
Spring Security - SAMLRequest triggered in infinite loop

user9874
user9874 Published in April 19, 2018, 10:01 am

I have implemented Spring Security in a Grails 3.x application without the use of plugins, based on the demo application provided by Spring. I am connecting to an ADFS server via SAML 2.

https://saml-federation.appspot.com/saml/discovery?returnIDParam=idp&entityID=saml-federation.appspot.com

**Filter config for samlEntryPoint in securitycontext.xml**

```xml
<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
        <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
        <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>
```

When I navigate to a protected URL for the first time, I am redirected to the ADFS login page and, on a successful SAML response, I am redirected back to the URL from where the SAML request was initiated. This, however, re-triggers another SAMLRequest and causes the request to fire in an infinite loop.

I have attached the logs. Any reason why the request gets retriggered even though the response was successful? There are no errors in processing the SAML response in the logs, and the authentication object is stored successfully.

15:24:55.074 DEBUG org.springframework.security.saml.SAMLEntryPoint - Processing SSO using WebSSO profile
15:24:55.074 DEBUG org.springframework.security.saml.websso.WebSSOProfileImpl - Using default consumer service with binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
15:24:55.087 DEBUG org.springframework.security.saml.storage.HttpSessionStorage - Storing message a1a79f2d37g2e6hi3e8ci7hei090dbe to session D08537BA04C926C051C9531E09684DAC
15:24:55.088 DEBUG org.springframework.security.saml.util.SAMLUtil - XMLObject already had cached DOM, returning that element
15:24:55.089 INFO  org.springframework.security.saml.log.SAMLDefaultLogger - AuthNRequest;SUCCESS;https://my-app.com:8443;http://adfs.server.com/adfs/services/trust;;
15:24:55.703 DEBUG org.springframework.security.saml.SAMLProcessingFilter - Request is to process authentication
15:24:55.703 DEBUG org.springframework.security.saml.SAMLProcessingFilter - Attempting SAML2 authentication using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
15:24:55.707 DEBUG o.springframework.security.saml.processor.SAMLProcessorImpl - Retrieving message using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
15:24:55.712 DEBUG org.springframework.security.saml.util.SAMLUtil - Found endpoint org.opensaml.saml2.metadata.impl.AssertionConsumerServiceImpl@759b2b42 for request URL https://my-app.com:8443/testapp/saml/SSO based on location attribute in metadata
15:24:55.713 DEBUG org.springframework.security.saml.storage.HttpSessionStorage - Message a1a79f2d37g2e6hi3e8ci7hei090dbe found in session D08537BA04C926C051C9531E09684DAC, clearing
15:24:55.713 DEBUG o.s.security.saml.websso.WebSSOProfileConsumerImpl - Verifying issuer of the Response
15:24:55.713 DEBUG o.s.security.saml.websso.WebSSOProfileConsumerImpl - Verifying signature
15:24:55.716 DEBUG o.s.security.saml.websso.WebSSOProfileConsumerImpl - Processing Bearer subject confirmation
15:24:55.716 DEBUG o.s.security.saml.websso.WebSSOProfileConsumerImpl - Verifying received AuthnContext org.opensaml.saml2.core.impl.AuthnContextImpl@325714b5 against requested null
15:24:55.716 DEBUG o.s.security.saml.websso.WebSSOProfileConsumerImpl - Validation of authentication statement in assertion _c1a1c5b4-9f57-4f41-be6e-b3960d99a087 was successful
15:24:55.716 DEBUG o.s.security.saml.websso.WebSSOProfileConsumerImpl - Including attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn from assertion _c1a1c5b4-9f57-4f41-be6e-b3960d99a087
15:24:55.716 DEBUG o.s.security.saml.websso.WebSSOProfileConsumerImpl - Including attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name from assertion _c1a1c5b4-9f57-4f41-be6e-b3960d99a087
15:24:55.716 DEBUG o.s.security.saml.websso.WebSSOProfileConsumerImpl - Including attribute http://schemas.microsoft.com/ws/2008/06/identity/claims/role from assertion _c1a1c5b4-9f57-4f41-be6e-b3960d99a087
15:24:55.716 DEBUG org.springframework.security.saml.util.SAMLUtil - XMLObject already had cached DOM, returning that element
15:24:55.716 INFO  org.springframework.security.saml.log.SAMLDefaultLogger - AuthNResponse;SUCCESS;https://my-app.com:8443;http://adfs.server.com/adfs/services/trust; test@test.local;
15:24:55.717 DEBUG org.springframework.security.saml.SAMLProcessingFilter - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@44b6bf69: Principal:  test@test.local; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.core.userdetails.User@4a035b76: Username:  test@test.local; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Granted Authorities: ROLE_USER
15:24:55.718 DEBUG o.s.s.w.a.SavedRequestAwareAuthenticationSuccessHandler - Redirecting to DefaultSavedRequest Url: https://my-app.com:8443/testapp/
15:24:55.728 DEBUG o.s.security.saml.context.SAMLContextProviderImpl - No IDP specified, using default http://adfs.server.com/adfs/services/trust
15:24:55.728 DEBUG org.springframework.security.saml.util.SAMLUtil - Index for AssertionConsumerService not specified, returning default
15:24:55.728 DEBUG org.springframework.security.saml.SAMLEntryPoint - Processing SSO using WebSSO profile
15:24:55.728 DEBUG org.springframework.security.saml.websso.WebSSOProfileImpl - Using default consumer service with binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
15:24:55.739 DEBUG org.springframework.security.saml.storage.HttpSessionStorage - Storing message a40bd1f7ii3ai71e1hc38bfb5a282eg to session D08537BA04C926C051C9531E09684DAC
15:24:55.739 DEBUG org.springframework.security.saml.util.SAMLUtil - XMLObject already had cached DOM, returning that element
15:24:55.739 INFO  org.springframework.security.saml.log.SAMLDefaultLogger - AuthNRequest;SUCCESS;https://my-app.com:8443;http://adfs.server.com/adfs/services/trust;
15:24:56.351 DEBUG org.springframework.security.saml.SAMLProcessingFilter - Request is to process authentication
15:24:56.351 DEBUG org.springframework.security.saml.SAMLProcessingFilter - Attempting SAML2 authentication using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
15:24:56.353 DEBUG o.springframework.security.saml.processor.SAMLProcessorImpl - Retrieving message using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
15:24:56.359 DEBUG org.springframework.security.saml.util.SAMLUtil - Found endpoint org.opensaml.saml2.metadata.impl.AssertionConsumerServiceImpl@759b2b42 for request URL https://my-app.com:8443/testapp/saml/SSO based on location attribute in metadata
15:24:56.359 DEBUG org.springframework.security.saml.storage.HttpSessionStorage - Message a40bd1f7ii3ai71e1hc38bfb5a282eg found in session D08537BA04C926C051C9531E09684DAC, clearing
15:24:56.360 DEBUG o.s.security.saml.websso.WebSSOProfileConsumerImpl - Verifying issuer of the Response
15:24:56.360 DEBUG o.s.security.saml.websso.WebSSOProfileConsumerImpl - Verifying signature
15:24:56.362 DEBUG o.s.security.saml.websso.WebSSOProfileConsumerImpl - Processing Bearer subject confirmation
15:24:56.362 DEBUG o.s.security.saml.websso.WebSSOProfileConsumerImpl - Verifying received AuthnContext org.opensaml.saml2.core.impl.AuthnContextImpl@71ba7915 against requested null
15:24:56.362 DEBUG o.s.security.saml.websso.WebSSOProfileConsumerImpl - Validation of authentication statement in assertion _f756adf7-0bb2-417d-8635-e620aade31be was successful
15:24:56.362 DEBUG o.s.security.saml.websso.WebSSOProfileConsumerImpl - Including attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn from assertion _f756adf7-0bb2-417d-8635-e620aade31be
15:24:56.362 DEBUG o.s.security.saml.websso.WebSSOProfileConsumerImpl - Including attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name from assertion _f756adf7-0bb2-417d-8635-e620aade31be
15:24:56.362 DEBUG o.s.security.saml.websso.WebSSOProfileConsumerImpl - Including attribute http://schemas.microsoft.com/ws/2008/06/identity/claims/role from assertion _f756adf7-0bb2-417d-8635-e620aade31be
15:24:56.362 DEBUG org.springframework.security.saml.util.SAMLUtil - XMLObject already had cached DOM, returning that element
15:24:56.362 INFO  org.springframework.security.saml.log.SAMLDefaultLogger - AuthNResponse;SUCCESS;https://my-app.com:8443;http://adfs.server.com/adfs/services/trust; test@test.local
15:24:56.362 DEBUG org.springframework.security.saml.SAMLProcessingFilter - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@4dfe888c: Principal:  test@test.local; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.core.userdetails.User@4a035b76: Username:  test@test.local; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Granted Authorities: ROLE_USER
15:24:56.363 DEBUG o.s.s.w.a.SavedRequestAwareAuthenticationSuccessHandler - Redirecting to DefaultSavedRequest Url: https://my-app.com:8443/testapp/
15:24:56.373 DEBUG o.s.security.saml.context.SAMLContextProviderImpl - No IDP specified, using default http://adfs.server.com/adfs/services/trust
15:24:56.373 DEBUG org.springframework.security.saml.util.SAMLUtil - Index for AssertionConsumerService not specified, returning default
15:24:56.373 DEBUG org.springframework.security.saml.SAMLEntryPoint - Processing SSO using WebSSO profile