Due to a variety of reasons, we decided to not secure our html pages, but to secure the AJAX data calls. The AJAX endpoints are CXF JAX-RS endpoints. Because we support OAuth and OpenID, we made the decision to go with Spring Security and sessions, instead of the proper RESTful authenticate-each-call methodology. We also transformed the Spring Security settings. Relevant parts below:
    <sec:http access-denied-page="/rest/auth?error=access-denied">
        <sec:form-login authentication-failure-url="/rest/auth?error=failed-login"
                        login-page="/rest/auth?error=not-authenticated"
                        default-target-url="/rest/auth/success"/>
    </sec:http>

Basically, on an auth failure or a not-authorized-yet situation, we have Spring Security redirect to a REST endpoint that responds with the proper status code and that's it. No forwarding to the login page or anything of that sort (which would be pointless because all these are AJAX calls...)

On an auth success, we would like to redirect to /rest/api/user/15 (or whatever ID just successfully logged in). But it looks like we won't be able to dynamically change the target URL, so we'll depend on /rest/auth/success to return the URI.

From TCPMon, we see:

    HTTP/1.1 302 Moved Temporarily
    Set-Cookie: JSESSIONID=C149C4F73C95BDAF33E2BED4CCC1D133;
    Location: http://localhost/plutom-ws/rest/auth/success

but the call to auth/success fails (stacktrace truncated to the relevant portion):

    GET /plutom-ws/rest/auth/success HTTP/1.1
    Cookie: JSESSIONID=C149C4F73C95BDAF33E2BED4CCC1D133;

    java.lang.RuntimeException: org.apache.cxf.interceptor.Fault: An Authentication object was not found in the SecurityContext
        at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:107)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:323)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:118)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:208)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:166)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:113)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:184)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:112)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)

So a bunch of questions:

1) I annotated the auth/success endpoint with @SECURED, is this correct?

2) Who's responsible for looking at the cookie, finding the Spring stored session, and setting the authentication object? Do I need an interceptor that I didn't add?

3) Is the fact that CXFNonSpringServlet is called expected? I'm definitely not using that anywhere...

thanks for any help

Jeff
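The status-code-only auth endpoints the post describes, written out as an added example (not the poster's code): a CXF JAX-RS resource behind /rest/auth that maps the error values from the Spring Security XML above to HTTP statuses, and a /rest/auth/success that reads the Authentication from SecurityContextHolder and returns the caller's own user URI, answering 401 instead of a 500 when no usable Authentication is present. The UserIdLookup interface and the 401/403 mapping are assumptions.

```java
import java.net.URI;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Assumed resource mounted under the /rest servlet, so it answers /rest/auth and /rest/auth/success.
@Path("/auth")
public class AuthStatusResource {

    // Hypothetical lookup from the authenticated principal name to the numeric id
    // that /rest/api/user/{id} expects; replace with the real user store.
    public interface UserIdLookup { long idFor(String username); }

    private final UserIdLookup users;

    public AuthStatusResource(UserIdLookup users) { this.users = users; }

    // Target of the three redirect URLs in the sec:http config. The AJAX client only ever
    // sees a status code here, never an HTML login page.
    @GET
    public Response error(@QueryParam("error") String error) {
        if ("not-authenticated".equals(error) || "failed-login".equals(error)) {
            return Response.status(Status.UNAUTHORIZED).build();   // 401: no valid credentials
        }
        if ("access-denied".equals(error)) {
            return Response.status(Status.FORBIDDEN).build();      // 403: authenticated, not allowed
        }
        return Response.status(Status.BAD_REQUEST).build();
    }

    // default-target-url after a successful form login: hand back the user's own URI.
    @GET
    @Path("/success")
    public Response success() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // A null Authentication means the request never went through Spring Security's filter
        // chain (the fault in the stacktrace above). An AnonymousAuthenticationToken reports
        // isAuthenticated() == true, so it must be rejected explicitly as well.
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return Response.status(Status.UNAUTHORIZED).build();
        }
        URI self = URI.create("/rest/api/user/" + users.idFor(auth.getName()));
        // The body carries the URI; the browser-side AJAX code decides what to fetch next.
        return Response.ok(self.toString()).build();
    }
}
```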