I'm trying to integrate Spring Security with ZK.
I'm stuck with the error message: Invalid CSRF token found for xxx/cbpm/zkau.
My full stacktrace:
2015-09-14 17:12:58,288 +0700 [http-nio-8787-exec-91] DEBUG (FilterChainProxy.java:324) - /zkau at position 1 of 14 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
2015-09-14 17:12:58,288 +0700 [http-nio-8787-exec-91] DEBUG (AntPathRequestMatcher.java:151) - Checking match of request : '/zkau'; against '/zkau/**'
2015-09-14 17:12:58,288 +0700 [http-nio-8787-exec-91] DEBUG (ChannelProcessingFilter.java:142) - Request: FilterInvocation: URL: /zkau; ConfigAttributes: [ANY_CHANNEL]
2015-09-14 17:12:58,288 +0700 [http-nio-8787-exec-91] DEBUG (FilterChainProxy.java:324) - /zkau at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-09-14 17:12:58,288 +0700 [http-nio-8787-exec-91] DEBUG (HttpSessionSecurityContextRepository.java:192) - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@c363b976: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@c363b976: Principal: ptpn4.rawi.sso.client.authentication.SSOUser@4db176a9; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: SSORole{name=ROLE_ADMIN, privileges=null}'
2015-09-14 17:12:58,289 +0700 [http-nio-8787-exec-91] DEBUG (FilterChainProxy.java:324) - /zkau at position 3 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-09-14 17:12:58,289 +0700 [http-nio-8787-exec-91] DEBUG (FilterChainProxy.java:324) - /zkau at position 4 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2015-09-14 17:12:58,289 +0700 [http-nio-8787-exec-91] DEBUG (HstsHeaderWriter.java:128) - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@244bd1a9
2015-09-14 17:12:58,289 +0700 [http-nio-8787-exec-91] DEBUG (FilterChainProxy.java:324) - /zkau at position 5 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
2015-09-14 17:12:58,290 +0700 [http-nio-8787-exec-91] DEBUG (CsrfFilter.java:106) - Invalid CSRF token found for xxx/cbpm/zkau
2015-09-14 17:12:58,291 +0700 [http-nio-8787-exec-91] DEBUG (SecurityContextPersistenceFilter.java:105) - SecurityContextHolder now cleared, as request processing completed
I don't use Spring Security's default authentication provider. I made a custom provider and call it not with a login form, but with a URL like xxx/cbpm/sso/checkpoint.zul?token=xxxxxxx
and then I process that token with this code:
import java.util.Map;
import java.util.logging.Logger;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.zkoss.zk.ui.Executions;
import org.zkoss.zk.ui.Page;
import org.zkoss.zk.ui.util.Initiator;
import org.zkoss.zkplus.spring.SpringUtil;

public class SSOTokenHandler implements Initiator {
    private static final Logger logger = Logger.getLogger(SSOTokenHandler.class.getName());

    // An Initiator is created by ZK, not by Spring, so @Autowired would never
    // fire here; the bean is looked up through SpringUtil instead.
    private AuthenticationManager authenticationManager;

    @Override
    public void doInit(Page page, Map<String, Object> map) throws Exception {
        authenticationManager = (AuthenticationManager) SpringUtil.getBean("authenticationManager");
        // The SSO token arrives as the "token" query parameter and is passed to the
        // custom provider as the credential; there is no username at this point.
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(null, Executions.getCurrent().getParameter("token"));
        try {
            if (authenticationManager != null) {
                Authentication auth = authenticationManager.authenticate(token);
                // SecurityContextPersistenceFilter stores this context in the HTTP
                // session when the request completes, so later requests are authenticated.
                SecurityContextHolder.getContext().setAuthentication(auth);
                Executions.sendRedirect(SSOConstant.getMAIN_URL());
            } else {
                logger.severe("authenticationManager bean not found");
            }
        } catch (AuthenticationException e) {
            logger.warning("SSO token rejected: " + e.getMessage());
            Executions.sendRedirect(SSOConstant.getPORTAL_SSO_URL());
        }
    }
}
The above code runs well and shows the index page.
But every time I click something (which fires an AJAX request), a 403 error arises with the attached log.
Please help me. :)
My spring-security.xml:
<http auto-config="true">
    <form-login login-page="xxx/PortalSSO/auth/login.do?redirect=/sso/checkpoint/SDM02.do"/>
    <!-- <intercept-url pattern="/api/auth/**" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_USER')" />
    <intercept-url pattern="/resources/**" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_USER')" />
    <intercept-url pattern="/auth/login.do" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_USER')" />-->
    <intercept-url pattern="/zkau/**" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_ADMIN')" requires-channel="any"/>
    <intercept-url pattern="/css/**" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_ADMIN')" requires-channel="any"/>
    <intercept-url pattern="/img/**" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_ADMIN')" requires-channel="any"/>
    <intercept-url pattern="/sso/checkpoint.zul" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_ADMIN')" />
    <intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
    <session-management session-fixation-protection="none" />
    <!--<logout logout-success-url="/login.zul"/>-->
</http>
<authentication-manager alias="authenticationManager">
    <authentication-provider ref="SSOAuthenticationProvider" />
</authentication-manager>
<beans:bean id="SSOAuthenticationProvider" class="ptpn4.rawi.sso.client.authentication.SSOAuthenticationProvider"/>
My library stack:
- ZK EE 7.0.6.1
- ZK Spring Core 3.1.1
- ZK Spring Security 3.1.1
- Spring Framework 4.2.1 (core, web, beans, context, aop, expression)
- Spring Security 4.0.2 (core, web, config)
Asked: 2015-09-14 10:38:23 +0800
Last updated: Sep 14 '15
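The log above shows exactly where the 403 comes from: Spring Security 4 enables CsrfFilter by default, and the ZK client engine POSTs every event to /zkau without carrying Spring's CSRF token, so CsrfFilter rejects it before the request ever reaches ZK. One way to resolve this without switching CSRF protection off for the whole application is to give CsrfFilter a custom RequestMatcher that keeps the default rule (safe methods exempt, everything else needs a token) and excludes only the ZK AJAX endpoint. The code below is an added example written for this page, not code from the question or from the ZK or Spring projects; it assumes Spring Security 4.0.x Java config, the same /zkau mapping the posted XML uses, and spring-test on the classpath for the offline check in main. The class and method names are my own.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockHttpServletRequest;   // spring-test, used only by main()
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Tells CsrfFilter which requests must carry a valid token.
 * Same rule as Spring Security's default matcher (GET/HEAD/TRACE/OPTIONS are
 * exempt) plus one exclusion: the ZK AJAX endpoint, because the ZK 7 client
 * engine never sends Spring's token and would otherwise get the 403 in the log.
 * Hypothetical class written for this example.
 */
public class ZkAwareCsrfRequestMatcher implements RequestMatcher {
    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));
    // "/zkau/**" also matches the bare "/zkau" seen in the question's log.
    private static final RequestMatcher ZK_AU = new AntPathRequestMatcher("/zkau/**");

    @Override
    public boolean matches(HttpServletRequest request) {
        if (SAFE_METHODS.contains(request.getMethod())) {
            return false;                 // safe method: no token required
        }
        return !ZK_AU.matches(request);   // every other unsafe request needs a token
    }

    /** Java-config equivalent of the XML <csrf request-matcher-ref="..."/> element. */
    @EnableWebSecurity
    static class CsrfConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().requireCsrfProtectionMatcher(new ZkAwareCsrfRequestMatcher());
            // ...the intercept-url rules from spring-security.xml would follow here...
        }
    }

    /** Offline check with constructed requests (these are not captured traffic). */
    public static void main(String[] args) {
        ZkAwareCsrfRequestMatcher m = new ZkAwareCsrfRequestMatcher();
        System.out.println(m.matches(post("/zkau")));           // false: ZK AJAX exempt
        System.out.println(m.matches(post("/zkau/upload")));    // false: still under /zkau
        System.out.println(m.matches(post("/admin/save.do")));  // true: token required
        MockHttpServletRequest get = new MockHttpServletRequest("GET", "/admin");
        get.setServletPath("/admin");
        System.out.println(m.matches(get));                     // false: safe method
    }

    private static MockHttpServletRequest post(String servletPath) {
        MockHttpServletRequest r = new MockHttpServletRequest("POST", servletPath);
        r.setServletPath(servletPath);  // AntPathRequestMatcher compares servletPath + pathInfo
        return r;
    }
}
```

With the XML namespace the posted config uses, the same matcher is wired as a bean and referenced with `<csrf request-matcher-ref="zkCsrfMatcher"/>` inside `<http>`; `<csrf disabled="true"/>` is the blunter alternative, but it also removes token checking from every non-ZK POST in the application. Two caveats a reviewer would raise on the posted setup: excluding /zkau means Spring Security no longer checks a CSRF token on ZK events at all, so any state change reachable through ZK relies on ZK's own request handling rather than on this filter; and `session-fixation-protection="none"` combined with an SSO token delivered in the query string means the session id is never rotated at the SSO checkpoint, which is worth reconsidering once the 403 is fixed.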