I created an unauthenticated home page and return that in my getHomePage.
That works - the home page displays. As soon as I add a link to the home
page to go to the search page, the home page does not load and I have the
continuous authentication loop. I don't have any security on the home page
surrounding the link.
Sorry for the bad code formatting. I'm not sure what happened. I also
don't know where all the '*' came from.
Chris
On Friday, April 4, 2025, Ernesto Reinaldo Barreiro <reier...@gmail.com>
wrote:
> I didn't look at your code...but I guess you need to redirect to a not
> protected page when users try to access your app. If the home page is
> protected then redirecting to it will trigger another redirect....
>
>
>
> On Fri, Apr 4, 2025 at 3:37 AM Chris Whitcomb <chrswhitc...@gmail.com>
> wrote:
>
> > I have a wicket 8 application that is using Spring security (Spring Boot
> > 2.1.10) and is deployed on WebSphere traditional 8.5.5.x. WAS is
> connected
> > to an LDAP. This application uses the J2EE (WAS) security. The server
> > does have Kerberos configured.
> >
> > I know WAS 8.5.5 does not officially support Spring boot 2.1.10 and
> Wicket
> > 8. However, I have deployed this to a local WAS without the Kerberos
> > configured and it works. This local WAS prompts for login. I do
> > understand this could be a version problem.
> >
> >
> >
> > We would like the application to use the current Windows user to
> > automatically log in (no login prompt to the user).
> >
> >
> >
> > When hitting the URL in the logs we see the application loops a number of
> > times and each time it loops, it creates a session. I’m not sure where
> or
> > why the session is being created. Eventually the browser shows the error
> > ‘too many redirects’. I have seen 20 – 30 sessions created before it
> > stops. I have set the Spring SessionCreationPolicy to each option and
> the
> > behavior did not change.
> >
> >
> >
> > I want to secure the homepage – only users in a specific group should be
> > able to access the home page. If they are not in the group, they should
> > get redirected to an access denied page. Since we are having problems, I
> > have modified the code to show the page if the user is authenticated.
> Once
> > we get that working, we will add in the group membership.
> >
> >
> >
> > I have tried setting the role in the WebSession and then using
> > @AuthorizeInstantiotion(“role”).
> >
> > I have also tried returning the page to display in the WebApplication
> class
> > depending on if the user is signed in or not.
> >
> > Both just loop until it gives up.
> >
> > I do see all the output from the home page (SearchPage class) init, but
> > then it loops and starts over.
> >
> >
> >
> > Code below:
> >
> >
> >
> > I do have a web.xml with a security constraint as it seems WebSphere
> needs
> > this otherwise we don’t get a principal at all.
> >
> > <security-constraint>
> >
> > <web-resource-collection>
> >
> > <web-resource-name>User</web-resource-name>
> >
> > <url-pattern>/*</url-pattern>
> >
> > </web-resource-collection>
> >
> > <auth-constraint>
> >
> > <role-name>AllAuthenticated</role-name>
> >
> > </auth-constraint>
> >
> > </security-constraint>
> >
> > *<!-- Security roles used in the application -->*
> >
> > <security-role>
> >
> > <role-name>AllAuthenticated</role-name>
> >
> > </security-role>
> >
> >
> >
> > My WebSession class:
> >
> > public class *AppWebSession* extends AbstractAuthenticatedWebSession {
> >
> >
> >
> > public volatile boolean signedIn;
> >
> >
> >
> > public *AppWebSession*(Request request) {
> >
> > super(request);
> >
> > *init*();
> >
> > }
> >
> >
> >
> > private void *init*() {
> >
> > Injector.*get*().*inject*(this);
> >
> > log.*debug*("Session Injected.");
> >
> > }
> >
> >
> >
> > public static AppWebSession *get*(){
> >
> > return (AppWebSession) Session.*get*();
> >
> > }
> >
> >
> >
> > @Override
> >
> > public Roles *getRoles*() {
> >
> > log.*debug*("getRoles()");
> >
> >
> >
> > Roles roles = new *Roles*();
> >
> >
> >
> > if(AppWebSession.*get*().*isSignedIn*()){
> >
> > // Because we are having problems, just set the role if
> > isSignedIn = true. Later, we will set the roles based on group
> membership.
> >
> > roles.add(“HASACCESS”);
> >
> >
> >
> > return roles;
> >
> > }
> >
> >
> >
> > @Override
> >
> > public boolean *isSignedIn*() {
> >
> >
> >
> > signedIn =
> SecurityContextHolder.*getContext*().*getAuthentication*
> > ().*isAuthenticated*();
> >
> > log.*debug*("signedIn -> " + signedIn); <-- This shows ‘true’.
> >
> > return signedIn;
> >
> > }
> >
> > }
> >
> >
> >
> >
> >
> > My SecurityConfig class:
> >
> > @Configuration
> >
> > @EnableWebSecurity (debug = true)
> >
> > public class *AppSecurityConfig* extends *WebSecurityConfigurerAdapter* {
> >
> >
> >
> > private WebSpherePreAuthenticatedProcessingFilter wasPreAuthFilter =
> > new *WebSpherePreAuthenticatedProcessingFilter*();
> >
> >
> >
> > @Override
> >
> > protected void *configure*(HttpSecurity http) throws Exception {
> >
> >
> >
> >
> wasPreAuthFilter.*setAuthenticationManager*(*authenticationManager*
> > ());
> >
> > http
> >
> > .*addFilter*(wasPreAuthFilter)
> >
> > .*authorizeRequests*()
> >
> > .*anyRequest*().*permitAll*();
> >
> > }
> >
> >
> >
> > @Override
> >
> > protected void *configure*(AuthenticationManagerBuilder auth) throws
> > Exception {
> >
> >
> auth.*authenticationProvider*(*websphereAuthenticationProvider*());
> >
> > }
> >
> >
> >
> >
> >
> > *// Required for WASPreAuth Filter*
> >
> > @Bean
> >
> > public AuthenticationProvider *websphereAuthenticationProvider*() {
> >
> >
> >
> > return new *AuthenticationProvider*() {
> >
> >
> >
> > @Override
> >
> > public Authentication *authenticate*(Authentication
> > authentication) throws AuthenticationException {
> >
> >
> >
> > String groupName = "AD Group name";
> >
> > PreAuthenticatedAuthenticationToken preAuthToken = new
> > *PreAuthenticatedAuthenticationToken*(authentication.*getPrincipal*(),
> > authentication.*getCredentials*());
> >
> >
> >
> > try {
> >
> >
> >
> > Subject subject = WSSubject.*getCallerSubject*();
> >
> > Optional<Principal> principal =
> subject.*getPrincipals*
> > ().*stream*().*findFirst*();
> >
> > if (principal.*isPresent*()) {
> >
> > log.*debug*("principal = " + principal.*get*().
> > *getName*());
> >
> > }
> >
> > Optional<WSCredential> credentialStream = subject.
> > *getPublicCredentials*(WSCredential.class).*stream*().*findFirst*();
> >
> >
> >
> > List<GrantedAuthority> authorities = new
> ArrayList<>();
> >
> >
> >
> > Stream<String> groupIds = credentialStream.*get*().
> > *getGroupIds*().*stream*();
> >
> >
> >
> > Optional<String> group = groupIds.*filter*(i -> i.
> > *contains*(groupName.*trim*())).*findFirst*();
> >
> > if (group.*isPresent*()) {
> >
> > log.*debug*("group found: " + group.*get*());
> >
> > authorities.*add*(new *SimpleGrantedAuthority*
> > ("ROLE_HASACCESS"));
> >
> > } else {
> >
> > log.*debug*("Group not found");
> >
> > }
> >
> > preAuthToken = new
> > *PreAuthenticatedAuthenticationToken*
> > (principal.*get*(), credentialStream.*get*(), authorities);
> >
> >
> >
> > }
> >
> > catch (WSSecurityException e) {
> >
> > log.*error*(e.*getMessage*(), e);
> >
> > } catch (CredentialExpiredException e) {
> >
> > log.*error*(e.*getMessage*(), e);
> >
> > }
> >
> >
> >
> > return preAuthToken;
> >
> > }
> >
> >
> >
> > @Override
> >
> > public boolean *supports*(Class<?> authentication) {
> >
> >
> >
> > return true;
> >
> > }
> >
> > };
> >
> > }
> >
> > }
> >
> >
> >
> > My HomePage class:
> >
> > *// @AuthorizeInstantiation("hasAccess") Commented out and using the
> > getHomePage logic*
> >
> > public class *SearchPage* extends *BasePage* {
> >
> >
> >
> > private IModel<AppSearchCriteria> searchCriteriaIModel = new
> > Model<>(new *AppSearchCriteria*());
> >
> > private boolean showSearchResults = false;
> >
> >
> >
> >
> >
> > public *SearchPage*() {
> >
> > super();
> >
> > log.*debug*("SearchPage()");
> >
> > }
> >
> >
> >
> > public *SearchPage*(IModel<AppSearchCriteria> model) {
> >
> > super();
> >
> > log.*debug*("SearchPage(model)");
> >
> > searchCriteriaIModel = model;
> >
> > }
> >
> >
> >
> > @Override
> >
> > protected void *onInitialize*() {
> >
> > super.*onInitialize*();
> >
> > log.*debug*("SearchPage.init()");
> >
> > Form<AppSearchCriteria> form = new Form<>("form",
> > searchCriteriaIModel);
> >
> > log.*debug*("form created");
> >
> > form.*type*(FormType.Horizontal);
> >
> > *add*(form);
> >
> > log.*debug*("form added");
> >
> > log.*debug*("SearchPage.init() done");
> >
> > }
> >
> > }
> >
> >
> >
> > From the WebApplication class:
> >
> > @Override
> >
> > public Class<? extends Page> *getHomePage*() {
> >
> > log.*debug*("getHomePage()");
> >
> > AppWebSession session = (AppWebSession)AppWebSession.*get*();
> >
> > log.*debug*("Determine which page to show ...");
> >
> > // This principal that is output is correct.
> >
> > log.*debug*("SecurityContextHolder principal: " +
> > SecurityContextHolder.*getContext*().*getAuthentication*().*getPrincipal*
> > ());
> >
> >
> >
> > if (session != null) {
> >
> > if (session.*isSignedIn*()) {
> >
> > log.*debug*("signed in - returning
> > SearchPage"); <-- I do see this output in the logs
> >
> > return SearchPage.class;
> >
> > } else {
> >
> > log.*debug*("session not signed in - returning
> > NotAuthorized");
> >
> > return NotAuthorized.class;
> >
> > }
> >
> > } else {
> >
> > log.*debug*("session is NULL - returning NotAuthorized");
> >
> > return NotAuthorized.class;
> >
> > }
> >
> > }
> >
>
>
> --
> Regards - Ernesto Reinaldo Barreiro
>
