hst-springsec 1.1.2 for site authentication using Hippo 11.0.2


Riaz Tai

Oct 20, 2016, 10:09:37 AM
to Hippo Community
Hi,

Not sure if this is the correct forum to discuss hst-springsec or the https://forge.onehippo.org site.

Nevertheless, we have been using hst-springsec for authenticating users on our website. The channel manager would also allow users to log into the site and then render the homepage.
Now that we have upgraded to Hippo 11.0.2, the channel manager is throwing an exception after site login when we try to redirect to the homepage. After spending some time debugging, I've identified the cause of the issue.

When we log in to the CMS there is a new HSTSESSIONID cookie that is created. When we access the site via the Channel Manager, a JSESSIONID cookie is returned. The HttpSession that this JSESSIONID corresponds to has a CmsSessionContext attribute that identifies the CMS user, among other things. When we log in to the site, the Spring Security SessionFixationProtectionStrategy invalidates the existing HttpSession and creates a new one, returning a new JSESSIONID. It copies over session attributes, but as the CmsSessionContextImpl receives notification about the HttpSession invalidation, it correctly detaches itself from the HttpSession. So when the session attributes are copied over, the CmsSessionContext can no longer identify the CMS user, and the CmsSecurityValve throws a NullPointerException at line 144, as cmsSessionContext.getRepositoryCredentials() returns null.

Just wondering whether anyone has encountered a similar issue?

Thanks
Riaz

Woonsan Ko

Oct 20, 2016, 10:16:15 AM
to hippo-c...@googlegroups.com
Hi Riaz,

Do you have some bypassing patterns like the following [1]?

  <!-- Channel Manager requests may bypass authentication -->
  <http pattern="/_rp/**" security="none"/>
  <http pattern="/_cmsrest/**" security="none"/>
  <http pattern="/_cmsinternal/**" security="none"/>

What we normally have done is simply to exclude any requests to channel manager preview URLs in spring security because channel manager prohibits access from non-CMS-authenticated users already.
If you have those bypassing patterns already, one can be suspicious if there's any new request URL pattern from channel manager in v11. In that case, we'll need to add more patterns there.

Regards,

Woonsan



--
Hippo Community Group: The place for all discussions and announcements about Hippo CMS (and HST, repository etc. etc.)
 
To post to this group, send email to hippo-community@googlegroups.com
RSS: https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50
---
You received this message because you are subscribed to the Google Groups "Hippo Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to hippo-community+unsubscribe@googlegroups.com.
Visit this group at https://groups.google.com/group/hippo-community.
For more options, visit https://groups.google.com/d/optout.



--
w....@onehippo.com     www.onehippo.com
Boston - 745 Atlantic Ave, 8th Floor, Boston MA 02111
Amsterdam - Oosteinde 11, 1017 WT Amsterdam
US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466

Riaz Tai

Oct 20, 2016, 10:25:33 AM
to Hippo Community
Hi Woonsan,

Yes, we have those patterns, except that /_cmsinternal is configured as:

  <intercept-url pattern="/_cmsinternal/**" access="permitAll" />

This is due to the way site authentication works as it doesn't use Hippo users for authentication.



Riaz Tai

Oct 21, 2016, 4:26:14 AM
to Hippo Community
Hi Woonsan,

I have managed to resolve the issue by implementing a custom SessionAuthenticationStrategy that delegates to the default SessionFixationProtectionStrategy for the site but not for the cms.

Seems to work fine.

Regards
Riaz
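
One way to build the strategy Riaz describes, as an added example that is not code from the thread or from hst-springsec: a SessionAuthenticationStrategy that delegates to Spring Security's SessionFixationProtectionStrategy for ordinary site visitors but leaves the session alone for Channel Manager requests, so the CmsSessionContext attached to that session is not detached by the invalidation. It assumes, based on the /_cmsinternal/** pattern in the thread's configuration, that Channel Manager preview requests arrive under that path prefix; the class and method names are the example's own.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

/**
 * Rotates the HttpSession on site login (session-fixation protection) but
 * skips the rotation for Channel Manager preview requests, whose session
 * carries the CMS user's CmsSessionContext and must survive the login.
 */
public class ChannelManagerAwareSessionStrategy implements SessionAuthenticationStrategy {

    // Assumption: Channel Manager preview requests are served under this prefix,
    // matching the /_cmsinternal/** pattern from the thread's Spring Security config.
    private static final String CMS_INTERNAL_PREFIX = "/_cmsinternal";

    private final SessionAuthenticationStrategy siteDelegate;

    public ChannelManagerAwareSessionStrategy() {
        // Default delegate: the standard Spring Security behaviour for site visitors.
        this(new SessionFixationProtectionStrategy());
    }

    ChannelManagerAwareSessionStrategy(SessionAuthenticationStrategy siteDelegate) {
        this.siteDelegate = siteDelegate;
    }

    @Override
    public void onAuthentication(Authentication authentication,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        if (isChannelManagerRequest(request)) {
            // CMS-originated request: keep the existing session so the
            // CmsSessionContext stays attached and CmsSecurityValve can resolve it.
            return;
        }
        // Ordinary site login: invalidate and recreate the session as usual.
        siteDelegate.onAuthentication(authentication, request, response);
    }

    static boolean isChannelManagerRequest(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path = path + request.getPathInfo();
        }
        return path.equals(CMS_INTERNAL_PREFIX) || path.startsWith(CMS_INTERNAL_PREFIX + "/");
    }
}
```

Register the bean and reference it from `<session-management session-authentication-strategy-ref="..."/>` in the site's Spring Security configuration; site visitors keep full session-fixation protection, and only requests the Channel Manager already restricts to CMS-authenticated users are exempted.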

Woonsan Ko

Oct 21, 2016, 7:53:40 AM
to hippo-c...@googlegroups.com
Hi Riaz,

That's great!
It sounds like we have a problem in spring-security integration when visited through channel manager (maybe due to security enhancements).
I'd like to have a fix in the forge module as well. I'll try to reproduce the issue and follow your path. Thanks a lot for the hint!

Regards,

Woonsan (Sent from my iPhone)