Login/Register
Unable to log in to web app after upgrading from Jav 6 to Java 8 when oraclepki, osdt_cert, and osdt_core are on the classpath
Asked Answered
javaspring-securityojdbc
C

2

9

Before upgrading from Java 1.6 to Java 1.8, we were able to log into the web application. After the upgrade, we could not log into one of the web applications, but I could log into the other. They are using the same Spring-Security, OJDBC, and Hibernate versions.

However, if we removed the following jars from the classpath, login works again as long as you don't need to use a wallet to log in:

  • com.oracle:oraclepki (12.1.0.2.0)
  • com.oracle:osdt_cert (12.1.0.2.0)
  • com.oracle:osdt_core (12.1.0.2.0)

Removing these in the upper environments is not an option, since we use oracle wallets to log in.

Versions:

  • OJDBC6 12.1.0.2.0
  • SPRINGFRAMEWORK 3.0.7.RELEASE

Debug Logs

When I set the log level to DEBUG, I see that the login was rejected as an anonomys user, but earlier in the loggs it successfully authenticated the login/password.

Successful authentication:

DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter][http-bio-8080-exec-10] - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@85ca488a: Principal: org.springframework.security.core.userdetails.User@f75cc3bd: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,READ_ONLY; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 383A7E52904236DDEA18E00864C0B94C; Granted Authorities: ADMIN, READ_ONLY
DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository][http-bio-8080-exec-10] - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@85ca488a: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@85ca488a: Principal: org.springframework.security.core.userdetails.User@f75cc3bd: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,READ_ONLY; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 383A7E52904236DDEA18E00864C0B94C; Granted Authorities: ADMIN, READ_ONLY'

Then Access Denied:

DEBUG [org.springframework.security.access.vote.AffirmativeBased][http-bio-8080-exec-5] - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@259af14a, returned: -1
DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter][http-bio-8080-exec-5] - Access is denied (user is anonymous); redirecting to authentication entry point

Full Stack Trace:

DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter][http-bio-8080-exec-10] - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@85ca488a: Principal: org.springframework.security.core.userdetails.User@f75cc3bd: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,READ_ONLY; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 383A7E52904236DDEA18E00864C0B94C; Granted Authorities: ADMIN, READ_ONLY
DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository][http-bio-8080-exec-10] - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@85ca488a: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@85ca488a: Principal: org.springframework.security.core.userdetails.User@f75cc3bd: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,READ_ONLY; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 383A7E52904236DDEA18E00864C0B94C; Granted Authorities: ADMIN, READ_ONLY'
DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter][http-bio-8080-exec-10] - SecurityContextHolder now cleared, as request processing completed
DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository][http-bio-8080-exec-8] - No HttpSession currently exists
DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository][http-bio-8080-exec-8] - No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter][http-bio-8080-exec-8] - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor][http-bio-8080-exec-5] - Secure object: FilterInvocation: URL: /canary/dashboard.action; Attributes: [hasAnyRole('READ_ONLY','READ_ONLY2','STATISTICS','ADMIN')]
DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor][http-bio-8080-exec-5] - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
DEBUG [org.springframework.security.access.vote.AffirmativeBased][http-bio-8080-exec-5] - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@259af14a, returned: -1
DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter][http-bio-8080-exec-5] - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:204)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

Security Context:

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="userDetailsService"/>
    <security:authentication-provider ref="ldapProvider"/>
</security:authentication-manager>

<bean id="userDetailsService" class="*******.CustomUserDetailsService">
    <property name="userDetailsService" ref="userDetailsService"/>
    <property name="dataSource" ref="dataSource"/>
    <property name="annotatedSessionFactory" ref="sessionFactory"></property>
</bean>

<bean id="ldapProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg ref="authenticator"/>
    <constructor-arg ref="ldapAuthPopulator"/>
</bean>
Collincolline answered 30/3, 2018 at 14:22 Comment(10)
any config files for Oracle wallets. I also think you have to add oracle PKI to list of security providers in your JRE/JDK. See entry security.provider.X=oracle.security.pki.OraclePKIProvider in JAVA_HOME/jre/lib/security/java.security. If you updated your Java, it's guaranteed you are missing these security config entriesRadiator
one more thing in the same vein: ensure your new Java has unlimited cryptography installed - searching for this will yield results straight awayRadiator
I will try your first suggestion, but I may not be able to do the second since it's IBM and not under my direct control. However, it should be noted that the problem is inconsistent. Sometimes it works fine. Other times it has this silent fail issue going on.Collincolline
Adding OraclePKIProvider had no affect.Collincolline
I have a guess, if it solves I'll add it as a solution: if the configuration is different you should check the policy files. For unlimited encryption (which is probably a solution for your problem) you can find the downloads and information here: oracle.com/technetwork/java/javase/downloads/… please let me know if this helped.Demobilize
@Collincolline how did you try adding OraclePKIProvider, if the server is not under your control? Position of this provider in the java.security file matters. See page 9 of this doc: oracle.com/technetwork/topics/…Radiator
I tried it in my development environment. Don't have control of test or prod environments.Collincolline
@Collincolline understand. Try setting this property somewhere early on, when your application starts: System.setProperty("javax.net.debug", "ssl"); and hopefully your logs will show what is failing in terms of PKI.Radiator
@Radiator Unfortunately modifying the order didn't work for me. Enabling Debug Mode.Collincolline
@Radiator Could you add your answer? I'd like to give you the bounty before time runs outCollincolline
S
1

Spring 3.x is not compatible with java 8 and it's best to upgrade to 4.x.

Given that you are facing issues on java upgrade (eg. no code change from your side) it's just confirms that there is version incompatibility.

Depends on how heavy you customised your interceptors it might be medium effort or no effort at all (I remember there was tiny backward compatibility break from spring 3.0.x to 3.1.x in declaring anonymous resources in xml config however all java interfaces stayed backward compatible)

Smalto answered 16/4, 2018 at 7:25 Comment(3)
Petro, It works in my other application which has almost the exact same setup (in terms of spring).Collincolline
Also, I am trying the upgrade it's just taking a while due to how annoyingly old this code is.Collincolline
Upgraded to 4.0.6.RELEASE and the issue is still there.Collincolline
R
1

In order of priority (easiness of implementation to debugging impact ratio):

  1. enable ssl debug: System.setProperty("javax.net.debug", "ssl"); as early on in the application execution as possible and see what exceptions are being thrown.
  2. Make sure your new JRE installation has unlimited cryptography installed; newer JDKs have it installed by default. Its presence can be tested at runtime by ensuring that Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE is true. If it's not present, it can be downloaded from Oracle (or other sources if you are using OpenJDK) - just search for: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
  3. Add OraclePKIProvider into JAVA_HOME/jre/lib/security/java.security file as per page 9 of this Oracle documentation keeping in mind that the order does matter.
Radiator answered 16/4, 2018 at 16:24 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.