
I am using Spring Security and Waffle within a Spring Boot application. I have configured Waffle using Java-based Spring configuration. (See below.)

I have Spring Boot configured to use Tomcat (default) with SSL, but the problem exists even if I revert to using an unencrypted HTTP connection.

I can authenticate correctly if I access the website using Google Chrome, but it fails in odd ways in IE11. Waffle produces the following log:

```
[DEBUG] [http-nio-8443-exec-1] w.s.NegotiateSecurityFilter: - GET /, contentlength: -1
[DEBUG] [http-nio-8443-exec-1] w.s.s.NegotiateSecurityFilterProvider: - security package: Negotiate, connection id: 0:0:0:0:0:0:0:1:52047
[DEBUG] [http-nio-8443-exec-1] w.s.s.NegotiateSecurityFilterProvider: - token buffer: 126 byte(s)
[DEBUG] [http-nio-8443-exec-1] w.s.s.NegotiateSecurityFilterProvider: - continue token: xxxx
[DEBUG] [http-nio-8443-exec-1] w.s.s.NegotiateSecurityFilterProvider: - continue required: true
[DEBUG] [http-nio-8443-exec-6] w.s.NegotiateSecurityFilter: - GET /, contentlength: -1
[DEBUG] [http-nio-8443-exec-6] w.s.s.NegotiateSecurityFilterProvider: - security package: Negotiate, connection id: 0:0:0:0:0:0:0:1:52047
[DEBUG] [http-nio-8443-exec-6] w.s.s.NegotiateSecurityFilterProvider: - token buffer: 121 byte(s)
[DEBUG] [http-nio-8443-exec-6] w.s.s.NegotiateSecurityFilterProvider: - continue token: xxxx
[DEBUG] [http-nio-8443-exec-6] w.s.s.NegotiateSecurityFilterProvider: - continue required: false
[DEBUG] [http-nio-8443-exec-6] w.s.NegotiateSecurityFilter: - logged in user: DOMAIN\username (xxxx)
[DEBUG] [http-nio-8443-exec-6] w.s.NegotiateSecurityFilter: - roles: DOMAIN\username, xxxx, xxxxxxxxxxxxxxxxxx
[INFO ] [http-nio-8443-exec-6] w.s.NegotiateSecurityFilter: - successfully logged in user: DOMAIN\username
[DEBUG] [http-nio-8443-exec-6] w.s.NegotiateSecurityFilter: - GET /, contentlength: -1
[DEBUG] [http-nio-8443-exec-6] w.s.s.NegotiateSecurityFilterProvider: - security package: Negotiate, connection id: 0:0:0:0:0:0:0:1:52047
[DEBUG] [http-nio-8443-exec-6] w.s.s.NegotiateSecurityFilterProvider: - token buffer: 121 byte(s)
[WARN ] [http-nio-8443-exec-6] w.s.NegotiateSecurityFilter: - error logging in user: com.sun.jna.platform.win32.Win32Exception: The token supplied to the function is invalid
```

So, it appears to me as though the authentication succeeded, but then for some reason, it attempts to reauthenticate and it fails.

The logs when I access the site through Chrome are similar, but after the successful login, it shows:

```
[DEBUG] [http-nio-8443-exec-1] w.s.NegotiateSecurityFilter: - GET /, contentlength: -1
[DEBUG] [http-nio-8443-exec-1] w.s.NegotiateSecurityFilter: - GET /index.html, contentlength: -1
[DEBUG] [http-nio-8443-exec-1] w.s.NegotiateSecurityFilter: - GET /index.html, contentlength: -1
```

... and so on from there.

There also seems to be a timing problem in the IE case. Sometimes, it succeeds in loading some content from the server: Fonts, images, whatnot, before it suddenly fails again. This is inconsistent and it stops at a different place at different times.

Is this a Waffle bug?

My Spring Boot Java-based configuration:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import waffle.servlet.spi.BasicSecurityFilterProvider;
import waffle.servlet.spi.NegotiateSecurityFilterProvider;
import waffle.servlet.spi.SecurityFilterProvider;
import waffle.servlet.spi.SecurityFilterProviderCollection;
import waffle.spring.NegotiateSecurityFilter;
import waffle.spring.NegotiateSecurityFilterEntryPoint;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;

@Configuration
public class WaffleConfig {

    // Windows (SSPI) authentication provider shared by both filter providers.
    @Bean
    public WindowsAuthProviderImpl waffleWindowsAuthProvider() {
        return new WindowsAuthProviderImpl();
    }

    @Bean
    @Autowired
    public NegotiateSecurityFilterProvider negotiateSecurityFilterProvider(
            final WindowsAuthProviderImpl windowsAuthProvider) {
        return new NegotiateSecurityFilterProvider(windowsAuthProvider);
    }

    @Bean
    @Autowired
    public BasicSecurityFilterProvider basicSecurityFilterProvider(final WindowsAuthProviderImpl windowsAuthProvider) {
        return new BasicSecurityFilterProvider(windowsAuthProvider);
    }

    // Providers are offered in this order: Negotiate first, then Basic.
    @Bean
    @Autowired
    public SecurityFilterProviderCollection waffleSecurityFilterProviderCollection(
            final NegotiateSecurityFilterProvider negotiateSecurityFilterProvider,
            final BasicSecurityFilterProvider basicSecurityFilterProvider) {
        final SecurityFilterProvider[] securityFilterProviders = {
                negotiateSecurityFilterProvider,
                basicSecurityFilterProvider };
        return new SecurityFilterProviderCollection(securityFilterProviders);
    }

    @Bean
    @Autowired
    public NegotiateSecurityFilterEntryPoint negotiateSecurityFilterEntryPoint(
            final SecurityFilterProviderCollection securityFilterProviderCollection) {
        final NegotiateSecurityFilterEntryPoint negotiateSecurityFilterEntryPoint = new NegotiateSecurityFilterEntryPoint();
        negotiateSecurityFilterEntryPoint.setProvider(securityFilterProviderCollection);
        return negotiateSecurityFilterEntryPoint;
    }

    // The filter itself is exposed as a bean and injected into SecurityConfig.
    @Bean
    @Autowired
    public NegotiateSecurityFilter waffleNegotiateSecurityFilter(final SecurityFilterProviderCollection securityFilterProviderCollection) {
        final NegotiateSecurityFilter negotiateSecurityFilter = new NegotiateSecurityFilter();
        negotiateSecurityFilter.setProvider(securityFilterProviderCollection);
        return negotiateSecurityFilter;
    }

}
```

And:

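```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

import waffle.spring.NegotiateSecurityFilter;
import waffle.spring.NegotiateSecurityFilterEntryPoint;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig {

    @Configuration
    public static class ProductionConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest()
                    .authenticated()
                    .and()
                // Waffle's filter runs inside the Spring Security chain, ahead of Basic auth.
                .addFilterBefore(negotiateSecurityFilter, BasicAuthenticationFilter.class)
                .httpBasic()
                    .authenticationEntryPoint(entryPoint);
        }

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication().withUser("user").password("pa").roles("USER");
        }

        @Autowired
        private NegotiateSecurityFilter negotiateSecurityFilter;

        @Autowired
        private NegotiateSecurityFilterEntryPoint entryPoint;
    }
}
```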
Mike
  • Is your situation similar to what I've met and [described here](http://stackoverflow.com/questions/38436566/spring-security-waffle-kerberos-authentication-fails-with-ie-11-in-firefox-w)? – Scorchio Jul 18 '16 at 14:33
  • Perhaps; I'm not sure. Do you see exceptions thrown on the server logs? When I attempt to authenticate through IE (IE11), I see exceptions from Waffle on the server: "The token supplied to the function is invalid". But prior to that exception, if I enable debug logging for Waffle, I see that it authenticated correctly. – Mike Jul 18 '16 at 18:11
  • [This issue](http://stackoverflow.com/questions/28432399/migrating-a-waffle-spring-security-xml-configuration-to-spring-boot) seems to mimic what I'm seeing, but unfortunately does not have a solution. Seems to be related to either Spring Boot, or some unknown difference between using Java-based configuration versus XML-based configuration. – Mike Jul 18 '16 at 18:24
  • Can you show us your security configuration? I could check mine to see if there are any obvious differences. Mine doesn't give such Waffle exceptions in my lab setup. – Scorchio Jul 19 '16 at 10:46
  • Sure. I added the relevant configuration classes. I'd love to hear if you find any differences. – Mike Jul 19 '16 at 15:45
  • Did any of you guys manage to solve this issue? I too am facing the exact same problem. – Ron Dec 22 '16 at 15:36
  • I did not ever solve the issue, unfortunately. I gave up temporarily, but was actually just about to look into it again. I will update here if I figure anything out, but it sounds like the problem still exists. – Mike Dec 22 '16 at 16:35
  • @Ron - FYI, it sounds like the issue may be related to use of the embedded Tomcat server in Spring Boot. I haven't tried using a standalone Tomcat, but you may try that. See here: https://groups.google.com/forum/#!topic/waffle-users/Sm-gdYF-9cM – Mike Dec 22 '16 at 18:53
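
An added example, not part of the original thread: Spring Boot registers every `Filter` bean with the embedded servlet container, so the `waffleNegotiateSecurityFilter` bean above can run twice per request (once in the container chain and once inside Spring Security), which is consistent with the second `GET /` on the same thread in the IE log. The configuration below assumes that is the cause; it disables the container registration and checks at startup that it is gone. The class and method names are hypothetical, and on Spring Boot before 1.4 `FilterRegistrationBean` lives in `org.springframework.boot.context.embedded`.

```java
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationListener;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.web.context.WebApplicationContext;

import waffle.spring.NegotiateSecurityFilter;

// Added example; class and bean method names are hypothetical.
@Configuration
public class WaffleFilterRegistrationConfig implements ApplicationListener<ContextRefreshedEvent> {

    // A disabled registration keeps the Waffle filter out of the container
    // chain, so it runs only where SecurityConfig adds it (addFilterBefore).
    @Bean
    public FilterRegistrationBean waffleNegotiateSecurityFilterRegistration(
            final NegotiateSecurityFilter waffleNegotiateSecurityFilter) {
        final FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(waffleNegotiateSecurityFilter);
        registration.setEnabled(false);
        return registration;
    }

    // Startup check: fail fast if the container still holds the Waffle filter,
    // which would mean each Negotiate token is handed to SSPI twice.
    @Override
    public void onApplicationEvent(final ContextRefreshedEvent event) {
        final ApplicationContext ctx = event.getApplicationContext();
        if (!(ctx instanceof WebApplicationContext)) {
            return;
        }
        final ServletContext sc = ((WebApplicationContext) ctx).getServletContext();
        if (sc == null) {
            return;
        }
        for (final FilterRegistration r : sc.getFilterRegistrations().values()) {
            if (NegotiateSecurityFilter.class.getName().equals(r.getClassName())) {
                throw new IllegalStateException(
                        "Waffle filter is also registered with the container as '" + r.getName() + "'");
            }
        }
    }
}
```

With Waffle debug logging still enabled, each request should then produce a single `NegotiateSecurityFilter` `GET` line rather than two.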

0 Answers