
I am currently working on a project involving Spring Security (for OAuth2).

We are using the authorization_code flow.

However, when the client hits the AuthorizationEndpoint (/oauth/authorize) we get an "InsufficientAuthenticationException". This may be due to an external system which is also involved in this flow and which performs a redirect for the client, sending him to the /oauth/authorize endpoint.

From what I understand by looking through the debug logfile and from reading the source code, the principal is null which is used in the AuthorizationEndpoint.authorize method (specifically line 138; we are using spring-security-oauth2-2.0.7.RELEASE).

I understand what Spring's problem is at this point (it does not "know" the user who is already authenticated with the system) but I do not understand which information specifically Spring uses to identify the user (I guess this would be my central question).

I tried performing a GET against /oauth/authorize with the correct parameters and sending with the request the authorization header containing the bearer access token, but Spring always throws the InsufficientAuthenticationException. I'm hoping somebody can help me with this.

Best regards p.s.

salgmachine
  • In the default implementation, the authentication information is present in the session. When you see `InsufficientAuthenticationException`, this indicates that the authentication could not be fetched from the session. This `User user = (User)SecurityContextHolder.getContext().getAuthentication().getPrincipal();` could tell you if the information about the authentication of a user is present in the session or not. – TJ- May 05 '15 at 17:49
  • The [principal](https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpoint.java#L118) (authentication) is injected to the /authorize endpoint. – TJ- May 05 '15 at 17:50
  • Hey, thanks for the answer. I'm with you so far, the principal used in the authorize method is provided by Spring. But somehow, despite successful authentication by the user prior to the request being sent, Spring is unable to fetch the user's session from the session registry. This is where I am stuck, I don't know what identifies a request sent to Spring as coming from a particular user. Is it the Bearer access token sent in the header? Is it the JSESSIONID cookie? – salgmachine May 05 '15 at 18:12
  • Typically, it should be the jsessionId. What is the bearer access token doing in the /authorize **request**? – TJ- May 05 '15 at 18:14
  • Hopefully nothing, just grasping at straws here ;D you already helped me by clarifying this, I'll have a look tomorrow and update this post. – salgmachine May 05 '15 at 18:18
  • Thanks @TJ, you actually helped in solving my problem =) – salgmachine May 08 '15 at 21:24

1 Answer


I am going to answer my own question here for the sake of documentation. TJ basically pointed me in the right direction.

In my case, the InsufficientAuthenticationException stems from a slightly wrong setup of the whole stack. For delivering the content to users an Apache is used which also serves as a reverse proxy, truncating the root context of the application deployed on the Tomcat behind it.

The answer which finally solved my problem can be found here. The problem actually was that the session cookie contained an invalid path (the path attribute still contained the root context, because Tomcat had not been made aware that the Apache in front of it is truncating the root context to just "/"). So setting the path on the Tomcat side via setSessionCookie="/" in Tomcat's context.xml did the trick.

So, when a redirect hit Spring's oauth/authorize endpoint it did so with a session cookie containing the wrong path. Because of this, for Spring the request seemed to originate from an unauthenticated source, thus leaving me scratching my head about the InsufficientAuthenticationException.

salgmachine
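TJ's comments say that the JSESSIONID cookie, not the bearer token, is what ties a request to the authenticated session, and the answer traces the exception to a session cookie whose Path attribute still carried the Tomcat context while the reverse proxy served the app at "/". The script below is an added illustration, not code from the question or from Spring/Tomcat: it implements the browser-side cookie path rules of RFC 6265 (default-path computation and path-match) and runs the scenario from the answer through them. The context name `/myapp`, the cookie values and the Set-Cookie headers are constructed for the example; the check ignores the Domain and Secure attributes, which also gate whether a cookie is sent.

```python
"""Why a session cookie with the wrong Path attribute makes Spring see an
anonymous request: RFC 6265 cookie path matching, applied to the scenario
in the answer above. Constructed example, not Spring or Tomcat code."""
from dataclasses import dataclass


@dataclass
class SessionCookie:
    name: str
    value: str
    path: str  # effective Path after default-path computation


def default_path(request_path: str) -> str:
    """RFC 6265 section 5.1.4: path used when Set-Cookie carries no Path attribute."""
    if not request_path.startswith("/"):
        return "/"
    last_slash = request_path.rfind("/")
    if last_slash == 0:
        return "/"
    return request_path[:last_slash]


def parse_set_cookie(header: str, request_path: str) -> SessionCookie:
    """Parse a Set-Cookie header value the way a browser does, resolving the path.

    request_path is the path of the response that carried the header; it only
    matters when the header has no Path attribute.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    path = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # RFC 6265 section 5.2.4: a Path value not starting with "/" is ignored
        if key.strip().lower() == "path" and val.strip().startswith("/"):
            path = val.strip()
    if path is None:
        path = default_path(request_path)
    return SessionCookie(name.strip(), value.strip(), path)


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: will the browser attach the cookie?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # "/myapp" matches "/myapp/x" but not "/myapplication"
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def diagnose(set_cookie_header: str, set_on_path: str,
             authorize_path: str = "/oauth/authorize"):
    """Return (effective cookie path, whether the cookie reaches authorize_path)."""
    cookie = parse_set_cookie(set_cookie_header, set_on_path)
    return cookie.path, path_matches(cookie.path, authorize_path)


if __name__ == "__main__":
    # Constructed headers: what Tomcat sends for a webapp deployed under
    # /myapp, before and after the context.xml fix described in the answer.
    # Apache in front strips /myapp, so the browser only ever sees paths at "/".
    broken = "JSESSIONID=CONSTRUCTED1; Path=/myapp; HttpOnly"
    fixed = "JSESSIONID=CONSTRUCTED1; Path=/; HttpOnly"
    for label, header in (("before fix", broken), ("after fix", fixed)):
        path, sent = diagnose(header, set_on_path="/login")
        print(f"{label}: cookie path {path!r}, sent to /oauth/authorize: {sent}")
```

Paste the real Set-Cookie header from the browser's network tab into `diagnose` together with the path of the response that set it; a `False` result means the redirect to /oauth/authorize arrives without the session cookie, so Spring has no SecurityContext to load and reports the request as unauthenticated. On the server side this is the `sessionCookiePath` attribute of the `<Context>` element in Tomcat's context.xml, which must match the path under which the proxy actually exposes the application.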
  • Just a comment: Sometimes you have to restart Apache after redeploying! Thanks for your response. – Kasas Jun 25 '19 at 16:12
  • Well, it is still happening to me. I have to restart tomcat and apache several times in order to get Spring security working again. InsufficientAuthenticationException is a nightmare to me. – Kasas Jun 26 '19 at 05:55