Problems making Spring Security REST work with custom authentication provider


Pablo Pazos

Dec 6, 2015, 1:02:11 PM
to Spring Security REST
Hi group,

I have a project that works with a custom auth provider that lets users log in with username, password and an organization number. I created my own AuthFilter, AuthProvider and a UserPassOrgAuthToken.

This works like a charm logging in from the web.

Now I need to add security to my REST API under /rest/** and make the same kind of login user+pass+org work to get a JWT.

I installed the plugin, and set some configurations (https://github.com/ppazos/cabolabs-ehrserver/commit/1524ac56971f6e4a613ba1b6778d6fd3f6e368c0) but when I try to POST to /rest/login I get a 401 Unauthorized.

Also, I added some printlns on my provider and filter, and they don't seem to be executed at all (see the commit link above).


Please, if you see any misconfigurations, or have any pointers on how to make this work, all comments are very welcome!

Thanks,
Pablo.

Alvaro Sanchez-Mariscal

Dec 9, 2015, 7:02:46 AM
to Pablo Pazos, Spring Security REST
Hi Pablo,

The problem with your approach is that your filter is performing the authentication directly, hence not giving a chance to the Spring Security REST filter to get its job done. I don't think you need a filter at all, but to be able to better help you, please enable debug as specified in the documentation and paste here the output.

Cheers,
Alvaro.

--
Spring Security REST
http://alvarosanchez.github.io/grails-spring-security-rest/
---
You received this message because you are subscribed to the Google Groups "Spring Security REST" group.
To unsubscribe from this group and stop receiving emails from it, send an email to spring-security-...@googlegroups.com.
To post to this group, send email to spring-sec...@googlegroups.com.
Visit this group at http://groups.google.com/group/spring-security-rest.
To view this discussion on the web, visit https://groups.google.com/d/msgid/spring-security-rest/b0c9b906-220c-4a71-9dfb-ce1a37758862%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



Pablo Pazos

Dec 10, 2015, 10:55:16 AM
to Spring Security REST, pabl...@gmail.com
Thanks, Alvaro!

This is great output, it seems it is not matching my custom AuthFilter (https://github.com/ppazos/cabolabs-ehrserver/blob/master/src/groovy/com/cabolabs/security/AuthFilter.groovy) but the RestAuthenticationFilter. This filter uses the default token UsernamePasswordAuthenticationToken and doesn't have a provider for my custom token (https://github.com/ppazos/cabolabs-ehrserver/blob/f000a4e7eeae00cb05ea56a6c367afa519399427/src/java/com/cabolabs/security/UserPassOrgAuthToken.java).

Which do you think would be the best strategy here? Should I filter the login endpoint url on my filter? Other option?

Thanks!


BTW, this is the output:

2015-12-10 12:24:00,996 [http-bio-8090-exec-10] DEBUG matcher.AntPathRequestMatcher  - Checking match of request : '/rest/login'; against '/rest/**'
2015-12-10 12:24:00,996 [http-bio-8090-exec-10] DEBUG web.FilterChainProxy  - /rest/login at position 1 of 8 in additional filter chain; firing Filter: 'AuthFilter'
2015-12-10 12:24:00,996 [http-bio-8090-exec-10] DEBUG web.FilterChainProxy  - /rest/login at position 2 of 8 in additional filter chain; firing Filter: 'MutableLogoutFilter'
2015-12-10 12:24:00,996 [http-bio-8090-exec-10] DEBUG web.FilterChainProxy  - /rest/login at position 3 of 8 in additional filter chain; firing Filter: 'RestAuthenticationFilter'
2015-12-10 12:24:01,036 [http-bio-8090-exec-10] DEBUG rest.RestAuthenticationFilter  - Actual URI is /rest/login; endpoint URL is /rest/login
2015-12-10 12:24:01,036 [http-bio-8090-exec-10] DEBUG rest.RestAuthenticationFilter  - Applying authentication filter to this request
2015-12-10 12:24:01,277 [http-bio-8090-exec-10] DEBUG credentials.DefaultJsonPayloadCredentialsExtractor  - Extracted credentials from JSON payload. Username: admin, password: [PROTECTED]
2015-12-10 12:24:01,297 [http-bio-8090-exec-10] DEBUG rest.RestAuthenticationFilter  - Trying to authenticate the request
2015-12-10 12:24:01,437 [http-bio-8090-exec-10] DEBUG rest.RestAuthenticationFilter  - Authentication failed: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken
2015-12-10 12:24:01,437 [http-bio-8090-exec-10] DEBUG bearer.BearerTokenReader  - Looking for bearer token in Authorization header, query string or Form-Encoded body parameter
2015-12-10 12:24:01,457 [http-bio-8090-exec-10] DEBUG bearer.BearerTokenReader  - No token found
2015-12-10 12:24:01,467 [http-bio-8090-exec-10] DEBUG bearer.BearerTokenAuthenticationFailureHandler  - Sending status code 401 and header WWW-Authenticate: Bearer
2015-12-10 12:24:01,467 [http-bio-8090-exec-10] DEBUG rest.RestAuthenticationFilter  - Not authenticated. Rest authentication token not generated




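The debug line "No AuthenticationProvider found for ... UsernamePasswordAuthenticationToken" is Spring Security's ProviderManager reporting that none of its providers returned true from supports() for that token class. The script below is an added illustration, not code from the thread, from Pablo's repository or from the plugin: UserPassOrgAuthToken and UserPassOrgAuthProvider are stand-ins for his classes, the user record is constructed inline, and it only needs spring-security-core on the classpath.

```groovy
// Added example (not from the thread or the plugin): a provider whose supports()
// accepts only a three-field token, wired into a plain Spring Security ProviderManager.
import org.springframework.security.authentication.AuthenticationProvider
import org.springframework.security.authentication.BadCredentialsException
import org.springframework.security.authentication.ProviderManager
import org.springframework.security.authentication.ProviderNotFoundException
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.core.Authentication
import org.springframework.security.core.authority.SimpleGrantedAuthority

// Stand-in for Pablo's token: extends the stock token so existing plumbing that
// expects UsernamePasswordAuthenticationToken keeps working.
class UserPassOrgAuthToken extends UsernamePasswordAuthenticationToken {
    final String organization
    UserPassOrgAuthToken(String username, String password, String organization) {
        super(username, password)          // two-arg constructor: not yet authenticated
        this.organization = organization
    }
}

class UserPassOrgAuthProvider implements AuthenticationProvider {
    // Constructed sample directory: username -> [password, org, roles].
    // A real provider would load the user and compare a password hash instead.
    private final Map users = [admin: [password: 'admin', org: '1234', roles: ['ROLE_ADMIN']]]

    Authentication authenticate(Authentication auth) {
        UserPassOrgAuthToken token = (UserPassOrgAuthToken) auth
        def record = users[token.name]
        if (!record || record.password != token.credentials || record.org != token.organization) {
            throw new BadCredentialsException('Bad username, password or organization')
        }
        def authorities = record.roles.collect { new SimpleGrantedAuthority(it) }
        // Three-arg constructor marks the result as authenticated.
        new UsernamePasswordAuthenticationToken(token.name, null, authorities)
    }

    // Only the custom token is accepted. A plain UsernamePasswordAuthenticationToken
    // gets no provider, which is exactly what the debug line in the log reports.
    boolean supports(Class<?> authentication) {
        UserPassOrgAuthToken.isAssignableFrom(authentication)
    }
}

def manager = new ProviderManager([new UserPassOrgAuthProvider()])

// Custom token with the right organization: authenticated.
assert manager.authenticate(new UserPassOrgAuthToken('admin', 'admin', '1234')).authenticated

// Right password, wrong organization: rejected.
try {
    manager.authenticate(new UserPassOrgAuthToken('admin', 'admin', '9999'))
    assert false, 'expected BadCredentialsException'
} catch (BadCredentialsException ignored) { }

// The token the stock RestAuthenticationFilter builds: no provider supports it.
try {
    manager.authenticate(new UsernamePasswordAuthenticationToken('admin', 'admin'))
    assert false, 'expected ProviderNotFoundException'
} catch (ProviderNotFoundException ignored) { }
```

Widening supports() to the parent class would not help: the provider would then be picked for the stock token and the cast in authenticate() would fail, and the organization check could never run. The filter that builds the token has to build the custom one, which is what the next post does by extending RestAuthenticationFilter.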
Pablo Pazos

Dec 10, 2015, 1:16:36 PM
to Spring Security REST, pabl...@gmail.com
Álvaro, checking your code I realized I could make my own RestAuthenticationFilter work with my custom UserPassOrgAuthToken, so I defined a RestAuthFilter that extends yours: https://github.com/ppazos/cabolabs-ehrserver/commit/666d0e39fbb502062d7bf6feedd357434505316a

If I send this {"username":"admin","password":"admin", "organization":"1234"} to /rest/login, I get the JWT ok.

Now I tried to use the token in a REST call to /rest/ehrs using the Authorization header = Bearer JWT

Looking at the logs it seems RestTokenValidationFilter is validating the token, but I get a 403. Also it seems weird that after RestTokenValidationFilter the remaining filters are being executed. There is an exception at the end (not sure what that is).

Any ideas?


Here is the log:

2015-12-10 14:56:37,198 [http-bio-8090-exec-7] DEBUG access.ExceptionTranslationFilter  - Calling Authentication entry point.
2015-12-10 14:56:37,198 [http-bio-8090-exec-7] DEBUG bearer.BearerTokenReader  - Looking for bearer token in Authorization header, query string or Form-Encoded body parameter
2015-12-10 14:56:37,198 [http-bio-8090-exec-7] DEBUG bearer.BearerTokenReader  - No token found

2015-12-10 14:57:47,568 [http-bio-8090-exec-9] DEBUG matcher.AntPathRequestMatcher  - Checking match of request : '/rest/ehrs'; against '/rest/**'

2015-12-10 14:57:47,568 [http-bio-8090-exec-9] DEBUG web.FilterChainProxy  - /rest/ehrs at position 1 of 9 in additional filter chain; firing Filter: 'AuthFilter'
2015-12-10 14:57:47,568 [http-bio-8090-exec-9] DEBUG web.FilterChainProxy  - /rest/ehrs at position 2 of 9 in additional filter chain; firing Filter: 'RestAuthFilter'
2015-12-10 14:57:47,568 [http-bio-8090-exec-9] DEBUG web.FilterChainProxy  - /rest/ehrs at position 3 of 9 in additional filter chain; firing Filter: 'MutableLogoutFilter'
2015-12-10 14:57:47,568 [http-bio-8090-exec-9] DEBUG web.FilterChainProxy  - /rest/ehrs at position 4 of 9 in additional filter chain; firing Filter: 'RestAuthenticationFilter'
2015-12-10 14:57:47,568 [http-bio-8090-exec-9] DEBUG rest.RestAuthenticationFilter  - Actual URI is /rest/ehrs; endpoint URL is /rest/login
2015-12-10 14:57:47,568 [http-bio-8090-exec-9] DEBUG web.FilterChainProxy  - /rest/ehrs at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2015-12-10 14:57:47,568 [http-bio-8090-exec-9] DEBUG web.FilterChainProxy  - /rest/ehrs at position 6 of 9 in additional filter chain; firing Filter: 'GrailsAnonymousAuthenticationFilter'
2015-12-10 14:57:47,568 [http-bio-8090-exec-9] DEBUG filter.GrailsAnonymousAuthenticationFilter  - Populated SecurityContextHolder with anonymous token: 'grails.plugin.springsecurity.authentication.GrailsAnonymousAuthenticationToken@dc4337e: Principal: org.springframework.security.core.userdetails.User@dc730200: Username: __grails.anonymous.user__; Password: [PROTECTED]; Enabled: false; AccountNonExpired: false; credentialsNonExpired: false; AccountNonLocked: false; Granted Authorities: ROLE_ANONYMOUS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'

2015-12-10 14:57:47,568 [http-bio-8090-exec-9] DEBUG web.FilterChainProxy  - /rest/ehrs at position 7 of 9 in additional filter chain; firing Filter: 'RestTokenValidationFilter'
2015-12-10 14:57:47,568 [http-bio-8090-exec-9] DEBUG bearer.BearerTokenReader  - Looking for bearer token in Authorization header, query string or Form-Encoded body parameter
2015-12-10 14:57:47,568 [http-bio-8090-exec-9] DEBUG bearer.BearerTokenReader  - Found bearer token in Authorization header
2015-12-10 14:57:47,568 [http-bio-8090-exec-9] DEBUG rest.RestTokenValidationFilter  - Token found: eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NDk4NTY1NzMsInN1YiI6ImFkbWluIiwicHJpbmNpcGFsIjoiSDRzSUFBQUFBQUFBQUpWU1AwXC9iUUJSXC9UaE5SRllrQ0VwVTZ3RkxZa0NPMVl4Yit0bXBsUWtXYUJTU3FpXC8xd0Q4NTM1dTRNeVZKbGFnY0dFQzFTcFg0RnZna3NmSUFLQmxabVZ0NFpnbE1XeEUzMnU1OVwvXC81NlByNkJpTkx5TE5lUEMrS25JWWk1OWsyb3VZNE5ocHJudCtKbEJIYUhORVI5eVlKTW1jSHU4RW5nQmxIaGtZVFRZWkR1c0twaU1xOHV0VFF4dHJhM2hyZEx4SGVPR1pnbnVLcjNsMzNPSFN1TlwvQWdXMU4xT0NnVlVZWVdHb01tbnJTaTYyVTY0eFdvWGhZaGFvY011TnhrSzZRV2s1RTZZZk9vQ1N0UVJHQVF5eXpINVRwTXJSV0hoNWF6YXpYRlFiYUdzQlBFK1pNZVR1UVpLR2RkYmR2Yk1wS2NFMmZJZHlPXC9Yb1VIZFREdW83SG45ZUNVR3B1Wkptc2lrVEZmRU43c1NKdnp0K2VMYlwvdDlzc0FWQW4wNDlcL1U4eGZ6MEgzWlAxNklpXC9hQ3kyODZyTmV3R3J0bE55TUZNeGZORHJsZjM4K1wvenE2K3JuMmpKUWQ0djNUOXpFNWU5ZGNaMTRsS2RQTXFyNGRFZTF1MlQwVCtkemo1TDB0ZFB3R1QxS0I5RWRKaTlHOVJFRk1jY3RhaVY3ZkZsNnNMQWVMWDJjWGxqN1czV3VGUlFtWHBEcVVoM2JiOGdORnU5cTdQRGpkZjNOT0RKK2dzc05FaHRUNWNBR3FaMGtMOVlcL2pvXC9IQjN4ZDdlWUxlMzN3REFlVXg1eEVEQUFBPSIsInJvbGVzIjpbIlJPTEVfQURNSU4iXSwiaWF0IjoxNDQ5NzcwMTczfQ.bI3MNYv6ALdxOyNBbhiJ1cHu6ln90L4Hn5ZVfnbNcws
2015-12-10 14:57:47,578 [http-bio-8090-exec-9] DEBUG rest.RestTokenValidationFilter  - Trying to authenticate the token
2015-12-10 14:57:47,578 [http-bio-8090-exec-9] DEBUG rest.RestAuthenticationProvider  - Trying to validate token eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NDk4NTY1NzMsInN1YiI6ImFkbWluIiwicHJpbmNpcGFsIjoiSDRzSUFBQUFBQUFBQUpWU1AwXC9iUUJSXC9UaE5SRllrQ0VwVTZ3RkxZa0NPMVl4Yit0bXBsUWtXYUJTU3FpXC8xd0Q4NTM1dTRNeVZKbGFnY0dFQzFTcFg0RnZna3NmSUFLQmxabVZ0NFpnbE1XeEUzMnU1OVwvXC81NlByNkJpTkx5TE5lUEMrS25JWWk1OWsyb3VZNE5ocHJudCtKbEJIYUhORVI5eVlKTW1jSHU4RW5nQmxIaGtZVFRZWkR1c0twaU1xOHV0VFF4dHJhM2hyZEx4SGVPR1pnbnVLcjNsMzNPSFN1TlwvQWdXMU4xT0NnVlVZWVdHb01tbnJTaTYyVTY0eFdvWGhZaGFvY011TnhrSzZRV2s1RTZZZk9vQ1N0UVJHQVF5eXpINVRwTXJSV0hoNWF6YXpYRlFiYUdzQlBFK1pNZVR1UVpLR2RkYmR2Yk1wS2NFMmZJZHlPXC9Yb1VIZFREdW83SG45ZUNVR3B1Wkptc2lrVEZmRU43c1NKdnp0K2VMYlwvdDlzc0FWQW4wNDlcL1U4eGZ6MEgzWlAxNklpXC9hQ3kyODZyTmV3R3J0bE55TUZNeGZORHJsZjM4K1wvenE2K3JuMmpKUWQ0djNUOXpFNWU5ZGNaMTRsS2RQTXFyNGRFZTF1MlQwVCtkemo1TDB0ZFB3R1QxS0I5RWRKaTlHOVJFRk1jY3RhaVY3ZkZsNnNMQWVMWDJjWGxqN1czV3VGUlFtWHBEcVVoM2JiOGdORnU5cTdQRGpkZjNOT0RKK2dzc05FaHRUNWNBR3FaMGtMOVlcL2pvXC9IQjN4ZDdlWUxlMzN3REFlVXg1eEVEQUFBPSIsInJvbGVzIjpbIlJPTEVfQURNSU4iXSwiaWF0IjoxNDQ5NzcwMTczfQ.bI3MNYv6ALdxOyNBbhiJ1cHu6ln90L4Hn5ZVfnbNcws
2015-12-10 14:57:47,667 [http-bio-8090-exec-9] DEBUG rest.JwtService  - Parsed an HMAC signed JWT
2015-12-10 14:57:47,707 [http-bio-8090-exec-9] DEBUG jwt.JwtTokenStorageService  - Successfully verified JWT
2015-12-10 14:57:47,707 [http-bio-8090-exec-9] DEBUG jwt.JwtTokenStorageService  - Trying to deserialize the principal object
2015-12-10 14:57:47,757 [http-bio-8090-exec-9] DEBUG jwt.JwtTokenStorageService  - UserDetails deserialized: grails.plugin.springsecurity.userdetails.GrailsUser@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN
2015-12-10 14:57:47,757 [http-bio-8090-exec-9] DEBUG rest.JwtService  - Parsed an HMAC signed JWT
2015-12-10 14:57:47,766 [http-bio-8090-exec-9] DEBUG rest.RestAuthenticationProvider  - Now is Thu Dec 10 14:57:47 GFT 2015 and token expires at Fri Dec 11 14:56:13 GFT 2015
2015-12-10 14:57:47,796 [http-bio-8090-exec-9] DEBUG rest.RestAuthenticationProvider  - Expiration: 86305
2015-12-10 14:57:47,796 [http-bio-8090-exec-9] DEBUG rest.RestAuthenticationProvider  - Authentication result: grails.plugin.springsecurity.rest.token.AccessToken(accessToken:eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NDk4NTY1NzMsInN1YiI6ImFkbWluIiwicHJpbmNpcGFsIjoiSDRzSUFBQUFBQUFBQUpWU1AwXC9iUUJSXC9UaE5SRllrQ0VwVTZ3RkxZa0NPMVl4Yit0bXBsUWtXYUJTU3FpXC8xd0Q4NTM1dTRNeVZKbGFnY0dFQzFTcFg0RnZna3NmSUFLQmxabVZ0NFpnbE1XeEUzMnU1OVwvXC81NlByNkJpTkx5TE5lUEMrS25JWWk1OWsyb3VZNE5ocHJudCtKbEJIYUhORVI5eVlKTW1jSHU4RW5nQmxIaGtZVFRZWkR1c0twaU1xOHV0VFF4dHJhM2hyZEx4SGVPR1pnbnVLcjNsMzNPSFN1TlwvQWdXMU4xT0NnVlVZWVdHb01tbnJTaTYyVTY0eFdvWGhZaGFvY011TnhrSzZRV2s1RTZZZk9vQ1N0UVJHQVF5eXpINVRwTXJSV0hoNWF6YXpYRlFiYUdzQlBFK1pNZVR1UVpLR2RkYmR2Yk1wS2NFMmZJZHlPXC9Yb1VIZFREdW83SG45ZUNVR3B1Wkptc2lrVEZmRU43c1NKdnp0K2VMYlwvdDlzc0FWQW4wNDlcL1U4eGZ6MEgzWlAxNklpXC9hQ3kyODZyTmV3R3J0bE55TUZNeGZORHJsZjM4K1wvenE2K3JuMmpKUWQ0djNUOXpFNWU5ZGNaMTRsS2RQTXFyNGRFZTF1MlQwVCtkemo1TDB0ZFB3R1QxS0I5RWRKaTlHOVJFRk1jY3RhaVY3ZkZsNnNMQWVMWDJjWGxqN1czV3VGUlFtWHBEcVVoM2JiOGdORnU5cTdQRGpkZjNOT0RKK2dzc05FaHRUNWNBR3FaMGtMOVlcL2pvXC9IQjN4ZDdlWUxlMzN3REFlVXg1eEVEQUFBPSIsInJvbGVzIjpbIlJPTEVfQURNSU4iXSwiaWF0IjoxNDQ5NzcwMTczfQ.bI3MNYv6ALdxOyNBbhiJ1cHu6ln90L4Hn5ZVfnbNcws, expiration:86305, refreshToken:null, principal:grails.plugin.springsecurity.userdetails.GrailsUser@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN, super:grails.plugin.springsecurity.rest.token.AccessToken@4525caad: Principal: grails.plugin.springsecurity.userdetails.GrailsUser@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_ADMIN)
2015-12-10 14:57:47,796 [http-bio-8090-exec-9] DEBUG rest.RestTokenValidationFilter  - Token authenticated. Storing the authentication result in the security context
2015-12-10 14:57:47,796 [http-bio-8090-exec-9] DEBUG rest.RestTokenValidationFilter  - Authentication result: grails.plugin.springsecurity.rest.token.AccessToken(accessToken:eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NDk4NTY1NzMsInN1YiI6ImFkbWluIiwicHJpbmNpcGFsIjoiSDRzSUFBQUFBQUFBQUpWU1AwXC9iUUJSXC9UaE5SRllrQ0VwVTZ3RkxZa0NPMVl4Yit0bXBsUWtXYUJTU3FpXC8xd0Q4NTM1dTRNeVZKbGFnY0dFQzFTcFg0RnZna3NmSUFLQmxabVZ0NFpnbE1XeEUzMnU1OVwvXC81NlByNkJpTkx5TE5lUEMrS25JWWk1OWsyb3VZNE5ocHJudCtKbEJIYUhORVI5eVlKTW1jSHU4RW5nQmxIaGtZVFRZWkR1c0twaU1xOHV0VFF4dHJhM2hyZEx4SGVPR1pnbnVLcjNsMzNPSFN1TlwvQWdXMU4xT0NnVlVZWVdHb01tbnJTaTYyVTY0eFdvWGhZaGFvY011TnhrSzZRV2s1RTZZZk9vQ1N0UVJHQVF5eXpINVRwTXJSV0hoNWF6YXpYRlFiYUdzQlBFK1pNZVR1UVpLR2RkYmR2Yk1wS2NFMmZJZHlPXC9Yb1VIZFREdW83SG45ZUNVR3B1Wkptc2lrVEZmRU43c1NKdnp0K2VMYlwvdDlzc0FWQW4wNDlcL1U4eGZ6MEgzWlAxNklpXC9hQ3kyODZyTmV3R3J0bE55TUZNeGZORHJsZjM4K1wvenE2K3JuMmpKUWQ0djNUOXpFNWU5ZGNaMTRsS2RQTXFyNGRFZTF1MlQwVCtkemo1TDB0ZFB3R1QxS0I5RWRKaTlHOVJFRk1jY3RhaVY3ZkZsNnNMQWVMWDJjWGxqN1czV3VGUlFtWHBEcVVoM2JiOGdORnU5cTdQRGpkZjNOT0RKK2dzc05FaHRUNWNBR3FaMGtMOVlcL2pvXC9IQjN4ZDdlWUxlMzN3REFlVXg1eEVEQUFBPSIsInJvbGVzIjpbIlJPTEVfQURNSU4iXSwiaWF0IjoxNDQ5NzcwMTczfQ.bI3MNYv6ALdxOyNBbhiJ1cHu6ln90L4Hn5ZVfnbNcws, expiration:86305, refreshToken:null, principal:grails.plugin.springsecurity.userdetails.GrailsUser@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN, super:grails.plugin.springsecurity.rest.token.AccessToken@4525caad: Principal: grails.plugin.springsecurity.userdetails.GrailsUser@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_ADMIN)
2015-12-10 14:57:47,806 [http-bio-8090-exec-9] DEBUG rest.RestTokenValidationFilter  - Continuing the filter chain

2015-12-10 14:57:47,806 [http-bio-8090-exec-9] DEBUG web.FilterChainProxy  - /rest/ehrs at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2015-12-10 14:57:47,806 [http-bio-8090-exec-9] DEBUG web.FilterChainProxy  - /rest/ehrs at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2015-12-10 14:57:47,806 [http-bio-8090-exec-9] DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /rest/ehrs; Attributes: [_DENY_]
2015-12-10 14:57:47,806 [http-bio-8090-exec-9] DEBUG intercept.FilterSecurityInterceptor  - Previously Authenticated: grails.plugin.springsecurity.rest.token.AccessToken(accessToken:eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NDk4NTY1NzMsInN1YiI6ImFkbWluIiwicHJpbmNpcGFsIjoiSDRzSUFBQUFBQUFBQUpWU1AwXC9iUUJSXC9UaE5SRllrQ0VwVTZ3RkxZa0NPMVl4Yit0bXBsUWtXYUJTU3FpXC8xd0Q4NTM1dTRNeVZKbGFnY0dFQzFTcFg0RnZna3NmSUFLQmxabVZ0NFpnbE1XeEUzMnU1OVwvXC81NlByNkJpTkx5TE5lUEMrS25JWWk1OWsyb3VZNE5ocHJudCtKbEJIYUhORVI5eVlKTW1jSHU4RW5nQmxIaGtZVFRZWkR1c0twaU1xOHV0VFF4dHJhM2hyZEx4SGVPR1pnbnVLcjNsMzNPSFN1TlwvQWdXMU4xT0NnVlVZWVdHb01tbnJTaTYyVTY0eFdvWGhZaGFvY011TnhrSzZRV2s1RTZZZk9vQ1N0UVJHQVF5eXpINVRwTXJSV0hoNWF6YXpYRlFiYUdzQlBFK1pNZVR1UVpLR2RkYmR2Yk1wS2NFMmZJZHlPXC9Yb1VIZFREdW83SG45ZUNVR3B1Wkptc2lrVEZmRU43c1NKdnp0K2VMYlwvdDlzc0FWQW4wNDlcL1U4eGZ6MEgzWlAxNklpXC9hQ3kyODZyTmV3R3J0bE55TUZNeGZORHJsZjM4K1wvenE2K3JuMmpKUWQ0djNUOXpFNWU5ZGNaMTRsS2RQTXFyNGRFZTF1MlQwVCtkemo1TDB0ZFB3R1QxS0I5RWRKaTlHOVJFRk1jY3RhaVY3ZkZsNnNMQWVMWDJjWGxqN1czV3VGUlFtWHBEcVVoM2JiOGdORnU5cTdQRGpkZjNOT0RKK2dzc05FaHRUNWNBR3FaMGtMOVlcL2pvXC9IQjN4ZDdlWUxlMzN3REFlVXg1eEVEQUFBPSIsInJvbGVzIjpbIlJPTEVfQURNSU4iXSwiaWF0IjoxNDQ5NzcwMTczfQ.bI3MNYv6ALdxOyNBbhiJ1cHu6ln90L4Hn5ZVfnbNcws, expiration:86305, refreshToken:null, principal:grails.plugin.springsecurity.userdetails.GrailsUser@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN, super:grails.plugin.springsecurity.rest.token.AccessToken@4525caad: Principal: grails.plugin.springsecurity.userdetails.GrailsUser@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_ADMIN)
2015-12-10 14:57:47,806 [http-bio-8090-exec-9] DEBUG hierarchicalroles.RoleHierarchyImpl  - getReachableGrantedAuthorities() - From the roles [ROLE_ADMIN] one can reach [ROLE_ADMIN] in zero or more steps.

2015-12-10 14:57:47,846 [http-bio-8090-exec-9] DEBUG access.ExceptionTranslationFilter  - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
Message: Access is denied
    Line | Method
->>   43 | decide             in grails.plugin.springsecurity.access.vote.AuthenticatedVetoableDecisionManager
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|    118 | processFilterChain in grails.plugin.springsecurity.rest.RestTokenValidationFilter
|     84 | doFilter . . . . . in     ''
|     53 | doFilter           in grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter
|    143 | doFilter . . . . . in grails.plugin.springsecurity.rest.RestAuthenticationFilter
|     62 | doFilter           in grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter
|    148 | doFilter . . . . . in com.cabolabs.security.RestAuthFilter
|     82 | doFilter           in com.brandseye.cors.CorsFilter
|   1145 | runWorker . . . .  in java.util.concurrent.ThreadPoolExecutor
|    615 | run                in java.util.concurrent.ThreadPoolExecutor$Worker
^    744 | run . . . . . . .  in java.lang.Thread

Pablo Pazos

Dec 20, 2015, 5:03:03 PM
to Spring Security REST, pabl...@gmail.com
I'm reviewing the plugin's code and all the debug messages from my log, and everything seems to be working as expected, but yes, the filter chain continues instead of returning the result to the client app.

My guess is that the order of the filters is the issue here. 

My current config is:

1. custom auth from web filter (https://github.com/ppazos/cabolabs-ehrserver/blob/rest_security/src/groovy/com/cabolabs/security/AuthFilter.groovy) is on position: 1
2. custom rest auth filter (https://github.com/ppazos/cabolabs-ehrserver/blob/rest_security/src/groovy/com/cabolabs/security/RestAuthFilter.groovy) is on position: 2
3. The RestTokenValidationFilter is on position: 7


(see the log)

Should the RestAuthFilter come after the RestTokenValidationFilter?

If it is not related to the filter order, does anybody know what the issue is here?


Thanks!

Pablo Pazos

Dec 20, 2015, 5:30:21 PM
to Spring Security REST, pabl...@gmail.com
Continuing with reading code,

I found that the point that decides whether to go further into the filter chain is this:

if (actualUri == validationEndpointUrl) {
    log.debug "Validation endpoint called. Generating response."
    authenticationSuccessHandler.onAuthenticationSuccess(httpRequest, httpResponse, authenticationResult)
} else {
    log.debug "Continuing the filter chain"
    chain.doFilter(request, response)
}

Since I don't know what the values of actualUri and validationEndpointUrl are, I don't know how to solve this. My request is to /rest/ehrs.

My guess is the validationEndpointUrl is set to the default config value of the plugin: /api/validate

But I don't get why a normal token validation for a request should consider the validationEndpointUrl when the token was validated. I think in that case it should go to authenticationSuccessHandler.onAuthenticationSuccess(httpRequest, httpResponse, authenticationResult), not chain.doFilter ...


Any ideas?
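Two things in the log from the Dec 10 post explain what the last two posts are asking about. The 403 comes from FilterSecurityInterceptor, which reports Attributes: [_DENY_] for /rest/ehrs: the bearer token was verified, but no access rule matched that URL and rejectIfNoRule turns an unmapped URL into a deny. And the quoted snippet shows why the chain keeps going after RestTokenValidationFilter: only a request to the validation endpoint URL gets an immediate response from the success handler; every other API request continues down the chain so that FilterSecurityInterceptor can apply the access rules, which is the intended path for a call like /rest/ehrs. The Config.groovy fragment below is an added example, not Pablo's configuration and not the plugin's documentation. It assumes Grails 2 with spring-security-core 2.x and spring-security-rest 1.5.x, the /rest prefix used in the thread, the ROLE_ADMIN authority visible in the log, and /rest/validate as a chosen validation endpoint; the custom filters the application registers itself (AuthFilter, RestAuthFilter) are not part of it.

```groovy
// Added example, not from the thread or the plugin docs. Config.groovy fragment for
// a stateless JWT-protected /rest/** chain next to the session-based web chain.
// Assumes Grails 2, spring-security-core 2.x and spring-security-rest 1.5.x.

// Login: POST a JSON body with the credentials to /rest/login and get a JWT back.
grails.plugin.springsecurity.rest.login.endpointUrl = '/rest/login'
grails.plugin.springsecurity.rest.login.useJsonCredentials = true

// Validation: bearer token in the Authorization header. Only a request to this
// endpointUrl is answered by the success handler; every other URL continues the
// chain after the token is verified. /rest/validate is a chosen value here
// (the plugin default is /api/validate).
grails.plugin.springsecurity.rest.token.validation.useBearerToken = true
grails.plugin.springsecurity.rest.token.validation.endpointUrl = '/rest/validate'

// Two filter chains. JOINED_FILTERS expands to the full list of plugin filters in
// their registered order; each entry only subtracts from it. The REST chain drops
// the session, anonymous, form-login and remember-me filters; the web chain drops
// the REST filters. Filters the application registers itself are not listed.
grails.plugin.springsecurity.filterChain.chainMap = [
    '/rest/**': 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter',
    '/**':      'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter'
]

// Access rules. With rejectIfNoRule on, a URL with no matching rule gets the
// _DENY_ attribute and FilterSecurityInterceptor answers 403 even when the token
// is valid, so every REST URL needs an explicit rule. Specific entries go before
// the /rest/** catch-all.
grails.plugin.springsecurity.securityConfigType = 'InterceptUrlMap'
grails.plugin.springsecurity.rejectIfNoRule = true
grails.plugin.springsecurity.interceptUrlMap = [
    '/rest/login':    ['permitAll'],                // must be reachable without a token
    '/rest/validate': ['isFullyAuthenticated()'],   // token check endpoint itself
    '/rest/**':       ['ROLE_ADMIN'],               // /rest/ehrs falls under this rule
    '/login/**':      ['permitAll'],
    '/logout/**':     ['permitAll'],
    '/**':            ['isAuthenticated()']
]
```

With rules like these, a request to /rest/ehrs carrying a valid token reaches FilterSecurityInterceptor with the ROLE_ADMIN authority the log already shows and a matching rule instead of _DENY_, and a request without a token is refused by the REST chain with the 401 and WWW-Authenticate: Bearer header seen in the first log rather than being handed an anonymous principal.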