I am using OpenAM as my IDP and my SP (an angular2 SPA) is based on the example shared at: https://github.com/vdenotaris/spring-boot-security-saml-sample
After authentication, my webapp is supposed to invoke few REST services which are secured via http-basic authentication(using spring security) whose sessions are managed via Spring Session.
I am trying to create spring-session based sessions after a user is authenticated through OpenAM IDP. My intent is to use these sessions to talk to my http-basic-secured REST services.
Following is the "configure()" of my webapp's WebSecurityConfig before I attempted integrating spring-session with spring-saml and this works just fine.
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.httpBasic()
.authenticationEntryPoint(samlEntryPoint());
http
.csrf()
.disable();
http
.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
.addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
http
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/publicUrl").permitAll()
.antMatchers("/app/**").permitAll()
.antMatchers("/error").permitAll()
.antMatchers("/saml/**").permitAll()
.anyRequest().authenticated();
http
.logout()
.logoutSuccessUrl("/");
}
And the authentication works just fine. In the POST fired from IDP (OpenAM) I can see the cookie being set properly. eg : Set-Cookie: JSESSIONID=8DD6CDBF8079E83C8F4E7976C970BB27; Path=/; HttpOnly
Response
Headers
Pragma: no-cache
Date: Sun, 31 Jul 2016 02:12:06 GMT
X-Content-Type-Options: nosniff
Server: Apache-Coyote/1.1
X-Frame-Options: DENY
Location: http://localhost:8097/
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Set-Cookie: JSESSIONID=8DD6CDBF8079E83C8F4E7976C970BB27; Path=/; HttpOnly
Content-Length: 0
X-XSS-Protection: 1; mode=block
Expires: 0
Cookies
JSESSIONID: 8DD6CDBF8079E83C8F4E7976C970BB27
Following is the "configure()" of my webapp's WebSecurityConfig after I tried integrating spring-session with spring-saml and this breaks the authentication.
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.httpBasic()
.authenticationEntryPoint(samlEntryPoint());
http
.csrf()
.disable();
http
.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
.addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
http
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/publicUrl").permitAll()
.antMatchers("/app/**").permitAll()
.antMatchers("/error").permitAll()
.antMatchers("/saml/**").permitAll()
.anyRequest().authenticated();
http
.logout()
.logoutSuccessUrl("/");
http
.addFilterBefore(sessionRepositoryFilter(sessionRepository(), httpSessionStrategy()),
ChannelProcessingFilter.class)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
}
In the POST fired back from IDP (OpenAM) I dont see the cookie being set.
Response
Headers
Pragma: no-cache
Date: Sun, 31 Jul 2016 02:18:44 GMT
X-Content-Type-Options: nosniff
Server: Apache-Coyote/1.1
X-Frame-Options: DENY
Location: http://localhost:8097/
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
x-auth-token: 666412f1-b293-49fa-bacb-0aa6fc3d2fe0
Content-Length: 0
X-XSS-Protection: 1; mode=block
Expires: 0
Cookies
The SAML response was ok as I can see the Subjects details from IDP post authentication.
snippet from the SAML response
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NameQualifier="http://openam.example.com:8080/OpenAM-13.0.0">vin@example.com
</saml:NameID>
<saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData
InResponseTo="a1f07e22gi7db1h425hfj65i5gh0464"
NotOnOrAfter="2016-07-31T02:28:44Z"
Recipient="http://localhost:8097/saml/SSO"/>
</saml:SubjectConfirmation>
</saml:Subject>
Since the cookie is not set, I am not able to get hold of the principal object. My UI assumes the user is not authenticated and redirects the user again to IDP and it keeps running in a loop.
Your response is highly appreciated.
