1

I am having the session mgmt filter in the Spring filter chain throw this exception in the class HttpSessionSecurityContextRepository. This is a snippet of my security-app.xml:

<beans:bean id="springSecurityFilterChain1" class="org.springframework.security.web.FilterChainProxy">
    <beans:constructor-arg>
        <beans:list>
            <security:filter-chain pattern="/resources/**" filters="none"/>
            <security:filter-chain pattern="/**"
                filters="securityContextPersistenceFilterWithASCTrue,
                         customBadgeAuthFilter,
                         logoutFilter,
                         requestCacheFilter,
                         securityContextHolderAwareRequestFilter,
                         sessionMgmtFilter,
                         formLoginExceptionTranslationFilter,
                         filterSecurityInterceptor" />
        </beans:list>
    </beans:constructor-arg>
</beans:bean>

<beans:bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter"/>

<beans:bean id="requestCacheFilter" class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter" />

<beans:bean id="securityContextPersistenceFilterWithASCTrue" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    <beans:property name="securityContextRepository" ref="securityContextRepository"/>
</beans:bean>

<beans:bean id="securityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>

<beans:bean id="sessionMgmtFilter" class="org.springframework.security.web.session.SessionManagementFilter">
    <beans:constructor-arg ref="securityContextRepository"/>
</beans:bean>

It is a class cast exception when it is trying to cast to SaveContextOnUpdateOrErrorResponseWrapper. This value is set by the ContextPersistentFilter, which does get called in my security chain as the first element.

public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
    SaveContextOnUpdateOrErrorResponseWrapper responseWrapper = (SaveContextOnUpdateOrErrorResponseWrapper)response;
    // saveContext() might already be called by the response wrapper
    // if something in the chain called sendError() or sendRedirect(). This ensures we only call it
    // once per request.
    if (!responseWrapper.isContextSaved() ) {
        responseWrapper.saveContext(context);
    }
}

Here is my stack trace

java.lang.ClassCastException: org.springframework.security.web.firewall.FirewalledResponse cannot be cast to org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper
at org.springframework.security.web.context.HttpSessionSecurityContextRepository.saveContext(HttpSessionSecurityContextRepository.java:99)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:93)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
at edu.mayo.fss.security.filter.SecureLoginFilter.doFilter(SecureLoginFilter.java:83)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
at edu.mayo.fss.spring.util.LoggingFilter.doFilter(LoggingFilter.java:41)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
at 

Can someone please help out as to what I need to do to resolve this firewalled request class cast exception? The error starts in the sessionMgmtFilter when it tries to cast.

Thanks DJ

user2358826

2 Answers

1

I had a secondary servlet filter before the spring-filter chain proxy. The instant I got rid of that filter, everything started working. So if the spring-filter chain is not getting called directly from the jsp but is routed through another filter which then invokes the filter chain, the firewalled request will throw a Class Cast Exception. The customFilter before spring-security was the cause of the Firewalled Class Cast Exception.

<filter>
    <filter-name>customFilter</filter-name>
    <filter-class>sas.SecureLoginFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>customFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

user2358826
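
A diagnostic filter for the situation described in the answer above, added here as an example and not code from the poster or from Spring Security: it logs the chain of response wrappers that reaches a given position, so the type of response object handed on by each filter can be compared with the type the cast in saveContext() expects. The class name ResponseChainLoggingFilter and the "label" parameter are hypothetical, and the javax.servlet API is assumed to be on the classpath.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.ServletResponseWrapper;

// Added diagnostic example; class name and "label" parameter are hypothetical.
public class ResponseChainLoggingFilter implements Filter {
    private static final Logger LOG = Logger.getLogger("ResponseChainLoggingFilter");
    private String label = "unnamed";

    // Setter for use as a Spring bean, where init() is not called by the container.
    public void setLabel(String label) { this.label = label; }

    // When registered in web.xml, read the label from an <init-param>.
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("label");
        if (configured != null) { label = configured; }
    }

    // Class names from the outermost response object inwards.
    static List<String> wrapperChain(ServletResponse response) {
        List<String> names = new ArrayList<String>();
        ServletResponse current = response;
        while (current != null) {
            names.add(current.getClass().getName());
            // Only ServletResponseWrapper subclasses expose their delegate; a
            // wrapper built any other way ends the walk at its own class name.
            current = (current instanceof ServletResponseWrapper)
                    ? ((ServletResponseWrapper) current).getResponse()
                    : null;
        }
        return names;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Record what this position receives, then pass both objects on untouched.
        LOG.info("[" + label + "] response chain: " + wrapperChain(response));
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```

Registered with different labels before and after a suspect filter in web.xml, or as a bean in the filters list of the filter-chain element, it shows at which position the outermost response class changes.
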
0

I had somewhat the same problem and I have added the solution here.

Maybe it helps somebody.

Community
Kayvan Tehrani