler method:
#ExceptionHandler(RuntimeException.class)
public ModelAndView handleException(Exception ex, HttpServletRequest request, HttpServletResponse response) {
return getErrorResponseMap(StringUtils.EMPTY, JsonErrorCause.TECHNICAL_ERROR));
}
protected static Map<String, Object> getErrorResponseMap(String msg, String causeCode) {
Map<String, Object> modelMap = new HashMap<String, Object>(ERROR_PROPERTY_COUNT);
modelMap.put(JsonProperties.MESSAGE, msg);
modelMap.put(JsonProperties.SUCCESS, Boolean.FALSE);
modelMap.put(JsonProperties.CAUSE, causeCode);
return modelMap;
}
I even tried something like...
#ExceptionHandler(RuntimeException.class)
public ModelAndView handleException(Exception ex, HttpServletRequest request, HttpServletResponse response) {
ModelAndView modelAndView = new ModelAndView();
if (ex.getMessage().contains("Access is denied")) {
modelAndView.setViewName("/views/not-authorized.jsp");
return modelAndView;
}
modelAndView.addAllObjects(getErrorResponseMap(StringUtils.EMPTY, JsonErrorCause.TECHNICAL_ERROR));
return modelAndView;
}
UPDATE 2: My showLoginPage method:
#RequestMapping(value = PageAddress.LOGIN_URL)
public ModelAndView showLoginPage(#RequestParam(value = "error", required = false) boolean errorParam, ModelMap model) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (!auth.getAuthorities().contains(new SimpleGrantedAuthority(ContractorRole.USER))) {
model.put(ERROR_PROP_NAME, errorParam);
return new ModelAndView(PageCode.LOGIN, model);
} else {
RedirectView mainRedirectView = new RedirectView(PageAddress.MAIN_URL, true);
mainRedirectView.setExposeModelAttributes(false);
return new ModelAndView(mainRedirectView);
}
}
Try <access-denied-handler> element instead of deprecated access-denied-page:
<security:http ...>
...
<security:access-denied-handler ref="accessDeniedHandlerImpl" />
</security:http>
<bean id="accessDeniedHandlerImpl" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<property name="errorPage" value="/views/not-authorized.jsp"/>
</bean>