I am trying to integrate a Spring boot based application with and IDp that is using componentSpace lib for SAML. The Spring application (service provider) working fine with other Idp like Octa. But while integrating with component Space it is facing issues and getting following error. Differences when I compared the logs with Octa request:
- Octa is sending Get request while from component space it is post request.
- From Octa I am able to get userid (the login id) but from component space it is comping as anonymousUser. So my question is can we hit Get request instead of Post. And any reason why it is not setting userId value?
Logs:
2020-12-16 07:00:55.800 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : No security for POST /saml/sso
2020-12-16 07:00:55.800 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (8/13)
2020-12-16 07:00:55.800 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.s.HttpSessionRequestCache : No saved request
2020-12-16 07:00:55.800 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (9/13)
2020-12-16 07:00:55.803 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (10/13)
2020-12-16 07:00:56.809 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.9.109.194, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2020-12-16 07:00:56.810 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (11/13)
2020-12-16 07:00:56.810 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (12/13)
2020-12-16 07:00:56.810 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking FilterSecurityInterceptor (13/13)
2020-12-16 07:00:56.811 TRACE 9144 --- [nio-8443-exec-1] edFilterInvocationSecurityMetadataSource : Did not match request to Ant [pattern='/saml**', OPTIONS] - [hasAnyRole('ROLE_')] (1/2)
2020-12-16 07:00:57.501 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Did not re-authenticate AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.9.109.194, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] before authorizing
2020-12-16 07:00:57.502 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Authorizing filter invocation [POST /saml/sso] with attributes [authenticated]
2020-12-16 07:01:03.577 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.expression.WebExpressionVoter : Voted to deny authorization
2020-12-16 07:01:03.580 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Failed to authorize filter invocation [POST /saml/sso] with attributes [authenticated] using AffirmativeBased [DecisionVoters=[org.springframework.security.web.access.expression.WebExpressionVoter@24cfcf19], AllowIfAllAbstainDecisions=false]
2020-12-16 07:01:03.709 TRACE 9144 --- [nio-8443-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'delegatingApplicationListener'
2020-12-16 07:01:03.709 TRACE 9144 --- [nio-8443-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'liveReloadServerEventListener'
2020-12-16 07:01:03.736 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.9.109.194, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:73) ~[spring-security-core-5.4.1.jar:5.4.1]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.attemptAuthorization(AbstractSecurityInterceptor.java:238) ~[spring-security-core-5.4.1.jar:5.4.1]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:208) ~[spring-security-core-5.4.1.jar:5.4.1]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:113) ~[spring-security-web-5.4.1.jar:5.4.1]