mitreid-connect / OpenID-Connect-Java-Spring-Server

An OpenID Connect reference implementation in Java on the Spring platform.

Pre-authenticated configuration #871

Closed Natrezim closed 9 years ago

Natrezim commented 9 years ago

Hi, I hope I can ask here for help with my problem. If not, please refer me to the correct place. And sorry for mistakes, my English is not so good :)

I have server-webapp deployed on Tomcat, which runs on an Apache server, and to get access to any page it is required to log in through Kerberos. After this login I access the mitre-server-webapp, but I am trying to configure it to not take credentials on the /login page but to take me as an already authenticated user, because I already authenticated.

I am using this filter, org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter, but I always run into many problems. I do not understand everything that happens when all those filters execute, so I don't know where the error could be. My last attempt was that my Tomcat died on PermGen space.

This is my user-context.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
    xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
        http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.1.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource"/>
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="ssoFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
        <property name="principalRequestHeader" value="EPPN" />
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <bean id="promptFilter" class="org.mitre.openid.connect.filter.AuthorizationRequestFilter" />

    <mvc:view-controller path="/login" view-name="login" />

    <security:http entry-point-ref="http403EntryPoint" use-expressions="true" disable-url-rewriting="true"
                   authentication-manager-ref="authenticationManager" pattern="/**">
        <security:intercept-url pattern="/login**" access="permitAll" />

        <security:custom-filter ref="promptFilter" after="SECURITY_CONTEXT_FILTER" />
        <security:custom-filter ref="ssoFilter" before="PRE_AUTH_FILTER" />

        <security:expression-handler ref="oauthWebExpressionHandler" />
        <security:logout logout-url="/logout" />
        <security:anonymous />
    </security:http>

</beans>

For now I added a test user, which I use to log in, to the HSQLDB script and I edited server-config.xml. That's all I did so far. Changes are based on https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Server-configuration and the Spring Security (preauth) documentation. I am a noob in this 'authentication stuff', so please do not stone me for this question.

I hope you understand my problem. If I provide too little info, ask for more. And I thank you in advance.

jricher commented 9 years ago

We've set up several servers like this before, and what usually works better is to have the /login page on a separate HTTP block so that the SSO filter only triggers there instead of on every request. So to log in you do need to hit /login but you won't be prompted for anything. MIT has a version of the server that uses Kerberos, PKI certificates, and regular username and password (backed by LDAP), so you might want to check that one out:

https://github.com/MIT-Mobile/oidc.mit.edu/blob/master/oidc-mit-overlay/src/main/webapp/WEB-INF/user-context.xml

Natrezim commented 9 years ago

Hi again, and sorry for not answering before. I finally managed to get through this point. I authenticated on Apache and now I am accessing the SM_USER header in my RequestHeaderAuthenticationFilter. But I can't get any further. I can't go to any endpoint or access any Administrative, Personal (except View profile information) or Developer menu items. In the logs I can see that in those many executions of filter chains my filter is there and it ends up with successful authentication. I get the roles user and admin. But after that more filters are executed, and after that I am an anonymous user and get access denied. The log file is really long and I don't even know if it is the last one which fails. Here is a part of it: http://pastebin.com/WjFYztw1. I can provide the whole log if it is necessary.

Am I missing something? I am really hopeless right now. Anything would be helpful.

My user-context.xml now looks like this:

    <security:http auto-config="false" entry-point-ref="http403EntryPoint">
        <!-- Additional http configuration omitted -->
        <security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
    </security:http>

    <bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
        <property name="principalRequestHeader" value="REMOTE_USER"/>
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <bean id="preauthAuthProvider"
          class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService">
            <bean id="userDetailsServiceWrapper"
                  class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                <property name="userDetailsService" ref="userDetailsService"/>
            </bean>
        </property>
    </bean>

    <bean class="cz.metacentrum.perun.DlpUserDetailsService" id="userDetailsService"/>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="preauthAuthProvider" />
    </security:authentication-manager>

jricher commented 9 years ago

You need to map your users to ROLE_USER for regular access and ROLE_ADMIN for administrative access.
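
As an added example (not code from the issue or from the MITREid project), this is the shape of a UserDetailsService that the preauthAuthProvider wiring above consults through UserDetailsByNameServiceWrapper, assigning the ROLE_USER and ROLE_ADMIN authorities jricher names; the class name, package and the in-memory user and admin sets are assumptions standing in for a real directory lookup.

```java
package example.preauth; // hypothetical package

import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Hypothetical UserDetailsService for the pre-authenticated setup in this issue.
 * The username it receives is the value of the REMOTE_USER header, extracted by
 * RequestHeaderAuthenticationFilter and handed over by UserDetailsByNameServiceWrapper.
 * PreAuthenticatedAuthenticationProvider never checks the password, so a placeholder
 * is returned. Tomcat must be reachable only through the Apache front-end that sets
 * the header; a header arriving by any other path is not a verified identity.
 */
public class HeaderPrincipalUserDetailsService implements UserDetailsService {

    // Constructed sample data: in a deployment these come from LDAP or a database.
    private final Set<String> knownUsers;
    private final Set<String> admins;

    public HeaderPrincipalUserDetailsService(Set<String> knownUsers, Set<String> admins) {
        this.knownUsers = knownUsers;
        this.admins = admins;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        if (username == null || !knownUsers.contains(username)) {
            // Unknown principal: the provider reports a failed authentication, so the
            // request continues as anonymous and ends at the http403EntryPoint.
            throw new UsernameNotFoundException("No local account for " + username);
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));      // regular access
        if (admins.contains(username)) {
            authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN")); // administrative pages
        }
        // "N/A" password: the real authentication already happened in Apache/Kerberos.
        return new User(username, "N/A", authorities);
    }
}
```

Wire it as the userDetailsService bean referenced by the UserDetailsByNameServiceWrapper in the posted user-context.xml; the roles it returns are what the intercept-url expressions evaluate.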

Natrezim commented 9 years ago

I am doing that in my UserDetailsService. Every UserDetails object is returned with its authorities collection attribute set, so .getAuthorities() returns ROLE_USER and ROLE_ADMIN.

isedrof commented 7 years ago

To be able to configure authentication by certificate, is it necessary to re-implement some Java classes or just to configure the user-context.xml file as you've made here?