
I have a problem getting the container to redirect to the login.jsp page when an unauthenticated user requests a protected resource. My JSF 2 web app is deployed on WebSphere Application Server (WAS) 8.5, where I configured a custom security domain with a custom database realm; the application uses the classic pre-authenticated scenario of the Spring Security framework (the container authenticates, Spring Security only maps the container principal to authorities). Everything works fine on JBoss 6.1.0. I set up my app with the classic FORM-based login (Java EE standard):

<!-- Container-managed FORM authentication (Servlet spec). The container, not Spring
     Security, is expected to challenge with /login.jsp. That only happens for requests
     whose URI matches a <security-constraint> carrying an <auth-constraint>.
     NOTE(review): on WebSphere the constraints are enforced only when application
     security is enabled in the server's global security settings - confirm it is. -->
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <!-- login.jsp must POST j_username / j_password to j_security_check; neither
             page should itself be covered by a security constraint. -->
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
</login-config>

Pages are protected with the classic security-constraint configuration, as the Spring Security guide shows:

<!-- Container-enforced constraint: WebSphere redirects an anonymous request to /login.jsp
     only when the *request URI* matches this pattern. NOTE(review): check that the JSF
     views are really requested under /views/protected/... and not through a servlet
     mapping such as /faces/*; a different path bypasses this constraint and lands in
     Spring Security's filter chain, which in a pre-auth setup answers 403, not a login. -->
<security-constraint>
    <display-name>Access Agent Security</display-name>
    <web-resource-collection>
        <web-resource-name>Secured resource</web-resource-name>
        <!-- No <http-method> listed, so every HTTP method is covered; keep it that way
             (listing methods leaves the unlisted ones unprotected). -->
        <url-pattern>/views/protected/*</url-pattern>
    </web-resource-collection>
    <!-- In Servlet 3.0 (WAS 8.5) "*" means "every role declared in <security-role>",
         not "any authenticated user" (that is "**", Servlet 3.1 only). With no
         <security-role> declared the meaning is container-specific, which could explain
         a difference between JBoss and WAS; declare the roles explicitly. -->
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <!-- Missing: a <user-data-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         so that j_username/j_password and the session cookie are never sent over plain
         HTTP. Requires an HTTPS transport on WAS (or a TLS-terminating proxy it trusts). -->
</security-constraint>

My Spring Security configuration looks like this:

<!-- Resolves ${...} placeholders from servlet context init parameters. -->
<bean class="org.springframework.web.context.support.ServletContextPropertyPlaceholderConfigurer"/>

    <bean id="securityInfo" class="it.xxxxxx.common.security.SecurityInfo"/>

    <!-- Remote EJB proxy for the security service, resolved by JNDI lookup.
         NOTE(review): "App/Bean/remote" is the JBoss naming convention; WebSphere binds
         EJBs under different JNDI names, so confirm this lookup resolves on WAS. -->
    <bean id="securityService" 
          class="org.springframework.ejb.access.SimpleRemoteStatelessSessionProxyFactoryBean">
          <property name="jndiName" value="AccessAgent/SecurityServiceBean/remote"/>
          <property name="businessInterface" value="it.pegaso2000.access.service.bean.SecurityService"/>
    </bean> 

    <!-- One chain for every URL. Order matters: the stored context is restored (sif)
         before the pre-auth filter runs, and exception translation (etf) must sit in
         front of the interceptor (fsi) to turn its exceptions into a 403/entry point.
         NOTE(review): securityContextHolderAwareRequestFilter (declared further down) is
         not in this list, so request.getRemoteUser()/isUserInRole() in the web layer come
         from the container, not from Spring's Authentication and its mapped authorities. -->
    <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
        <sec:filter-chain-map path-type="ant">
            <sec:filter-chain pattern="/**" filters="sif,j2eePreAuthFilter,logoutFilter,etf,fsi"/>
        </sec:filter-chain-map>
    </bean>

    <!-- Loads the SecurityContext from the HTTP session before the request and stores it
         back afterwards. -->
    <bean id="sif" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>

    <!-- Pre-authentication: the container has already authenticated the caller; Spring
         Security only maps the container principal to a UserDetails plus authorities. -->
    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref='preAuthenticatedAuthenticationProvider'/>
    </sec:authentication-manager>

    <bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
    </bean>


    <!-- NOTE(review): this service (source not shown) is the last line of defence against a
         bogus principal. It must throw UsernameNotFoundException for a principal it does not
         know - including the literal "UNAUTHENTICATED" WebSphere reports for anonymous
         requests - rather than build a UserDetails with default authorities. -->
    <bean id="preAuthenticatedUserDetailsService"
            class="it.pegaso2000.access.web.security.auth.PreAuthenticatedUserDetailsService"/>

    <!-- Declared but not referenced anywhere in this snippet (the WebSphere details source
         below maps groups itself); presumably unused - verify before removing. -->
    <bean id="mappableRolesRetriever"
            class="it.pegaso2000.access.web.security.auth.preauth.j2ee.DatabaseMappableAttributesRetriever"/>



    <!-- Queries WebSphere's security API for the caller's groups and turns them into
         granted authorities; the mapper upper-cases the group name and, by default,
         prefixes it with "ROLE_". -->
    <bean id="authenticationDetailsSource" class="org.springframework.security.web.authentication.preauth.websphere.WebSpherePreAuthenticatedWebAuthenticationDetailsSource">
        <property name="webSphereGroups2GrantedAuthoritiesMapper">
            <bean class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
                <property name="convertAttributeToUpperCase" value="true"/>
            </bean>
        </property>
    </bean>

    <!-- Custom subclass of Spring's WebSpherePreAuthenticatedProcessingFilter (source not
         shown). NOTE(review): getPreAuthenticatedPrincipal() must return null - not the
         string "UNAUTHENTICATED" - for anonymous requests; otherwise an anonymous caller is
         handed to the AuthenticationManager as a named principal. Also note the inherited
         default continueFilterChainOnUnsuccessfulAuthentication=true: a failed pre-auth
         lookup falls through to fsi/etf (a 403 here) instead of stopping the request. -->
    <bean id="j2eePreAuthFilter" class="it.xxxxx.access.web.security.auth.preauth.websphere.WebSpherePreAuthenticatedProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
    </bean>





    <!-- Entry point used when an unauthenticated request reaches a URL that fsi protects.
         In a pre-auth setup Spring Security deliberately cannot start a login, so it
         answers 403. NOTE(review): this is why a 403 rather than /login.jsp appears for
         any URL protected by the database metadata source but not by the container's
         <security-constraint>; only the container redirects to the form login page. -->
    <bean id="preAuthenticatedProcessingFilterEntryPoint"
            class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

    <!-- Handles the default logout URL (/j_spring_security_logout) and redirects to "/".
         NOTE(review): SecurityContextLogoutHandler clears Spring's context and invalidates
         the HTTP session only; it does not end the container login. On WebSphere the LTPA
         token cookie presumably survives, so the next request is pre-authenticated again as
         the same user. A real logout also needs the container's logout (request.logout()
         on Servlet 3.0, or WebSphere's ibm_security_logout) - confirm on the target. -->
    <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <constructor-arg value="/"/>
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
            </list>
        </constructor-arg>
    </bean>

    <!-- Exposes the ServletContext as a bean. -->
    <bean id="servletContext" class="org.springframework.web.context.support.ServletContextFactoryBean"/>

    <!-- Converts AuthenticationException from fsi into a call to the entry point (403) and
         AccessDeniedException for an already-authenticated user into a 403 as well. -->
    <bean id="etf" class="org.springframework.security.web.access.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint" ref="preAuthenticatedProcessingFilterEntryPoint"/>
    </bean>

    <!-- Grants access if any voter grants it. With allowIfAllAbstainDecisions=false a URL
         whose attributes no voter understands is denied (fail closed). -->
    <bean id="httpRequestAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions" value="false"/>
        <property name="decisionVoters">
            <list>
                <ref bean="roleVoter"/>
            </list>
        </property>
    </bean>

    <!-- URL -> required roles, loaded from the database (source not shown). -->
    <bean id="securityMetadataSource" class="it.xxxxx.access.web.security.auth.DatabaseFilterInvocationSecurityMetadataSource"/>

    <!-- NOTE(review): rejectPublicInvocations is left at its default (false): a URL for
         which the metadata source returns no attributes is treated as public and passed
         through with no authentication check at all. Either make sure every protected path
         has a database entry, or set <property name="rejectPublicInvocations" value="true"/>
         and map the public paths (login.jsp, static resources) explicitly. -->
    <bean id="fsi" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>

        <property name="securityMetadataSource" ref="securityMetadataSource"/>
    </bean>

    <!-- Votes only on attributes starting with "ROLE_" (default prefix). The authorities
         produced by the WebSphere mapper above are "ROLE_" + upper-cased group name by
         default, so database attributes must use the same spelling or every vote abstains
         and the request is denied. -->
    <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter"/>

    <!-- Declared but not part of the filter chain above; add it after j2eePreAuthFilter if
         the web layer relies on request.isUserInRole()/getUserPrincipal() reflecting Spring's
         Authentication. -->
    <bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter"/>

As you can see, I have overridden org.springframework.security.web.authentication.preauth.websphere.WebSpherePreAuthenticatedProcessingFilter, because I noticed that for anonymous requests WAS reports the principal "UNAUTHENTICATED" to doAuthenticate(), whereas Spring's AbstractPreAuthenticatedProcessingFilter only checks the principal against null, like this:

if (principal == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("No pre-authenticated principal found in request");
            }
    return;
}

so for an anonymous user the early return is never taken and the literal string "UNAUTHENTICATED" is passed on to the AuthenticationManager as if it were a real principal.

But this does not solve my problem: I would like the container (WAS) to redirect to login.jsp when an unauthenticated user requests a protected resource. What is missing from my configuration? This scenario works on JBoss 6 — can anybody help?

Thanks in advance!

