6
votes

I am using OpenAM as my IDP and my SP (an angular2 SPA) is based on the example shared at: https://github.com/vdenotaris/spring-boot-security-saml-sample

After authentication, my webapp is supposed to invoke a few REST services which are secured via HTTP Basic authentication (using Spring Security) and whose sessions are managed via Spring Session.

I am trying to create Spring Session based sessions after a user is authenticated through the OpenAM IDP. My intent is to use these sessions to talk to my HTTP-Basic-secured REST services.

Following is the "configure()" of my webapp's WebSecurityConfig before I attempted integrating Spring Session with Spring SAML, and this works just fine.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .httpBasic()
        .authenticationEntryPoint(samlEntryPoint());
    http
        .csrf()
        .disable();
    http
        .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
    http
        .authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers("/publicUrl").permitAll()
        .antMatchers("/app/**").permitAll()
        .antMatchers("/error").permitAll()
        .antMatchers("/saml/**").permitAll()
        .anyRequest().authenticated();
    http
        .logout()
        .logoutSuccessUrl("/");
}

And the authentication works just fine. In the POST fired from the IDP (OpenAM) I can see the cookie being set properly, e.g.: Set-Cookie: JSESSIONID=8DD6CDBF8079E83C8F4E7976C970BB27; Path=/; HttpOnly

Response
    Headers
        Pragma:  no-cache
        Date:  Sun, 31 Jul 2016 02:12:06 GMT
        X-Content-Type-Options:  nosniff
        Server:  Apache-Coyote/1.1
        X-Frame-Options:  DENY
        Location:  http://localhost:8097/
        Cache-Control:  no-cache, no-store, max-age=0, must-revalidate
        Set-Cookie:  JSESSIONID=8DD6CDBF8079E83C8F4E7976C970BB27; Path=/; HttpOnly
        Content-Length:  0
        X-XSS-Protection:  1; mode=block
        Expires:  0
    Cookies
        JSESSIONID:  8DD6CDBF8079E83C8F4E7976C970BB27

Following is the "configure()" of my webapp's WebSecurityConfig after I tried integrating Spring Session with Spring SAML, and this breaks the authentication.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .httpBasic()
        .authenticationEntryPoint(samlEntryPoint());
    http
        .csrf()
        .disable();
    http
        .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
    http
        .authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers("/publicUrl").permitAll()
        .antMatchers("/app/**").permitAll()
        .antMatchers("/error").permitAll()
        .antMatchers("/saml/**").permitAll()
        .anyRequest().authenticated();
    http
        .logout()
        .logoutSuccessUrl("/");

    // Spring Session integration added here
    http
        .addFilterBefore(sessionRepositoryFilter(sessionRepository(), httpSessionStrategy()),
                ChannelProcessingFilter.class)
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
}

In the POST fired back from the IDP (OpenAM) I don't see the cookie being set.

Response
    Headers
        Pragma:  no-cache
        Date:  Sun, 31 Jul 2016 02:18:44 GMT
        X-Content-Type-Options:  nosniff
        Server:  Apache-Coyote/1.1
        X-Frame-Options:  DENY
        Location:  http://localhost:8097/
        Cache-Control:  no-cache, no-store, max-age=0, must-revalidate
        x-auth-token:  666412f1-b293-49fa-bacb-0aa6fc3d2fe0
        Content-Length:  0
        X-XSS-Protection:  1; mode=block
        Expires:  0
    Cookies

The SAML response was OK, as I can see the Subject's details from the IDP post-authentication.

Snippet from the SAML response:

    <saml:Subject>
        <saml:NameID 
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" 
            NameQualifier="http://openam.example.com:8080/OpenAM-13.0.0">vin@example.com
        </saml:NameID>
        <saml:SubjectConfirmation 
            Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData 
                InResponseTo="a1f07e22gi7db1h425hfj65i5gh0464" 
                NotOnOrAfter="2016-07-31T02:28:44Z" 
                Recipient="http://localhost:8097/saml/SSO"/>
        </saml:SubjectConfirmation>
    </saml:Subject>

Since the cookie is not set, I am not able to get hold of the principal object. My UI assumes the user is not authenticated and redirects the user to the IDP again, and it keeps running in a loop.

Your response is highly appreciated.

1
Did you try enabling Third Party Cookies? (comment by Alok Singh)

1 Answer

0
votes

Try adding this: server.session.tracking-modes=cookie in your properties file. Also, try adding SSL. The cookie may be marked as secure, and without SSL it cannot be visible.
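The two responses in the question differ in how the session id is transported: the first carries a Set-Cookie header, the second an x-auth-token header, which is the default header name of Spring Session's HeaderHttpSessionStrategy. With Spring Session, that transport is decided by the HttpSessionStrategy bean rather than by the servlet container's cookie tracking mode, and a browser following the 302 after the SAML POST only sends cookies, not custom response headers it received. The following is an added example (not code from the question, the answer, or the linked sample project) showing a Spring Session 1.x configuration with the cookie strategy active, alongside the header strategy for comparison. It assumes Spring Session 1.x (HttpSessionStrategy API) on Spring Boot and uses an in-memory MapSessionRepository only so that it is self-contained; the class name SpringSessionConfig and the method headerSessionStrategy() are hypothetical.

```java
// Added example, not from the question or answer above. Assumptions: Spring
// Session 1.x (HttpSessionStrategy API), Spring Boot, in-memory MapSessionRepository.
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.MapSessionRepository;
import org.springframework.session.config.annotation.web.http.EnableSpringHttpSession;
import org.springframework.session.web.http.CookieHttpSessionStrategy;
import org.springframework.session.web.http.DefaultCookieSerializer;
import org.springframework.session.web.http.HeaderHttpSessionStrategy;
import org.springframework.session.web.http.HttpSessionStrategy;

@Configuration
@EnableSpringHttpSession   // registers springSessionRepositoryFilter and picks up the HttpSessionStrategy bean
public class SpringSessionConfig {   // hypothetical class name

    // In-memory store so the example runs without Redis/JDBC; swap in a real
    // SessionRepository for anything beyond local testing.
    @Bean
    public MapSessionRepository sessionRepository() {
        return new MapSessionRepository(new ConcurrentHashMap<>());
    }

    // Browser flow (IdP POST to /saml/SSO -> 302 -> GET /): the session id has to
    // ride in a cookie, because the browser does not replay a custom response
    // header on the redirected request. This strategy emits
    // "Set-Cookie: SESSION=<id>; Path=/; HttpOnly; Secure".
    @Bean
    public HttpSessionStrategy httpSessionStrategy() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("SESSION");     // Spring Session's default cookie name
        serializer.setCookiePath("/");
        serializer.setUseHttpOnlyCookie(true);   // keeps the id out of the SPA's JavaScript
        serializer.setUseSecureCookie(true);     // sent only over HTTPS; must be false for plain-http dev
        CookieHttpSessionStrategy strategy = new CookieHttpSessionStrategy();
        strategy.setCookieSerializer(serializer);
        return strategy;
    }

    // Header transport, shown for comparison and deliberately NOT a @Bean so that
    // only one strategy is active. It returns the id in "x-auth-token" (the default
    // header name) and expects the client to send that header back on every call.
    // This is what produces the "x-auth-token: ..." header in the second response
    // of the question; it suits non-browser REST clients that store the token
    // themselves, not a redirect-driven SSO login.
    public HttpSessionStrategy headerSessionStrategy() {   // hypothetical method name
        HeaderHttpSessionStrategy strategy = new HeaderHttpSessionStrategy();
        strategy.setHeaderName("x-auth-token");
        return strategy;
    }
}
```

With @EnableSpringHttpSession, Spring Boot registers the springSessionRepositoryFilter bean as a servlet filter ahead of the Spring Security filter chain, so no manual addFilterBefore(...) of a SessionRepositoryFilter is required. Two practical checks once the cookie strategy is in place: first, confirm in the response to the SAML POST that the Set-Cookie line carries the HttpOnly and Secure flags (and drop setUseSecureCookie(true) only while testing over plain http://localhost, since a Secure cookie is never sent on http); second, because a cookie-borne session is attached automatically by the browser, the csrf().disable() in the question's configuration stops being a safe default, and Spring Security's CookieCsrfTokenRepository.withHttpOnlyFalse() is the usual way to keep CSRF protection on for an Angular client.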