Before upgrading from Java 1.6 to Java 1.8, we were able to log into the web application. After the upgrade, we could not log into one of the web applications, but I could log into the other. They are using the same Spring-Security, OJDBC, and Hibernate versions.
However, if we removed the following jars from the classpath, login works again as long as you don't need to use a wallet to log in:
Removing these in the upper environments is not an option, since we use Oracle wallets to log in.
When I set the log level to DEBUG, I see that the login was rejected as an anonymous user, but earlier in the logs it successfully authenticated the login/password.
Successful authentication:
DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter][http-bio-8080-exec-10] - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@85ca488a: Principal: org.springframework.security.core.userdetails.User@f75cc3bd: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,READ_ONLY; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 383A7E52904236DDEA18E00864C0B94C; Granted Authorities: ADMIN, READ_ONLY
DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository][http-bio-8080-exec-10] - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@85ca488a: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@85ca488a: Principal: org.springframework.security.core.userdetails.User@f75cc3bd: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,READ_ONLY; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 383A7E52904236DDEA18E00864C0B94C; Granted Authorities: ADMIN, READ_ONLY'
Then Access Denied:
DEBUG [org.springframework.security.access.vote.AffirmativeBased][http-bio-8080-exec-5] - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@259af14a, returned: -1
DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter][http-bio-8080-exec-5] - Access is denied (user is anonymous); redirecting to authentication entry point
Full Stack Trace:
DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter][http-bio-8080-exec-10] - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@85ca488a: Principal: org.springframework.security.core.userdetails.User@f75cc3bd: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,READ_ONLY; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 383A7E52904236DDEA18E00864C0B94C; Granted Authorities: ADMIN, READ_ONLY
DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository][http-bio-8080-exec-10] - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@85ca488a: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@85ca488a: Principal: org.springframework.security.core.userdetails.User@f75cc3bd: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,READ_ONLY; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 383A7E52904236DDEA18E00864C0B94C; Granted Authorities: ADMIN, READ_ONLY'
DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter][http-bio-8080-exec-10] - SecurityContextHolder now cleared, as request processing completed
DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository][http-bio-8080-exec-8] - No HttpSession currently exists
DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository][http-bio-8080-exec-8] - No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter][http-bio-8080-exec-8] - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor][http-bio-8080-exec-5] - Secure object: FilterInvocation: URL: /canary/dashboard.action; Attributes: [hasAnyRole('READ_ONLY','READ_ONLY2','STATISTICS','ADMIN')]
DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor][http-bio-8080-exec-5] - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
DEBUG [org.springframework.security.access.vote.AffirmativeBased][http-bio-8080-exec-5] - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@259af14a, returned: -1
DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter][http-bio-8080-exec-5] - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:204)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="userDetailsService"/>
    <security:authentication-provider ref="ldapProvider"/>
</security:authentication-manager>
<bean id="userDetailsService" class="*******.CustomUserDetailsService">
    <property name="userDetailsService" ref="userDetailsService"/>
    <property name="dataSource" ref="dataSource"/>
    <property name="annotatedSessionFactory" ref="sessionFactory"></property>
</bean>
<bean id="ldapProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg ref="authenticator"/>
    <constructor-arg ref="ldapAuthPopulator"/>
</bean>
Spring 3.x is not compatible with Java 8 and it's best to upgrade to 4.x.
Given that you are facing issues on Java upgrade (e.g. no code change from your side), it just confirms that there is a version incompatibility.
Depending on how heavily you customised your interceptors, it might be medium effort or no effort at all (I remember there was a tiny backward compatibility break from Spring 3.0.x to 3.1.x in declaring anonymous resources in XML config; however, all Java interfaces stayed backward compatible).
In order of priority (easiness of implementation to debugging impact ratio):
System.setProperty("javax.net.debug", "ssl");
as early on in the application execution as possible and see what exceptions are being thrown.
Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE
is true. If it's not present, it can be downloaded from Oracle (or other sources if you are using OpenJDK) - just search for: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
JAVA_HOME/jre/lib/security/java.security
file as per page 9 of this Oracle documentation keeping in mind that the order does matter.
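The checks listed in the answer above, combined into one runnable class. This is an added example, not part of the original answer; the class name `JceDiagnostics`, its helper methods and the list of probed services are assumptions chosen for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

/** Added diagnostic (hypothetical class name); run it with the same JRE and classpath as the web application. */
public class JceDiagnostics {

    /** True when the unlimited-strength policy is in effect for the given algorithm. */
    static boolean unlimitedStrength(String algorithm) throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength(algorithm) == Integer.MAX_VALUE;
    }

    /** Name of the first registered provider that offers type/algorithm, or "none". */
    static String firstProviderFor(String type, String algorithm) {
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, algorithm) != null) {
                return p.getName();
            }
        }
        return "none";
    }

    public static void main(String[] args) throws Exception {
        // Takes effect only if set before the first JSSE class is initialised;
        // in the web application set it at startup or pass -Djavax.net.debug=ssl.
        System.setProperty("javax.net.debug", "ssl");

        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("AES unlimited strength: " + unlimitedStrength("AES"));

        // The array order mirrors the security.provider.N entries in java.security.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("security.provider.%d = %s (%s)%n",
                    i + 1, providers[i].getName(), providers[i].getClass().getName());
        }

        // Assumed sample of services: shows which provider wins when several offer the same one.
        String[][] services = {
            {"Cipher", "AES"}, {"KeyStore", "JKS"}, {"KeyStore", "PKCS12"},
            {"SSLContext", "TLS"}, {"KeyManagerFactory", "SunX509"}
        };
        for (String[] s : services) {
            System.out.println(s[0] + "/" + s[1] + " -> " + firstProviderFor(s[0], s[1]));
        }
    }
}
```

Comparing the output with the extra jars on and off the classpath shows whether they change the provider list or the provider chosen for a service.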