Spring Security Application

Added by Frankowski Piotr almost 5 years ago

Hello,

I have configured easySDI proxy with joomla and I have a strange problem. On development env everything is working ok. But on production (protected with basic auth) a query, for example http://localhost:8080/proxy/ogc/test?request=GetCapabilities, asks me twice for credentials (first is 'EASY SDI proxy test', and second 'Spring Security Application'). I'm hosting proxy on tomcat7. Secured connection (https) is turned off - I have no cert. How do I turn off this Spring Security Application? Why is this showing?


Replies (29)

RE: Spring Security Application - Added by Blatti Yves almost 5 years ago

Hi!

Does the authentication work on the second dialog? Or does it fail?

Yves

RE: Spring Security Application - Added by Frankowski Piotr almost 5 years ago

Always fails, I have no credentials to this second dialog.

RE: Spring Security Application - Added by Blatti Yves almost 5 years ago

I tested on our install.

If I enter wrong credentials on the first dialog (EASY SDI proxy <servicename>), the second appears (Spring Security Application).
If I use a valid credential on the second, it works. So I assume it's just a wrong label on the second dialog, and you have an authentication problem.

Is your spring config OK? (in ...../webapps/proxy/WEB-INF/spring files : app-config.xml and security-config.xml)
Do you have anything in logs?

RE: Spring Security Application - Added by Frankowski Piotr almost 5 years ago

In logs there's nothing special:

[root@app1 logs]# cat easysdi-proxy.log
14 Nov 2013 13:07:11,071  INFO ContextLoader:187 - Root WebApplicationContext: initialization started
14 Nov 2013 13:07:11,104  INFO XmlWebApplicationContext:454 - Refreshing Root WebApplicationContext: startup date [Thu Nov 14 13:07:11 CET 2013]; root of context hierarchy
14 Nov 2013 13:07:11,154  INFO XmlBeanDefinitionReader:315 - Loading XML bean definitions from ServletContext resource [/WEB-INF/spring/security-config.xml]
14 Nov 2013 13:07:11,524  INFO HttpSecurityBeanDefinitionParser:184 - Checking sorted filter chain: [Root bean: class [org.springframework.security.web.context.SecurityContextPersistenceFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 300, <joomlaCookieAuthenticationFilter>, order = 1199, Root bean: class [org.springframework.security.web.authentication.www.BasicAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1200, Root bean: class [org.springframework.security.web.savedrequest.RequestCacheAwareFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1300, Root bean: class [org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1400, Root bean: class [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1600, Root bean: class [org.springframework.security.web.session.SessionManagementFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; 
destroyMethodName=null, order = 1700, Root bean: class [org.springframework.security.web.access.ExceptionTranslationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1800, <org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0>, order = 1900, <easySdiConfigFilter>, order = 1901, <getMapCacheFilter>, order = 2147483647]
14 Nov 2013 13:07:11,526  INFO XmlBeanDefinitionReader:315 - Loading XML bean definitions from ServletContext resource [/WEB-INF/spring/app-config.xml]
14 Nov 2013 13:07:11,725  INFO XmlBeanDefinitionReader:315 - Loading XML bean definitions from ServletContext resource [/WEB-INF/spring/ehcache-spring.xml]
14 Nov 2013 13:07:11,878  INFO DefaultListableBeanFactory:538 - Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@41e451e2: defining beans [org.springframework.security.authentication.DefaultAuthenticationEventPublisher#0,org.springframework.security.authenticationManager,joomlaProvider,org.springframework.security.web.PortMapperImpl#0,org.springframework.security.web.context.HttpSessionSecurityContextRepository#0,org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy#0,org.springframework.security.authentication.ProviderManager#0,org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0,org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator#0,org.springframework.security.authentication.AnonymousAuthenticationProvider#0,org.springframework.security.web.savedrequest.HttpSessionRequestCache#0,org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint#0,org.springframework.security.config.http.UserDetailsServiceInjectionBeanPostProcessor#0,org.springframework.security.filterChainProxy,basicAuthenticationEntryPoint,accessDecisionManager,roleVoter,joomlaCookieAuthenticationFilter,authenticatedVoter,org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,dataSource,cacheManager,getMapCacheFilter,easySdiConfigFilter]; root of factory hierarchy
14 Nov 2013 13:07:12,159  INFO FilterSecurityInterceptor:156 - Validated configuration attributes
14 Nov 2013 13:07:12,296  INFO ContextLoader:214 - Root WebApplicationContext: initialization completed in 1223 ms
14 Nov 2013 13:07:12,306  INFO OgcProxyServlet:96 - OgcProxyServlet initialization done.
14 Nov 2013 13:07:13,398  INFO XmlBeanDefinitionReader:315 - Loading XML bean definitions from class path resource [org/springframework/jdbc/support/sql-error-codes.xml]
14 Nov 2013 13:07:13,440  INFO SQLErrorCodesFactory:125 - SQLErrorCodes loaded: [DB2, Derby, H2, HSQL, Informix, MS-SQL, MySQL, Oracle, PostgreSQL, Sybase]

Configs are ok:
app-config.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xmlns:context="http://www.springframework.org/schema/context" 
        xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security-3.0.xsd
                                        http://www.springframework.org/schema/context
          http://www.springframework.org/schema/context/spring-context-3.0.xsd">

        <context:annotation-config />
        <context:component-scan base-package="org.easysdi.proxy" />

        <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
                <property name="driverClassName" value="com.mysql.jdbc.Driver" />
                <property name="url" value="jdbc:mysql://localhost:3306/riip_wl" />
                <property name="username" value="root" />
                <property name="password" value="anotherpassword" />
                <property name="maxIdle" value="10" />
                <property name="maxActive" value="100" />
                <property name="maxWait" value="10000" />
                <property name="validationQuery" value="select 1" />
                <property name="testOnBorrow" value="false" />
                <property name="testWhileIdle" value="true" />
                <property name="timeBetweenEvictionRunsMillis" value="1200000" />
                <property name="minEvictableIdleTimeMillis" value="1800000" />
                <property name="numTestsPerEvictionRun" value="5" />
                <property name="defaultAutoCommit" value="false" />
        </bean>

</beans>

security-config.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security-3.0.xsd">

        <security:authentication-manager alias="authenticationManager">
                <security:authentication-provider ref="joomlaProvider" />
        </security:authentication-manager>

        <bean id="joomlaProvider" class="org.easysdi.security.JoomlaProvider">
                <property name="prefix">
                        <value>fazk4_</value>
                </property>
                <property name="version" value="1.0.0" />
                <property name="dataSource" ref="dataSource" />
        </bean>

        <security:http auto-config="false" access-decision-manager-ref="accessDecisionManager" path-type="regex">
                <security:http-basic />
                <security:anonymous username="spring2a2d595e6ed9a0b24f027f2b63b134d6" granted-authority="anonymous" />
                <security:intercept-url pattern="(.*)" access="anonymous,proxy_user" />
                <security:custom-filter ref="joomlaCookieAuthenticationFilter" before="BASIC_AUTH_FILTER" />
                <security:custom-filter ref="easySdiConfigFilter" after="FILTER_SECURITY_INTERCEPTOR" />
                <security:custom-filter ref="getMapCacheFilter" position="LAST" />
        </security:http>

        <bean id="basicAuthenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
                <property name="realmName">
                        <value>EasySDI Proxy Security</value>
                </property>
        </bean>

        <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
                <property name="decisionVoters">
                        <list>
                                <ref bean="authenticatedVoter" />
                                <ref bean="roleVoter" />
                        </list>
                </property>
        </bean>
        <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
                <property name="rolePrefix" value="" />
        </bean>

        <bean id="joomlaCookieAuthenticationFilter" class="org.easysdi.security.JoomlaCookieAuthenticationFilter">
                <property name="joomlaProvider" ref="joomlaProvider" />
                <property name="authenticationManager" ref="authenticationManager" />
                <property name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint" />
        </bean>

        <bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter" />

</beans>

I have the fresh version (2.4.1) of easy sdi proxy.
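
An added note and example, not part of the thread and not EasySDI code: the security-config.xml posted above can announce two different Basic-auth realms, which matches the two differently labelled dialogs. The <security:http> element has no realm attribute, so the entry point created by <security:http-basic /> (the BasicAuthenticationEntryPoint#0 bean in the startup log) uses the Spring Security namespace default, "Spring Security Application", while the declared basicAuthenticationEntryPoint bean carries its own realm name, and browsers prompt again when the realm changes. The Python check below lists the realms a config file can announce; SAMPLE_CONFIG is a constructed excerpt of the posted file and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {
    "b": "http://www.springframework.org/schema/beans",
    "s": "http://www.springframework.org/schema/security",
}
# Realm the Spring Security namespace uses when <http> has no realm attribute.
NAMESPACE_DEFAULT_REALM = "Spring Security Application"
ENTRY_POINT_CLASS = (
    "org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint"
)

# Constructed sample: only the realm-relevant parts of the posted security-config.xml.
SAMPLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:http auto-config="false" path-type="regex">
    <security:http-basic />
    <security:custom-filter ref="joomlaCookieAuthenticationFilter" before="BASIC_AUTH_FILTER" />
  </security:http>
  <bean id="basicAuthenticationEntryPoint"
        class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
    <property name="realmName"><value>EasySDI Proxy Security</value></property>
  </bean>
</beans>
"""


def property_value(bean, name):
    """Return a bean property given as value="..." or as a nested <value> element."""
    for prop in bean.findall("b:property", NS):
        if prop.get("name") == name:
            nested = prop.find("b:value", NS)
            nested_text = (nested.text or "").strip() if nested is not None else None
            return prop.get("value") or nested_text
    return None


def basic_auth_realms(config_xml):
    """List (source, realm) pairs for every Basic-auth realm the config can announce."""
    root = ET.fromstring(config_xml)
    realms = []
    for http in root.findall("s:http", NS):
        if http.find("s:http-basic", NS) is not None:
            # <http-basic> creates its own entry point; its realm comes from <http realm="...">.
            realms.append(("<http-basic> namespace entry point",
                           http.get("realm") or NAMESPACE_DEFAULT_REALM))
    for bean in root.findall("b:bean", NS):
        if bean.get("class") == ENTRY_POINT_CLASS:
            realms.append(("bean '%s'" % bean.get("id"), property_value(bean, "realmName")))
    return realms


def distinct_realms(realms):
    """More than one entry here means a client can be prompted under different labels."""
    return sorted({realm for _, realm in realms if realm})


if __name__ == "__main__":
    found = basic_auth_realms(SAMPLE_CONFIG)
    for source, realm in found:
        print("%-40s realm=%r" % (source, realm))
    if len(distinct_realms(found)) > 1:
        print("WARNING: config announces more than one Basic-auth realm")
```

Setting the realm attribute on <security:http> makes the namespace entry point announce the configured name instead of the default; it changes only the label shown, not which credentials are accepted.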

RE: Spring Security Application - Added by Frankowski Piotr almost 5 years ago

Catalina logs say:

SEVERE: Failed to load keystore type JKS with path /root/.keystore due to /root/.keystore (No such file or directory)
java.io.FileNotFoundException: /root/.keystore (No such file or directory)
        at java.io.FileInputStream.open(Native Method)
        at java.io.FileInputStream.<init>(FileInputStream.java:146)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:385)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:291)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:549)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:489)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:434)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:181)
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:393)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:610)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:429)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:981)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:640)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:665)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)

RE: Spring Security Application - Added by Blatti Yves almost 5 years ago

I suppose you have double checked your Database config (url, user, password) and the joomla prefix. So the problem has to be somewhere else.

  • In my config, the version property matches the proxy version, did you change it from the original (downloaded) file?
    (I can't tell what it's used for, I just noticed the difference)
        <bean id="joomlaProvider" class="org.easysdi.security.JoomlaProvider">
            <property name="prefix">
                <value>sdi_</value>
            </property>
            <property name="version" value="2.2.0" />
            <property name="dataSource" ref="dataSource" />
        </bean>
    
  • One thing that you have to know that is maybe not documented, is that the username is case sensitive, you may have a look at it. (I know it's not common!)
  • The error you show in your catalina.log: "SEVERE: Failed to load keystore type JKS with path" is related to SSL connector, isn't it? But you wrote SSL was disabled. I can't tell if this may be related, but you should have a look at it (are the other tomcat applications running fine? tomcat manager for example)
  • I'm out of ideas now :(

RE: Spring Security Application - Added by Frankowski Piotr almost 5 years ago

Thanks for your answer. I've changed the version value to proxy 2.4.1, but it didn't help. The same with username. Today I will have certs, so I'll try later. Did I mention that whatever I put in the EasySDI dialog, it then went to Spring Security?

RE: Spring Security Application - Added by Blatti Yves almost 5 years ago

Just to confirm, you have an Easysdi User created and linked to a Joomla User? Not just a Joomla user?

RE: Spring Security Application - Added by Frankowski Piotr almost 5 years ago

Yes, I have a couple of users, which are uncategorized, and all these users have privileges to browse this service.

RE: Spring Security Application - Added by Frankowski Piotr almost 5 years ago

Two things:
I've added a keystore, so there are no more logs saying that the keystore isn't present.
And second, when I cancel the first dialog, I get 401, and the exception org.easysdi.proxy.exception.NoAnonymousPolicyFoundException: No anomnymous policy found.

RE: Spring Security Application - Added by Blatti Yves almost 5 years ago

Hi!
"org.easysdi.proxy.exception.NoAnonymousPolicyFoundException: No anomnymous policy found."
means that you don't have an anonymous policy, it's a normal behavior.

Have you tried accessing it without https?

RE: Spring Security Application - Added by Frankowski Piotr almost 5 years ago

Hi,

I've tried with, and without https.

Now I have an error connected with the db (sometimes it's not visible, but I think that it could be connected with the previous problem):
HTTP Status 500 - StatementCallback; bad SQL grammar [select u.username, u.password from fazk4_easysdi_map_service_account s left join fazk4_easysdi_community_partner p on (p.partner_id = s.partner_id) left join fazk4_users u on (u.id = p.user_id) limit 1]; nested exception is com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Table '.fazk4_easysdi_map_service_account' doesn't exist

It's probably a problem with improper installation in joomla. I wonder why this works on my development environment (table easysdi_map_service_account isn't present there).

RE: Spring Security Application - Added by Frankowski Piotr almost 5 years ago

This mysql error occurs when I call proxy without arguments:

http://localhost:8080/proxy/ogc/test

And when I use
?request=GetCapabilities&service=WFS
it's double dialog, and 401.

RE: Spring Security Application - Added by Blatti Yves almost 5 years ago

Woow, those are easysdi v1 tables (you can see this by the component prefix that changed between v1 and v2 <joomla_prefix>_easysdi_[table] became <joomla_prefix>_sdi_[table]).
Can you check that you're running one of the latest proxy versions (WAR file)? The current version for the 2.x series is 2.3.0.
here: https://forge.easysdi.org/projects/proxy/files
Or direct download: https://forge.easysdi.org/attachments/download/458/proxy.war
(that would explain the MySQL error, the authentication error, and the version number you had in the XML)

RE: Spring Security Application - Added by Frankowski Piotr almost 5 years ago

Ok, I downloaded this version from your link, I've changed to java1.7_0_21 (which I have on development environment) and I got an error:

HTTP Status 500 - StatementCallback; bad SQL grammar [select u.username, u.password from fazk4_sdi_systemaccount s left join fazk4_sdi_account a on (a.id = s.account_id) left join fazk4_users u on (u.id = a.user_id) where s.code='guest' limit 1]; nested exception is com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Table 'riip_wl.fazk4_sdi_systemaccount' doesn't exist
Which means that mod_easysdi was incorrectly installed? Or do I not have the actual mod_easysdi?

RE: Spring Security Application - Added by Blatti Yves almost 5 years ago

Can you give me the result of those two queries, to see your install status:

select * from fazk4_sdi_list_module

select * from  INFORMATION_SCHEMA.tables
where TABLE_NAME LIKE '%_sdi_%'

RE: Spring Security Application - Added by Frankowski Piotr almost 5 years ago

mysql> select * from fazk4_sdi_list_module;
ERROR 1146 (42S02): Table 'fazk4_sdi_list_module' doesn't exist
mysql> select table_name from INFORMATION_SCHEMA.tables where TABLE_NAME LIKE '%_sdi_%';
+--------------------------------------------+
| table_name                                 |
+--------------------------------------------+
| fazk4_sdi_address                          |
| fazk4_sdi_layer                            |
| fazk4_sdi_map_context                      |
| fazk4_sdi_map_context_group                |
| fazk4_sdi_map_context_physicalservice      |
| fazk4_sdi_map_context_tool                 |
| fazk4_sdi_map_context_virtualservice       |
| fazk4_sdi_map_group                        |
| fazk4_sdi_map_layer                        |
| fazk4_sdi_physicalservice                  |
| fazk4_sdi_service_servicecompliance        |
| fazk4_sdi_sys_addresstype                  |
| fazk4_sdi_sys_authenticationconnector      |
| fazk4_sdi_sys_authenticationlevel          |
| fazk4_sdi_sys_civility                     |
| fazk4_sdi_sys_map_tool                     |
| fazk4_sdi_sys_operationcompliance          |
| fazk4_sdi_sys_servicecompliance            |
| fazk4_sdi_sys_servicecon_authenticationcon |
| fazk4_sdi_sys_serviceconnector             |
| fazk4_sdi_sys_serviceoperation             |
| fazk4_sdi_sys_serviceversion               |
| fazk4_sdi_sys_unit                         |
| fazk4_sdi_user                             |
| fazk4_sdi_virtualservice                   |
+--------------------------------------------+
25 rows in set (0.00 sec)

RE: Spring Security Application - Added by Blatti Yves almost 5 years ago

Whhoo, easysdi seems to be badly installed, or a mix of versions...

What does this one give (to check if there are old versions of components)?

select * from  INFORMATION_SCHEMA.tables
where TABLE_NAME LIKE '%_easysdi_%'

RE: Spring Security Application - Added by Frankowski Piotr almost 5 years ago

mysql> select * from information_schema.tables where table_name like '%_easysdi_%';
Empty set (0.00 sec)

The problem with the missing table isn't present now. The table is still missing (sic!). Now it's the same problem as in the beginning (with 2 dialogs).

RE: Spring Security Application - Added by Frankowski Piotr almost 5 years ago

I'm going to uninstall the whole easysdi from joomla, and install it again. Which version should I use? The latest? 3.1.4?

RE: Spring Security Application - Added by Frankowski Piotr almost 5 years ago

Reinstall didn't help :/

RE: Spring Security Application - Added by Frankowski Piotr almost 5 years ago

I've dumped the tables (missing in target dev) from another installation and imported them. The MySQL error disappeared, but there is still the problem with dialogs.

RE: Spring Security Application - Added by Blatti Yves almost 5 years ago

You can't mix versions.

If you like to work with easysdi v2, you need at least:
- A joomla 1.5.26 on Mysql (see prerequisites)
- EasySdi Core 2.X (Joomla Component)
- EasySdi Proxy 2.X (Joomla Component)
- EasySdi Proxy 2.X (WAR webapp)

If you like to work with easysdi v3, you need:
- A joomla 2.5.x on Mysql (see prerequisites)
- EasySdi Fullpackage 3.X (Joomla Components + plugins, current is 3.1.4 I think)
- EasySdi Proxy 3.X (WAR webapp)

I can only help on easysdi v2.x, I never used v3.x (FYI: easysdi v4 will be available next year)

RE: Spring Security Application - Added by Frankowski Piotr almost 5 years ago

Fuck yeah, it works. I've got 3.X, and it works. I really appreciate your help.

RE: Spring Security Application - Added by Blatti Yves almost 5 years ago

Great news!
Have fun with easysdi !!
