  1. 2016-05-30 15:33:42.630 DEBUG 13897 --- [io-9999-exec-10] o.s.security.web.FilterChainProxy : /oauth/token at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
  2. 2016-05-30 15:33:42.631 DEBUG 13897 --- [io-9999-exec-10] o.s.security.web.FilterChainProxy : /oauth/token at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
  3. 2016-05-30 15:33:42.631 DEBUG 13897 --- [io-9999-exec-10] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
  4. 2016-05-30 15:33:42.631 DEBUG 13897 --- [io-9999-exec-10] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
  5. 2016-05-30 15:33:42.631 DEBUG 13897 --- [io-9999-exec-10] o.s.security.web.FilterChainProxy : /oauth/token at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
  6. 2016-05-30 15:33:42.631 DEBUG 13897 --- [io-9999-exec-10] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@2fe29f4b
  7. 2016-05-30 15:33:42.631 DEBUG 13897 --- [io-9999-exec-10] o.s.security.web.FilterChainProxy : /oauth/token at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
  8. 2016-05-30 15:33:42.644 DEBUG 13897 --- [io-9999-exec-10] o.s.security.web.csrf.CsrfFilter : Invalid CSRF token found for http://localhost:9999/uaa/oauth/token
  9. 2016-05-30 15:33:42.644 DEBUG 13897 --- [io-9999-exec-10] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
  10. 2016-05-30 15:33:42.644 DEBUG 13897 --- [io-9999-exec-10] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
  11.  
  /**
   * Configures the authorization server's web security: a form-login page at
   * {@code /login} that everyone may reach, a request matcher that limits this
   * filter chain to the login, authorize, two-factor and pincode paths, and an
   * "authenticated" rule for every request that does reach the chain.
   *
   * @param http the {@link HttpSecurity} builder handed in by Spring Security
   * @throws Exception propagated from the {@link HttpSecurity} configurers
   */
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // Every call below configures the same shared builder, so three statements
    // are equivalent to one expression chained with and().
    http.formLogin()
        .loginPage("/login")
        .permitAll();
    http.requestMatchers()
        .antMatchers("/login", "/oauth/authorize", "/secure/two_factor_authentication", "/pincode");
    http.authorizeRequests()
        .anyRequest()
        .authenticated();
  }
  23.  
  /**
   * Publishes the custom {@link OAuth2RequestFactory} used by the two-factor flow.
   *
   * @return a new {@link CustomOAuth2RequestFactory} over the configured client
   *     details service
   */
  @Bean
  public OAuth2RequestFactory customOAuth2RequestFactory() {
    OAuth2RequestFactory factory = new CustomOAuth2RequestFactory(clientDetailsService);
    return factory;
  }
  28.  
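  /**
   * Second-factor step of the authorization flow: GET renders the pin form, POST
   * checks the submitted pin and, on success, grants
   * {@value #ROLE_TWO_FACTOR_AUTHENTICATED} and redirects back to
   * {@value #AUTHORIZE_PATH}.
   */
  @Controller
  @RequestMapping(TwoFactorAuthenticationController.PATH)
  public class TwoFactorAuthenticationController {
    private static final Logger LOG = LoggerFactory.getLogger(TwoFactorAuthenticationController.class);
    public static final String PATH = "/secure/two_factor_authentication";
    public static final String AUTHORIZE_PATH = "/oauth/authorize";
    public static final String ROLE_TWO_FACTOR_AUTHENTICATED = "ROLE_TWO_FACTOR_AUTHENTICATED";

    /** Logical view name of the pin-entry page; both handlers return it. */
    private static final String PIN_VIEW = "pinCode";

    /**
     * The single pin this prototype accepts. A fixed code shared by every user is a
     * stand-in for a real per-user second factor and should be replaced before use
     * outside a demo.
     */
    private static final byte[] EXPECTED_PIN =
        "5309".getBytes(java.nio.charset.StandardCharsets.UTF_8);

    // Not used by either handler yet; kept for the redirect the flow will need.
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    /**
     * Renders the pin form.
     *
     * @param request the current request
     * @param session the current session, consulted for the saved authorization request
     * @param resp the current response (unused)
     * @return the pin view name
     */
    @RequestMapping(method = RequestMethod.GET)
    public String auth(HttpServletRequest request, HttpSession session, HttpServletResponse resp) {
      LOG.debug("GET {}", PATH);
      if (AuthenticationUtil.isAuthenticatedWithAuthority(ROLE_TWO_FACTOR_AUTHENTICATED)) {
        // Two placeholders need two arguments; the original passed only the role, so the
        // second "{}" was printed literally. Only the principal's name is logged, not
        // the Authentication object, whose toString() dumps details and authorities.
        Principal user = request.getUserPrincipal();
        LOG.info("User {} already has {} authority - no need to enter code again",
            user == null ? null : user.getName(), ROLE_TWO_FACTOR_AUTHENTICATED);
        // TODO: decide whether an already-verified user is redirected or rejected;
        // the original left this branch empty and fell through to the form.
      } else if (session.getAttribute(
          CustomOAuth2RequestFactory.SAVED_AUTHORIZATION_REQUEST_SESSION_ATTRIBUTE_NAME) == null) {
        LOG.warn("Error while entering 2FA code - attribute {} not found in session.",
            CustomOAuth2RequestFactory.SAVED_AUTHORIZATION_REQUEST_SESSION_ATTRIBUTE_NAME);
        // TODO: as above - without a saved authorization request there is nothing to
        // return to after the pin, yet the form is still shown.
      }
      return PIN_VIEW;
    }

    /**
     * Verifies the submitted pin.
     *
     * @param formData form binding carrying the pin
     * @param req the current request (unused)
     * @param resp the current response (unused)
     * @param sessionStatus the session status (unused)
     * @param principal the authenticated user (unused)
     * @param model the view model (unused)
     * @return a redirect to {@value #AUTHORIZE_PATH} on a correct pin, otherwise the pin view
     * @throws IOException declared for callers; nothing in the body throws it today
     */
    @RequestMapping(method = RequestMethod.POST)
    public String auth(FormData formData, HttpServletRequest req, HttpServletResponse resp,
        SessionStatus sessionStatus, Principal principal, Model model) throws IOException {
      if (pinMatches(formData.getPinVal())) {
        AuthenticationUtil.addAuthority(ROLE_TWO_FACTOR_AUTHENTICATED);
        return "redirect:" + AUTHORIZE_PATH;
      }
      // Wrong or missing pin: show the form again. Nothing here counts or throttles
      // attempts, so a four-digit code can be exhausted quickly; a failed-attempt limit
      // belongs in front of this handler before the prototype stage ends.
      return PIN_VIEW;
    }

    /**
     * Compares the submitted pin with the expected one without short-circuiting.
     *
     * @param submitted the pin from the form, may be {@code null}
     * @return {@code true} only when {@code submitted} equals the expected pin
     */
    private static boolean pinMatches(String submitted) {
      if (submitted == null) {
        return false;
      }
      // MessageDigest.isEqual compares every byte rather than stopping at the first
      // mismatch as String.equals does, so response time does not depend on how many
      // leading characters were right.
      return java.security.MessageDigest.isEqual(
          submitted.getBytes(java.nio.charset.StandardCharsets.UTF_8), EXPECTED_PIN);
    }
  }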
  68.  
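  /**
   * Keeps a registry of every {@link HttpSession} the container creates so that the
   * diagnostic filter can inspect them.
   *
   * <p>The instance publishes itself under the servlet-context attribute
   * {@value #CONTEXT_ATTRIBUTE}. The original did so from a {@code contextCreated}
   * method, which is not a {@link ServletContextListener} callback, so the container
   * never invoked it and {@link #getCurrentInstance} always returned {@code null};
   * the registration now happens in {@link #contextInitialized}.
   */
  public class HttpSessionCollector implements HttpSessionListener, ServletContextListener {

    /** Servlet-context attribute under which the listener instance is published. */
    static final String CONTEXT_ATTRIBUTE = "HttpSessionCollector.instance";

    // Concurrent set: the listener callbacks may arrive on different container threads.
    private static final Set<HttpSession> sessions = ConcurrentHashMap.newKeySet();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
      sessions.add(event.getSession());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
      sessions.remove(event.getSession());
    }

    /**
     * Returns a read-only view of the live sessions. The view is backed by the registry,
     * so it reflects later creations and removals, but callers can no longer add or drop
     * sessions through it as they could with the raw set the original handed out.
     *
     * @return an unmodifiable view of the current sessions
     */
    public static Set<HttpSession> getSessions() {
      return java.util.Collections.unmodifiableSet(sessions);
    }

    /**
     * Publishes this instance in the servlet context. Not a listener callback; kept
     * because it is public, and now invoked from {@link #contextInitialized}.
     *
     * @param event the context event whose servlet context receives the attribute
     */
    public void contextCreated(ServletContextEvent event) {
      event.getServletContext().setAttribute(CONTEXT_ATTRIBUTE, this);
    }

    /**
     * Looks up the instance published by {@link #contextInitialized}.
     *
     * @param context the servlet context
     * @return the registered collector, or {@code null} if none has been initialised
     */
    public static HttpSessionCollector getCurrentInstance(ServletContext context) {
      return (HttpSessionCollector) context.getAttribute(CONTEXT_ATTRIBUTE);
    }

    @Override
    public void contextInitialized(ServletContextEvent event) {
      contextCreated(event);
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
      event.getServletContext().removeAttribute(CONTEXT_ATTRIBUTE);
    }
  }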
  102.  
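  /**
   * Diagnostic filter that dumps, to standard output, the CSRF and session state of the
   * current request and of every session known to {@link HttpSessionCollector}, then
   * continues the chain unchanged.
   *
   * <p>Being a {@code @Component}, it is active wherever the package is scanned. Session
   * ids, CSRF tokens and cookie values pass through {@link #tail(String)}, which keeps
   * only their last {@value #VISIBLE_SUFFIX} characters; the original printed them in
   * full, which turns the console log into a store of live credentials.
   */
  @Component
  public class DiagnoseSessionFilter extends OncePerRequestFilter implements ServletContextAware {

    /** Number of trailing characters of a secret left readable in the output. */
    private static final int VISIBLE_SUFFIX = 6;

    private static final String CSRF_REQUEST_ATTRIBUTE =
        "org.springframework.security.web.csrf.CsrfToken";
    private static final String CSRF_SESSION_ATTRIBUTE =
        "org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository.CSRF_TOKEN";
    private static final String SAVED_REQUEST_ATTRIBUTE = "SPRING_SECURITY_SAVED_REQUEST";
    private static final String SECURITY_CONTEXT_ATTRIBUTE = "SPRING_SECURITY_CONTEXT";

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain fc)
        throws ServletException, IOException {
      System.out.println("...........///////////// START OF DiagnoseSessionFilter.doFilterInternal() ///////////...........");
      dumpRequest(req);
      dumpKnownSessions(req);
      System.out.println("...........///////////// END OF DiagnoseSessionFilter.doFilterInternal() ///////////...........");
      fc.doFilter(req, res);
    }

    /** Prints the CSRF attributes, relevant headers, cookies and session id of {@code req}. */
    private static void dumpRequest(HttpServletRequest req) {
      System.out.println("\\\\\\ REQUEST ATTRIBUTES ARE: ");
      Object csrfAttr = req.getAttribute("_csrf");
      if (csrfAttr instanceof CsrfToken) {
        System.out.println("_csrf token is: " + tail(((CsrfToken) csrfAttr).getToken()));
      } else if (csrfAttr != null) {
        System.out.println("_csrf is: " + csrfAttr);
      }
      CsrfToken ucsrf = (CsrfToken) req.getAttribute(CSRF_REQUEST_ATTRIBUTE);
      if (ucsrf != null) {
        System.out.println("ucsrf.getToken() is: " + tail(ucsrf.getToken()));
      }
      System.out.println("request XSRF-TOKEN header is: " + tail(req.getHeader("XSRF-TOKEN")));
      // "Referer" is the header's (historically misspelled) name; the original asked for
      // "referrer", which no client sends, so that line always printed null.
      System.out.println("request Referer header is: " + req.getHeader("Referer"));
      // Cookies are listed by name with masked values instead of echoing the raw
      // Cookie header, which carries the full JSESSIONID and XSRF-TOKEN values.
      Cookie[] cookies = req.getCookies();
      if (cookies == null) {
        System.out.println("request cookies: none");
      } else {
        for (Cookie cookie : cookies) {
          System.out.println("request cookie " + cookie.getName() + " = " + tail(cookie.getValue()));
        }
      }
      HttpSession rsess = req.getSession(false);
      System.out.println("request.getSession(false).getId() is: "
          + (rsess == null ? "null" : tail(rsess.getId())));
      System.out.println("/////////// END OF REQUEST ATTRIBUTES ");
    }

    /** Prints the CSRF token, saved request and security context of every registered session. */
    private static void dumpKnownSessions(HttpServletRequest req) {
      System.out.println("\\\\\\ START OF SESSION COLLECTOR STUFF ");
      HttpSessionCollector collector =
          HttpSessionCollector.getCurrentInstance(req.getServletContext());
      // null here means the listener never published itself in the context; the session
      // registry is static, so it can still be read either way.
      System.out.println("HttpSessionCollector registered in servlet context: " + (collector != null));
      Set<HttpSession> sessions = HttpSessionCollector.getSessions();
      System.out.println("sessions.size() is: " + sessions.size());
      for (HttpSession sess : sessions) {
        System.out.println("sess.getId() is: " + tail(sess.getId()));
        CsrfToken sessCsrf = (CsrfToken) sess.getAttribute(CSRF_SESSION_ATTRIBUTE);
        System.out.println("sessCsrf.getToken() is: "
            + (sessCsrf == null ? "null" : tail(sessCsrf.getToken())));

        Object saved = sess.getAttribute(SAVED_REQUEST_ATTRIBUTE);
        System.out.println("sess.getAttribute(SPRING_SECURITY_SAVED_REQUEST) is: " + saved);
        if (saved instanceof DefaultSavedRequest) {
          dumpSavedRequest((DefaultSavedRequest) saved);
        }

        Object ctxt = sess.getAttribute(SECURITY_CONTEXT_ATTRIBUTE);
        if (ctxt instanceof SecurityContextImpl) {
          dumpSecurityContext((SecurityContext) ctxt);
        }
      }
    }

    /** Prints cookies, header names, locales, method and parameter names of a saved request. */
    private static void dumpSavedRequest(DefaultSavedRequest savedReq) {
      System.out.println("_____ START PRINTING SAVED REQUEST");
      for (Cookie cook : savedReq.getCookies()) {
        System.out.println("cookie name, value are: " + cook.getName() + " , " + tail(cook.getValue()));
      }
      for (String headerName : savedReq.getHeaderNames()) {
        System.out.println("headerName is: " + headerName);
      }
      for (Locale loc : savedReq.getLocales()) {
        System.out.println("loc.getLanguage() is: " + loc.getLanguage());
      }
      System.out.println("savedMethod is: " + savedReq.getMethod());
      // Read-only walk. The original removed every entry as it printed it, which - if
      // getParameterMap() hands back the live map - strips the parameters from the
      // request Spring Security replays after login. Values are not printed: the
      // original only showed the String[] identity, and they may hold tokens.
      for (Entry<String, String[]> pair : savedReq.getParameterMap().entrySet()) {
        System.out.println("savedParamMap: " + pair.getKey() + " = " + pair.getValue().length + " value(s)");
      }
      // The original printed the whole collection on every iteration instead of the name.
      for (String savedParamName : savedReq.getParameterNames()) {
        System.out.println("savedParamName: " + savedParamName);
      }
      System.out.println("_____ DONE PRINTING SAVED REQUEST");
    }

    /** Prints the session id, authorities and authenticated flag of a stored security context. */
    private static void dumpSecurityContext(SecurityContext ctxt) {
      Authentication auth = ctxt.getAuthentication();
      if (auth == null) {
        // getAuthentication() may be null; the original dereferenced it unconditionally.
        System.out.println("auth is: null");
        return;
      }
      if (auth.getDetails() instanceof WebAuthenticationDetails) {
        WebAuthenticationDetails dets = (WebAuthenticationDetails) auth.getDetails();
        System.out.println("dets.getSessionId() is: " + tail(dets.getSessionId()));
      }
      System.out.println("auth.getAuthorities() is: " + auth.getAuthorities());
      System.out.println("auth.isAuthenticated() is: " + auth.isAuthenticated());
    }

    /**
     * Masks a secret for logging, keeping only its last {@value #VISIBLE_SUFFIX} characters.
     *
     * @param secret the value to mask, may be {@code null}
     * @return {@code "null"} for {@code null}; otherwise {@code "...."} followed by the
     *     suffix (the whole value when it is no longer than the suffix)
     */
    static String tail(String secret) {
      if (secret == null) {
        return "null";
      }
      int start = Math.max(0, secret.length() - VISIBLE_SUFFIX);
      return "...." + secret.substring(start);
    }
  }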
  208.  
  209. 1.) POST http://localhost:9999/uaa/secure/two_factor_authentication
  210. request headers:
  211. Referer: 9999/uaa/secure/two_factor_authentication
  212. Cookie:
  213. JSESSIONID: ....95CB77
  214. ....918636
  215. XSRF-TOKEN: ....862a73
  216. filter chain:
  217. DiagnoseSessionFilter:
  218. request stuff:
  219. Cookie header:
  220. JSESSIONID: ....95CB77
  221. ....918636
  222. XSRF-TOKEN: ....862a73
  223. request.getSession(false).getId(): ....95CB77
  224. session collector stuff:
  225. JSESSIONID: ....95CB77
  226. csrf: ....862a73
  227. SPRING_SECURITY_SAVED_REQUEST is null
  228. user details (from Authentication object with user/request)
  229. JSESSIONID: ....ED927C
  230. Authenticated = true, with roles
  231. Complete the filter chain
  232. DiagnoseSessionFilter (again)
  233. request stuff:
  234. csrf attribute: ....862a73
  235. Cookie header:
  236. JSESSIONID: ....95CB77
  237. ....918636
  238. XSRF-TOKEN: ....862a73
  239. request.getSession(false).getId(): 95CB77
  240. session collector stuff:
  241. JSESSIONID: ....95CB77
  242. csrf is: 862a73
  243. SPRING_SECURITY_SAVED_REQUEST is null
  244. user details (Authentication for user/session/request)
  245. JSESSIONID: ....ED927C
  246. Authenticated = true, with authorities
  247. POST /secure/two_factor_authentication controller method
  248. do some stuff
  249. response:
  250. Location: 9999/uaa/oauth/authorize?....
  251. XSRF-TOKEN: ....862a73
  252.  
  253. 2.) GET http://localhost:9999/uaa/oauth/authorize?...
  254. request headers:
  255. Host: localhost:9999
  256. Referer: 9999/uaa/secure/two_factor_authentication
  257. Cookie:
  258. JSESSIONID: ....95CB77
  259. ....918636
  260. XSRF-TOKEN: ....862a73
  261. FilterChain
  262. DiagnoseSessionFilter
  263. request stuff:
  264. Cookie header is: JSESSIONID: ....95CB77
  265. ....918636
  266. XSRF-TOKEN: ....862a73
  267. request.getSession(false).getId(): 95CB77
  268. session collector stuff:
  269. JSESSIONID: ....95CB77
  270. csrf is: ....862a73
  271. SPRING_SECURITY_SAVED_REQUEST is: null
  272. user details (Authentication object with user/session/req)
  273. JSESSIONID: ....ED927C
  274. Authenticated = true with ALL roles.
  275. rest of filter chain
  276. TwoFactorAuthenticationFilter
  277. request stuff:
  278. csrf request attribute is: ....862a73
  279. cookie header:
  280. JSESSIONID: ....95CB77
  281. ....918636
  282. XSRF-TOKEN: ....862a73
  283. request.getSession(false).getId() is: ....95CB77
  284. updateCsrf is: ....862a73
  285. response stuff:
  286. XSRF-TOKEN header (after manual update): ....862a73
  287. DiagnoseSessionFilter:
  288. request stuff:
  289. _csrf request attribute: ....862a73
  290. Cookie header:
  291. JSESSIONID: ....95CB77
  292. ....918636
  293. XSRF-TOKEN: ....862a73
  294. request.getSession(false).getId() is: ....95CB77
  295. session collector stuff:
  296. JSESSIONID: ....95CB77
  297. csrf is: ....862a73
  298. SPRING_SECURITY_SAVED_REQUEST is: null
  299. user details (Authentication for user/session/request)
  300. JSESSIONID: ....ED927C
  301. Authenticated is true, with ALL roles.
  302. CustomOAuth2RequestFactory
  303. request stuff:
  304. _csrf request parameter is: ....862a73
  305. Cookie header:
  306. JSESSIONID: ....95CB77
  307. ....918636
  308. XSRF-TOKEN: ....862a73
  309. request.getSession(false).getId() is: ....95CB77
  310. updateCsrf: ....862a73
  311. response stuff:
  312. XSRF-TOKEN header: ....862a73
  313. session attribute printout
  314. csrf: ....862a73
  315. SPRING_SECURITY_CONTEXT (not printed, so don't know values)
  316. response:
  317. Location: 8080/login?code=myNwd7&state=f6b3Km
  318. XSRF-TOKEN: ....862a73
  319.  
  320. 3.) GET http://localhost:8080/login?code=myNwd7&state=f6b3Km
  321. request headers:
  322. Host: localhost:8080
  323. Referer: 9999/uaa/secure/two_factor_authentication
  324. Cookie:
  325. JSESSIONID: ....918636
  326. XSRF-TOKEN: ....862a73
  327. UiAppFilterChain:
  328. HttpSessionSecurityContextRepository
  329. creates new SPRING_SECURITY_CONTEXT to replace null one
  330. OAuth2ClientAuthenticationProcessingFilter (position 8 of 14)
  331. AuthorizationCodeAccessTokenProvider
  332. Retrieving token from 9999/uaa/oauth/token
  333. AuthServerFilterChain:
  334. DiagnoseSessionFilter
  335. request stuff:
  336. XSRF-TOKEN header is: null
  337. Cookie header is: null
  338. Set-Cookie header is: null
  339. referrer header is: null
  340. request.getSession(false) is: null
  341. session collector stuff:
  342. JSESSIONID: ....95CB77
  343. sessCsrf.getToken() is: 862a73
  344. SPRING_SECURITY_SAVED_REQUEST is: null
  345. Authenticated is true but with ONLY these roles:
  346. ROLE_HOBBIT, ROLE_TWO_FACTOR_AUTHENTICATION_ENABLED
  347. SecurityContextPersistenceFilter
  348. reports no HttpSession and no SPRING_SECURITY_CONTEXT
  349. CsrfFilter
  350. rejects request to /oauth/token due to no session and no CSRF token
  351.  
  352. response headers:
  353. Set-Cookie:
  354. XSRF-TOKEN: ....527fbe
  355. X-Frame-Options: DENY