Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- 2016-05-30 15:33:42.630 DEBUG 13897 --- [io-9999-exec-10] o.s.security.web.FilterChainProxy : /oauth/token at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
- 2016-05-30 15:33:42.631 DEBUG 13897 --- [io-9999-exec-10] o.s.security.web.FilterChainProxy : /oauth/token at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
- 2016-05-30 15:33:42.631 DEBUG 13897 --- [io-9999-exec-10] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
- 2016-05-30 15:33:42.631 DEBUG 13897 --- [io-9999-exec-10] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
- 2016-05-30 15:33:42.631 DEBUG 13897 --- [io-9999-exec-10] o.s.security.web.FilterChainProxy : /oauth/token at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
- 2016-05-30 15:33:42.631 DEBUG 13897 --- [io-9999-exec-10] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@2fe29f4b
- 2016-05-30 15:33:42.631 DEBUG 13897 --- [io-9999-exec-10] o.s.security.web.FilterChainProxy : /oauth/token at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
- 2016-05-30 15:33:42.644 DEBUG 13897 --- [io-9999-exec-10] o.s.security.web.csrf.CsrfFilter : Invalid CSRF token found for http://localhost:9999/uaa/oauth/token
- 2016-05-30 15:33:42.644 DEBUG 13897 --- [io-9999-exec-10] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
- 2016-05-30 15:33:42.644 DEBUG 13897 --- [io-9999-exec-10] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
- @Override
- protected void configure(HttpSecurity http) throws Exception {
- // @formatter:off
- http
- .formLogin().loginPage("/login").permitAll()
- .and()
- .requestMatchers().antMatchers("/login", "/oauth/authorize", "/secure/two_factor_authentication", "/pincode")
- .and()
- .authorizeRequests().anyRequest().authenticated();
- // @formatter:on
- }
- @Bean
- public OAuth2RequestFactory customOAuth2RequestFactory(){
- return new CustomOAuth2RequestFactory(clientDetailsService);
- }
- @Controller
- @RequestMapping(TwoFactorAuthenticationController.PATH)
- public class TwoFactorAuthenticationController {
- private static final Logger LOG = LoggerFactory.getLogger(TwoFactorAuthenticationController.class);
- public static final String PATH = "/secure/two_factor_authentication";
- public static final String AUTHORIZE_PATH = "/oauth/authorize";
- public static final String ROLE_TWO_FACTOR_AUTHENTICATED = "ROLE_TWO_FACTOR_AUTHENTICATED";
- private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
- @RequestMapping(method = RequestMethod.GET)
- public String auth(HttpServletRequest request, HttpSession session, HttpServletResponse resp/*, ....*/) {
- System.out.println("-------- inside GET /secure/two_factor_authentication --------------");
- if (AuthenticationUtil.isAuthenticatedWithAuthority(ROLE_TWO_FACTOR_AUTHENTICATED)) {
- LOG.info("User {} already has {} authority - no need to enter code again", ROLE_TWO_FACTOR_AUTHENTICATED);
- // throw ....;
- }
- else if (session.getAttribute(CustomOAuth2RequestFactory.SAVED_AUTHORIZATION_REQUEST_SESSION_ATTRIBUTE_NAME) == null) {
- // LOG.warn("Error while entering 2FA code - attribute {} not found in session.", CustomOAuth2RequestFactory.SAVED_AUTHORIZATION_REQUEST_SESSION_ATTRIBUTE_NAME);
- // throw ....;
- }
- return "pinCode";
- }
- @RequestMapping(method = RequestMethod.POST)
- public String auth(FormData formData, HttpServletRequest req, HttpServletResponse resp,
- SessionStatus sessionStatus, Principal principal, Model model)
- throws IOException{
- if (formData.getPinVal()!=null) {
- if(formData.getPinVal().equals("5309")){
- AuthenticationUtil.addAuthority(ROLE_TWO_FACTOR_AUTHENTICATED);
- return "redirect:"+AUTHORIZE_PATH;
- };
- };
- return "pinCode";
- }
- }
- public class HttpSessionCollector implements HttpSessionListener, ServletContextListener {
- private static final Set<HttpSession> sessions = ConcurrentHashMap.newKeySet();
- public void sessionCreated(HttpSessionEvent event) {
- sessions.add(event.getSession());
- }
- public void sessionDestroyed(HttpSessionEvent event) {
- sessions.remove(event.getSession());
- }
- public static Set<HttpSession> getSessions() {
- return sessions;
- }
- public void contextCreated(ServletContextEvent event) {
- event.getServletContext().setAttribute("HttpSessionCollector.instance", this);
- }
- public static HttpSessionCollector getCurrentInstance(ServletContext context) {
- return (HttpSessionCollector) context.getAttribute("HttpSessionCollector.instance");
- }
- @Override
- public void contextDestroyed(ServletContextEvent arg0) {
- }
- @Override
- public void contextInitialized(ServletContextEvent arg0) {
- }
- }
- @Component
- public class DiagnoseSessionFilter extends OncePerRequestFilter implements ServletContextAware {
- @Override
- protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain fc) throws ServletException, IOException {
- System.out.println("...........///////////// START OF DiagnoseSessionFilter.doFilterInternal() ///////////...........");
- //start of request stuff
- System.out.println("\\\\\ REQUEST ATTRIBUTES ARE: ");
- if(req.getAttribute("_csrf")!=null){
- System.out.println("_csrf is: " + req.getAttribute("_csrf").toString());
- }
- if(req.getAttribute("org.springframework.security.web.csrf.CsrfToken")!=null){
- CsrfToken ucsrf = (CsrfToken) req.getAttribute("org.springframework.security.web.csrf.CsrfToken");
- System.out.println("ucsrf.getToken() is: " + ucsrf.getToken());
- }
- String reqXSRF = req.getHeader("XSRF-TOKEN");
- System.out.println("request XSRF-TOKEN header is: " + reqXSRF);
- String reqCookie = req.getHeader("Cookie");
- System.out.println("request Cookie header is: " + reqCookie);
- String reqSetCookie = req.getHeader("Set-Cookie");
- System.out.println("request Set-Cookie header is: " + reqSetCookie);
- String reqReferrer = req.getHeader("referrer");
- System.out.println("request referrer header is: " + reqReferrer);
- HttpSession rsess = req.getSession(false);
- System.out.println("request.getSession(false) is: " + rsess);
- if(rsess!=null){
- String sessid = rsess.getId();
- System.out.println("session.getId() is: "+sessid);
- }
- System.out.println("/////////// END OF REQUEST ATTRIBUTES ");
- //end of request stuff
- ServletContext servletContext = req.getServletContext();
- System.out.println("\\\\\ START OF SESSION COLLECTOR STUFF ");
- HttpSessionCollector collector = HttpSessionCollector.getCurrentInstance(servletContext);
- Set<HttpSession> sessions = collector.getSessions();
- System.out.println("sessions.size() is: " + sessions.size());
- for(HttpSession sess : sessions){
- System.out.println("sess is: " + sess);
- System.out.println("sess.getId() is: " + sess.getId());
- CsrfToken sessCsrf = (CsrfToken) sess.getAttribute("org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository.CSRF_TOKEN");
- System.out.println("csrf is: " + sessCsrf);
- if(sessCsrf!=null){
- if(sessCsrf.getToken()!=null){
- System.out.println("sessCsrf.getToken() is: " + sessCsrf.getToken());
- } else { System.out.println("sessCsrf.getToken() is: null "); }
- } else { System.out.println("sessCsrf is: null "); }
- System.out.println("sess.getAttribute(SPRING_SECURITY_SAVED_REQUEST) is: " + sess.getAttribute("SPRING_SECURITY_SAVED_REQUEST") );
- if(sess.getAttribute("SPRING_SECURITY_SAVED_REQUEST") instanceof DefaultSavedRequest){
- System.out.println("_____ START PRINTING SAVED REQUEST");
- DefaultSavedRequest savedReq = (DefaultSavedRequest) sess.getAttribute("SPRING_SECURITY_SAVED_REQUEST");
- List<Cookie> savedCookies = savedReq.getCookies();
- for(Cookie cook : savedCookies){
- String name = cook.getName();String value = cook.getValue();
- System.out.println("cookie name, value are: " + name + " , " + value);
- }
- Collection<String> savedHeaderNames = savedReq.getHeaderNames();
- for(String headerName : savedHeaderNames){
- System.out.println("headerName is: " + headerName);
- }
- List<Locale> savedLocales = savedReq.getLocales();
- for(Locale loc : savedLocales){
- System.out.println("loc.getLanguage() is: " + loc.getLanguage());
- }
- String savedMethod = savedReq.getMethod();
- System.out.println("savedMethod is: " + savedMethod);
- Map<String, String[]> savedParamMap = savedReq.getParameterMap();
- Iterator<Entry<String, String[]>> it = savedParamMap.entrySet().iterator();
- while (it.hasNext()) {
- Entry<String, String[]> pair = it.next();
- System.out.println("savedParamMap: " + pair.getKey() + " = " + pair.getValue());
- it.remove(); // avoids a ConcurrentModificationException
- }
- Collection<String> savedParamNames = savedReq.getParameterNames();
- for(String savedParamName : savedParamNames){
- System.out.println("savedParamName: " + savedParamNames);
- }
- System.out.println("_____ DONE PRINTING SAVED REQUEST");
- }
- // System.out.println("sess.getAttribute(SPRING_SECURITY_CONTEXT) is: " + sess.getAttribute("SPRING_SECURITY_CONTEXT") );
- if(sess.getAttribute("SPRING_SECURITY_CONTEXT") instanceof SecurityContextImpl){
- SecurityContext ctxt = (SecurityContext) sess.getAttribute("SPRING_SECURITY_CONTEXT");
- Authentication auth = ctxt.getAuthentication();
- if(auth.getDetails() instanceof WebAuthenticationDetails){
- WebAuthenticationDetails dets = (WebAuthenticationDetails) auth.getDetails();
- System.out.println( "dets.getSessionId() is: " + dets.getSessionId() );
- }
- System.out.println("auth.getAuthorities() is: " + auth.getAuthorities() );
- System.out.println("auth.isAuthenticated() is: " + auth.isAuthenticated() );
- }
- }
- SecurityContext context = SecurityContextHolder.getContext();
- System.out.println("...........///////////// END OF DiagnoseSessionFilter.doFilterInternal() ///////////...........");
- fc.doFilter(req, res);
- }
- }
- 1.) POST http://localhost:9999/uaa/secure/two_factor_authentication
- request headers:
- Referer: 9999/uaa/secure/two_factor_authentication
- Cookie:
- JSESSIONID: ....95CB77
- ....918636
- XSRF-TOKEN: ....862a73
- filter chain:
- DiagnoseSessionFilter:
- request stuff:
- Cookie header:
- JSESSIONID: ....95CB77
- ....918636
- XSRF-TOKEN: ....862a73
- request.getSession(false).getId(): ....95CB77
- session collector stuff:
- JSESSIONID: ....95CB77
- csrf: ....862a73
- SPRING_SECURITY_SAVED_REQUEST is null
- user details (from Authentication object with user/request
- JSESSIONID: ....ED927C
- Authenticated = true, with roles
- Complete the filter chain
- DiagnoseSessionFilter (again)
- request stuff:
- csrf attribute: ....862a73
- Cookie header:
- JSESSIONID: ....95CB77
- ....918636
- XSRF-TOKEN: ....862a73
- request.getSession(false).getId(): 95CB77
- session collector stuff:
- JSESSIONID: ....95CB77
- csrf is: 862a73
- SPRING_SECURITY_SAVED_REQUEST is null
- user details (Authentication for user/session/request)
- JSESSIONID: ....ED927C
- Authenticated = true, with authorities
- POST/secure/two_factor_authenticationControllerMethod
- do some stuff
- response:
- Location: 9999/uaa/oauth/authorize?....
- XSRF-TOKEN: ....862a73
- 2.) GET http://localhost:9999/uaa/oauth/authorize?...
- request headers:
- Host: localhost:9999
- Referer: 9999/uaa/secure/two_factor_authentication
- Cookie:
- JSESSIONID: ....95CB77
- ....918636
- XSRF-TOKEN: ....862a73
- FilterChain
- DiagnoseSessionFilter
- request stuff:
- Cookie header is: JSESSIONID: ....95CB77
- ....918636
- XSRF-TOKEN: ....862a73
- request.getSession(false).getId(): 95CB77
- session collector stuff:
- JSESSIONID: ....95CB77
- csrf is: ....862a73
- SPRING_SECURITY_SAVED_REQUEST is: null
- user details (Authentication object with user/session/req)
- JSESSIONID: ....ED927C
- Authenticated = true with ALL roles.
- rest of filter chain
- TwoFactorAuthenticationFilter
- request stuff:
- csrf request attribute is: ....862a73
- cookie header:
- JSESSIONID: ....95CB77
- ....918636
- XSRF-TOKEN: ....862a73
- request.getSession(false).getId() is: ....95CB77
- updateCsrf is: ....862a73
- response stuff:
- XSRF-TOKEN header (after manual update): ....862a73
- DiagnoseSessionFilter:
- request stuff:
- _csrf request attribute: ....862a73
- Cookie header:
- JSESSIONID: ....95CB77
- ....918636
- XSRF-TOKEN: ....862a73
- request.getSession(false).getId() is: ....95CB77
- session collector stuff:
- JSESSIONID: ....95CB77
- csrf is: ....862a73
- SPRING_SECURITY_SAVED_REQUEST is: null
- user details (Authentication for user/session/request)
- JSESSIONID: ....ED927C
- Authenticated is true, with ALL roles.
- CustomOAuth2RequestFactory
- request stuff:
- _csrf request parameter is: ....862a73
- Cookie header:
- JSESSIONID: ....95CB77
- ....918636
- XSRF-TOKEN: ....862a73
- request.getSession(false).getId() is: ....95CB77
- updateCsrf: ....862a73
- response stuff:
- XSRF-TOKEN header: ....862a73
- session attribute printout
- csrf: ....862a73
- SPRING_SECURITY_CONTEXT (not printed, so don't know values)
- response:
- Location: 8080/login?code=myNwd7&state=f6b3Km
- XSRF-TOKEN: ....862a73
- 3.) GET http://localhost:8080/login?code=myNwd7&state=f6b3Km
- request headers:
- Host: localhost:8080
- Referer: 9999/uaa/secure/two_factor_authentication
- Cookie:
- JSESSIONID: ....918636
- XSRF-TOKEN: ....862a73
- UiAppFilterChain:
- HttpSessionSecurityContextRepository
- creates new SPRING_SECURITY_CONTEXT to replace null one
- OAuth2ClientAuthenticationProcessingFilter (position 8 of 14)
- AuthorizationCodeAccessTokenProvider
- Retrieving token from 9999/uaa/oauth/token
- AuthServerFilterChain:
- DiagnoseSessionFilter
- request stuff:
- XSRF-TOKEN header is: null
- Cookie header is: null
- Set-Cookie header is: null
- referrer header is: null
- request.getSession(false) is: null
- session collector stuff:
- JSESSIONID: ....95CB77
- sessCsrf.getToken() is: 862a73
- SPRING_SECURITY_SAVED_REQUEST is: null
- Authenticated is true but with ONLY these roles:
- ROLE_HOBBIT, ROLE_TWO_FACTOR_AUTHENTICATION_ENABLED
- SecurityContextPersistenceFilter
- reports no HttpSession and no SPRING_SECURITY_CONTEXT
- CsrfFilter
- rejects request to /oauth/token due to no session % csrf
- response headers:
- Set-Cookie:
- XSRF-TOKEN: ....527fbe
- X-Frame-Options: DENY
Add Comment
Please, Sign In to add comment