Filter Chain Debugging... I've pored over the core code, and I cannot for
the life of me figure out why the "/login/cas" request is not taking the
user to CAS for authentication.
This was working before; I have no clue why it isn't now. The
LogOutFilter on "/logout/cas" is working. Anyone have any darn
tips/ideas where to look? I'm losing my mind on this basic simple
straw-man code.

    http
        .authorizeRequests()
            .regexMatchers("/desktop.*", "/login")
            .authenticated()
        .and()
        .authorizeRequests()
            .regexMatchers("/")
            .permitAll()
        .and()
        .httpBasic()
            .authenticationEntryPoint(authenticationEntryPoint)
        .and()
        .logout().logoutSuccessUrl("/logout")
        .and()
        .addFilterBefore(singleSignOutFilter, CasAuthenticationFilter.class)
        .addFilterBefore(logoutFilter, LogoutFilter.class);

2020-01-23 14:53:47.150 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.cas.web.CasAuthenticationFilter : Updated SecurityContextHolder
to contain null Authentication
2020-01-23 14:53:47.151 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.cas.web.CasAuthenticationFilter : Delegating to authentication
failure handler
org.springframework.security.cas.web.CasAuthenticationFilter$CasAuthenticationFailureHandler@554d70fa
2020-01-23 14:53:47.151 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request :
'/login/cas'; against '/login/cas'
2020-01-23 14:53:47.151 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.cas.web.CasAuthenticationFilter : serviceTicketRequest = true
2020-01-23 14:53:47.151 DEBUG 13071 --- [io-9000-exec-10]
.a.SimpleUrlAuthenticationFailureHandler : No failure URL set, sending
401 Unauthorized error
2020-01-23 14:53:47.152 DEBUG 13071 --- [io-9000-exec-10]
w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or
contents are anonymous - context will not be stored in HttpSession.
2020-01-23 14:53:47.152 DEBUG 13071 --- [io-9000-exec-10]
s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now
cleared, as request processing completed
2020-01-23 14:53:47.152 DEBUG 13071 --- [io-9000-exec-10]
o.s.security.web.FilterChainProxy : /error at position 1 of 15 in
additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2020-01-23 14:53:47.152 DEBUG 13071 --- [io-9000-exec-10]
o.s.security.web.FilterChainProxy : /error at position 2 of 15 in
additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2020-01-23 14:53:47.152 DEBUG 13071 --- [io-9000-exec-10]
w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2020-01-23 14:53:47.152 DEBUG 13071 --- [io-9000-exec-10]
w.c.HttpSessionSecurityContextRepository : No SecurityContext was
available from the HttpSession: null. A new one will be created.
2020-01-23 14:53:47.152 DEBUG 13071 --- [io-9000-exec-10]
o.s.security.web.FilterChainProxy : /error at position 3 of 15 in
additional filter chain; firing Filter: 'HeaderWriterFilter'
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.security.web.FilterChainProxy : /error at position 4 of 15 in
additional filter chain; firing Filter: 'CsrfFilter'
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.security.web.FilterChainProxy : /error at position 5 of 15 in
additional filter chain; firing Filter: 'LogoutFilter'
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request :
'/error'; against '/logout/cas'
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.security.web.FilterChainProxy : /error at position 6 of 15 in
additional filter chain; firing Filter: 'LogoutFilter'
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /error' doesn't
match 'POST /logout'
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.security.web.FilterChainProxy : /error at position 7 of 15 in
additional filter chain; firing Filter: 'SingleSignOutFilter'
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.security.web.FilterChainProxy : /error at position 8 of 15 in
additional filter chain; firing Filter: 'CasAuthenticationFilter'
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request :
'/error'; against '/login/cas'
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.cas.web.CasAuthenticationFilter : serviceTicketRequest = false
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.cas.web.CasAuthenticationFilter : proxyReceptorConfigured = false
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.cas.web.CasAuthenticationFilter : proxyReceptorRequest = false
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.cas.web.CasAuthenticationFilter : proxyTicketRequest = false
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.cas.web.CasAuthenticationFilter : requiresAuthentication = false
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.security.web.FilterChainProxy : /error at position 9 of 15 in
additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.security.web.FilterChainProxy : /error at position 10 of 15
in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.w.s.HttpSessionRequestCache : saved request doesn't match
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.security.web.FilterChainProxy : /error at position 11 of 15
in additional filter chain; firing Filter:
'SecurityContextHolderAwareRequestFilter'
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.security.web.FilterChainProxy : /error at position 12 of 15
in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2020-01-23 14:53:47.153 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.w.a.AnonymousAuthenticationFilter : Populated
SecurityContextHolder with anonymous token:
'org.springframework.security.authentication.AnonymousAuthenticationToken@2fbb3d34:
Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true;
Details:
org.springframework.security.web.authentication.WebAuthenticationDetails@b364:
RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities:
ROLE_ANONYMOUS'
2020-01-23 14:53:47.154 DEBUG 13071 --- [io-9000-exec-10]
o.s.security.web.FilterChainProxy : /error at position 13 of 15
in additional filter chain; firing Filter: 'SessionManagementFilter'
2020-01-23 14:53:47.154 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.w.session.SessionManagementFilter : Requested session ID
FB5DD60372F063F2A0528D7DD272036D is invalid.
2020-01-23 14:53:47.154 DEBUG 13071 --- [io-9000-exec-10]
o.s.security.web.FilterChainProxy : /error at position 14 of 15
in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2020-01-23 14:53:47.154 DEBUG 13071 --- [io-9000-exec-10]
o.s.security.web.FilterChainProxy : /error at position 15 of 15
in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2020-01-23 14:53:47.154 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.w.u.matcher.RegexRequestMatcher : Checking match of request :
'/error'; against '/desktop.*'
2020-01-23 14:53:47.154 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.w.u.matcher.RegexRequestMatcher : Checking match of request :
'/error'; against '/login'
2020-01-23 14:53:47.154 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.w.u.matcher.RegexRequestMatcher : Checking match of request :
'/error'; against '/'
2020-01-23 14:53:47.154 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.w.a.i.FilterSecurityInterceptor : Public object -
authentication not attempted
2020-01-23 14:53:47.154 DEBUG 13071 --- [io-9000-exec-10]
o.s.security.web.FilterChainProxy : /error reached end of
additional filter chain; proceeding with original chain
2020-01-23 14:53:47.154 DEBUG 13071 --- [io-9000-exec-10]
o.s.web.servlet.DispatcherServlet : "ERROR" dispatch for GET
"/error", parameters={}
2020-01-23 14:53:47.155 DEBUG 13071 --- [io-9000-exec-10]
s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to
org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest,
HttpServletResponse)
2020-01-23 14:53:47.168 DEBUG 13071 --- [io-9000-exec-10]
o.s.w.s.v.ContentNegotiatingViewResolver : Selected 'text/html' given
[text/html, text/html;q=0.8]
2020-01-23 14:53:47.171 DEBUG 13071 --- [io-9000-exec-10]
o.s.web.servlet.DispatcherServlet : Exiting from "ERROR"
dispatch, status 401
2020-01-23 14:53:47.171 DEBUG 13071 --- [io-9000-exec-10]
o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2020-01-23 14:53:47.171 DEBUG 13071 --- [io-9000-exec-10]
w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or
contents are anonymous - context will not be stored in HttpSession.
2020-01-23 14:53:47.172 DEBUG 13071 --- [io-9000-exec-10]
s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now
cleared, as request processing completed
On 2020-01-20 1:38 p.m., Ray Bon wrote:
Colin,
When you say '/login/cas', are you talking about the CAS server login
page?
Try '/cas/login'.
Ray
On Mon, 2020-01-20 at 12:29 -0500, Colin Ryan wrote:
Folks
Sorry to go so far backwards. But in moving forward with some odd
requirements I've had to go back to first principle code and am
having problems with the basics.
My understanding is that Spring defaults to "/login/cas" now as being
the URL for the CasFilter, as such the application doesn't actually
have to have a Handler for "/login/cas" as it's simply getting picked
up by the filter. Assuming this is correct, for some reason my
straw-man code appears to not be creating/inserting the
CasAuthenticationFilter into the Filter Chain.
My code is all stock sample code.
* Service Bean
* Entry Point Bean returning a CasAuthenticationEntryPoint that has
the Service Bean assigned.
* The following is the security config.

    @EnableWebSecurity
    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        private AuthenticationProvider authenticationProvider;
        private CasAuthenticationEntryPoint authenticationEntryPoint;
        private SingleSignOutFilter singleSignOutFilter;
        private LogoutFilter logoutFilter;
        private ServiceProperties serviceProperties;

        @Autowired
        public SecurityConfig(CasAuthenticationProvider casAuthenticationProvider,
                              CasAuthenticationEntryPoint eP,
                              LogoutFilter lF,
                              SingleSignOutFilter ssF,
                              ServiceProperties sP) {
            this.authenticationProvider = casAuthenticationProvider;
            this.authenticationEntryPoint = eP;
            this.logoutFilter = lF;
            this.singleSignOutFilter = ssF;
            this.serviceProperties = sP;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .regexMatchers("/secured.*", "/login")
                    .authenticated()
                .and()
                .authorizeRequests()
                    .regexMatchers("/")
                    .permitAll()
                .and()
                .httpBasic()
                    .authenticationEntryPoint(authenticationEntryPoint)
                .and()
                .logout().logoutSuccessUrl("/logout")
                .and()
                .addFilterBefore(singleSignOutFilter, CasAuthenticationFilter.class)
                .addFilterBefore(logoutFilter, LogoutFilter.class);
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(authenticationProvider);
        }

        @Override
        protected AuthenticationManager authenticationManager() throws Exception {
            return new ProviderManager(Arrays.asList(authenticationProvider));
        }

        @Bean
        public CasAuthenticationFilter casAuthenticationFilter(ServiceProperties sP) throws Exception {
            CasAuthenticationFilter filter = new CasAuthenticationFilter();
            filter.setServiceProperties(sP);
            filter.setAuthenticationManager(authenticationManager());
            filter.setFilterProcessesUrl("/login/cas");
            return filter;
        }
    }

The application will intercept anything that is accessed behind the
authenticated() filter.
However any calls to "/login/cas" give a 404 error. It appears that
the filter isn't "there" and my application in turn is complaining
that I simply don't have a handler for the "/login/cas" path. My
SingleSignOutFilter works via "/logout/cas"
Obviously the issue is that when the callbacks from CAS come they
fail as the application isn't providing the typical interfaces on the
"/login/cas" path.
Any ideas? I've debugged and stepped through the application as it's
building the security configuration and as far as I can tell the
CasAuthenticationFilter is never getting put into the filter chain.
I haven't attached all the other code bits, but as I said they are
"stock". In debugging all the values in the stack make sense etc etc.
Colin
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca
I respectfully acknowledge that my place of work is located within the
ancestral, traditional and unceded territory of the Songhees,
Esquimalt and WSÁNEĆ Nations.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b017be33043f8982f6703206c789fb3b68777e8e.camel%40uvic.ca.
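
Added example, not code from the thread or from the Spring Security project: a minimal configuration in the same WebSecurityConfigurerAdapter style as the posts, in which the CasAuthenticationFilter is added to the chain explicitly, the CAS entry point is registered through exceptionHandling(), and a failure URL replaces the bare 401 that the log shows from SimpleUrlAuthenticationFailureHandler. The class name and the "/cas-failed" path are hypothetical, and the three injected beans are assumed to be defined as described in the original post.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

// Hypothetical class name; Spring Security 5.x API as used in the thread.
@Configuration
@EnableWebSecurity
public class CasFilterWiringExample extends WebSecurityConfigurerAdapter {
    private final CasAuthenticationProvider casProvider;
    private final CasAuthenticationEntryPoint casEntryPoint;
    private final ServiceProperties serviceProperties;

    public CasFilterWiringExample(CasAuthenticationProvider casProvider,
            CasAuthenticationEntryPoint casEntryPoint, ServiceProperties serviceProperties) {
        this.casProvider = casProvider;
        this.casEntryPoint = casEntryPoint;
        this.serviceProperties = serviceProperties;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(casProvider); // validates service tickets
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Built here, not as a @Bean: Spring Boot also registers Filter beans with the servlet container.
        CasAuthenticationFilter casFilter = new CasAuthenticationFilter();
        casFilter.setServiceProperties(serviceProperties);
        casFilter.setAuthenticationManager(authenticationManager());
        casFilter.setFilterProcessesUrl("/login/cas");
        // "/cas-failed" is a hypothetical page; without a failure URL the handler sends 401.
        casFilter.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler("/cas-failed"));

        http.authorizeRequests()
                .regexMatchers("/secured.*", "/login").authenticated()
                .regexMatchers("/", "/cas-failed").permitAll()
            .and()
            .exceptionHandling().authenticationEntryPoint(casEntryPoint) // redirects to the CAS server
            .and()
            .addFilter(casFilter); // placed at its registered position in the chain
    }
}
```

In this wiring "/login/cas" is the callback that receives the ticket parameter from the CAS server; the redirect to CAS is issued by the entry point when an unauthenticated request reaches a protected path.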