Login Dialog appears in IE8 when accessed remotely - Spring Security 3-Tomcat6

Jan 27, 2011 at 8:43 AM

Hi,

We're using Waffle 1.3 with Spring Security 3 - Tomcat 6 and we keep getting the login dialog whenever we access the application remotely.

FYI, the other (client) machine is in the same domain as the machine which hosts the app. I have gone through the Q&A on troubleshooting Negotiate authentication (link below) but still we cannot do SSO remotely.

http://waffle.codeplex.com/wikipage?title=Troubleshooting%20Negotiate&referringTitle=Home

Here's our configuration:

<security:http entry-point-ref="negotiateSecurityFilterEntryPoint">
        <security:intercept-url pattern="/**" access="ROLE_USER" />
        <security:access-denied-handler error-page="/login_error.jsp"/>
        <security:custom-filter ref="waffleNegotiateSecurityFilter" before="BASIC_AUTH_FILTER"/>
</security:http>

Here's the Spring log: (sorry, it's a bit long)

17:23:26,319 DEBUG [org.springframework.security.web.FilterChainProxy] - Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
17:23:26,319 DEBUG [org.springframework.security.web.FilterChainProxy] - Candidate is: '/index.jsp'; pattern is /resources/images/**; matched=false
17:23:26,319 DEBUG [org.springframework.security.web.FilterChainProxy] - Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
17:23:26,319 DEBUG [org.springframework.security.web.FilterChainProxy] - Candidate is: '/index.jsp'; pattern is /resources/css/**; matched=false
17:23:26,320 DEBUG [org.springframework.security.web.FilterChainProxy] - Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
17:23:26,320 DEBUG [org.springframework.security.web.FilterChainProxy] - Candidate is: '/index.jsp'; pattern is /**; matched=true
17:23:26,320 DEBUG [org.springframework.security.web.FilterChainProxy] - /index.jsp at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
17:23:26,320 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - No HttpSession currently exists
17:23:26,320 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - No SecurityContext was available from the HttpSession: null. A new one will be created.
17:23:26,320 DEBUG [org.springframework.security.web.FilterChainProxy] - /index.jsp at position 2 of 8 in additional filter chain; firing Filter: 'NegotiateSecurityFilter'
17:23:26,320 INFO  [waffle.spring.NegotiateSecurityFilter] - GET /springapp/, contentlength: -1
17:23:26,320 DEBUG [org.springframework.security.web.FilterChainProxy] - /index.jsp at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
17:23:26,320 DEBUG [org.springframework.security.web.FilterChainProxy] - /index.jsp at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
17:23:26,320 DEBUG [org.springframework.security.web.FilterChainProxy] - /index.jsp at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
17:23:26,320 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faaf9b0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 172.25.2.7; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
17:23:26,320 DEBUG [org.springframework.security.web.FilterChainProxy] - /index.jsp at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
17:23:26,321 DEBUG [org.springframework.security.web.FilterChainProxy] - /index.jsp at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
17:23:26,321 DEBUG [org.springframework.security.web.FilterChainProxy] - /index.jsp at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
17:23:26,321 DEBUG [org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource] - Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
17:23:26,321 DEBUG [org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource] - Candidate is: '/index.jsp'; pattern is /visitorentry.html*; matched=false
17:23:26,321 DEBUG [org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource] - Candidate is: '/index.jsp'; pattern is /registervisitor.html*; matched=false
17:23:26,321 DEBUG [org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource] - Candidate is: '/index.jsp'; pattern is /editregistervisitor.html*; matched=false
17:23:26,321 DEBUG [org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource] - Candidate is: '/index.jsp'; pattern is /proceedregistervisitor.html*; matched=false
17:23:26,322 DEBUG [org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource] - Candidate is: '/index.jsp'; pattern is /**; matched=true
17:23:26,322 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - Secure object: FilterInvocation: URL: /index.jsp; Attributes: [ROLE_USER]
17:23:26,322 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faaf9b0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 172.25.2.7; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
17:23:26,322 DEBUG [org.springframework.security.access.vote.AffirmativeBased] - Voter: org.springframework.security.access.vote.RoleVoter@42702c, returned: -1
17:23:26,322 DEBUG [org.springframework.security.access.vote.AffirmativeBased] - Voter: org.springframework.security.access.vote.AuthenticatedVoter@1d26318, returned: 0
17:23:26,322 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
	at waffle.spring.NegotiateSecurityFilter.doFilter(Unknown Source)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
	at java.lang.Thread.run(Thread.java:619)
17:23:26,325 DEBUG [org.springframework.security.web.savedrequest.HttpSessionRequestCache] - DefaultSavedRequest added to Session: DefaultSavedRequest[http://172.25.2.25:8080/springapp/]
17:23:26,325 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] - Calling Authentication entry point.
17:23:26,325 DEBUG [waffle.spring.NegotiateSecurityFilterEntryPoint] - [waffle.spring.NegotiateEntryPoint] commence
17:23:26,325 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - SecurityContext is empty or anonymous - context will not be stored in HttpSession. 
17:23:26,325 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
17:23:26,329 DEBUG [org.springframework.security.web.FilterChainProxy] - Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
17:23:26,329 DEBUG [org.springframework.security.web.FilterChainProxy] - Candidate is: '/index.jsp'; pattern is /resources/images/**; matched=false
17:23:26,329 DEBUG [org.springframework.security.web.FilterChainProxy] - Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
17:23:26,329 DEBUG [org.springframework.security.web.FilterChainProxy] - Candidate is: '/index.jsp'; pattern is /resources/css/**; matched=false
17:23:26,330 DEBUG [org.springframework.security.web.FilterChainProxy] - Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
17:23:26,330 DEBUG [org.springframework.security.web.FilterChainProxy] - Candidate is: '/index.jsp'; pattern is /**; matched=true
17:23:26,330 DEBUG [org.springframework.security.web.FilterChainProxy] - /index.jsp at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
17:23:26,330 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - HttpSession returned null object for SPRING_SECURITY_CONTEXT
17:23:26,330 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@e2262b. A new one will be created.
17:23:26,330 DEBUG [org.springframework.security.web.FilterChainProxy] - /index.jsp at position 2 of 8 in additional filter chain; firing Filter: 'NegotiateSecurityFilter'
17:23:26,330 INFO  [waffle.spring.NegotiateSecurityFilter] - GET /springapp/, contentlength: -1
17:23:26,330 INFO  [waffle.servlet.spi.NegotiateSecurityFilterProvider] - security package: Negotiate, connection id: 172.25.2.7:54742
17:23:26,330 INFO  [waffle.servlet.spi.NegotiateSecurityFilterProvider] - token buffer: 40 byte(s)
17:23:26,331 INFO  [waffle.servlet.spi.NegotiateSecurityFilterProvider] - continue token: TlRMTVNTUAACAAAAEgASADgAAAAVgoni2gWLgSNABV4AAAAAAAAAAMAAwABKAAAABgGwHQAAAA9UAEUATABPAFcATwBSAEsAUwACABIAVABFAEwATwBXAE8AUgBLAFMAAQASAFQASQBXAC0AMAAwADIANgA4AAQAKABUAGUAbABvAHcAbwByAGsAcwAuAFQAZQBsAG8AcwAuAEMAbwByAHAAAwA8AFQASQBXAC0AMAAwADIANgA4AC4AVABlAGwAbwB3AG8AcgBrAHMALgBUAGUAbABvAHMALgBDAG8AcgBwAAUAFABUAGUAbABvAHMALgBDAG8AcgBwAAcACADoBhfaA77LAQAAAAA=
17:23:26,331 INFO  [waffle.servlet.spi.NegotiateSecurityFilterProvider] - continue required: true
17:23:26,332 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - SecurityContext is empty or anonymous - context will not be stored in HttpSession. 
17:23:26,332 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
17:23:26,340 DEBUG [org.springframework.security.web.FilterChainProxy] - Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
17:23:26,340 DEBUG [org.springframework.security.web.FilterChainProxy] - Candidate is: '/index.jsp'; pattern is /resources/images/**; matched=false
17:23:26,340 DEBUG [org.springframework.security.web.FilterChainProxy] - Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
17:23:26,340 DEBUG [org.springframework.security.web.FilterChainProxy] - Candidate is: '/index.jsp'; pattern is /resources/css/**; matched=false
17:23:26,341 DEBUG [org.springframework.security.web.FilterChainProxy] - Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
17:23:26,341 DEBUG [org.springframework.security.web.FilterChainProxy] - Candidate is: '/index.jsp'; pattern is /**; matched=true
17:23:26,341 DEBUG [org.springframework.security.web.FilterChainProxy] - /index.jsp at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
17:23:26,341 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - HttpSession returned null object for SPRING_SECURITY_CONTEXT
17:23:26,341 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@e2262b. A new one will be created.
17:23:26,341 DEBUG [org.springframework.security.web.FilterChainProxy] - /index.jsp at position 2 of 8 in additional filter chain; firing Filter: 'NegotiateSecurityFilter'
17:23:26,341 INFO  [waffle.spring.NegotiateSecurityFilter] - GET /springapp/, contentlength: -1
17:23:26,341 INFO  [waffle.servlet.spi.NegotiateSecurityFilterProvider] - security package: Negotiate, connection id: 172.25.2.7:54742
17:23:26,341 INFO  [waffle.servlet.spi.NegotiateSecurityFilterProvider] - token buffer: 534 byte(s)
17:23:26,343 WARN  [waffle.spring.NegotiateSecurityFilter] - error logging in user: No authority could be contacted for authentication.
17:23:26,343 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - SecurityContext is empty or anonymous - context will not be stored in HttpSession. 
17:23:26,343 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed

Am I missing any configuration client or server side?
All the best!
Coordinator
Jan 27, 2011 at 1:56 PM

Hm. The real error is this one.

17:23:26,343 WARN  [waffle.spring.NegotiateSecurityFilter] - error logging in user: No authority could be contacted for authentication

This clearly means that the Kerberos implementation can't talk to AD.

This thread talks about the same problem and suggests the following.

  • Check the DNS configuration (under TCP/IP settings) of your web server and see that it points to your AD DNS (probably your AD server).
    If it points to e.g. your ISP DNS, change it so that it points to your AD DNS. If it is already set to point to AD DNS, can it actually communicate with the DNS server?
    Run the nslookup command to see if it can resolve computer names.
  • Are there any firewalls or other filters between your web server and AD server?

Google has a lot more results for this error, so I would start reading that. Post what you find in this thread. Thx.
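
An added diagnostic example (not part of the original thread, and not Waffle's own code): when triaging a log like the one above, it helps to know which mechanism the Negotiate package actually used before chasing DNS or firewall issues. The continue token in the posted log begins with `TlRMTVNTUAAC`, which is the base64 form of the `NTLMSSP` signature followed by message type 2. The sketch below classifies such tokens and pulls login errors out of Waffle log lines; the function names, the `EXAMPLE` target and the sample log lines are constructed for illustration.

```python
import base64
import re
import struct

NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
TOKEN_RE = re.compile(r"continue token: (\S+)")
ERROR_RE = re.compile(r"error logging in user: (.+)$")

def classify_token(b64_token):
    """Return (mechanism, detail) for a base64 token taken from a Waffle log line."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(NTLM_SIG) and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        detail = NTLM_TYPES.get(msg_type, "type %d" % msg_type)
        if msg_type == 2 and len(raw) >= 24:
            length, _maxlen, offset = struct.unpack_from("<HHI", raw, 12)  # TargetName fields
            (flags,) = struct.unpack_from("<I", raw, 20)  # NegotiateFlags
            codec = "utf-16-le" if flags & 0x1 else "ascii"  # NEGOTIATE_UNICODE bit
            detail += " target=" + raw[offset:offset + length].decode(codec, "replace")
        return "NTLM", detail
    if raw[:1] in (b"\x60", b"\xa1"):  # GSS-API initial token or SPNEGO NegTokenResp
        return "SPNEGO", "GSS-API/SPNEGO wrapped token"
    return "unknown", "%d byte(s)" % len(raw)

def summarize(log_lines):
    """Collect token classifications and login errors from Waffle log lines."""
    tokens, errors = [], []
    for line in log_lines:
        tok, err = TOKEN_RE.search(line), ERROR_RE.search(line)
        if tok:
            tokens.append(classify_token(tok.group(1)))
        if err:
            errors.append(err.group(1).strip())
    return {"tokens": tokens, "errors": errors}

def build_sample_challenge(target="EXAMPLE"):  # constructed token, not a value from the page
    name = target.encode("utf-16-le")
    header = NTLM_SIG + struct.pack("<IHHII", 2, len(name), len(name), 56, 0x1)
    return base64.b64encode(header + b"\x00" * 32 + name).decode()  # payload at offset 56

SAMPLE_LOG = [  # constructed lines in the format shown in the post
    "INFO  [waffle.servlet.spi.NegotiateSecurityFilterProvider] - continue token: "
    + build_sample_challenge(),
    "WARN  [waffle.spring.NegotiateSecurityFilter] - error logging in user: "
    "No authority could be contacted for authentication.",
]
```

Calling `summarize(SAMPLE_LOG)` returns the classified tokens alongside the error strings, so the mechanism in use can be read next to the failure it preceded.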

 

Feb 4, 2011 at 6:38 AM

Thanks for the prompt reply.

Spent a couple of days figuring out the problem and it turned out that there is something in my dev Domain that's preventing SSO (still under investigation).

Tried it in 2 different domains and finally remote WAFFLE authentication worked!

 

Thanks a lot!