0

I am using Spring MVC (for REST), Spring Security 3 and Apache Wicket (UI) on Google App Engine. Everything is working fine except I am having trouble getting the Authentication on the Wicket Page through the SecurityContextHolder after login.

I have googled this issue, but nothing seems to be working for me. I suspect something is wrong with my web.xml. Can anyone please help? Thanks.

I am using the tutorials for Spring Security on Google App Engine from http://blog.springsource.org/2010/08/02/spring-security-in-google-app-engine/

Here is my web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app>        
 <display-name>MTP Portal</display-name>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/mtp-web-servlet.xml, /WEB-INF/mtp-web-security-context.xml
    </param-value>
</context-param>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<servlet>
    <servlet-name>mtp-web</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
</servlet>

<servlet-mapping>
    <servlet-name>mtp-web</servlet-name>
    <url-pattern>/api/*</url-pattern>
</servlet-mapping>

<filter>
    <filter-name>WicketApp</filter-name>
    <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
    <init-param>
        <param-name>applicationFactoryClassName</param-name>
        <param-value>org.apache.wicket.spring.SpringWebApplicationFactory</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>WicketApp</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

</web-app>

Here is my spring security config:

<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
     xmlns:b="http://www.springframework.org/schema/beans"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<global-method-security pre-post-annotations="enabled"/>

<http pattern="/images/**" security="none"/>
<http pattern="/css/**" security="none"/>
<http pattern="/js/**" security="none"/>
<http pattern="/api/**" security="none"/>
<http pattern="/favicon.ico" security="none"/>
<http pattern="/disabled" security="none"/>

<http use-expressions="true" entry-point-ref="gaeEntryPoint" auto-config="true">
    <intercept-url pattern="/" access="permitAll"/>
    <intercept-url pattern="/api/**" access="permitAll"/>
    <intercept-url pattern="/admin/logout" access="permitAll"/>
    <intercept-url pattern="/register" access="hasRole('NEW_USER')"/>
    <intercept-url pattern="/admin/**" access="hasRole('ADMIN')"/>
    <custom-filter position="PRE_AUTH_FILTER" ref="gaeFilter"/>
</http>

<b:bean id="gaeEntryPoint"
        class="com.peerbuccoss.apps.mtp.web.authentication.impl.GoogleAccountsAuthenticationEntryPoint"/>

<b:bean id="gaeFilter" class="com.peerbuccoss.apps.mtp.web.authentication.filter.GaeAuthenticationFilter">
    <b:property name="authenticationManager" ref="authenticationManager"/>
    <b:property name="failureHandler">
        <b:bean class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
            <b:property name="exceptionMappings">
                <b:map>
                    <b:entry key="org.springframework.security.authentication.DisabledException"
                             value="/disabled"/>
                </b:map>
            </b:property>
        </b:bean>
    </b:property>
</b:bean>

<authentication-manager alias="authenticationManager">
    <authentication-provider ref="gaeAuthenticationProvider"/>
</authentication-manager>

<b:bean id="gaeAuthenticationProvider"
        class="com.peerbuccoss.apps.mtp.web.authentication.provider.GoogleAccountsAuthenticationProvider"/>

</b:beans>

shameem_z
  • I am able to get the Authentication object from the Security Context if I change the intercept-url from **** to **** – shameem_z Jul 01 '12 at 20:11

1 Answer

1

I'm not sure what URL is failing to obtain the SecurityContext (perhaps you can provide an example URL), but the SecurityContext will not be populated for any URL that is mapped to security="none". This is because security="none" instructs Spring Security to ignore this URL entirely. If you need to access the SecurityContext on a URL that is allowed for every user, then you need to use permitAll.

PS: If this does not help you might provide an example URL that you are having trouble with getting the Authentication. You might also provide details on what you mean by "having trouble in getting the Authentication on the Wicket Page" (i.e. is it null, throwing an Exception, etc).

Rob Winch
  • Thanks for your response. Basically I am trying to access the admin page at the following URL http://localhost:8080/admin which redirects me to the Google login page. After successful login using an email account (@peerbuccoss.com), if the email is not found, I would redirect to a registration page to prompt the user to enter his personal info to complete the registration process, else should redirect to the admin page. Login is successful, but I am getting null when calling the SecurityContextHolder.getContext().getAuthentication() on the registration page, http://localhost:8080/register. – shameem_z Jul 01 '12 at 19:00
  • I have added a new role so that my page redirects to the registration page. Here is the code sample which I am referring to (https://github.com/SpringSource/spring-security/tree/master/samples/gae). But it is using Spring MVC + Security and GAE. For Spring Wicket I have some additional filters. – shameem_z Jul 01 '12 at 19:06
  • I am having the same problem and my register.htm(jsp) is giving me a 403 error. How did you solve this because my authenticated user has authorities={NEW_USER} – Axwack Jun 11 '15 at 20:50
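
The difference between security="none" and permitAll described in the answer, shown on the question's own http configuration. This is an added example, not code from the asker or the answerer; it assumes /api/** is a path where the caller's Authentication must be readable, and the bean definitions it refers to are the ones already in the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <global-method-security pre-post-annotations="enabled"/>

    <!-- security="none": no Spring Security filter runs for these paths, so
         the SecurityContext is never loaded from the session and
         SecurityContextHolder.getContext().getAuthentication() returns null.
         Appropriate only for content that never needs to know the caller. -->
    <http pattern="/images/**" security="none"/>
    <http pattern="/css/**" security="none"/>
    <http pattern="/js/**" security="none"/>
    <http pattern="/favicon.ico" security="none"/>
    <http pattern="/disabled" security="none"/>

    <!-- BEFORE (as posted in the question):
         <http pattern="/api/**" security="none"/>
         The http elements are tried in declaration order, so this line
         claimed every /api/** request and the permitAll rule for /api/**
         in the block below was never reached. Any @PreAuthorize check
         behind /api/** then ran with no Authentication available. -->

    <!-- AFTER: /api/** is handled by the main filter chain. permitAll still
         lets every caller through, but the chain runs first, so a logged-in
         caller's Authentication is in the SecurityContext and an anonymous
         caller gets an anonymous token instead of null. -->
    <http use-expressions="true" entry-point-ref="gaeEntryPoint" auto-config="true">
        <intercept-url pattern="/" access="permitAll"/>
        <intercept-url pattern="/api/**" access="permitAll"/>
        <intercept-url pattern="/admin/logout" access="permitAll"/>
        <intercept-url pattern="/register" access="hasRole('NEW_USER')"/>
        <intercept-url pattern="/admin/**" access="hasRole('ADMIN')"/>
        <custom-filter position="PRE_AUTH_FILTER" ref="gaeFilter"/>
    </http>

    <!-- gaeEntryPoint, gaeFilter, authenticationManager and
         gaeAuthenticationProvider: unchanged from the question. -->
</b:beans>
```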