splix / grails-spring-security-facebook

Facebook Authentication plugin for Grails
http://splix.github.io/grails-spring-security-facebook/index.html

Fake login behavior triggered by IOException #89

Open deanguyton opened 9 years ago

deanguyton commented 9 years ago

Background: Facebook authentication works initially, then after a short period of inactivity (say 12 hours), on the next Facebook login attempt the login page will display the standard Spring Security access violation message "Sorry, you're not authorized to view this page". Additionally, Spring Security is stuck in a strange state where the sec:ifLoggedIn tags allow access (which triggers the display of the nav bar that a logged-in user would normally see), yet none of the links are accessible because the user isn't really authenticated.

With spring security in debug the following is logged (I've masked my id/secret):

2015-07-02 13:51:33,672 DEBUG ProviderManager Authentication attempt using com.the6hours.grails.springsecurity.facebook.FacebookAuthProvider
2015-07-02 13:51:33,683 WARN FacebookAuthUtils Can't read data from Facebook
java.io.IOException: Server returned HTTP response code: 400 for URL: https://graph.facebook.com/oauth/access_token?client_id=MYCLIENTID&redirect_uri=http%3A%2F%2Fwww.storyevolve.com%2Fj_sprin
g_security_facebook_check&client_secret=MYSECRET&code=AQDhCU7q8zJGFoRrbH9ThwUGcc2bkg8vUwAenIPISHY2mAFuYTVWJQUIEwESEQ-5f4cHcpH_3uH9RYgN8qKgj7uXCvRUTe0A1vMTiuhEMhyZ0RVhQA5mI4x
NEplbWvOA7t41Qh5-eNmhhzLGa_YVdi79U_zbtNsO8z3wlxJ8nxmyTWUcc4LpOGtLI5LHs4k1xLc1lwvmdydMaYTMO4-Ul7YEUBxm9Xam1GNltf4UGcjmCuh3fi_DAAgeAjuHUaaQexozgRp-RjnxKSBeYp3sp4SDP_bEGefnIQ_OuAzTaT5Ib8obs1DeVIlpf6Mm
IU-kH9Y
        at com.the6hours.grails.springsecurity.facebook.FacebookAuthUtils.requestAccessToken(FacebookAuthUtils.groovy:141)
        at com.the6hours.grails.springsecurity.facebook.FacebookAuthUtils.getAccessToken(FacebookAuthUtils.groovy:135)
        at com.the6hours.grails.springsecurity.facebook.FacebookAuthProvider.authenticate(FacebookAuthProvider.groovy:43)
        at grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter.doFilter(GrailsAnonymousAuthenticationFilter.java:53)
        at grails.plugin.springsecurity.web.authentication.RequestHolderAuthenticationFilter.doFilter(RequestHolderAuthenticationFilter.java:49)
        at com.the6hours.grails.springsecurity.facebook.FacebookAuthRedirectFilter.doFilter(FacebookAuthRedirectFilter.groovy:46)
        at grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:82)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:744)
2015-07-02 13:51:33,683 ERROR FacebookAuthProvider Can't fetch access_token for code 'AQDhCU7q8zJGFoRrbH9ThwUGcc2bkg8vUwAenIPISHY2mAFuYTVWJQUIEwESEQ-5f4cHcpH_3uH9RYgN8qKgj7uXCvRUTe0A1vMTiuhEMhyZ0RV
hQA5mI4xNEplbWvOA7t41Qh5-eNmhhzLGa_YVdi79U_zbtNsO8z3wlxJ8nxmyTWUcc4LpOGtLI5LHs4k1xLc1lwvmdydMaYTMO4-Ul7YEUBxm9Xam1GNltf4UGcjmCuh3fi_DAAgeAjuHUaaQexozgRp-RjnxKSBeYp3sp4SDP_bEGefnIQ_OuAzTaT5Ib8obs1De
VIlpf6MmIU-kH9Y'
2015-07-02 13:51:33,683 DEBUG FilterSecurityInterceptor Successfully Authenticated: Principal: null, uid: -1, roles: []
2015-07-02 13:51:33,683 DEBUG FilterSecurityInterceptor Authorization successful

Now if I actually cut and paste the URL, FB responds with:

{
   "error": {
      "message": "This authorization code has expired.",
      "type": "OAuthException",
      "code": 100
   }
}

I will try to override the FacebookAuthUtils class to experiment with handling this somehow or to figure out why the IOException is consistently thrown on this. But I wanted to report what I am experiencing.

deanguyton commented 9 years ago

I can reproduce this in the dev environment by purposely throwing an IOException; it triggers a state where all of the sec:ifLoggedIn tags are true, so the view displays all of the nav bars and the sign-out link. However, none of the links are actually accessible, as the user is still not identified as ROLE_USER.
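The fail-closed handling this thread is asking for, as an added example rather than the plugin's own code: an AuthenticationProvider that turns a failed access_token request into an AuthenticationException instead of handing a half-built Authentication back to the filter chain. FacebookCodeToken, FacebookGraphClient and FailClosedFacebookAuthProvider are hypothetical names standing in for the plugin's classes and for FacebookAuthUtils.

```groovy
import org.springframework.security.authentication.AbstractAuthenticationToken
import org.springframework.security.authentication.AuthenticationProvider
import org.springframework.security.authentication.AuthenticationServiceException
import org.springframework.security.core.Authentication
import org.springframework.security.core.AuthenticationException
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.authority.SimpleGrantedAuthority

// Hypothetical token for the ?code=... parameter arriving at j_spring_security_facebook_check.
// Groovy generates getPrincipal()/getCredentials() from the properties, satisfying the abstract base.
class FacebookCodeToken extends AbstractAuthenticationToken {
    final Object principal     // null until Facebook has confirmed the code
    final Object credentials   // the one-time OAuth authorization code
    // Unauthenticated form: only the code, no identity, no authorities.
    FacebookCodeToken(String code) {
        super(null); this.credentials = code; this.principal = null; setAuthenticated(false)
    }
    // Authenticated form: built only after Facebook accepted the code and returned a profile.
    FacebookCodeToken(String code, Object principal, Collection<? extends GrantedAuthority> authorities) {
        super(authorities); this.credentials = code; this.principal = principal; setAuthenticated(true)
    }
}

// Hypothetical stand-in for FacebookAuthUtils; an HTTP 400 from graph.facebook.com surfaces as IOException.
interface FacebookGraphClient {
    String requestAccessToken(String code) throws IOException
    Map loadProfile(String accessToken) throws IOException
}

class FailClosedFacebookAuthProvider implements AuthenticationProvider {
    FacebookGraphClient graph

    Authentication authenticate(Authentication authentication) throws AuthenticationException {
        FacebookCodeToken token = (FacebookCodeToken) authentication
        Map profile
        try {
            String accessToken = graph.requestAccessToken(token.credentials as String)
            profile = graph.loadProfile(accessToken)
        } catch (IOException e) {
            // Fail closed. An AuthenticationException makes the filter run its failure handler and
            // leaves nothing in the SecurityContext. Returning the unauthenticated token instead gives
            // the "Principal: null, uid: -1, roles: []" state in the log above: sec:ifLoggedIn sees an
            // Authentication, yet every URL is denied because ROLE_USER was never granted. A 400 with
            // "authorization code has expired" means a stale or already-used code; start a fresh login.
            throw new AuthenticationServiceException("Can't fetch Facebook access_token or profile", e)
        }
        return new FacebookCodeToken(token.credentials as String, profile.id,
                                     [new SimpleGrantedAuthority('ROLE_USER')])
    }

    boolean supports(Class<?> authentication) { FacebookCodeToken.isAssignableFrom(authentication) }
}
```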