I created an unauthenticated home page and return that in my getHomePage. That works - the home page displays. As soon as I add a link to the home page to go to the search page, the home page does not load and I have the continuous authentication loop. I don't have any security on the home page surrounding the link.
Sorry for the bad code formatting. I'm not sure what happened. I also don't know where all the '*' came from.

Chris

On Friday, April 4, 2025, Ernesto Reinaldo Barreiro <reier...@gmail.com> wrote:

> I didn't look at your code...but I guess you need to redirect to a not
> protected page when users try to access your app. If the home page is
> protected then redirecting to it will trigger another redirect....
>
> On Fri, Apr 4, 2025 at 3:37 AM Chris Whitcomb <chrswhitc...@gmail.com> wrote:
>
> > I have a wicket 8 application that is using Spring security (Spring Boot
> > 2.1.10) and is deployed on WebSphere traditional 8.5.5.x. WAS is connected
> > to an LDAP. This application uses the J2EE (WAS) security. The server
> > does have Kerberos configured.
> >
> > I know WAS 8.5.5 does not officially support Spring boot 2.1.10 and Wicket
> > 8. However, I have deployed this to a local WAS without the Kerberos
> > configured and it works. This local WAS prompts for login. I do
> > understand this could be a version problem.
> >
> > We would like the application to use the current Windows user to
> > automatically log in (no login prompt to the user).
> >
> > When hitting the URL in the logs we see the application loops a number of
> > times and each time it loops, it creates a session. I'm not sure where or
> > why the session is being created. Eventually the browser shows the error
> > 'too many redirects'. I have seen 20 – 30 sessions created before it
> > stops. I have set the Spring SessionCreationPolicy to each option and the
> > behavior did not change.
> >
> > I want to secure the homepage – only users in a specific group should be
> > able to access the home page. If they are not in the group, they should
> > get redirected to an access denied page. Since we are having problems, I
> > have modified the code to show the page if the user is authenticated. Once
> > we get that working, we will add in the group membership.
> >
> > I have tried setting the role in the WebSession and then using
> > @AuthorizeInstantiation("role").
> >
> > I have also tried returning the page to display in the WebApplication class
> > depending on if the user is signed in or not.
> >
> > Both just loop until it gives up.
> >
> > I do see all the output from the home page (SearchPage class) init, but
> > then it loops and starts over.
> >
> > Code below:
> >
> > I do have a web.xml with a security constraint as it seems WebSphere needs
> > this otherwise we don't get a principal at all.
> >
> >     <security-constraint>
> >         <web-resource-collection>
> >             <web-resource-name>User</web-resource-name>
> >             <url-pattern>/*</url-pattern>
> >         </web-resource-collection>
> >         <auth-constraint>
> >             <role-name>AllAuthenticated</role-name>
> >         </auth-constraint>
> >     </security-constraint>
> >
> >     <!-- Security roles used in the application -->
> >     <security-role>
> >         <role-name>AllAuthenticated</role-name>
> >     </security-role>
> >
> > My WebSession class:
> >
> >     public class AppWebSession extends AbstractAuthenticatedWebSession {
> >
> >         public volatile boolean signedIn;
> >
> >         public AppWebSession(Request request) {
> >             super(request);
> >             init();
> >         }
> >
> >         private void init() {
> >             Injector.get().inject(this);
> >             log.debug("Session Injected.");
> >         }
> >
> >         public static AppWebSession get() {
> >             return (AppWebSession) Session.get();
> >         }
> >
> >         @Override
> >         public Roles getRoles() {
> >             log.debug("getRoles()");
> >
> >             Roles roles = new Roles();
> >
> >             if (AppWebSession.get().isSignedIn()) {
> >                 // Because we are having problems, just set the role if
> >                 // isSignedIn = true. Later, we will set the roles based on
> >                 // group membership.
> >                 roles.add("HASACCESS");
> >             }
> >
> >             return roles;
> >         }
> >
> >         @Override
> >         public boolean isSignedIn() {
> >             signedIn = SecurityContextHolder.getContext().getAuthentication().isAuthenticated();
> >             log.debug("signedIn -> " + signedIn); // This shows 'true'.
> >             return signedIn;
> >         }
> >     }
> >
> > My SecurityConfig class:
> >
> >     @Configuration
> >     @EnableWebSecurity(debug = true)
> >     public class AppSecurityConfig extends WebSecurityConfigurerAdapter {
> >
> >         private WebSpherePreAuthenticatedProcessingFilter wasPreAuthFilter =
> >                 new WebSpherePreAuthenticatedProcessingFilter();
> >
> >         @Override
> >         protected void configure(HttpSecurity http) throws Exception {
> >             wasPreAuthFilter.setAuthenticationManager(authenticationManager());
> >             http
> >                 .addFilter(wasPreAuthFilter)
> >                 .authorizeRequests()
> >                 .anyRequest().permitAll();
> >         }
> >
> >         @Override
> >         protected void configure(AuthenticationManagerBuilder auth) throws Exception {
> >             auth.authenticationProvider(websphereAuthenticationProvider());
> >         }
> >
> >         // Required for WASPreAuth Filter
> >         @Bean
> >         public AuthenticationProvider websphereAuthenticationProvider() {
> >
> >             return new AuthenticationProvider() {
> >
> >                 @Override
> >                 public Authentication authenticate(Authentication authentication)
> >                         throws AuthenticationException {
> >
> >                     String groupName = "AD Group name";
> >                     PreAuthenticatedAuthenticationToken preAuthToken =
> >                             new PreAuthenticatedAuthenticationToken(
> >                                     authentication.getPrincipal(),
> >                                     authentication.getCredentials());
> >
> >                     try {
> >                         Subject subject = WSSubject.getCallerSubject();
> >                         Optional<Principal> principal = subject.getPrincipals().stream().findFirst();
> >                         if (principal.isPresent()) {
> >                             log.debug("principal = " + principal.get().getName());
> >                         }
> >                         Optional<WSCredential> credentialStream =
> >                                 subject.getPublicCredentials(WSCredential.class).stream().findFirst();
> >
> >                         // Guard the Optional.get() calls below: without a caller
> >                         // principal and a WSCredential on the subject there is
> >                         // nothing to build authorities from.
> >                         if (!principal.isPresent() || !credentialStream.isPresent()) {
> >                             log.debug("No caller principal/credential on the WAS subject");
> >                             return preAuthToken;
> >                         }
> >
> >                         List<GrantedAuthority> authorities = new ArrayList<>();
> >
> >                         Stream<String> groupIds = credentialStream.get().getGroupIds().stream();
> >
> >                         Optional<String> group =
> >                                 groupIds.filter(i -> i.contains(groupName.trim())).findFirst();
> >                         if (group.isPresent()) {
> >                             log.debug("group found: " + group.get());
> >                             authorities.add(new SimpleGrantedAuthority("ROLE_HASACCESS"));
> >                         } else {
> >                             log.debug("Group not found");
> >                         }
> >                         preAuthToken = new PreAuthenticatedAuthenticationToken(
> >                                 principal.get(), credentialStream.get(), authorities);
> >
> >                     } catch (WSSecurityException e) {
> >                         log.error(e.getMessage(), e);
> >                     } catch (CredentialExpiredException e) {
> >                         log.error(e.getMessage(), e);
> >                     }
> >
> >                     return preAuthToken;
> >                 }
> >
> >                 @Override
> >                 public boolean supports(Class<?> authentication) {
> >                     return true;
> >                 }
> >             };
> >         }
> >     }
> >
> > My HomePage class:
> >
> >     // @AuthorizeInstantiation("hasAccess") Commented out and using the getHomePage logic
> >     public class SearchPage extends BasePage {
> >
> >         private IModel<AppSearchCriteria> searchCriteriaIModel =
> >                 new Model<>(new AppSearchCriteria());
> >         private boolean showSearchResults = false;
> >
> >         public SearchPage() {
> >             super();
> >             log.debug("SearchPage()");
> >         }
> >
> >         public SearchPage(IModel<AppSearchCriteria> model) {
> >             super();
> >             log.debug("SearchPage(model)");
> >             searchCriteriaIModel = model;
> >         }
> >
> >         @Override
> >         protected void onInitialize() {
> >             super.onInitialize();
> >             log.debug("SearchPage.init()");
> >             Form<AppSearchCriteria> form = new Form<>("form", searchCriteriaIModel);
> >             log.debug("form created");
> >             form.type(FormType.Horizontal);
> >             add(form);
> >             log.debug("form added");
> >             log.debug("SearchPage.init() done");
> >         }
> >     }
> >
> > From the WebApplication class:
> >
> >     @Override
> >     public Class<? extends Page> getHomePage() {
> >         log.debug("getHomePage()");
> >         AppWebSession session = (AppWebSession) AppWebSession.get();
> >         log.debug("Determine which page to show ...");
> >         // This principal that is output is correct.
> >         log.debug("SecurityContextHolder principal: "
> >                 + SecurityContextHolder.getContext().getAuthentication().getPrincipal());
> >
> >         if (session != null) {
> >             if (session.isSignedIn()) {
> >                 log.debug("signed in - returning SearchPage"); // I do see this output in the logs
> >                 return SearchPage.class;
> >             } else {
> >                 log.debug("session not signed in - returning NotAuthorized");
> >                 return NotAuthorized.class;
> >             }
> >         } else {
> >             log.debug("session is NULL - returning NotAuthorized");
> >             return NotAuthorized.class;
> >         }
> >     }
>
> --
> Regards - Ernesto Reinaldo Barreiro
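Ernesto's point, that the page a denied user is sent to must not itself be protected, written out against the Wicket 8 auth-roles API as an added example (this is not code from the thread). It reuses the class names SearchPage, NotAuthorized and AppWebSession from Chris's post, assumes NotAuthorized is a plain page with no authorization annotation, and assumes a fixed home page instead of the session-dependent getHomePage(); the SecurityContext is assumed to be filled earlier by the WebSphere pre-authentication filter shown in the thread.

```java
import org.apache.wicket.Page;
import org.apache.wicket.authroles.authentication.AbstractAuthenticatedWebSession;
import org.apache.wicket.authroles.authentication.AuthenticatedWebApplication;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.authroles.authorization.strategies.role.annotations.AuthorizeInstantiation;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.request.Request;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Added example, not code from the thread. Pages are nested so the file compiles alone.
public class AppApplication extends AuthenticatedWebApplication {
    // The only protected page: Wicket checks the HASACCESS role when instantiating it.
    @AuthorizeInstantiation("HASACCESS")
    public static class SearchPage extends WebPage {}
    // Assumed: no annotation, so a redirect here cannot trigger another check and loop.
    public static class NotAuthorized extends WebPage {}

    public static class AppWebSession extends AbstractAuthenticatedWebSession {
        public AppWebSession(Request request) { super(request); }

        @Override
        public boolean isSignedIn() {
            // SecurityContext is populated earlier by the WebSphere pre-auth filter.
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            return auth != null && auth.isAuthenticated();
        }

        @Override
        public Roles getRoles() {
            Roles roles = new Roles();
            if (isSignedIn()) { // map Spring's ROLE_HASACCESS onto the Wicket role
                SecurityContextHolder.getContext().getAuthentication().getAuthorities().stream()
                    .filter(a -> "ROLE_HASACCESS".equals(a.getAuthority()))
                    .findFirst().ifPresent(a -> roles.add("HASACCESS"));
            }
            return roles;
        }
    }

    @Override // home page is fixed; the role check, not a per-session class switch, decides access
    public Class<? extends Page> getHomePage() { return SearchPage.class; }
    @Override
    protected Class<? extends AbstractAuthenticatedWebSession> getWebSessionClass() { return AppWebSession.class; }
    @Override // where not-signed-in users land; must itself be unprotected
    protected Class<? extends WebPage> getSignInPageClass() { return NotAuthorized.class; }
    @Override
    protected void init() {
        super.init();
        getApplicationSettings().setAccessDeniedPage(NotAuthorized.class); // signed in but lacking the role
    }
}
```

With this arrangement an unauthenticated request to SearchPage is intercepted once and ends on NotAuthorized, and an authenticated user without ROLE_HASACCESS is shown the same unprotected page rather than being bounced back to a home page that repeats the check.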