
Before upgrading from Java 1.6 to Java 1.8, we were able to log into the web application. After the upgrade, we could not log into one of the web applications, but I could log into the other. They are using the same Spring-Security, OJDBC, and Hibernate versions.

However, if we removed the following jars from the classpath, login works again as long as you don't need to use a wallet to log in:

  • com.oracle:oraclepki (12.1.0.2.0)
  • com.oracle:osdt_cert (12.1.0.2.0)
  • com.oracle:osdt_core (12.1.0.2.0)

Removing these in the upper environments is not an option, since we use oracle wallets to log in.

Versions:

  • OJDBC6 12.1.0.2.0
  • SPRINGFRAMEWORK 3.0.7.RELEASE

Debug Logs

When I set the log level to DEBUG, I see that the login was rejected as an anonymous user, but earlier in the logs it successfully authenticated the login/password.

Successful authentication:

DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter][http-bio-8080-exec-10] - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@85ca488a: Principal: org.springframework.security.core.userdetails.User@f75cc3bd: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,READ_ONLY; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 383A7E52904236DDEA18E00864C0B94C; Granted Authorities: ADMIN, READ_ONLY
DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository][http-bio-8080-exec-10] - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@85ca488a: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@85ca488a: Principal: org.springframework.security.core.userdetails.User@f75cc3bd: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,READ_ONLY; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 383A7E52904236DDEA18E00864C0B94C; Granted Authorities: ADMIN, READ_ONLY'

Then Access Denied:

DEBUG [org.springframework.security.access.vote.AffirmativeBased][http-bio-8080-exec-5] - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@259af14a, returned: -1
DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter][http-bio-8080-exec-5] - Access is denied (user is anonymous); redirecting to authentication entry point

Full Stack Trace:

DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter][http-bio-8080-exec-10] - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@85ca488a: Principal: org.springframework.security.core.userdetails.User@f75cc3bd: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,READ_ONLY; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 383A7E52904236DDEA18E00864C0B94C; Granted Authorities: ADMIN, READ_ONLY
DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository][http-bio-8080-exec-10] - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@85ca488a: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@85ca488a: Principal: org.springframework.security.core.userdetails.User@f75cc3bd: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,READ_ONLY; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 383A7E52904236DDEA18E00864C0B94C; Granted Authorities: ADMIN, READ_ONLY'
DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter][http-bio-8080-exec-10] - SecurityContextHolder now cleared, as request processing completed
DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository][http-bio-8080-exec-8] - No HttpSession currently exists
DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository][http-bio-8080-exec-8] - No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter][http-bio-8080-exec-8] - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor][http-bio-8080-exec-5] - Secure object: FilterInvocation: URL: /canary/dashboard.action; Attributes: [hasAnyRole('READ_ONLY','READ_ONLY2','STATISTICS','ADMIN')]
DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor][http-bio-8080-exec-5] - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
DEBUG [org.springframework.security.access.vote.AffirmativeBased][http-bio-8080-exec-5] - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@259af14a, returned: -1
DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter][http-bio-8080-exec-5] - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:204)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

Security Context:

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="userDetailsService"/>
    <security:authentication-provider ref="ldapProvider"/>
</security:authentication-manager>

<bean id="userDetailsService" class="*******.CustomUserDetailsService">
    <property name="userDetailsService" ref="userDetailsService"/>
    <property name="dataSource" ref="dataSource"/>
    <property name="annotatedSessionFactory" ref="sessionFactory"></property>
</bean>

<bean id="ldapProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg ref="authenticator"/>
    <constructor-arg ref="ldapAuthPopulator"/>
</bean>
ScrappyDev
  • any config files for Oracle wallets. I also think you have to add Oracle PKI to the list of security providers in your JRE/JDK. See entry `security.provider.X=oracle.security.pki.OraclePKIProvider` in `JAVA_HOME/jre/lib/security/java.security`. If you updated your Java, it's guaranteed you are missing these security config entries – diginoise Apr 09 '18 at 16:11
  • one more thing in the same vein: ensure your new Java has unlimited cryptography installed - searching for this will yield results straight away – diginoise Apr 09 '18 at 16:14
  • I will try your first suggestion, but I may not be able to do the second since it's IBM and not under my direct control. However, it should be noted that the problem is inconsistent. Sometimes it works fine. Other times it has this silent fail issue going on. – ScrappyDev Apr 09 '18 at 19:30
  • Adding OraclePKIProvider had no effect. – ScrappyDev Apr 09 '18 at 21:25
  • I have a guess, if it solves I'll add it as a solution: if the configuration is different you should check the policy files. For unlimited encryption (which is probably a solution for your problem) you can find the downloads and information here: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html please let me know if this helped. – Hash Apr 13 '18 at 09:50
  • @ScrappyDev how did you try adding OraclePKIProvider, if the server is not under your control? Position of this provider in the `java.security` file matters. See **page 9** of this doc: http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf – diginoise Apr 13 '18 at 10:51
  • I tried it in my development environment. Don't have control of test or prod environments. – ScrappyDev Apr 13 '18 at 16:04
  • @ScrappyDev understand. Try setting this property somewhere early on, when your application starts: `System.setProperty("javax.net.debug", "ssl");` and hopefully your logs will show what is failing in terms of PKI. – diginoise Apr 16 '18 at 08:37
  • @diginoise Unfortunately modifying the order didn't work for me. Enabling Debug Mode. – ScrappyDev Apr 16 '18 at 13:29
  • @diginoise Could you add your answer? I'd like to give you the bounty before time runs out – ScrappyDev Apr 16 '18 at 13:47

2 Answers

Spring 3.x is not compatible with Java 8, and it's best to upgrade to 4.x.

Given that you are facing issues on a Java upgrade (e.g. no code change from your side), it just confirms that there is a version incompatibility.

Depending on how heavily you customised your interceptors, it might be medium effort or no effort at all (I remember there was a tiny backward-compatibility break from Spring 3.0.x to 3.1.x in declaring anonymous resources in XML config; however, all Java interfaces stayed backward compatible).

Petro Semeniuk

In order of priority (easiness of implementation to debugging impact ratio):

  1. Enable SSL debug: System.setProperty("javax.net.debug", "ssl"); as early in the application execution as possible, and see what exceptions are being thrown.
  2. Make sure your new JRE installation has unlimited cryptography installed; newer JDKs have it installed by default. Its presence can be tested at runtime by ensuring that Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE is true. If it's not present, it can be downloaded from Oracle (or other sources if you are using OpenJDK) - just search for: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
  3. Add OraclePKIProvider into the JAVA_HOME/jre/lib/security/java.security file as per page 9 of this Oracle documentation, keeping in mind that the order does matter.
diginoise
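A startup self-check that covers the three steps in the answer above, added here as an example and not code from the question or either answer. The class and method names are assumptions; it only reports on the JCE policy and the provider list, it does not register OraclePKIProvider itself (the java.security edit in step 3 is still required).

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

/**
 * Hypothetical preflight class: call runChecks() as early as possible
 * (for example from a ServletContextListener), before any JDBC/SSL
 * connection to the wallet-protected database is opened.
 */
public final class JdbcWalletPreflight {

    /** Provider class named in the comments and in step 3 of the answer. */
    static final String ORACLE_PKI = "oracle.security.pki.OraclePKIProvider";

    /** Step 1: enable JSSE debug output unless it was already set on the command line. */
    static void enableSslDebug() {
        if (System.getProperty("javax.net.debug") == null) {
            System.setProperty("javax.net.debug", "ssl");
        }
    }

    /** Step 2: true only when the unlimited-strength JCE policy is in effect. */
    static boolean hasUnlimitedCrypto() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE;
    }

    /** Step 3: 1-based position of OraclePKIProvider in the provider list, or -1 if absent. */
    static int oraclePkiProviderPosition() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            // Compare by class name so this works even if the Oracle PKI jars are missing.
            if (ORACLE_PKI.equals(providers[i].getClass().getName())) {
                return i + 1;
            }
        }
        return -1;
    }

    public static void runChecks() throws Exception {
        enableSslDebug();
        System.out.println("unlimited crypto policy: " + hasUnlimitedCrypto());
        int pos = oraclePkiProviderPosition();
        System.out.println(pos > 0
            ? "OraclePKIProvider registered at position " + pos
            : "OraclePKIProvider not registered; check security.provider.N in java.security");
    }

    public static void main(String[] args) throws Exception {
        runChecks();
    }
}
```

If the provider is reported at a low-priority position, or not at all, that matches the ordering problem the comments describe; the SSL debug output then shows which handshake step fails.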