I'm working in order to integrate Spring Security SAML Extension with Spring Boot.
I developed a complete sample application, all the source code is published on GitHub:
By running the WebApp as Spring Boot application (through Spring Tool Set, by using an embedded Application Server), it works fine. Unfortunately, the auth process doesn't work on Undertow/WildFly (and I must use it as production AS).
By logging, I can see that the IdP performs the AuthN process and the instructions of my custom `UserDetails` implementation are correctly executed. Despite that, Spring doesn't set up the privileges for the current user.
```java
import java.util.ArrayList;
import java.util.List;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.stereotype.Component;

// ExtUser and SSOUserAccountNotExistsException are custom classes of this project (same package).
@Component
public class SAMLUserDetailsServiceImpl implements SAMLUserDetailsService {

    // Logger
    private static final Logger LOG = LoggerFactory.getLogger(SAMLUserDetailsServiceImpl.class);

    @Override
    public Object loadUserBySAML(SAMLCredential credential)
            throws UsernameNotFoundException, SSOUserAccountNotExistsException {
        String userID = credential.getNameID().getValue();

        if (userID.compareTo("jdoe@samplemail.com") != 0) {
            // We're simulating the data access.
            LOG.warn("SSO User Account not found into the system");
            throw new SSOUserAccountNotExistsException("SSO User Account not found into the system", userID);
        }

        LOG.info(userID + " is logged in");
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        GrantedAuthority authority = new SimpleGrantedAuthority("ROLE_USER");
        authorities.add(authority);
        ExtUser userDetails = new ExtUser(userID, "password", true, true, true, true, authorities, "John", "Doe");
        return userDetails;
    }
}
```
By debugging, I checked that the problem starts from the `FilterChainProxy` class. When I run the webapp on WildFly, I can see that the attribute `FILTER_APPLIED` of `ServletRequest` is null, thus Spring clears the `SecurityContextHolder`.
```java
private final static String FILTER_APPLIED = FilterChainProxy.class.getName().concat(".APPLIED");

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    boolean clearContext = request.getAttribute(FILTER_APPLIED) == null;
    if (clearContext) {
        try {
            request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
            doFilterInternal(request, response, chain);
        } finally {
            SecurityContextHolder.clearContext();
            request.removeAttribute(FILTER_APPLIED);
        }
    } else {
        doFilterInternal(request, response, chain);
    }
}
```
On VMware vFabric tc Server and Tomcat that doesn't happen. Is there a way to resolve this issue?
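A diagnostic filter that records, on every pass, the exact state `FilterChainProxy` depends on (the `FILTER_APPLIED` attribute, the dispatcher type, the container's request wrapper class and the current `SecurityContextHolder` principal), so the point where the context is lost on WildFly can be localized in the logs. This is an added example, not code from the question's repository; it assumes Spring Boot 1.x (`org.springframework.boot.context.embedded.FilterRegistrationBean`) and the `javax.servlet` API, and `SecurityContextProbeFilter` / `ProbeFilterConfig` are hypothetical names.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.context.embedded.FilterRegistrationBean; // Spring Boot 1.x package (assumption)
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.FilterChainProxy;

/** Hypothetical diagnostic filter: logs what FilterChainProxy sees, one line per invocation. */
public class SecurityContextProbeFilter implements Filter {
    private static final Logger LOG = LoggerFactory.getLogger(SecurityContextProbeFilter.class);
    // Same key FilterChainProxy uses; its own constant is private, so it is rebuilt here.
    private static final String FILTER_APPLIED = FilterChainProxy.class.getName().concat(".APPLIED");

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // A null FILTER_APPLIED on a FORWARD/INCLUDE, or a request class that differs between
        // passes, indicates the container handed Spring a request object that lost its attributes.
        LOG.info("uri={} dispatcher={} requestClass={} FILTER_APPLIED={} principal={} authorities={}",
                ((HttpServletRequest) req).getRequestURI(), req.getDispatcherType(),
                req.getClass().getName(), req.getAttribute(FILTER_APPLIED),
                auth == null ? null : auth.getName(), auth == null ? null : auth.getAuthorities());
        chain.doFilter(req, res);
    }
}

@Configuration
class ProbeFilterConfig {
    @Bean
    public FilterRegistrationBean securityContextProbeFilter() {
        FilterRegistrationBean reg = new FilterRegistrationBean(new SecurityContextProbeFilter());
        reg.addUrlPatterns("/*");
        reg.setOrder(Ordered.LOWEST_PRECEDENCE); // run after springSecurityFilterChain
        return reg;
    }
}
```

Compare the logged lines from Tomcat and WildFly for the same request: the first pass where `FILTER_APPLIED` is null while `principal` was already set on the previous pass marks where the context is being cleared.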