We Keep Coding

Retrieve Keycloak Roles in reactive Spring Gateway security

I migrate from Zuul Gateway to Spring Gateway. This forced me to abandon Servlets for Webflux. I use KeyCloak and KeyCloak roles for authentication and authorization.
There is no official reactive KeyCloak implementation, so I use Spring OAuth2 instead. It works fine apart from retrieving the roles.
I cannot use servlet interceptors, because servlets are not allowed by WebFlux. Also, it seems Spring Gateway in general does not allow intercepting response bodies.
Thus my problem remains: How do I retrieve KeyCloak roles in Spring Gateway, so that they can be used by its security?
Here is some sample code I use:
In class SecurityConfig.java:
#Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http.csrf().disable().authorizeExchange(exchanges -> exchanges.pathMatchers("/**").hasAnyRole("DIRECTOR")); }
application.yml:
spring.security.oauth2.client.provider.keycloak.issuer-uri: ..../realms/default

#Dave
Thank you for reminding me this question. I have since found a workaround in WebFlux. I have overriden ReactiveOAuth2UserService. By default it has two flavors a OAuth one and a Oidc one. In my case I have overriden the Oidc one:
#Component public class ReactiveKeycloakUserService extends OidcReactiveOAuth2UserService {
#Override
public Mono<OidcUser> loadUser(OidcUserRequest userRequest) throws ... {
// Call super and then replace result with roles
}
}
Spring will inject my instance instead of the default one. From userRequest you can retrieve the roles and after calling the same method on superclass you can intercept the result and add the roles on it.

I am having the same problem myself. One of the problems I am getting its getting copies of things like the JWT tag i.e. the text that Keycloak has encode you settings
#GetMapping("/whoami")
#ResponseBody
public Map<String, Object> index(
#RegisteredOAuth2AuthorizedClient OAuth2AuthorizedClient authorizedClient,
Authentication auth) {
log.error("XXAuth is {}",auth);
log.error("XXClient is {}", authorizedClient.getClientRegistration());
log.error("XXClient access is {}", authorizedClient.getAccessToken());
log.error("Token {}",authorizedClient.getAccessToken().getTokenValue());
}
This code will get you some of the values that are part of the conversation, the Token part is the JWT token, you can copy and paste that into jwt.io and find out what what Keycloak has actually sent.
This normally looks like
{
"exp": 1622299931,
"iat": 1622298731,
"auth_time": 1622298258,
"jti": "635ca59f-c87b-40da-b4ae-39774ed8098a",
"iss": "http://clunk:8080/auth/realms/spring-cloud-gateway-realm",
"sub": "6de0d95f-95b0-419d-87a4-b2862e8d0763",
"typ": "Bearer",
"azp": "spring-cloud-gateway-client",
"nonce": "2V8_3siQjTOIRbfs68BHwzvz3-dWeqXGUultzhJUWrA",
"session_state": "dd226823-90bc-429e-9cac-bb575b7d4fa0",
"acr": "0",
"realm_access": {
"roles": [
"ROLE_ANYONE"
]
},
"resource_access": {
"spring-cloud-gateway-client": {
"roles": [
"ROLE_ADMIN_CLIENT"
]
}
},
"scope": "openid email profile roles",
"email_verified": true,
"preferred_username": "anon"
}
As you can see Keycloak supports two different types of ROLE tokens, but they are not defined in top level, but under realm_access and resource_access, the difference being resource access defines ROLE that are part of a resource and real_access defines roles that are defined across all realms.
To get these values defined, its necessary to define a Mapper, as follows
To load these values in to Spring security you need to define a userAuthoritiesMapper Bean and export the settings found in the attributes as SimpleGrantedAuthority, as follows.
package foo.bar.com;
import lombok.extern.slf4j.Slf4j;
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import java.util.stream.Collectors;
#Slf4j
#EnableWebFluxSecurity
#EnableReactiveMethodSecurity
public class RoleConfig {
#Bean
GrantedAuthoritiesMapper userAuthoritiesMapper() {
String ROLES_CLAIM = "roles";
return authorities -> {
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
for (Object authority : authorities) {
boolean isOidc = authority instanceof OidcUserAuthority;
if (isOidc) {
log.error("Discovered an Oidc type of object");
var oidcUserAuthority = (OidcUserAuthority) authority;
java.util.Map<String, Object> attribMap = oidcUserAuthority.getAttributes();
JSONObject jsonClaim;
for (String attrib : attribMap.keySet()) {
log.error("Attribute name {} type {} ", attrib, attrib.getClass().getName());
Object claim = attribMap.get(attrib);
if (attrib.equals("realm_access")) {
log.error("Define on roles for entire client");
jsonClaim = (JSONObject) claim;
if (!jsonClaim.isEmpty()) {
log.error("JobClaim is {}", jsonClaim);
Object roleStr = jsonClaim.get("roles");
if (roleStr != null) {
log.error("Role String {}", roleStr.getClass().getName());
JSONArray theRoles = (JSONArray) roleStr; //jsonClaim.get("roles");
for (Object roleName : theRoles) {
log.error("Name {} ", roleName);
}
}
}
}
if (attrib.equals("resource_access")) {
log.error("Unique to attrib client");
jsonClaim = (JSONObject) claim;
if (!jsonClaim.isEmpty()) {
log.error("Job is {}", jsonClaim);
String clientName = jsonClaim.keySet().iterator().next();
log.error("Client name {}", clientName);
JSONObject roleObj = (JSONObject) jsonClaim.get(clientName);
Object roleNames = roleObj.get("roles");
log.error("Role names {}", roleNames.getClass().getName());
JSONArray theRoles = (JSONArray) roleObj.get("roles");
for (Object roleName : theRoles) {
log.error("Name {} ", roleName);
}
}
}
}
var userInfo = oidcUserAuthority.getUserInfo();
log.error("UserInfo {}", userInfo);
for (String key : userInfo.getClaims().keySet()) {
log.error("UserInfo keys {}", key);
}
if (userInfo.containsClaim(ROLES_CLAIM)) {
var roles = userInfo.getClaimAsStringList(ROLES_CLAIM);
mappedAuthorities.addAll(generateAuthoritiesFromClaim(roles));
} else {
log.error("userInfo DID NOT FIND A claim");
}
} else {
var oauth2UserAuthority = (SimpleGrantedAuthority) authority;
log.error("Authority name " + authority.getClass().getName());
}
}
return mappedAuthorities;
};
}
private Collection<GrantedAuthority> generateAuthoritiesFromClaim(Collection<String> roles) {
return roles.stream()
.map(role -> new SimpleGrantedAuthority("ROLE_" + role))
.collect(Collectors.toList());
}
}
Please note this code is based on a sample found at OAuth2 Login with custom granted authorities from UserInfo
The access to Attributes is my own work.
Note an error message will be generated at the highest level if no realm_access or resource_access is found, as I assume that wanting to decode a Keycloak reference is the reason for using this code.
When working correctly, it generates the following output
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Discovered an Oidc type of object
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name at_hash type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name sub type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name resource_access type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Unique to attrib client
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Job is {"spring-cloud-gateway-client":{"roles":["ROLE_ADMIN_CLIENT"]}}
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Client name spring-cloud-gateway-client
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Role names net.minidev.json.JSONArray
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Name ROLE_ADMIN_CLIENT
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name email_verified type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name iss type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name typ type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name preferred_username type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name nonce type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name aud type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name acr type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name realm_access type java.lang.String
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Define on roles for entire client
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : JobClaim is {"roles":["ROLE_ANYONE"]}
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Role String net.minidev.json.JSONArray
2021-05-29 15:32:11.249 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Name ROLE_ANYONE
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name azp type java.lang.String
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name auth_time type java.lang.String
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name exp type java.lang.String
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name session_state type java.lang.String
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name iat type java.lang.String
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Attribute name jti type java.lang.String
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : UserInfo org.springframework.security.oauth2.core.oidc.OidcUserInfo#8be9a0b8
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : UserInfo keys sub
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : UserInfo keys email_verified
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : UserInfo keys preferred_username
2021-05-29 15:32:11.250 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : userInfo DID NOT FIND A claim
2021-05-29 15:32:11.252 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Authority name org.springframework.security.core.authority.SimpleGrantedAuthority
2021-05-29 15:32:11.252 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Authority name org.springframework.security.core.authority.SimpleGrantedAuthority
2021-05-29 15:32:11.252 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Authority name org.springframework.security.core.authority.SimpleGrantedAuthority
2021-05-29 15:32:11.252 ERROR 7394 --- [or-http-epoll-5] com.jdriven.gateway.RoleConfig : Authority name org.springframework.security.core.authority.SimpleGrantedAuthority
2021-05-29 15:32:11.252 DEBUG 7394 --- [or-http-epoll-5] o.s.w.r.f.client.ExchangeFunctions : [34ff3355] Cancel signal (to close connection)
2021-05-29 15:32:11.252 DEBUG 7394 --- [or-http-epoll-5] o.s.w.r.f.client.ExchangeFunctions : [1b083d68] Cancel signal (to close connection)
2021-05-29 15:32:11.254 DEBUG 7394 --- [or-http-epoll-5] ebSessionServerSecurityContextRepository : Saved SecurityContext 'SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=Name: [anon], Granted Authorities: [[ROLE_USER, SCOPE_email, SCOPE_openid, SCOPE_profile, SCOPE_roles]], User Attributes: [{at_hash=GCz2JybWiLc-42ACnjLJ6w, sub=6de0d95f-95b0-419d-87a4-b2862e8d0763, resource_access={"spring-cloud-gateway-client":{"roles":["ROLE_ADMIN_CLIENT"]}}, email_verified=true, iss=http://clunk:8080/auth/realms/spring-cloud-gateway-realm, typ=ID, preferred_username=anon, nonce=2V8_3siQjTOIRbfs68BHwzvz3-dWeqXGUultzhJUWrA, aud=[spring-cloud-gateway-client], acr=0, realm_access={"roles":["ROLE_ANYONE"]}, azp=spring-cloud-gateway-client, auth_time=2021-05-29T14:24:18Z, exp=2021-05-29T14:52:11Z, session_state=dd226823-90bc-429e-9cac-bb575b7d4fa0, iat=2021-05-29T14:32:11Z, jti=7d479a85-d76e-4930-9c86-b384a56d7af5}], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession#69c3d462'

Test RestController Delete Crud method return 404 expected 400

I have problem with test method. I want to test delete method ( shouldNotDeletePersonByGivenId) but test doesn't work.
This is My test:
#Test
public void shouldNotDeletePersonByGivenId() throws Exception {
Mockito.doThrow(new PersonService.NoEntityFoundException()).when(personService).deleteById(1L);
mockMvc.perform(delete("/persons/{id}", 1))
.andExpect(status().isBadRequest());
}
In service I have this method:
public static class NoEntityFoundException extends RuntimeException {
public NoEntityFoundException() {
super("There is no Entity in database with given id.");
}
}
When I start test I have request:
java.lang.AssertionError: Status
Expected :400
Actual :404
In restController my delete method look's like this:
#DeleteMapping("/persons/{id}")
public ResponseEntity<?> deleteById(#PathVariable Long id) {
try {
personService.deleteById(id);
return ResponseEntity.ok().body("{Deleted}");
} catch (Exception e) {
return ResponseEntity.status(HttpStatus.NOT_FOUND).body("Cant delete! Entity not exist");
}
}
In restController is my path (#PathVariable Long id)
logs:
java.lang.AssertionError: Status
Expected :400
Actual :404
<Click to see difference>
at org.springframework.test.util.AssertionErrors.fail(AssertionErrors.java:55)
at org.springframework.test.util.AssertionErrors.assertEquals(AssertionErrors.java:82)
at org.springframework.test.web.servlet.result.StatusResultMatchers.lambda$matcher$9(StatusResultMatchers.java:617)
at org.springframework.test.web.servlet.MockMvc$1.andExpect(MockMvc.java:178)
at com.softwaremind.crew.people.controller.PersonRestControllerTest.shouldNotDeletePersonByGivenId(PersonRestControllerTest.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.springframework.test.context.junit4.statements.RunBeforeTestExecutionCallbacks.evaluate(RunBeforeTestExecutionCallbacks.java:73)
at org.springframework.test.context.junit4.statements.RunAfterTestExecutionCallbacks.evaluate(RunAfterTestExecutionCallbacks.java:83)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.springframework.test.context.junit4.statements.RunBeforeTestMethodCallbacks.evaluate(RunBeforeTestMethodCallbacks.java:75)
at org.springframework.test.context.junit4.statements.RunAfterTestMethodCallbacks.evaluate(RunAfterTestMethodCallbacks.java:86)
at org.springframework.test.context.junit4.statements.SpringRepeat.evaluate(SpringRepeat.java:84)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:251)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:97)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:70)
at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:190)
at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:68)
at com.intellij.rt.execution.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:47)
at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:242)
at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:70)
2018-05-07 12:25:02.218 INFO 11348 --- [ Thread-4] o.s.w.c.s.GenericWebApplicationContext : Closing org.springframework.web.context.support.GenericWebApplicationContext#6b6776cb: startup date [Mon May 07 12:24:57 CEST 2018]; root of context hierarchy
2018-05-07 12:25:02.223 INFO 11348 --- [ Thread-4] j.LocalContainerEntityManagerFactoryBean : Closing JPA EntityManagerFactory for persistence unit 'default'
2018-05-07 12:25:02.235 WARN 11348 --- [ Thread-4] o.s.b.f.support.DisposableBeanAdapter : Invocation of destroy method failed on bean with name 'inMemoryDatabaseShutdownExecutor': org.h2.jdbc.JdbcSQLException: Baza danych jest już zamknięta (aby zablokować samoczynne zamykanie podczas zamknięcia VM dodaj ";DB_CLOSE_ON_EXIT=FALSE" do URL bazy danych)
Database is already closed (to disable automatic closing at VM shutdown, add ";DB_CLOSE_ON_EXIT=FALSE" to the db URL) [90121-197]
2018-05-07 12:25:02.235 INFO 11348 --- [ Thread-4] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Shutdown initiated...
2018-05-07 12:25:02.237 INFO 11348 --- [ Thread-4] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Shutdown completed.

Check your mockito rule
=> Mockito.doThrow(new PersonService.NoEntityFoundException()).when(personService).deleteById(1L);
And in your code you are calling that function => personService.deleteById(id); => this throws an exception => your catch blocks catches it and =>
return ResponseEntity.status(HttpStatus.NOT_FOUND).body("Cant delete! Entity not exist"); => sends NOT_FOUND status which is 404 !!

From above I am expecting that /persons i syour base path . right ?
Can you see the body "Cant delete! Entity not exist" in error logs ?
404 may be coming from wrong path !
Replace HttpStatus.NOT_FOUND with HttpStatus.BAD_REQUEST .....in..........=>
return ResponseEntity.status(HttpStatus.NOT_FOUND).body("Cant delete! Entity not exist");

Grails spring security custom session authentication

I work on a legacy system and as a result can't follow the box standard documentation given with the Spring Security Core plugin (documentation), which means I don't have fancy to domain objects.
What I am trying to develop is a REST-API in grails with session based authentication (cannot use basic auth as the front end is Angular, and needs to be able to invalidate a user after 30 mins of inactivity)
I have found a resource which is doing what I am trying to do - although that is using domain objects, which is where I am running short.
The grails app will also end up on a Tomcat server so will have to be compatible with that too.
However, I have tried to make my own authentication provider. I have the following in application.groovy:
grails.plugin.springsecurity.providerNames = ['myAuthenticator','daoAuthenticationProvider']
grails.plugin.springsecurity.rest.login.endpointUrl = '/login'
grails.plugin.springsecurity.filterChain.chainMap = [
[pattern:'/login', filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'],
[pattern: '/assets/**', filters: 'none'],
[pattern: '/**/js/**', filters: 'none'],
[pattern: '/**/css/**', filters: 'none'],
[pattern: '/**/images/**', filters: 'none'],
[pattern: '/**/favicon.ico', filters: 'none']//,
[pattern: '/**', filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter']
]
In the resources.groovy I have
beans = {
myAuthenticator(MyAuthenticator)
}
My MyAuthenticator class:
class MyAuthenticator implements AuthenticationProvider {
#Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
ArrayList<SimpleGrantedAuthority> simpleGrantedAuthorities = new ArrayList<SimpleGrantedAuthority>();
simpleGrantedAuthorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"))
return new UsernamePasswordAuthenticationToken(authentication.getPrincipal(), authentication.getCredentials(), simpleGrantedAuthorities)
}
#Override
public boolean supports(Class<?> authentication) {
return (authentication == UsernamePasswordAuthenticationToken.class);
}
}
To test whether or not this works I am firing off a CURL.
curl -i -H "Content-Type: application/json" --data '{"username":"user","password":"pass"}' http://localhost:8080/login
Which returns a 401. The stacktrace from the log is as following:
DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login'; against '/login'
DEBUG o.s.security.web.FilterChainProxy - /login at position 1 of 9 in additional filter chain; firing Filter: 'SecurityRequestHolderFilter'
DEBUG o.s.security.web.FilterChainProxy - /login at position 2 of 9 in additional filter chain; firing Filter: 'MutableLogoutFilter'
DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login'; against '/logoff'
DEBUG o.s.security.web.FilterChainProxy - /login at position 3 of 9 in additional filter chain; firing Filter: 'RestAuthenticationFilter'
DEBUG g.p.s.rest.RestAuthenticationFilter - Actual URI is /login; endpoint URL is /login
DEBUG g.p.s.rest.RestAuthenticationFilter - Applying authentication filter to this request
DEBUG g.p.s.r.c.DefaultJsonPayloadCredentialsExtractor - Extracted credentials from JSON payload. Username: user,password: [PROTECTED]
DEBUG g.p.s.rest.RestAuthenticationFilter - Trying to authenticate the request
DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using MyAuthenticator
DEBUG g.p.s.rest.RestAuthenticationFilter - Request authenticated. Storing the authentication result in the security context
DEBUG g.p.s.rest.RestAuthenticationFilter - Authentication result: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#4095914d: Principal: user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ADMIN
DEBUG g.p.s.r.t.g.j.AbstractJwtTokenGenerator - Generating an access token with default expiration: 3600
DEBUG g.p.s.r.t.g.j.AbstractJwtTokenGenerator - Serializing the principal received
ERROR o.a.c.c.C.[.[.[.[grailsDispatcherServlet] - Servlet.service() for servlet [grailsDispatcherServlet] in context with path [] threw exception
groovy.lang.MissingMethodException: No signature of method: java.lang.String.getUsername() is applicable for argument types: () values: []
at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.unwrap(ScriptBytecodeAdapter.java:58)
at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.unwrap(ScriptBytecodeAdapter.java:64)
at org.codehaus.groovy.runtime.callsite.PogoGetPropertySite.getProperty(PogoGetPropertySite.java:52)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callGetProperty(AbstractCallSite.java:296)
at grails.plugin.springsecurity.rest.token.generation.jwt.AbstractJwtTokenGenerator.generateClaims(AbstractJwtTokenGenerator.groovy:67)
at grails.plugin.springsecurity.rest.token.generation.jwt.AbstractJwtTokenGenerator$generateClaims$1.callCurrent(Unknown Source)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallCurrent(CallSiteArray.java:52)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:154)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:182)
at grails.plugin.springsecurity.rest.token.generation.jwt.AbstractJwtTokenGenerator.generateAccessToken(AbstractJwtTokenGenerator.groovy:51)
at grails.plugin.springsecurity.rest.token.generation.jwt.AbstractJwtTokenGenerator$generateAccessToken$0.callCurrent(Unknown Source)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallCurrent(CallSiteArray.java:52)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:154)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:182)
at grails.plugin.springsecurity.rest.token.generation.jwt.AbstractJwtTokenGenerator.generateAccessToken(AbstractJwtTokenGenerator.groovy:44)
at grails.plugin.springsecurity.rest.token.generation.jwt.AbstractJwtTokenGenerator$generateAccessToken.callCurrent(Unknown Source)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallCurrent(CallSiteArray.java:52)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:154)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:174)
at grails.plugin.springsecurity.rest.token.generation.jwt.AbstractJwtTokenGenerator.generateAccessToken(AbstractJwtTokenGenerator.groovy:39)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springsource.loaded.ri.ReflectiveInterceptor.jlrMethodInvoke(ReflectiveInterceptor.java:1426)
at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite$PogoCachedMethodSite.invoke(PogoMetaMethodSite.java:169)
at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite.call(PogoMetaMethodSite.java:71)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:125)
at grails.plugin.springsecurity.rest.RestAuthenticationFilter.doFilter(RestAuthenticationFilter.groovy:130)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter.doFilter(MutableLogoutFilter.groovy:62)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at grails.plugin.springsecurity.web.SecurityRequestHolderFilter.doFilter(SecurityRequestHolderFilter.groovy:58)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.grails.web.servlet.mvc.GrailsWebRequestFilter.doFilterInternal(GrailsWebRequestFilter.java:75)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.grails.web.filters.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:67)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:103)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
As seen, it does actually think it authenticates shortly before the error. However, then something somewhere trips up, and tries to do a .getUsername() on a String.
I cannot figure out what is trying to do this. I would appreciate any thoughts on what could be causing this issue, or even if I am going about it in a completely wrong way.

Spring JPA cannot connect to Postgresql

I am trying to write a Spring Data JPA application with Postgres.
I am getting an error: FATAL: password authentication failed for user
I tried the same thing writing the connection using regular JDBC, and all worked fine, same username/password/database/hostname.
The property file I'm using for Spring Data JPA contains the following:
spring.jpa.database=POSTGRESQL
spring.datasource.platform=postgres
spring.jpa.show-sql=true
spring.jpa.hibernate.ddl-auto=create-drop
spring.database.driverClassName=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://localhost:5432/testdb
spring.datasource.username=test_java
spring.datasource.password=easy_password
server.port=8080
As compared to the property file I'm using for the java jdbc test:
db.url=jdbc:postgresql://localhost:5432/testdb
db.user=test_java
db.passwd=easy_password
The Java code looks like this:
public void testSelectWithPropertyFile() {
Logger lgr = Logger.getLogger(getClass().getName());
Connection con = null;
PreparedStatement pst = null;
ResultSet rs = null;
Properties props = new Properties();
FileInputStream in = null;
try {
in = new FileInputStream("target/classes/properties/database.properties");
props.load(in);
} catch (IOException ex) {
lgr.log(Level.SEVERE, ex.getMessage(), ex);
return;
} finally {
try {
if (in != null) {
in.close();
}
} catch (IOException ex) {
lgr.log(Level.SEVERE, ex.getMessage(), ex);
}
}
String url = props.getProperty("db.url");
String user = props.getProperty("db.user");
String passwd = props.getProperty("db.passwd");
try {
con = DriverManager.getConnection(url, user, passwd);
pst = con.prepareStatement("SELECT * FROM Authors");
rs = pst.executeQuery();
while (rs.next()) {
System.out.print(rs.getInt(1));
System.out.print(": ");
System.out.println(rs.getString(2));
}
} catch (Exception ex) {
lgr.log(Level.SEVERE, ex.getMessage(), ex);
} finally {
try {
if (rs != null) {
rs.close();
}
if (pst != null) {
pst.close();
}
if (con != null) {
con.close();
}
} catch (SQLException ex) {
lgr.log(Level.WARNING, ex.getMessage(), ex);
}
}
}
Here's the error log I get in Spring Boot JPA:
2016-10-14 11:09:21.593 INFO 6948 --- [ main] com.example.JpaPostgresApplication : Starting JpaPostgresApplication on DESKTOP-53J32BH with PID 6948 (C:\Users\charb\workspace\JPA_POSTGRES\target\classes started by charb in C:\Users\charb\workspace\JPA_POSTGRES)
2016-10-14 11:09:21.595 INFO 6948 --- [ main] com.example.JpaPostgresApplication : No active profile set, falling back to default profiles: default
2016-10-14 11:09:21.679 INFO 6948 --- [ main] ationConfigEmbeddedWebApplicationContext : Refreshing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext#72f926e6: startup date [Fri Oct 14 11:09:21 BST 2016]; root of context hierarchy
2016-10-14 11:09:23.402 INFO 6948 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration' of type [class org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration$$EnhancerBySpringCGLIB$$72d9bd3b] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2016-10-14 11:09:23.922 INFO 6948 --- [ main] s.b.c.e.t.TomcatEmbeddedServletContainer : Tomcat initialized with port(s): 8080 (http)
2016-10-14 11:09:23.933 INFO 6948 --- [ main] o.apache.catalina.core.StandardService : Starting service Tomcat
2016-10-14 11:09:23.934 INFO 6948 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet Engine: Apache Tomcat/8.5.5
2016-10-14 11:09:24.062 INFO 6948 --- [ost-startStop-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2016-10-14 11:09:24.062 INFO 6948 --- [ost-startStop-1] o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 2387 ms
2016-10-14 11:09:24.230 INFO 6948 --- [ost-startStop-1] o.s.b.w.servlet.ServletRegistrationBean : Mapping servlet: 'dispatcherServlet' to [/]
2016-10-14 11:09:24.234 INFO 6948 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'characterEncodingFilter' to: [/*]
2016-10-14 11:09:24.235 INFO 6948 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'hiddenHttpMethodFilter' to: [/*]
2016-10-14 11:09:24.235 INFO 6948 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'httpPutFormContentFilter' to: [/*]
2016-10-14 11:09:24.235 INFO 6948 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'requestContextFilter' to: [/*]
2016-10-14 11:09:24.478 INFO 6948 --- [ main] j.LocalContainerEntityManagerFactoryBean : Building JPA container EntityManagerFactory for persistence unit 'default'
2016-10-14 11:09:24.492 INFO 6948 --- [ main] o.hibernate.jpa.internal.util.LogHelper : HHH000204: Processing PersistenceUnitInfo [
name: default
...]
2016-10-14 11:09:24.554 INFO 6948 --- [ main] org.hibernate.Version : HHH000412: Hibernate Core {5.0.11.Final}
2016-10-14 11:09:24.555 INFO 6948 --- [ main] org.hibernate.cfg.Environment : HHH000206: hibernate.properties not found
2016-10-14 11:09:24.557 INFO 6948 --- [ main] org.hibernate.cfg.Environment : HHH000021: Bytecode provider name : javassist
2016-10-14 11:09:24.602 INFO 6948 --- [ main] o.hibernate.annotations.common.Version : HCANN000001: Hibernate Commons Annotations {5.0.1.Final}
2016-10-14 11:09:24.828 ERROR 6948 --- [ main] o.a.tomcat.jdbc.pool.ConnectionPool : Unable to create initial connections of pool.
org.postgresql.util.PSQLException: FATAL: password authentication failed for user "test_java "
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:446) ~[postgresql-9.4.1211.jre7.jar:9.4.1211.jre7]
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:220) ~[postgresql-9.4.1211.jre7.jar:9.4.1211.jre7]
I can't understand how come Spring Data JPA can't authenticate while normal java JDBC is working ok.

Replace spring.database.driverClassName=org.postgresql.Driver with
spring.datasource.driverClassName=org.postgresql.Driver

Your problem is authentication,
Se message
password authentication failed for user "test_java "
Are sure correct this information connection? because that is your problem
if is correct then make a test, connect same other client in your base, with local.
If ok. the problem it's not ability connection remote.
For ability connect remote access pg_hba.config then ability remote connect (or other file that configuration, your database)
See: that part of my file configuration:
# IPv4 local connections:
host all all 127.0.0.1/32 md5
host all all 192.168.2.0/24 md5
the permit connection local and network 192.168.2.0, has many way configure that

“HTTP Status 401 - Authentication Failed: Incoming SAML message is invalid” spring-saml app and VMWare Horizon

We have application using spring saml auth, in combination with VMWare Horizon. We have been successfully using the application, but with the migration to new Horizon Workspace 2.0 there are issues.
Below is the debug log from catalina.out. All I see is that SAML is invalid, but don't understand why.
DEBUG org.apache.xml.security.utils.IdResolver - getElementByIdUsingDOM() Search for ID http___app.application.us_app_saml_metadata_alias_defaultAlias
2014-07-02 14:47:47,846 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.IdResolver - I could find an Element using the simple getElementByIdUsingDOM method: md:EntityDescriptor
2014-07-02 14:47:47,846 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.resolver.implementations.ResolverFragment - Try to catch an Element with ID http___app.application.us_app_saml_metadata_alias_defaultAlias and Element was [md:EntityDescriptor: null]
2014-07-02 14:47:47,848 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "null")
2014-07-02 14:47:47,848 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.transforms.Transforms - Perform the (0)th http://www.w3.org/2000/09/xmldsig#enveloped-signature transform
2014-07-02 14:47:47,849 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "null")
2014-07-02 14:47:47,854 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.DigesterOutputStream - Pre-digested input:
2014-07-02 14:47:47,855 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.DigesterOutputStream - <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="http___app.application.us_app_saml_metadata_alias_defaultAlias" entityID="http://app.application.us/app/saml/metadata/alias/defaultAlias"><md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIICgjCCAesCBGpSpuowDQYJKoZIhvcNAQEFBQAwgYcxLzAtBgkqhkiG9w0BCQEWIHZsYWRpbWly
LnNjaGFmZXJAcm01c29mdHdhcmUuY29tMQswCQYDVQQGEwJGSTERMA8GA1UEBxMISGVsc2lua2kx
FTATBgNVBAoTDFJNNSBTb2Z0d2FyZTEMMAoGA1UECxMDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcN
MDgxMTI5MjIxNjA0WhcNMDkxMjI4MjIwMDAwWjCBhzEvMC0GCSqGSIb3DQEJARYgdmxhZGltaXIu
c2NoYWZlckBybTVzb2Z0d2FyZS5jb20xCzAJBgNVBAYTAkZJMREwDwYDVQQHEwhIZWxzaW5raTEV
MBMGA1UEChMMUk01IFNvZnR3YXJlMQwwCgYDVQQLEwNSJkQxDzANBgNVBAMTBmFwb2xsbzCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsoEvHts4n4EwloxJNueekYYF8xjoV1AtXHAAW0c+Qtb
uEXR8wG1QzSlcasTua+iGsC+wK4T8l0IH9Y3+oVaDVbpzrWr2li9zhJB+htJYZ0t7m+3GEIeNlr1
qkUum/uNxUthklrhg2zCVW0b4NFDP/jI4rARsAkGXa7z/AgonrUCAwEAATANBgkqhkiG9w0BAQUF
AAOBgQArpq022JktjH3EHw0b4+CFrPzAXFuSd8WXWzoT6YZTgbcLR9K38383mMXoBjHdX3SYr0uF
njEwP6gqo8KyzXxsqlvTkUSkGAAzxLuQ4rwnandQMr8H0Wq7x5Cwa7Z3NDT/Q4EE3xRJOpoRgjyH
STdzW1akQ9dX2Et/8TiJe6SHuQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIICgjCCAesCBGpSpuowDQYJKoZIhvcNAQEFBQAwgYcxLzAtBgkqhkiG9w0BCQEWIHZsYWRpbWly
LnNjaGFmZXJAcm01c29mdHdhcmUuY29tMQswCQYDVQQGEwJGSTERMA8GA1UEBxMISGVsc2lua2kx
FTATBgNVBAoTDFJNNSBTb2Z0d2FyZTEMMAoGA1UECxMDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcN
MDgxMTI5MjIxNjA0WhcNMDkxMjI4MjIwMDAwWjCBhzEvMC0GCSqGSIb3DQEJARYgdmxhZGltaXIu
c2NoYWZlckBybTVzb2Z0d2FyZS5jb20xCzAJBgNVBAYTAkZJMREwDwYDVQQHEwhIZWxzaW5raTEV
MBMGA1UEChMMUk01IFNvZnR3YXJlMQwwCgYDVQQLEwNSJkQxDzANBgNVBAMTBmFwb2xsbzCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsoEvHts4n4EwloxJNueekYYF8xjoV1AtXHAAW0c+Qtb
uEXR8wG1QzSlcasTua+iGsC+wK4T8l0IH9Y3+oVaDVbpzrWr2li9zhJB+htJYZ0t7m+3GEIeNlr1
qkUum/uNxUthklrhg2zCVW0b4NFDP/jI4rARsAkGXa7z/AgonrUCAwEAATANBgkqhkiG9w0BAQUF
AAOBgQArpq022JktjH3EHw0b4+CFrPzAXFuSd8WXWzoT6YZTgbcLR9K38383mMXoBjHdX3SYr0uF
njEwP6gqo8KyzXxsqlvTkUSkGAAzxLuQ4rwnandQMr8H0Wq7x5Cwa7Z3NDT/Q4EE3xRJOpoRgjyH
STdzW1akQ9dX2Et/8TiJe6SHuQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://app.application.us/app/saml/SingleLogout/alias/defaultAlias"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://app.application.us/app/saml/SingleLogout/alias/defaultAlias"></md:SingleLogoutService><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://app.application.us/app/saml/SSO/alias/defaultAlias" index="0" isDefault="true"></md:AssertionConsumerService><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://app.application.us/app/saml/SSO/alias/defaultAlias" index="1"></md:AssertionConsumerService><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://app.application.us/app/saml/SSO/alias/defaultAlias" index="2"></md:AssertionConsumerService><md:AssertionConsumerService xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Location="http://app.application.us/app/saml/HoKSSO/alias/defaultAlias" index="3" hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"></md:AssertionConsumerService><md:AssertionConsumerService xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Location="http://app.application.us/app/saml/HoKSSO/alias/defaultAlias" index="4" hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"></md:AssertionConsumerService></md:SPSSODescriptor></md:EntityDescriptor>
2014-07-02 14:47:47,858 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.SignerOutputStream - Canonicalized SignedInfo:
2014-07-02 14:47:47,858 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.SignerOutputStream - <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#http___app.application.us_app_saml_metadata_alias_defaultAlias"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>p/YIWZw2jbJJB4tTVBrLt5jmLrM=</ds:DigestValue></ds:Reference></ds:SignedInfo>
2014-07-02 14:47:47,888 [http-bio-8080-exec-1] DEBUG org.apache.commons.httpclient.HttpConnection - Open connection to gateway-va.application.us:443
2014-07-02 14:47:52,891 [http-bio-8080-exec-1] DEBUG org.apache.commons.httpclient.HttpMethodDirector - Closing the connection.
2014-07-02 14:47:52,891 [http-bio-8080-exec-1] DEBUG org.apache.commons.httpclient.HttpMethodDirector - Method retry handler returned false. Automatic recovery will not be attempted
2014-07-02 14:47:52,891 [http-bio-8080-exec-1] DEBUG org.apache.commons.httpclient.HttpConnection - Releasing connection back to connection manager.
2014-07-02 14:47:52,893 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /saml/SSO/alias/defaultAlias at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-07-02 14:47:52,894 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2014-07-02 14:47:52,894 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade#3e0a52d3. A new one will be created.
2014-07-02 14:47:52,897 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /saml/SSO/alias/defaultAlias at position 3 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2014-07-02 14:47:52,906 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /saml/SSO/alias/defaultAlias at position 4 of 10 in additional filter chain; firing Filter: 'FilterChainProxy'
2014-07-02 14:47:52,906 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/saml/sso/alias/defaultalias'; against '/saml/login/**'
2014-07-02 14:47:52,906 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/saml/sso/alias/defaultalias'; against '/saml/logout/**'
2014-07-02 14:47:52,906 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/saml/sso/alias/defaultalias'; against '/saml/metadata/**'
2014-07-02 14:47:52,907 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/saml/sso/alias/defaultalias'; against '/saml/sso/**'
2014-07-02 14:47:52,907 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /saml/SSO/alias/defaultAlias at position 1 of 1 in additional filter chain; firing Filter: 'SAMLProcessingFilter'
2014-07-02 14:47:52,907 [http-bio-8080-exec-1] DEBUG org.springframework.security.saml.SAMLProcessingFilter - Request is to process authentication
2014-07-02 14:47:52,959 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Signature", "")
2014-07-02 14:47:52,959 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignedInfo", "")
2014-07-02 14:47:52,960 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignatureMethod", "")
2014-07-02 14:47:52,962 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Signature", "")
2014-07-02 14:47:52,962 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignedInfo", "")
2014-07-02 14:47:52,962 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignatureMethod", "")
2014-07-02 14:47:52,972 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Reference", "")
2014-07-02 14:47:52,972 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transforms", "")
2014-07-02 14:47:52,973 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.IdResolver - getElementByIdType() Search for ID _99f9607e4086b3e566244a576acf6b69
2014-07-02 14:47:52,973 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.IdResolver - getElementByIdUsingDOM() Search for ID _99f9607e4086b3e566244a576acf6b69
2014-07-02 14:47:52,973 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.IdResolver - I could find an Element using the simple getElementByIdUsingDOM method: samlp:Response
2014-07-02 14:47:52,973 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "")
2014-07-02 14:47:52,973 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "")
2014-07-02 14:47:52,974 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
2014-07-02 14:47:52,976 [http-bio-8080-exec-1] DEBUG org.springframework.security.saml.SAMLProcessingFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid
2014-07-02 14:47:52,977 [http-bio-8080-exec-1] DEBUG org.springframework.security.saml.SAMLProcessingFilter - Updated SecurityContextHolder to contain null Authentication
2014-07-02 14:47:52,977 [http-bio-8080-exec-1] DEBUG org.springframework.security.saml.SAMLProcessingFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler#5409ae
2014-07-02 14:47:52,977 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
2014-07-02 14:47:52,977 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2014-07-02 14:47:52,979 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2014-07-02 14:48:07,001 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/web/**'
2014-07-02 14:48:07,002 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/logout.jsp'
2014-07-02 14:48:07,002 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/favicon.ico'
2014-07-02 14:48:07,002 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 1 of 10 in additional filter chain; firing Filter: 'MetadataGeneratorFilter'
2014-07-02 14:48:07,002 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-07-02 14:48:07,003 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2014-07-02 14:48:07,003 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade#33125360. A new one will be created.
2014-07-02 14:48:07,003 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 3 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2014-07-02 14:48:07,003 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 4 of 10 in additional filter chain; firing Filter: 'FilterChainProxy'
2014-07-02 14:48:07,003 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/login/**'
2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/logout/**'
2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/metadata/**'
2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/sso/**'
2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/ssohok/**'
2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/singlelogout/**'
2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/discovery/**'
2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp has no matching filters
2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo: both null (property equals)
2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString: both null (property equals)
2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI: arg1=/app/; arg2=/app/ (property equals)
2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - serverPort: arg1=8080; arg2=8080 (property equals)
2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURL: arg1=http://application.us:8080/app/; arg2=http://application.us:8080/app/ (property equals)
2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - scheme: arg1=http; arg2=http (property equals)
2014-07-02 14:48:07,006 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - serverName: arg1=application.us; arg2=application.us (property equals)
2014-07-02 14:48:07,006 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - contextPath: arg1=/app; arg2=/app (property equals)
2014-07-02 14:48:07,006 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - servletPath: arg1=/index.jsp; arg2=/index.jsp (property equals)
2014-07-02 14:48:07,006 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - Removing DefaultSavedRequest from session if present
2014-07-02 14:48:07,009 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2014-07-02 14:48:07,011 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2014-07-02 14:48:07,012 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#6fa8dbd0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: 606210049192D854D1A0CB2BBB41861D; Granted Authorities: ROLE_ANONYMOUS'
2014-07-02 14:48:07,012 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
2014-07-02 14:48:07,013 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2014-07-02 14:48:07,013 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2014-07-02 14:48:07,014 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /index.jsp; Attributes: [IS_AUTHENTICATED_FULLY]
2014-07-02 14:48:07,014 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#6fa8dbd0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: 606210049192D854D1A0CB2BBB41861D; Granted Authorities: ROLE_ANONYMOUS
2014-07-02 14:48:07,014 [http-bio-8080-exec-3] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter#1ab2e368, returned: 0
2014-07-02 14:48:07,014 [http-bio-8080-exec-3] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter#566fce89, returned: -1
2014-07-02 14:48:07,018 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:186)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:409)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1044)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:701)
2014-07-02 14:48:07,021 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://application.us:8080/app/]
2014-07-02 14:48:07,022 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Calling Authentication entry point.
2014-07-02 14:48:07,023 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2014-07-02 14:48:07,023 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
In Horizon log I see one error, not sure if this is related or not:
2014-07-01 21:02:20,610 ERROR (tomcat-http--38) [GATEWAY-VA;5f81ce6f-66c5-48d0-b7fd-1b8876bb8960;50.174.63.9] com.tricipher.saas.assertion.Saml20Saas - No encryption certificates provided, encrypted attribute password not included in SAML
We already installed horizon certificate in tomcat java keystone hosting our SP, but no effect. Any help is appreciated.

There's a feature in Spring SAML which enables you to change the URL as seen by the extension. You can find details in the manual (chapter 9.1). The configuration is done by changing the context provider bean to e.g.:
<bean id="contextProvider"
class="org.springframework.security.saml.context.SAMLContextProviderLB">
<property name="scheme" value="http"/>
<property name="serverName" value="app.application.us"/>
<property name="serverPort" value="80"/>
<property name="includeServerPortInRequestURL" value="false"/>
<property name="contextPath" value="/app"/>
</bean>
Of course you can also just change the metadata to include the correct URLs.