I have the following scenario for single sign on:

  1. Clicking the link for the web app on the portal (HTTP) gets the SSO integration page.
  2. The SSO integration page appears for a while in the browser, then it automatically POSTs data (HTTP) to the web app with hidden fields.
  3. The web app receives the request and extracts the user info from the request parameters.
  4. The web app makes a web service call to the SSO integration to see if the user is active.
  5. On receiving a positive response, the web app displays the page.

I am using a preauthentication filter extending AbstractPreAuthenticatedProcessingFilter in spring security where I have overridden this function:

protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
    String username = getUserName(request);  // Line 1
    // String username = "userA";            // Line 2
    return username;                         // Line 3
}

The function getUserName performs steps 3 and 4.

When I use Line 2 (and not Line 1), everything works fine and the user is able to see the web app page. When I use Line 1 and debug it, the username is extracted the same as in Line 2 without any exception, but the user gets HTTP error code 404. At Line 3, both scenarios have the same value.

I am totally clueless about why this is happening or where the error is. :( Can anyone point me in the right direction?

UPDATE: The HTTP 404 response I receive is like this:

Response Header    Value
Set-Cookie         JSESSIONID=b8f8615855da6e92d780f12e2bbe; Path=/<webapp>; Secure; HttpOnly

And on page refresh in the browser, the user is logged in and able to see the page. The jsessionid is not present as a URL parameter in the case of refresh, but when I am using Line 2, jsessionid is there as a URL parameter? I am not able to understand this behaviour.

user3516088
  • Try putting a System.out print of `username`. I don't know how many times this method will be called in a request cycle; maybe you will see that `userA` is extracted correctly in some of the calls and not in other calls. – Subin Sebastian Jul 06 '14 at 10:18
  • I put a System.out print and the username is printed only once. This function is called once. Should it be called more than once? – user3516088 Jul 06 '14 at 10:52
  • Not sure about that. So you are saying if you give "userA" it works, and if you give `getUserName(request)` which `.equals("userA")`, it doesn't work? That's weird. – Subin Sebastian Jul 06 '14 at 11:00
  • Yes, it's weird. I updated the question with more information. – user3516088 Jul 06 '14 at 12:18
  • Any chance when username is returned from getUserName(), it has some trailing white spaces? – coder Jul 30 '14 at 11:09
  • Also, can you enable debug logs for Spring Security and send the log output? – coder Jul 30 '14 at 14:19
  • I think there's a call to `request.getSession(true)` inside the `getUsername(req)` and a session gets created. That is why the jsessionid appears. – eduyayo Sep 04 '14 at 22:29
  • For the preauth not working I have no advice. But in a project I had to do something similar, the preauth failed if the password returned by getCredentials, the one returning the password, was null or empty. Even when not used it should be populated. – eduyayo Sep 04 '14 at 22:31
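The filter in the question together with the points raised in the comments (trailing whitespace in the extracted username, a session being created inside the lookup, and `getPreAuthenticatedCredentials` returning null) can be put together in one complete pre-authentication filter. The class below is an added example written for this page; it is not the asker's code and not part of Spring Security itself. The hidden-field parameter name `sso_user` and the `SsoStatusClient` interface standing in for the "is the user active" web service call (step 4) are assumptions; only `AbstractPreAuthenticatedProcessingFilter` and its two abstract methods come from Spring Security.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/**
 * Pre-authentication filter for the portal -> SSO page -> web app flow in the question.
 * Example code written for this page, not the asker's filter.
 */
public class SsoPreAuthenticatedFilter extends AbstractPreAuthenticatedProcessingFilter {

    /** Hypothetical client for the SSO integration's "is this user active" web service (step 4). */
    public interface SsoStatusClient {
        boolean isActive(String username);
    }

    // Assumed name of the hidden field the SSO integration page POSTs (step 2).
    private static final String USER_PARAM = "sso_user";

    private final SsoStatusClient ssoStatusClient;

    public SsoPreAuthenticatedFilter(SsoStatusClient ssoStatusClient) {
        this.ssoStatusClient = ssoStatusClient;
    }

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // Step 3: read the user id from the request parameters. Only the parameter is
        // touched here; request.getSession(true) is deliberately NOT called, so no
        // session (and no JSESSIONID) is created as a side effect of the lookup.
        String raw = request.getParameter(USER_PARAM);
        if (raw == null) {
            // Returning null makes the filter skip authentication and pass the request on;
            // the application's access rules then decide what an anonymous caller may see.
            return null;
        }

        // Defensive normalisation: a trailing space or newline from the hidden field would
        // otherwise produce a principal that looks like "userA" in the debugger but is not
        // equal to it, which is exactly what one of the comments above suspects.
        String username = raw.trim();
        if (username.isEmpty()) {
            return null;
        }

        // Step 4: confirm with the SSO integration that the user is active before
        // treating the value as an authenticated principal.
        if (!ssoStatusClient.isActive(username)) {
            return null;
        }
        return username;
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        // Must be non-null: PreAuthenticatedAuthenticationProvider returns null (no
        // authentication at all) when the token carries null credentials, which is the
        // failure the last comment describes. Spring's own examples use "N/A".
        return "N/A";
    }
}
```

Two things worth checking against the scenario in the question. First, the filter still needs an `AuthenticationManager` wired in (`setAuthenticationManager`) whose provider is a `PreAuthenticatedAuthenticationProvider` with an `AuthenticationUserDetailsService`, or authentication never reaches a user-details lookup. Second, from a security point of view the step-4 "is the user active" call only tells the web app that the named account exists and is enabled; it does not prove that this particular POST came from the SSO integration page rather than from any client that knows a valid username, so the value in the hidden field should be a signed or single-use token the web app can verify, not a bare username.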

0 Answers