I created an unauthenticated home page and return that in my getHomePage.
That works - the home page displays.  As soon as I add a link to the home
page to go to the search page, the home page does not load and I have the
continuous authentication loop.  I don't have any security on the home page
surrounding the link.

Sorry for the bad code formatting.  I'm not sure what happened.  I also
don't know where all the '*' came from.

Chris


On Friday, April 4, 2025, Ernesto Reinaldo Barreiro <reier...@gmail.com>
wrote:

> I didn't look at your code...but I guess you need to redirect to a not
> protected page when users try to access your app. If the home page is
> protected then redirecting to it will trigger another redirect....
>
>
>
> On Fri, Apr 4, 2025 at 3:37 AM Chris Whitcomb <chrswhitc...@gmail.com>
> wrote:
>
> > I have a wicket 8 application that is using Spring security (Spring Boot
> > 2.1.10) and is deployed on WebSphere traditional 8.5.5.x.  WAS is connected
> > to an LDAP.  This application uses the J2EE (WAS) security.  The server
> > does have Kerberos configured.
> >
> > I know WAS 8.5.5 does not officially support Spring boot 2.1.10 and Wicket
> > 8.  However, I have deployed this to a local WAS without the Kerberos
> > configured and it works.  This local WAS prompts for login.  I do
> > understand this could be a version problem.
> >
> >
> >
> > We would like the application to use the current Windows user to
> > automatically log in (no login prompt to the user).
> >
> >
> >
> > When hitting the URL in the logs we see the application loops a number of
> > times and each time it loops, it creates a session.  I'm not sure where or
> > why the session is being created.  Eventually the browser shows the error
> > 'too many redirects'.  I have seen 20 - 30 sessions created before it
> > stops.  I have set the Spring SessionCreationPolicy to each option and the
> > behavior did not change.
> >
> >
> >
> > I want to secure the homepage - only users in a specific group should be
> > able to access the home page.  If they are not in the group, they should
> > get redirected to an access denied page.  Since we are having problems, I
> > have modified the code to show the page if the user is authenticated.  Once
> > we get that working, we will add in the group membership.
> >
> >
> >
> > I have tried setting the role in the WebSession and then using
> > @AuthorizeInstantiation("role").
> >
> > I have also tried returning the page to display in the WebApplication class
> > depending on if the user is signed in or not.
> >
> > Both just loop until it gives up.
> >
> > I do see all the output from the home page (SearchPage class) init, but
> > then it loops and starts over.
> >
> >
> >
> > Code below:
> >
> >
> >
> > I do have a web.xml with a security constraint as it seems WebSphere needs
> > this otherwise we don't get a principal at all.
> >
> >     <security-constraint>
> >         <web-resource-collection>
> >             <web-resource-name>User</web-resource-name>
> >             <url-pattern>/*</url-pattern>
> >         </web-resource-collection>
> >         <auth-constraint>
> >             <role-name>AllAuthenticated</role-name>
> >         </auth-constraint>
> >     </security-constraint>
> >     <!-- Security roles used in the application -->
> >     <security-role>
> >         <role-name>AllAuthenticated</role-name>
> >     </security-role>
> >
> >
> >
> > My WebSession class:
> >
> > import org.apache.wicket.Session;
> > import org.apache.wicket.authroles.authentication.AbstractAuthenticatedWebSession;
> > import org.apache.wicket.authroles.authorization.strategies.role.Roles;
> > import org.apache.wicket.injection.Injector;
> > import org.apache.wicket.request.Request;
> > import org.slf4j.Logger;
> > import org.slf4j.LoggerFactory;
> > import org.springframework.security.core.Authentication;
> > import org.springframework.security.core.context.SecurityContextHolder;
> >
> > public class AppWebSession extends AbstractAuthenticatedWebSession {
> >
> >     private static final Logger log = LoggerFactory.getLogger(AppWebSession.class);
> >
> >     public volatile boolean signedIn;
> >
> >     public AppWebSession(Request request) {
> >         super(request);
> >         init();
> >     }
> >
> >     private void init() {
> >         // Requires an injector (e.g. SpringComponentInjector) to be registered in the application.
> >         Injector.get().inject(this);
> >         log.debug("Session Injected.");
> >     }
> >
> >     public static AppWebSession get() {
> >         return (AppWebSession) Session.get();
> >     }
> >
> >     @Override
> >     public Roles getRoles() {
> >         log.debug("getRoles()");
> >         Roles roles = new Roles();
> >         if (AppWebSession.get().isSignedIn()) {
> >             // Because we are having problems, just set the role if
> >             // isSignedIn = true.  Later, we will set the roles based on group
> >             // membership.
> >             // Wicket compares role names case-sensitively, so this string must
> >             // match the value used in @AuthorizeInstantiation exactly.
> >             roles.add("HASACCESS");
> >         }
> >         return roles;
> >     }
> >
> >     @Override
> >     public boolean isSignedIn() {
> >         // getAuthentication() is null when nothing has populated the security
> >         // context on this thread; treat that as "not signed in" instead of an NPE.
> >         Authentication auth = SecurityContextHolder.getContext().getAuthentication();
> >         signedIn = auth != null && auth.isAuthenticated();
> >         log.debug("signedIn -> " + signedIn);   // <-- This shows 'true'.
> >         return signedIn;
> >     }
> > }
> >
> >
> >
> >
> >
> > My SecurityConfig class:
> >
> > import java.security.Principal;
> > import java.util.ArrayList;
> > import java.util.List;
> > import java.util.Optional;
> > import java.util.stream.Stream;
> > import javax.security.auth.Subject;
> > import javax.security.auth.login.CredentialExpiredException;
> > import com.ibm.websphere.security.WSSecurityException;
> > import com.ibm.websphere.security.auth.WSSubject;
> > import com.ibm.websphere.security.cred.WSCredential;
> > import org.slf4j.Logger;
> > import org.slf4j.LoggerFactory;
> > import org.springframework.context.annotation.Bean;
> > import org.springframework.context.annotation.Configuration;
> > import org.springframework.security.authentication.AuthenticationProvider;
> > import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> > import org.springframework.security.config.annotation.web.builders.HttpSecurity;
> > import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
> > import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
> > import org.springframework.security.core.Authentication;
> > import org.springframework.security.core.AuthenticationException;
> > import org.springframework.security.core.GrantedAuthority;
> > import org.springframework.security.core.authority.SimpleGrantedAuthority;
> > import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
> > import org.springframework.security.web.authentication.preauth.websphere.WebSpherePreAuthenticatedProcessingFilter;
> >
> > @Configuration
> > @EnableWebSecurity(debug = true)
> > public class AppSecurityConfig extends WebSecurityConfigurerAdapter {
> >
> >     private static final Logger log = LoggerFactory.getLogger(AppSecurityConfig.class);
> >
> >     private WebSpherePreAuthenticatedProcessingFilter wasPreAuthFilter =
> >             new WebSpherePreAuthenticatedProcessingFilter();
> >
> >     @Override
> >     protected void configure(HttpSecurity http) throws Exception {
> >         wasPreAuthFilter.setAuthenticationManager(authenticationManager());
> >         http
> >             .addFilter(wasPreAuthFilter)
> >             .authorizeRequests()
> >             .anyRequest().permitAll();
> >     }
> >
> >     @Override
> >     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
> >         auth.authenticationProvider(websphereAuthenticationProvider());
> >     }
> >
> >     // Required for WASPreAuth Filter
> >     @Bean
> >     public AuthenticationProvider websphereAuthenticationProvider() {
> >         return new AuthenticationProvider() {
> >
> >             @Override
> >             public Authentication authenticate(Authentication authentication)
> >                     throws AuthenticationException {
> >                 String groupName = "AD Group name";
> >                 // Two-argument token: not yet marked authenticated, no authorities.
> >                 PreAuthenticatedAuthenticationToken preAuthToken =
> >                         new PreAuthenticatedAuthenticationToken(authentication.getPrincipal(),
> >                                 authentication.getCredentials());
> >                 try {
> >                     Subject subject = WSSubject.getCallerSubject();
> >                     Optional<Principal> principal = subject.getPrincipals().stream().findFirst();
> >                     if (principal.isPresent()) {
> >                         log.debug("principal = " + principal.get().getName());
> >                     }
> >                     Optional<WSCredential> credential =
> >                             subject.getPublicCredentials(WSCredential.class).stream().findFirst();
> >                     // Without a principal and a WSCredential there are no groups to map;
> >                     // hand back the unauthenticated token instead of calling get() on an empty Optional.
> >                     if (!principal.isPresent() || !credential.isPresent()) {
> >                         log.debug("No principal or WSCredential on the caller subject");
> >                         return preAuthToken;
> >                     }
> >
> >                     List<GrantedAuthority> authorities = new ArrayList<>();
> >                     Stream<String> groupIds = credential.get().getGroupIds().stream();
> >                     // contains() is a substring match, so any group id that embeds groupName
> >                     // also matches; compare the full group id once the membership check is real.
> >                     Optional<String> group =
> >                             groupIds.filter(i -> i.contains(groupName.trim())).findFirst();
> >                     if (group.isPresent()) {
> >                         log.debug("group found: " + group.get());
> >                         authorities.add(new SimpleGrantedAuthority("ROLE_HASACCESS"));
> >                     } else {
> >                         log.debug("Group not found");
> >                     }
> >                     // Three-argument token: marked authenticated, carrying the mapped authorities.
> >                     preAuthToken = new PreAuthenticatedAuthenticationToken(
> >                             principal.get(), credential.get(), authorities);
> >                 } catch (WSSecurityException e) {
> >                     log.error(e.getMessage(), e);
> >                 } catch (CredentialExpiredException e) {
> >                     log.error(e.getMessage(), e);
> >                 }
> >                 return preAuthToken;
> >             }
> >
> >             @Override
> >             public boolean supports(Class<?> authentication) {
> >                 // Accepts every Authentication type handed to the manager.
> >                 return true;
> >             }
> >         };
> >     }
> > }
> >
> >
> >
> > My HomePage class:
> >
> > // @AuthorizeInstantiation("hasAccess")  Commented out and using the
> > // getHomePage logic
> > // Note: "hasAccess" differs in case from the "HASACCESS" role added in
> > // AppWebSession.getRoles(); Wicket's role check is case-sensitive.
> > public class SearchPage extends BasePage {
> >
> >     private IModel<AppSearchCriteria> searchCriteriaIModel =
> >             new Model<>(new AppSearchCriteria());
> >     private boolean showSearchResults = false;
> >
> >     public SearchPage() {
> >         super();
> >         log.debug("SearchPage()");
> >     }
> >
> >     public SearchPage(IModel<AppSearchCriteria> model) {
> >         super();
> >         log.debug("SearchPage(model)");
> >         searchCriteriaIModel = model;
> >     }
> >
> >     @Override
> >     protected void onInitialize() {
> >         super.onInitialize();
> >         log.debug("SearchPage.init()");
> >         Form<AppSearchCriteria> form = new Form<>("form", searchCriteriaIModel);
> >         log.debug("form created");
> >         form.type(FormType.Horizontal);
> >         add(form);
> >         log.debug("form added");
> >         log.debug("SearchPage.init() done");
> >     }
> > }
> >
> >
> >
> > From the WebApplication class:
> >
> >     @Override
> >     public Class<? extends Page> getHomePage() {
> >         log.debug("getHomePage()");
> >         AppWebSession session = AppWebSession.get();
> >         log.debug("Determine which page to show ...");
> >         // This principal that is output is correct.
> >         log.debug("SecurityContextHolder principal: " +
> >                 SecurityContextHolder.getContext().getAuthentication().getPrincipal());
> >
> >         if (session != null) {
> >             if (session.isSignedIn()) {
> >                 log.debug("signed in - returning SearchPage");   // <-- I do see this output in the logs
> >                 return SearchPage.class;
> >             } else {
> >                 log.debug("session not signed in - returning NotAuthorized");
> >                 return NotAuthorized.class;
> >             }
> >         } else {
> >             log.debug("session is NULL - returning NotAuthorized");
> >             return NotAuthorized.class;
> >         }
> >     }
> >
>
>
> --
> Regards - Ernesto Reinaldo Barreiro
>
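To illustrate Ernesto's point about the redirect target, here is an added example (not code from the thread or from the Wicket project) of the loop-free arrangement with `AuthenticatedWebApplication`: `getHomePage()` returns a fixed class, the role check sits on the page itself, and every page Wicket redirects to when that check fails carries no protection of its own. `AppApplication` is an assumed name; `AppWebSession`, `SearchPage` and `NotAuthorized` are the names used in the thread, and the `AppWebSession` shown above is reused as-is.

```java
import org.apache.wicket.Page;
import org.apache.wicket.RestartResponseException;
import org.apache.wicket.authroles.authentication.AbstractAuthenticatedWebSession;
import org.apache.wicket.authroles.authentication.AuthenticatedWebApplication;
import org.apache.wicket.authroles.authorization.strategies.role.annotations.AuthorizeInstantiation;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.spring.injection.annot.SpringComponentInjector;

// Assumed application class name; AppWebSession is the session class shown in the thread.
public class AppApplication extends AuthenticatedWebApplication {

    @Override
    protected void init() {
        super.init();
        // wicket-spring: registers the Injector that AppWebSession.init() relies on.
        getComponentInstantiationListeners().add(new SpringComponentInjector(this));
    }

    // Fixed home page: the role check lives on SearchPage, so the redirect target never
    // changes with session state.
    @Override
    public Class<? extends Page> getHomePage() {
        return SearchPage.class;
    }

    @Override
    protected Class<? extends AbstractAuthenticatedWebSession> getWebSessionClass() {
        return AppWebSession.class;
    }

    // Target for users who are not signed in. It carries no @AuthorizeInstantiation,
    // so the intercept redirect terminates here instead of bouncing back to the home page.
    @Override
    protected Class<? extends WebPage> getSignInPageClass() {
        return NotAuthorized.class;
    }

    // Signed in but missing the role: send to the same unprotected page rather than
    // letting Wicket throw UnauthorizedInstantiationException.
    @Override
    protected void onUnauthorizedPage(Page page) {
        throw new RestartResponseException(NotAuthorized.class);
    }
}

// Must match the string added in AppWebSession.getRoles() exactly; Roles is case-sensitive.
@AuthorizeInstantiation("HASACCESS")
class SearchPage extends WebPage { }

// Deliberately unannotated: protecting the redirect target is what produces "too many redirects".
class NotAuthorized extends WebPage { }
```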
