Pac4j Spring Security on Google App Engine


Faisal Mateen

Mar 18, 2015, 3:42:36 AM
to pac4j...@googlegroups.com
Hi All,
I am working on an application to migrate from OpenID to OAuth2 using Spring Security. I followed the demo implementation for pac4j.
Our application is hosted on GAE. I am injecting CustomizedUserDetailService into ClientAuthenticationProvider to assign roles to the user.
But I noticed the authenticate method of ClientAuthenticationProvider is never called, so loadUserDetails inside CustomizedUserDetailService will not be called either. However the user was successfully authenticated and returned to the application.
If I use the callback service then the AuthenticationToken is always Anonymous and can't be cast to ClientAuthenticationToken. Below are my security configurations. Can any of you please help me find out what is missing?

<?xml version="1.0" encoding="UTF-8"?>
<!-- namespaces for the beans and security elements used below -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

    <security:http auto-config="false" use-expressions="true"  access-denied-page="/denied"  >

       

        <security:intercept-url pattern="/auth/login" access="permitAll"/>
        <security:intercept-url pattern="/auth/oAuthCallback" access="permitAll"/>
       
        <security:intercept-url pattern="/contact/us" access="permitAll"/>
        <security:intercept-url pattern="/admin/auth/login" access="permitAll"/>

        <security:intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" />
        <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
        

        <security:intercept-url pattern="/starreg/auth/login" access="permitAll"/>
        <security:intercept-url pattern="/starreg" access="hasAnyRole('ROLE_CSP_ADMIN', 'ROLE_CSP_EVAL')" />
        <security:intercept-url pattern="/starreg/**"  access="hasAnyRole('ROLE_CSP_ADMIN', 'ROLE_CSP_EVAL')"  />

        <security:intercept-url pattern="/page/adminpages/*.jsp" access="hasRole('ROLE_ADMIN')" />
        <security:intercept-url pattern="/page/starregpages/*.jsp" access="hasAnyRole('ROLE_CSP_ADMIN', 'ROLE_CSP_EVAL')" />
        <security:intercept-url pattern="/page/*.jsp" access="isAuthenticated()" />

        <security:form-login
                login-page="/auth/login"
                authentication-failure-url="/auth/login?error=true"
                default-target-url="/"
                />

        <security:logout
                invalidate-session="true"
                logout-success-url="/page/logout.jsp"
                />

        <!--<security:logout />-->
        <security:custom-filter after="BASIC_AUTH_FILTER" ref="clientFilter" />
    </security:http>
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider  ref="clientProvider"  />
    </security:authentication-manager>

  

    <bean id="googleEntryPoint" class="org.pac4j.springframework.security.web.ClientAuthenticationEntryPoint">
    <property name="client" ref="googleClient" />
    </bean>

    
    <!-- clients definition -->
    <bean id="googleClient" class="org.pac4j.oauth.client.Google2Client">

        <property name="key" value="[KEY]" />
        <property name="secret" value="SECRET" />
        <property name="scope" value="EMAIL_AND_PROFILE" />
    </bean>

   

    <bean id="clients" class="org.pac4j.core.client.Clients">
        <property name="callbackUrl" value="http://localhost:8081/auth/oAuthCallback" />
        <property name="clients">
            <list>
                <ref bean="googleClient" />
            </list>
        </property>
    </bean>

    <!-- common to all clients -->
    <!-- note: the suffix passed here ("/callback") is not the path of the callbackUrl
         configured on the "clients" bean above ("/auth/oAuthCallback") -->
    <bean id="clientFilter" class="org.pac4j.springframework.security.web.ClientAuthenticationFilter">
        <constructor-arg value="/callback"/>
        <property name="clients" ref="clients" />
        <property name="sessionAuthenticationStrategy" ref="sas" />
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>
    <bean id="customAuthenticationUserDetailsService" class="csp.com.neupart.security.CustomAuthenticationUserDetailsService">
        <property name="cspUserDAO" ref="CSPUserDAO"></property>
    </bean>

    <bean id="clientProvider" class="csp.com.neupart.security.ClientAuthenticationProvider">

        <property name="userDetailsService" ref="customAuthenticationUserDetailsService"/>
        <property name="clients" ref="clients" />
    </bean>

    <bean id="httpSessionRequestCache" class="org.springframework.security.web.savedrequest.HttpSessionRequestCache" />

    <bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />
</beans>

Thanks in advance
Best Regards
Faisal Mateen

Jérôme LELEU

Mar 18, 2015, 4:45:38 AM
to Faisal Mateen, pac4j...@googlegroups.com
Hi,

It seems very strange to be authenticated without calling the authenticate method of the ClientAuthenticationProvider. We are not talking about the login form authentication, right?

Can you turn on DEBUG logs on org.pac4j?

Thanks.
Best regards,
Jérôme


--
You received this message because you are subscribed to the Google Groups "pac4j-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Faisal Mateen

Mar 18, 2015, 7:06:59 AM
to pac4j...@googlegroups.com, fma...@gmail.com

Thanks for your reply Jérôme. 

In the JSP page I have <a href="<%=google2Client.getRedirectAction(context, false, false).getLocation()%>">Authenticate with Google</a>, which correctly generates the authentication URL. So the user will be redirected to Google.

Can you please mention how to turn on debug logging in pac4j? I am trying log4j.logger.org.pac4j=DEBUG but it did not work.

Jérôme LELEU

Mar 18, 2015, 8:45:55 AM
to Faisal Mateen, pac4j...@googlegroups.com
Hi,

It depends on your logging framework. For the demo, I use logback: https://github.com/pac4j/spring-security-pac4j-demo/blob/master/src/main/resources/logback.xml#L9.

For log4j, log4j.logger.org.pac4j=DEBUG seems to be correct. Maybe you don't define the appropriate appender (http://logging.apache.org/log4j/1.2/manual.html).

Best regards,
Jérôme


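As an added example of the appender point Jérôme makes (this file is not from the thread or from the pac4j project), here is a complete log4j 1.2 configuration in its XML form. Placed on the classpath as log4j.xml, it is picked up automatically (log4j 1.2 looks for log4j.xml before log4j.properties), enables DEBUG for org.pac4j and for Spring Security's filter chain, and routes everything to a console appender; the pattern layout and the INFO root level are my choices.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<!-- Added example: classpath:log4j.xml for log4j 1.2 (not part of the original thread). -->
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">

    <!-- Without at least one appender the logger level alone prints nothing. -->
    <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender">
        <layout class="org.apache.log4j.PatternLayout">
            <!-- time, level, short logger name:line - message -->
            <param name="ConversionPattern" value="%d{HH:mm:ss,SSS} %-5p %c{1}:%L - %m%n"/>
        </layout>
    </appender>

    <!-- pac4j client / credentials / profile handling -->
    <logger name="org.pac4j">
        <level value="DEBUG"/>
    </logger>

    <!-- FilterChainProxy logs which filter fires for which URL, which is what
         shows whether ClientAuthenticationFilter handles the callback request. -->
    <logger name="org.springframework.security">
        <level value="DEBUG"/>
    </logger>

    <!-- Everything else stays at INFO; appenders attached here are inherited. -->
    <root>
        <level value="INFO"/>
        <appender-ref ref="CONSOLE"/>
    </root>
</log4j:configuration>
```

One caveat before leaving this on: FilterChainProxy's DEBUG line includes the full request URI with its query string, so the callback's code= parameter (the Google authorization code) lands in the log, as in the excerpt later in this thread. Use this for troubleshooting only, and treat the resulting log file as sensitive.
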
Faisal Mateen

Mar 18, 2015, 9:34:26 AM
to pac4j...@googlegroups.com
Log file is attached. Can you please have a look?
Do you have any sample application which is working on Google App Engine with pac4j and Spring Security?
Best Regards
Faisal Mateen
LogFile.txt

Faisal Mateen

Mar 19, 2015, 5:00:20 AM
to pac4j...@googlegroups.com
Hi Again,
Any update :-) ? 
I just deployed the demo application (i.e. spring-security-pac4j-demo-master) on Tomcat and no GAE is involved. Still I can see the authenticate method of the provider is never called. Because the google2Client bean is accessed directly in the JSP page, it generates the redirect URL correctly. However, in the callback code SecurityContextHolder.getContext().getAuthentication() will always return AnonymousAuthenticationToken instead of ClientAuthenticationToken.

Jérôme LELEU

Mar 19, 2015, 9:00:22 AM
to Faisal Mateen, pac4j...@googlegroups.com
Hi,

In fact, I was sleeping when your email arrived ;-)

I saw:

14:28:46,899 DEBUG FilterChainProxy:337 - /auth/oAuthCallback?client_name=Google2Client&code=4/_XMU9bxsUPaMxgpX35OiL7XADREuQnZ4PLqJEtUexvQ.EowiBJZQ8bsQrjMoGjtSfToM7CRamAI at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
14:28:46,899 DEBUG FilterChainProxy:337 - /auth/oAuthCallback?client_name=Google2Client&code=4/_XMU9bxsUPaMxgpX35OiL7XADREuQnZ4PLqJEtUexvQ.EowiBJZQ8bsQrjMoGjtSfToM7CRamAI at position 3 of 11 in additional filter chain; firing Filter: 'ClientAuthenticationFilter'
14:28:46,900 DEBUG FilterChainProxy:337 - /auth/oAuthCallback?client_name=Google2Client&code=4/_XMU9bxsUPaMxgpX35OiL7XADREuQnZ4PLqJEtUexvQ.EowiBJZQ8bsQrjMoGjtSfToM7CRamAI at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
14:28:46,900 DEBUG FilterChainProxy:337 - /auth/oAuthCallback?client_name=Google2Client&code=4/_XMU9bxsUPaMxgpX35OiL7XADREuQnZ4PLqJEtUexvQ.EowiBJZQ8bsQrjMoGjtSfToM7CRamAI at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'

The ClientAuthenticationFilter is never called. I guess your callback URL is not properly defined: did you specify /auth/oAuthCallback?

Thanks.
Best regards,
Jérôme


Faisal Mateen

Mar 19, 2015, 9:57:27 AM
to pac4j...@googlegroups.com
Thanks Jérôme,
I added PRE_AUTH_FILTER in my spring-security configs and it is working as it should :-).  
 
<security:custom-filter position="PRE_AUTH_FILTER" ref="clientFilter" />

Thanks again for your time and for providing an excellent implementation to integrate social logins.
Best Regards

Faisal Mateen
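
Pulling the thread's fix together as an added example (this is neither the poster's final configuration nor pac4j's demo): the pac4j filter sits at the PRE_AUTH_FILTER slot, as in the last post, and, following Jérôme's diagnosis of the log, the path handed to ClientAuthenticationFilter is the same path that Clients.callbackUrl ends with (the original passed "/callback" to the filter while the callback URL ended in /auth/oAuthCallback). The ${...} placeholders, the oauth.properties file and the PropertyPlaceholderConfigurer are my additions so the Google client secret does not live in the XML; CSPUserDAO and the two csp.com.neupart.security classes are taken from the original post and assumed to exist.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: consolidated Spring Security + pac4j wiring (not the original poster's file). -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Assumption: google.key, google.secret and app.baseUrl are read from
         classpath:oauth.properties, which is kept out of source control. -->
    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="location" value="classpath:oauth.properties"/>
    </bean>

    <security:http auto-config="false" use-expressions="true" access-denied-page="/denied">
        <!-- The callback must stay anonymous-accessible: the browser arrives here from Google
             before any role has been assigned. Remaining rules as in the original configuration. -->
        <security:intercept-url pattern="/auth/login" access="permitAll"/>
        <security:intercept-url pattern="/auth/oAuthCallback" access="permitAll"/>
        <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
        <security:intercept-url pattern="/starreg/**" access="hasAnyRole('ROLE_CSP_ADMIN', 'ROLE_CSP_EVAL')"/>
        <security:intercept-url pattern="/page/*.jsp" access="isAuthenticated()"/>

        <!-- The position that worked for the poster. -->
        <security:custom-filter position="PRE_AUTH_FILTER" ref="clientFilter"/>

        <security:form-login login-page="/auth/login"
                             authentication-failure-url="/auth/login?error=true"
                             default-target-url="/"/>
        <security:logout invalidate-session="true" logout-success-url="/page/logout.jsp"/>
    </security:http>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="clientProvider"/>
    </security:authentication-manager>

    <bean id="googleClient" class="org.pac4j.oauth.client.Google2Client">
        <property name="key" value="${google.key}"/>
        <property name="secret" value="${google.secret}"/>
        <property name="scope" value="EMAIL_AND_PROFILE"/>
    </bean>

    <!-- The path component of callbackUrl must equal the filter's constructor argument below;
         it must also match, character for character, the redirect URI registered with Google. -->
    <bean id="clients" class="org.pac4j.core.client.Clients">
        <property name="callbackUrl" value="${app.baseUrl}/auth/oAuthCallback"/>
        <property name="clients">
            <list>
                <ref bean="googleClient"/>
            </list>
        </property>
    </bean>

    <!-- Spring Security compares this value against the request URI after the context path,
         so it is the servlet-relative path only, with no scheme or host. -->
    <bean id="clientFilter" class="org.pac4j.springframework.security.web.ClientAuthenticationFilter">
        <constructor-arg value="/auth/oAuthCallback"/>
        <property name="clients" ref="clients"/>
        <property name="sessionAuthenticationStrategy" ref="sas"/>
        <property name="authenticationManager" ref="authenticationManager"/>
    </bean>

    <!-- Provider and user details service from the original post; CSPUserDAO is defined elsewhere. -->
    <bean id="clientProvider" class="csp.com.neupart.security.ClientAuthenticationProvider">
        <property name="userDetailsService" ref="customAuthenticationUserDetailsService"/>
        <property name="clients" ref="clients"/>
    </bean>
    <bean id="customAuthenticationUserDetailsService"
          class="csp.com.neupart.security.CustomAuthenticationUserDetailsService">
        <property name="cspUserDAO" ref="CSPUserDAO"/>
    </bean>

    <!-- New session id on successful login, so a session fixed before the redirect to Google is not kept. -->
    <bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"/>
</beans>
```

With this wiring the callback request is handled by ClientAuthenticationFilter, which calls the authentication manager, so ClientAuthenticationProvider.authenticate and the user details lookup run and the roles they assign are what the hasRole rules see; in the callback code SecurityContextHolder.getContext().getAuthentication() is then a ClientAuthenticationToken rather than the anonymous token. For local development app.baseUrl is http://localhost:8081, as in the original post; on GAE it is the deployed application's origin, and the same value has to be registered as the redirect URI in the Google console.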