I am working with an application that allows the user to login using NTLM and a form login simultaneously. I mean that a user can log using their windows credentials (using jespa), but it is possible to logout and use a formulary that checks your user/password in a database. It works fine if you work with IE8 (build bigger than 8.0.6001.18702), IE9, Firefox or Chrome, but when you get to work with IE7 (at least with 7.0.5730.13) and IE8 (build 8.0.6001.18702).
The issue is that after loging out, when the user tries to log back in with a valid user it is getting the following error:
java.lang.IllegalStateException: Cannot create a session after the response has been committed
at org.apache.catalina.connector.Request.doGetSession(Request.java:2433)
at org.apache.catalina.connector.Request.getSession(Request.java:2153)
at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:833)
at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216)
at org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy.onAuthentication(SessionFixationProtectionStrategy.java:91)
at org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy.onAuthentication(ConcurrentSessionControlStrategy.java:63)
at webapp.security.RedirectConcurrentSessionControlStrategy.onAuthentication(RedirectConcurrentSessionControlStrategy.java:33)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:204)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at webapp.security.jespa.filter.NtlmSecurityFilter$1.doFilter(NtlmSecurityFilter.java:170)
at jespa.http.HttpSecurityService.doFilter(HttpSecurityService.java:1465)
at webapp.security.jespa.filter.NtlmSecurityFilter.doFilter(NtlmSecurityFilter.java:178)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:109)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.valves.RequestDumperValve.invoke(RequestDumperValve.java:156)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:291)
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:877)
at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:594)
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1675)
at java.lang.Thread.run(Thread.java:662)
The securityContext.xml is the following one:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:crypt="http://code.google.com/p/spring-crypto-utils/schema/crypt"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
http://code.google.com/p/spring-crypto-utils/schema/crypt http://code.google.com/p/spring-crypto-utils/schema/crypt.xsd"
default-lazy-init="true">
<bean id="ntlmEntryPoint" class="webapp.security.jespa.authentication.NtlmAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/beans"/>
<bean id="loginEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" p:loginFormUrl="/login.html"
xmlns="http://www.springframework.org/schema/beans"/>
<bean id="basicAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter"
xmlns="http://www.springframework.org/schema/beans">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint"/>
</bean>
<bean id="basicAuthenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/beans">
<property name="realmName" value="remote eFrame"/>
</bean>
<http access-decision-manager-ref="accessDecisionManager" entry-point-ref="ntlmEntryPoint" security-context-repository-ref="securityContextRepository">
<anonymous/>
<intercept-url pattern="/**" access="PERMISSION_SYSTEM"/>
<custom-filter ref="basicAuthenticationFilter" before="PRE_AUTH_FILTER"/>
<custom-filter ref="concurrentSessionFilter" position="CONCURRENT_SESSION_FILTER"/>
<custom-filter ref="${security.sso}ProcessingFilter" position="PRE_AUTH_FILTER"/>
<!-- TODO make these URLs configurable -->
<form-login login-page="/login.html" default-target-url="/index.html?formlogin=true" always-use-default-target="false"
login-processing-url="/j_spring_security_check" authentication-failure-url="/login.html?login_error=1"
authentication-success-handler-ref="postAuthenticationSuccessHandler"
authentication-failure-handler-ref="postAuthenticationFailureHandler"/>
<session-management invalid-session-url="/sessionExpired.html"
session-authentication-strategy-ref="redirectConcurrentSessionControlStrategy"/>
</http>
<bean id="postAuthenticationSuccessHandler" class="webapp.security.PostAuthenticationSuccessHandler"
xmlns="http://www.springframework.org/schema/beans">
<property name="defaultTargetUrl" value="/index.html?formlogin=true"/>
<property name="alwaysUseDefaultTargetUrl" value="true"/>
</bean>
<bean id="postAuthenticationFailureHandler" class="webapp.security.PostAuthenticationFailureHandler"
p:defaultFailureUrl="/login.html?login_error=1"
xmlns="http://www.springframework.org/schema/beans"/>
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"
xmlns="http://www.springframework.org/schema/beans"/>
<bean id="ajaxRedirectStrategy" class="webapp.security.AjaxRedirectStrategy"
xmlns="http://www.springframework.org/schema/beans"/>
<bean id="concurrentSessionFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"
xmlns="http://www.springframework.org/schema/beans">
<property name="sessionRegistry" ref="sessionRegistry"/>
<property name="expiredUrl" value="/sessionExpired.html"/>
<property name="redirectStrategy" ref="ajaxRedirectStrategy"/>
</bean>
<bean id="redirectConcurrentSessionControlStrategy" class="webapp.security.RedirectConcurrentSessionControlStrategy"
xmlns="http://www.springframework.org/schema/beans">
<constructor-arg ref="sessionRegistry"/>
</bean>
<bean id="securityContextRepository" class="webapp.security.SecurityContextRepositoryDecorator" xmlns="http://www.springframework.org/schema/beans">
<property name="target">
<bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
</bean>
</property>
<property name="sessionRegistry" ref="sessionRegistry"/>
</bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="ntlmAuthenticationProvider"/>
<authentication-provider ref="databaseAuthenticationProvider"/>
</authentication-manager>
<!-- DATABASE Security Provider -->
<bean id="databaseAuthenticationProvider" class="webapp.security.db.DBAuthenticationProvider"
xmlns="http://www.springframework.org/schema/beans">
<property name="userDetailsService" ref="databaseUserDetailsService"/>
<property name="fallbackPasswordEncoder">
<bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
</property>
<property name="passwordEncoder" ref="passwordEncoder"/>
</bean>
<bean id="databaseUserDetailsService" class="webapp.security.DBUserDetailsService"
xmlns="http://www.springframework.org/schema/beans"/>
<!-- NTLM provider -->
<bean id="ntlmAuthenticationProvider" class="webapp.security.jespa.provider.NtlmAuthenticationProvider"
xmlns="http://www.springframework.org/schema/beans"/>
<bean id="ntlmProcessingFilter" class="webapp.security.jespa.filter.NtlmSecurityFilter"
p:authenticationEntryPoint-ref="ntlmEntryPoint"
p:authenticationManager-ref="authenticationManager" p:properties-ref="ntlmProperties"
p:authenticationSuccessHandler-ref="postAuthenticationSuccessHandler"
xmlns="http://www.springframework.org/schema/beans"/>
<bean id="ntlmProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean"
xmlns="http://www.springframework.org/schema/beans">
<property name="ignoreResourceNotFound" value="true"/>
<property name="localOverride" value="true"/>
<property name="properties">
<props>
<prop key="jespa.bindstr">${jespa.bindstr}</prop>
<prop key="jespa.dns.servers">${jespa.dns.servers}</prop>
<prop key="jespa.dns.site">${jespa.dns.site}</prop>
<prop key="jespa.service.acctname">${jespa.service.acctname}</prop>
<prop key="jespa.service.password">${jespa.service.password}</prop>
<prop key="jespa.log.level">${jespa.log.level}</prop>
<prop key="jespa.account.canonicalForm">${jespa.account.canonicalForm}</prop>
<prop key="fallback.location">${fallback.location}</prop>
<prop key="http.parameter.anonymous.name">formlogin</prop>
<prop key="excludes">/j_spring_security_check,/login.html,/sessionExpired.html,logout.html,/images/*,/css/*,/styles/*,/js/*
</prop>
</props>
</property>
</bean>
<global-method-security jsr250-annotations="enabled" access-decision-manager-ref="accessDecisionManager"/>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
xmlns="http://www.springframework.org/schema/beans">
<property name="allowIfAllAbstainDecisions" value="false"/>
<property name="decisionVoters">
<list>
<bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter"/>
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
<property name="rolePrefix" value="PERMISSION_"/>
</bean>
<bean id="jsr250Voter" class="org.springframework.security.access.annotation.Jsr250Voter"/>
<bean id="dataTypeVoter" class="webapp.DataTypeAccessVoter"/>
</list>
</property>
</bean>
The last method that is failing is:
public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException {
// nest inside the HttpSecurityService to get access to the authenticated SecurityProvider
FilterChain nestedChain = new FilterChain() {
public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse) throws IOException, ServletException {
final HttpServletResponse httpResponse = (HttpServletResponse) response;
if (servletRequest instanceof HttpSecurityServletRequest) {
final HttpSecurityServletRequest securityRequest = (HttpSecurityServletRequest) servletRequest;
SecurityPrincipal principal = (SecurityPrincipal) securityRequest.getUserPrincipal();
setCookie("NTLM-Auth-Capable", "true", (HttpServletRequest) request, httpResponse);
try {
if (authenticationIsRequired(securityRequest, principal)) {
SecurityProvider securityProvider = securityRequest.getSecurityProvider();
NtlmAuthenticationToken authenticationToken = createNtlmAuthenticationToken(principal, securityProvider);
Authentication authResult = authenticationManager.authenticate(authenticationToken);
LOG.debug("Authentication success: {}", authResult.toString());
setCookie("NTLM-Auth-Enabled", "true", (HttpServletRequest) request, httpResponse);
SecurityContextHolder.getContext().setAuthentication(authResult);
onSuccessfulAuthentication((HttpServletRequest) servletRequest, httpResponse, authResult);
}
} catch (AuthenticationException e) {
LOG.debug("Authentication request for NTLM principal [{}] failed: ", principal, e.getMessage());
SecurityContextHolder.getContext().setAuthentication(null);
onUnsuccessfulAuthentication((HttpServletRequest) servletRequest, httpResponse, e);
authenticationEntryPoint.commence(securityRequest, httpResponse, e);
return;
} catch (SecurityProviderException e) {
LOG.debug("Authentication request for NTLM principal [{}] failed: ", principal, e.getMessage());
SecurityContextHolder.getContext().setAuthentication(null);
}
}
// do not use wrapped (Jespa) instance, instead use the originals (Spring wrapped) versions.
chain.doFilter(request, response);
}
};
// call the super doFilter with the nested chain, which should call the code above.
httpSecurityService.doFilter(request, response, nestedChain);
}
In that method, when it checks the servletRequest class: if (servletRequest instanceof HttpSecurityServletRequest) {
With the IE7 and IE8 that fails servletRequest is jespa.http.HttpSecurityServletRequest, but with the IE8 build that does not fail, IE9, FF and Chrome the servlet request is not that one. So, for some reason the ofending IE versions seems to keep on sending NTLM information so SpringSecurity tries to authenticate.
The version of Spring is 3.1.2 (core and security), jespa is 1.1.7 and jcifs is 1.3.15.
Have any of you ever had this issue? If so, what did you do to solve it?
Thanks a lot!