[mitreid-connect] Custom AuthenticationProvider

Justin Richer jricher at mit.edu
Tue Jun 6 18:21:50 EDT 2017


I’ve found the method-not-allowed message from Spring to be misleading.  That’s likely due to missing a CSRF on the login form, but the LDAP overlay shouldn’t have any customizations there.

 — Justin

> On Jun 6, 2017, at 5:52 PM, Luiz Omori <luiz.omori at duke.edu> wrote:
> 
> The problem is that our LDAP server requires a little bit of customization so it’s a little bit more elaborate, but I just tried and it didn’t work. Ran into another weird issue: I get a 405 when the login page does a POST.
>  
> Request URL:
> http://localhost:8080/patient-openid-connect/login
> Request Method:
> POST
> Status Code:
> 405 Method Not Allowed
> Remote Address:
> [::1]:8080
> Referrer Policy:
> no-referrer-when-downgrade
>  
> Here is my security:http (straight from the link you sent):
>  
> <security:http disable-url-rewriting="true" use-expressions="true">
>     <security:form-login login-page="/login" authentication-failure-url="/login?error=failure" authentication-success-handler-ref="authenticationTimeStamper" />
>     <security:intercept-url pattern="/authorize" access="hasRole('ROLE_USER')" />
>     <security:intercept-url pattern="/**" access="permitAll" />
>     <security:custom-filter ref="authRequestFilter" after="SECURITY_CONTEXT_FILTER" />
>     <security:logout logout-url="/logout" />
>     <security:anonymous />
>     <security:expression-handler ref="oauthWebExpressionHandler" />
>     <security:headers>
>         <security:frame-options policy="DENY" />
>     </security:headers>
>     <security:csrf />
> </security:http>
>  
>  
> From: Justin Richer <jricher at mit.edu>
> Date: Tuesday, June 6, 2017 at 5:24 PM
> To: Luiz Omori <luiz.omori at duke.edu>
> Cc: "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
> Subject: Re: [mitreid-connect] Custom AuthenticationProvider
>  
> To be honest, I haven’t personally tested the example LDAP overlay in a while as I don’t have an LDAP server set up to run it against. As a consequence, it might be out of date. Have you tried changing “alias” to “id”?
>  
>  — Justin
>  
> On Jun 6, 2017, at 5:08 PM, Luiz Omori <luiz.omori at duke.edu> wrote:
>  
> Well, is the LDAP overlay working? That one seems to be using “alias” instead of “id”.
>  
> Regards,
> Luiz
>  
> From: Justin Richer <jricher at mit.edu>
> Date: Tuesday, June 6, 2017 at 3:34 PM
> To: Luiz Omori <luiz.omori at duke.edu>
> Cc: "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
> Subject: Re: [mitreid-connect] Custom AuthenticationProvider
>  
> The new version does upgrade the version of Spring Security and there were a few changes that were required in that upgrade. For one, if you’ve got your auth manager in with “alias” instead of “id”, it can fail in weird ways. Also note that the field names for username and password, as well as the username/password filter, have all changed by default. The other issues had to do with the default session and CSRF behavior in the new version of spring, but that shouldn’t affect the initial login. 
>  
>  — Justin
>  
> On Jun 6, 2017, at 1:40 PM, Luiz Omori <luiz.omori at duke.edu> wrote:
>  
> Thanks.  I took a look and my configuration is very similar. Maybe my problem is elsewhere. The login page shows up but it always fails even with proper username and password (obviously as the authentication provider is not being called). Nothing in the logs at info level and couldn’t find anything useful in debug. Interesting that when I try using a previous MitreID 1.2.x that we have it works. Maybe something new with 1.3.x?
>  
> Regards,
> Luiz
>  
> From: Justin Richer <jricher at mit.edu>
> Date: Monday, June 5, 2017 at 4:33 PM
> To: Luiz Omori <luiz.omori at duke.edu>
> Cc: "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
> Subject: Re: [mitreid-connect] Custom AuthenticationProvider
>  
> MIT has a server that uses a stack of different providers for different authentication methods:
>  
> https://github.com/MIT-CSAIL-TIG/oidc.csail.mit.edu/blob/master/oidc-mit-overlay/src/main/webapp/WEB-INF/user-context.xml
>  
>  — Justin
>  
> On Jun 5, 2017, at 1:35 PM, Luiz Omori <luiz.omori at duke.edu> wrote:
>  
> Hi,
>  
> We need to be able to authenticate a user using a third-party application web service that does the password check and sends back the user details. For that I’ve been trying to implement a custom authentication provider but so far couldn’t make it work. The constructor is called but neither the supports nor the authenticate methods are. I’m using an overlay project for that, overriding user-context.xml with the security:authentication-provider setting pointing to our custom provider. As far as I can see, our project is very similar to the LDAP overlay.
>  
> Has anybody tried this? If yes, would you mind sending me a skeleton project?
>  
> Regards,
> Luiz
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
>  
>  
>  

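The thread never shows what the custom provider Luiz describes would look like, so here is an added example of a Spring Security AuthenticationProvider that delegates the password check to an external web service, written for this page and not taken from MITREid Connect, the LDAP overlay, or the MIT server linked above. It assumes the Spring Security 4.x API that MITREid 1.3.x moved to, and the `RemoteCredentialVerifier` interface and `VerifiedUser` class are hypothetical stand-ins for whatever client talks to the third-party service. The bean would be referenced from `user-context.xml` through `<security:authentication-provider ref="...">` inside an `<security:authentication-manager id="authenticationManager">` element (an `id`, not an `alias`, per Justin's note above); the posted `security:http` block requires `ROLE_USER` for `/authorize`, so the provider grants that role to every successfully verified user.

```java
package example.oidc.auth; // placeholder package, not a MITREid package

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;

/**
 * AuthenticationProvider that sends the submitted username/password to an
 * external verification service and builds the Spring Security principal
 * from the details that service returns.
 */
public class RemoteServiceAuthenticationProvider implements AuthenticationProvider {

    /** Hypothetical client for the third-party password-check service. */
    public interface RemoteCredentialVerifier {
        /** Returns the verified user's details, or null if the credentials are rejected. */
        VerifiedUser verify(String username, String password) throws IOException;
    }

    /** Hypothetical value object for what the remote service sends back. */
    public static final class VerifiedUser {
        public final String username;
        public final List<String> roles;

        public VerifiedUser(String username, List<String> roles) {
            this.username = username;
            this.roles = roles == null ? Collections.<String>emptyList() : roles;
        }
    }

    private final RemoteCredentialVerifier verifier;

    public RemoteServiceAuthenticationProvider(RemoteCredentialVerifier verifier) {
        this.verifier = verifier;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object rawCredentials = authentication.getCredentials();
        String password = rawCredentials == null ? null : rawCredentials.toString();

        // Reject empty input before making a network call; use the same generic
        // message as a wrong password so the response does not reveal which part failed.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            throw new BadCredentialsException("Bad credentials");
        }

        VerifiedUser verified;
        try {
            verified = verifier.verify(username, password);
        } catch (IOException e) {
            // An unreachable service is an infrastructure failure, not a wrong password;
            // AuthenticationServiceException keeps the two cases distinguishable in logs.
            throw new AuthenticationServiceException("Authentication service unavailable", e);
        }
        if (verified == null) {
            throw new BadCredentialsException("Bad credentials");
        }

        // ROLE_USER is what the posted security:http config requires for /authorize;
        // any extra roles from the service are mapped with the ROLE_ prefix.
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        for (String role : verified.roles) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()));
        }

        // The password is never stored on the principal; credentials are set to null
        // on the returned token so they are not kept in the session.
        User principal = new User(verified.username, "", authorities);
        UsernamePasswordAuthenticationToken result =
                new UsernamePasswordAuthenticationToken(principal, null, authorities);
        result.setDetails(authentication.getDetails());
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // The form-login filter hands the ProviderManager a UsernamePasswordAuthenticationToken;
        // if supports() returns false for that class, authenticate() is never called.
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Two points follow from the thread rather than from the code itself: the `supports()` check is the first thing the ProviderManager evaluates, so a provider whose `authenticate()` is never reached is either not registered with the manager that the form-login filter uses (the `alias` versus `id` problem) or answers false for the token class the filter produces; and with `<security:csrf />` enabled, the custom login page must include the `_csrf` token as a hidden field on the POST to `/login`, since the default field names and login-processing URL changed in the Spring Security version MITREid 1.3.x depends on.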