I have a Spring Boot web application that serves up both web content and exposes REST Services. I want to protect the REST Services with "Basic Auth" and the web content with SiteMinder. I'm using Spring Security version 4.2.3.
My problem is that I'm seeing the error:
[9/13/18 16:11:20:711 EDT] 000000bc SystemOut O 2018-09-13 16:11:20.710 ERROR 19260 --- [ebContainer : 1] o.s.boot.web.support.ErrorPageFilter : Forwarding to error page from request [/services/ews/meetinglocations] due to exception [SM_USER header not found in request.]
Both when I attempt to call the REST Service from PostMan, and when I attempt to load web content from a web browser. I expect to see the error when loading content from the web browser because I don't have SiteMinder set up yet, but why am I not able to call the REST Service?
Here's the WebSecurityConfigurerAdapter class:
package eacmanager.security;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.stereotype.Component;
import eacmanager.utility.ApplicationConstants;
@Configuration
@Component
@EnableWebSecurity
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
private static final Logger LOGGER = Logger.getLogger(CustomWebSecurityConfigurerAdapter.class.getName());
private PreAuthenticatedAuthenticationProvider preAuthenticatedProvider;
public CustomWebSecurityConfigurerAdapter() {
super();
UserDetailsService userDetailsService = new CustomUserDetailsService();
UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper =
new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService);
preAuthenticatedProvider = new PreAuthenticatedAuthenticationProvider();
preAuthenticatedProvider.setPreAuthenticatedUserDetailsService(wrapper);
}
@Override
protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder.authenticationProvider(preAuthenticatedProvider);
}
@Override
public void configure(WebSecurity webSecurity) throws Exception {
webSecurity.ignoring().antMatchers("/resources/**", "/assets/**", "/eacmanager/error.html");
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
LOGGER.log(Level.INFO, "Creating in memory Authentication");
auth.inMemoryAuthentication()
.withUser("user").password("pass")
.roles("USER");
}
// Use of multiple URLs to protect: https://stackoverflow.com/questions/33037559/spring-rest-security-secure-different-urls-differently
@Configuration
@Order(1)
public static class WebSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception {
LOGGER.info("Creating SiteMinder filter 4");
RequestHeaderAuthenticationFilter siteMinderFilter = new RequestHeaderAuthenticationFilter();
siteMinderFilter.setAuthenticationManager(authenticationManager());
http
.addFilter(siteMinderFilter)
.authorizeRequests()
.antMatchers("/eacmanager/**")
.permitAll()
.anyRequest()
.hasRole(ApplicationConstants.SITE_MINDER_AUTHORITY);
}
}
@Configuration
@Order(2)
public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
private EACManagerBasicAuthenticationEntryPoint authenticationEntryPoint;
@Override
protected void configure(HttpSecurity http) throws Exception {
LOGGER.info("Creating REST Services filter");
http
.requestMatcher(new NegatedRequestMatcher(new AntPathRequestMatcher("/eacmanager/**")))
.authorizeRequests()
.antMatchers("/eacmanager/services/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.httpBasic()
.realmName(ApplicationConstants.SITE_REALM_NAME)
.authenticationEntryPoint(authenticationEntryPoint);
}
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilterAfter(new CustomFilter(), BasicAuthenticationFilter.class);
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
If I reverse the order of the two filters, I can call the REST Service using "Basic Auth", but the web content gets served up WITHOUT the SiteMinder error. I should be getting the SiteMinder header missing error.
