Since version 4.1.1 the authenticationEntryPoints don't work as expected.
I have two authenticationEntryPoints in delegatingAuthenticationEntryPoint:
http.httpBasic().authenticationEntryPoint(delegatingAuthenticationEntryPoint())
They should handle InsufficientAuthenticationException for the /oauth/authorize endpoint based on the request parameters:
Expected Behavior
Up to version 4.1.0 the client is forwarded to the SAML login page via IMDSAMLEntryPoint as configured:
s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@1ea56448, matchingMediaTypes=[application/atom+xml, application/x-www-form-urlencoded, application/json, application/octet-stream, application/xml, multipart/form-data, text/xml], useEquals=false, ignoredMediaTypes=[*/*]]
o.s.s.w.u.m.MediaTypeRequestMatcher : httpRequestMediaTypes=[text/html, application/xhtml+xml, image/webp, application/xml;q=0.9, */*;q=0.8]
o.s.s.w.u.m.MediaTypeRequestMatcher : Processing text/html
o.s.s.w.u.m.MediaTypeRequestMatcher : application/atom+xml .isCompatibleWith text/html = false
o.s.s.w.u.m.MediaTypeRequestMatcher : application/x-www-form-urlencoded .isCompatibleWith text/html = false
o.s.s.w.u.m.MediaTypeRequestMatcher : application/json .isCompatibleWith text/html = false
o.s.s.w.u.m.MediaTypeRequestMatcher : application/octet-stream .isCompatibleWith text/html = false
o.s.s.w.u.m.MediaTypeRequestMatcher : application/xml .isCompatibleWith text/html = false
o.s.s.w.u.m.MediaTypeRequestMatcher : multipart/form-data .isCompatibleWith text/html = false
o.s.s.w.u.m.MediaTypeRequestMatcher : text/xml .isCompatibleWith text/html = false
o.s.s.w.u.m.MediaTypeRequestMatcher : Processing application/xhtml+xml
o.s.s.w.u.m.MediaTypeRequestMatcher : application/atom+xml .isCompatibleWith application/xhtml+xml = false
o.s.s.w.u.m.MediaTypeRequestMatcher : application/x-www-form-urlencoded .isCompatibleWith application/xhtml+xml = false
o.s.s.w.u.m.MediaTypeRequestMatcher : application/json .isCompatibleWith application/xhtml+xml = false
o.s.s.w.u.m.MediaTypeRequestMatcher : application/octet-stream .isCompatibleWith application/xhtml+xml = false
o.s.s.w.u.m.MediaTypeRequestMatcher : application/xml .isCompatibleWith application/xhtml+xml = false
o.s.s.w.u.m.MediaTypeRequestMatcher : multipart/form-data .isCompatibleWith application/xhtml+xml = false
o.s.s.w.u.m.MediaTypeRequestMatcher : text/xml .isCompatibleWith application/xhtml+xml = false
o.s.s.w.u.m.MediaTypeRequestMatcher : Processing image/webp
o.s.s.w.u.m.MediaTypeRequestMatcher : application/atom+xml .isCompatibleWith image/webp = false
o.s.s.w.u.m.MediaTypeRequestMatcher : application/x-www-form-urlencoded .isCompatibleWith image/webp = false
o.s.s.w.u.m.MediaTypeRequestMatcher : application/json .isCompatibleWith image/webp = false
o.s.s.w.u.m.MediaTypeRequestMatcher : application/octet-stream .isCompatibleWith image/webp = false
o.s.s.w.u.m.MediaTypeRequestMatcher : application/xml .isCompatibleWith image/webp = false
o.s.s.w.u.m.MediaTypeRequestMatcher : multipart/form-data .isCompatibleWith image/webp = false
o.s.s.w.u.m.MediaTypeRequestMatcher : text/xml .isCompatibleWith image/webp = false
o.s.s.w.u.m.MediaTypeRequestMatcher : Processing application/xml;q=0.9
o.s.s.w.u.m.MediaTypeRequestMatcher : application/atom+xml .isCompatibleWith application/xml;q=0.9 = false
o.s.s.w.u.m.MediaTypeRequestMatcher : application/x-www-form-urlencoded .isCompatibleWith application/xml;q=0.9 = false
o.s.s.w.u.m.MediaTypeRequestMatcher : application/json .isCompatibleWith application/xml;q=0.9 = false
o.s.s.w.u.m.MediaTypeRequestMatcher : application/octet-stream .isCompatibleWith application/xml;q=0.9 = false
o.s.s.w.u.m.MediaTypeRequestMatcher : application/xml .isCompatibleWith application/xml;q=0.9 = true
s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint@4175993b
s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using .imd.idp.requestmatcher.AuthEntryPointRequestMatcher@7eea6beb
stomAnnotationTransactionAttributeSource : Adding transactional method 'findOne' with attribute: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly; ''
o.s.orm.jpa.JpaTransactionManager : Opened new EntityManager [org.hibernate.jpa.internal.EntityManagerImpl@3b6ccb52] for JPA transaction
d.s.b.i.i.r.AuthEntryPointRequestMatcher : The request match: true
s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing .imd.idp.saml.IMDSAMLEntryPoint@69eab001
tor$SharedEntityManagerInvocationHandler : Creating new EntityManager for shared EntityManager invocation
o.s.orm.jpa.EntityManagerFactoryUtils : Closing JPA EntityManager
d.s.b.imd.idp.saml.IMDSAMLEntryPoint : Get authorize request from clientID=gwmanager with the redirectURI=http://localhost:8080/core/login.jsf and responseType=code
Actual Behavior
From version 4.1.1 the client is forwarded to the standard login page (with LDAP authentication) instead of the SAML provider as configured. The authenticationEntryPoints are ignored:
o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using NegatedRequestMatcher [requestMatcher=Ant [pattern='/**/favicon.ico']]
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/authorize'; against '/**/favicon.ico'
o.s.s.w.u.matcher.NegatedRequestMatcher : matches = true
o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using NegatedRequestMatcher [requestMatcher=MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@2acadde6, matchingMediaTypes=[application/json], useEquals=false, ignoredMediaTypes=[*/*]]]
o.s.s.w.u.m.MediaTypeRequestMatcher : httpRequestMediaTypes=[text/html, application/xhtml+xml, image/webp, application/xml;q=0.9, */*;q=0.8]
o.s.s.w.u.m.MediaTypeRequestMatcher : Processing text/html
o.s.s.w.u.m.MediaTypeRequestMatcher : application/json .isCompatibleWith text/html = false
o.s.s.w.u.m.MediaTypeRequestMatcher : Processing application/xhtml+xml
o.s.s.w.u.m.MediaTypeRequestMatcher : application/json .isCompatibleWith application/xhtml+xml = false
o.s.s.w.u.m.MediaTypeRequestMatcher : Processing image/webp
o.s.s.w.u.m.MediaTypeRequestMatcher : application/json .isCompatibleWith image/webp = false
o.s.s.w.u.m.MediaTypeRequestMatcher : Processing application/xml;q=0.9
o.s.s.w.u.m.MediaTypeRequestMatcher : application/json .isCompatibleWith application/xml;q=0.9 = false
o.s.s.w.u.m.MediaTypeRequestMatcher : Processing */*;q=0.8
o.s.s.w.u.m.MediaTypeRequestMatcher : Ignoring
o.s.s.w.u.m.MediaTypeRequestMatcher : Did not match any media types
o.s.s.w.u.matcher.NegatedRequestMatcher : matches = true
o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using NegatedRequestMatcher [requestMatcher=RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]]
o.s.s.w.u.matcher.NegatedRequestMatcher : matches = true
o.s.s.w.util.matcher.AndRequestMatcher : All requestMatchers returned true
o.s.s.w.s.HttpSessionRequestCache : DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8084/imd/oauth/authorize?response_type=code&client_id=gwmanager&redirect_uri=http://localhost:8080/core/login.jsf]
o.s.s.w.a.ExceptionTranslationFilter : Calling Authentication entry point.
s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using AndRequestMatcher [requestMatchers=[NegatedRequestMatcher [requestMatcher=MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@2acadde6, matchingMediaTypes=[text/html], useEquals=false, ignoredMediaTypes=[]]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@2acadde6, matchingMediaTypes=[application/atom+xml, application/x-www-form-urlencoded, application/json, application/octet-stream, application/xml, multipart/form-data, text/xml], useEquals=false, ignoredMediaTypes=[*/*]]]]
o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using NegatedRequestMatcher [requestMatcher=MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@2acadde6, matchingMediaTypes=[text/html], useEquals=false, ignoredMediaTypes=[]]]
o.s.s.w.u.m.MediaTypeRequestMatcher : httpRequestMediaTypes=[text/html, application/xhtml+xml, image/webp, application/xml;q=0.9, */*;q=0.8]
o.s.s.w.u.m.MediaTypeRequestMatcher : Processing text/html
o.s.s.w.u.m.MediaTypeRequestMatcher : text/html .isCompatibleWith text/html = true
o.s.s.w.u.matcher.NegatedRequestMatcher : matches = false
o.s.s.w.util.matcher.AndRequestMatcher : Did not match
s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using AndRequestMatcher [requestMatchers=[NegatedRequestMatcher [requestMatcher=RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@2acadde6, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]]
o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using NegatedRequestMatcher [requestMatcher=RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]]
o.s.s.w.u.matcher.NegatedRequestMatcher : matches = true
o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@2acadde6, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]
o.s.s.w.u.m.MediaTypeRequestMatcher : httpRequestMediaTypes=[text/html, application/xhtml+xml, image/webp, application/xml;q=0.9, */*;q=0.8]
o.s.s.w.u.m.MediaTypeRequestMatcher : Processing text/html
o.s.s.w.u.m.MediaTypeRequestMatcher : application/xhtml+xml .isCompatibleWith text/html = false
o.s.s.w.u.m.MediaTypeRequestMatcher : image/* .isCompatibleWith text/html = false
o.s.s.w.u.m.MediaTypeRequestMatcher : text/html .isCompatibleWith text/html = true
o.s.s.w.util.matcher.AndRequestMatcher : All requestMatchers returned true
s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@620d05a1
o.s.s.web.DefaultRedirectStrategy : Redirecting to 'http://localhost:8084/imd/loginIMD'
o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6fd5d03d
w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
Thanks in advance, Piotr
Comment From: rwinch
Thanks for the report! I'm sorry, I don't understand the problem. Please provide the complete configuration, the HTTP Servlet Request, and the HTTP Servlet Response. Please also state why you believe the response is incorrect.
Comment From: czarnyckm
Our authentication/authorization server handles multiple authentication mechanisms. From the client's side it remains OAuth2+JWT, but it allows the application to connect and authenticate against a SAML Identity Provider, a configured login page or some other authentication protocols.
Everything works fine if I use spring-security-config version 4.1.0.RELEASE:
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>4.1.0.RELEASE</version>
</dependency>
but with version=RELEASE (i.e. 4.1.1.RELEASE) all clients are always forwarded to the configured login page instead of the SAML IdP.
I think that the problem is introduced by the additional RequestMatchers in HttpBasicConfigurer. They match, ignore the provided custom request matchers and force a user to be forwarded to the standard login page:
o.s.s.w.util.matcher.AndRequestMatcher : All requestMatchers returned true
s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@620d05a1
o.s.s.web.DefaultRedirectStrategy : Redirecting to 'http://localhost:8084/imd/loginIMD'
o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6fd5d03d
w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
Up to spring-security-config version 4.1.0.RELEASE the custom request matchers (AuthEntryPointRequestMatcher) are used as configured:
o.s.s.w.u.m.MediaTypeRequestMatcher : application/xml .isCompatibleWith application/xml;q=0.9 = true
s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint@4175993b
s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using .imd.idp.requestmatcher.AuthEntryPointRequestMatcher@7eea6beb
d.s.b.i.i.r.AuthEntryPointRequestMatcher : The request match: true
s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing .imd.idp.saml.IMDSAMLEntryPoint@69eab001
d.s.b.imd.idp.saml.IMDSAMLEntryPoint : Get authorize request from clientID=gwmanager with the redirectURI=http://localhost:8080/core/login.jsf and responseType=code
My configuration:
http.httpBasic().authenticationEntryPoint(delegatingAuthenticationEntryPoint());
http.csrf().disable();
http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
    .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
http.authorizeRequests()
    .antMatchers("/", "/revoke_token", "/resources/css/**", "/resources/images/**",
                 "/resources/js/**", "/saml/**", "/", "/idpchooser", "/oauth/authorize", "/loginIMD", "/login.do")
    .permitAll()
    .antMatchers("/error").permitAll()
    .antMatchers("/saml/**").permitAll()
    .and()
    .formLogin().loginPage("/loginIMD").loginProcessingUrl("/login.do")
    .failureUrl("/loginIMD?error=true").permitAll()
    .and()
    .authorizeRequests().anyRequest().authenticated();
http.logout().logoutSuccessUrl("/");
Comment From: mrunalpatel
Hey guys, is there any update/workaround on this issue? I am having the same problem: my custom entry point is not getting called by delegatingAuthenticationEntryPoint.
Comment From: nemalh
Hi All,
Facing a similar kind of issue for IE11: instead of the SAML entry point, it gets delegated to the login page. Though it's working in FF and Chrome.
Spring Security version being used is 4.0.4 release.
Comment From: czarnyckm
The problem is gone. I fixed it with exceptionHandling registration:
http.exceptionHandling().defaultAuthenticationEntryPointFor(...
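One way to apply that fix, written here as an added example rather than the reporter's configuration: the SAML entry point is registered through exceptionHandling() with its own request matcher, so it is consulted before the media-type matchers that httpBasic() and formLogin() register for themselves in 4.1.1 (the AndRequestMatcher with the NegatedRequestMatcher for text/html seen in the log above, which is what sent browser requests to LoginUrlAuthenticationEntryPoint). IMDSAMLEntryPoint and AuthEntryPointRequestMatcher are the reporter's own classes; their no-argument constructors and their package being the same as this class are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class IdpSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Assumed constructors: both classes are the reporter's, taken from the log.
        AuthenticationEntryPoint samlEntryPoint = new IMDSAMLEntryPoint();
        RequestMatcher samlAuthorize = new AndRequestMatcher(
                new AntPathRequestMatcher("/oauth/authorize"),
                new AuthEntryPointRequestMatcher());   // decides on client_id etc.

        // Registered from configure(), i.e. before httpBasic()/formLogin() add
        // their own (entry point, media-type matcher) pairs during init(), so the
        // resulting DelegatingAuthenticationEntryPoint tries this pair first.
        // Caveat: the first registered entry point is also the fallback used
        // when no matcher matches, so keep this matcher as specific as possible.
        http.exceptionHandling()
            .defaultAuthenticationEntryPointFor(samlEntryPoint, samlAuthorize);

        // Leave the basic-auth entry point alone: overriding it with the
        // delegating entry point is what got it wrapped in the "not text/html"
        // matcher in 4.1.1, so browsers never reached the SAML delegate.
        http.httpBasic();
        http.formLogin()
            .loginPage("/loginIMD").loginProcessingUrl("/login.do")
            .failureUrl("/loginIMD?error=true").permitAll();
        http.csrf().disable();
        http.authorizeRequests()
            .antMatchers("/", "/saml/**", "/idpchooser", "/oauth/authorize",
                         "/loginIMD", "/login.do", "/error").permitAll()
            .anyRequest().authenticated();
        http.logout().logoutSuccessUrl("/");
    }
}
```

With this wiring, a browser hitting /oauth/authorize with the SAML-relevant parameters is redirected by IMDSAMLEntryPoint, other text/html requests still get the form login page, and non-HTML clients still get the basic-auth challenge.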