使用独立 Tomcat 的 Spring Boot 容器身份验证

Question

I have a standalone Tomcat server which should run my Spring Boot application (deployed as a .war file). This application needs to be secured with container authentication from Tomcat. First it should use the tomcat-users.xml in the development environment. In the production environment this realm will be replaced by another authentication method.

My configuration:

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().disable()
            .authorizeRequests()
                .antMatchers("/test/test2").permitAll()
                .anyRequest().authenticated()
            .and()
                .formLogin().permitAll()
            .and()
                .logout().permitAll()
            .and()
                .jee().mappableRoles("USER");
    }

}

Tomcat users:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd" version="1.0">
    <user username="testuser" password="pw" roles="user" />
</tomcat-users>

On secured pages the form login appears like expected, but the authentication does not work (Your login attempt was not successful, try again.).

Is something else missing in the configuration?

Log:

09:53:40 DEBUG o.s.security.web.FilterChainProxy        : /login at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
09:53:40 DEBUG o.s.security.web.FilterChainProxy        : /login at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
09:53:40 DEBUG w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
09:53:40 DEBUG w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@22ea93f6. A new one will be created.
09:53:40 DEBUG o.s.security.web.FilterChainProxy        : /login at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
09:53:40 DEBUG o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@738151d2
09:53:40 DEBUG o.s.security.web.FilterChainProxy        : /login at position 4 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
09:53:40 DEBUG o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/logout', GET]
09:53:40 DEBUG o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'POST /login' doesn't match 'GET /logout
09:53:40 DEBUG o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/logout', POST]
09:53:40 DEBUG o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login'; against '/logout'
09:53:40 DEBUG o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/logout', PUT]
09:53:40 DEBUG o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'POST /login' doesn't match 'PUT /logout
09:53:40 DEBUG o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/logout', DELETE]
09:53:40 DEBUG o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'POST /login' doesn't match 'DELETE /logout
09:53:40 DEBUG o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
09:53:40 DEBUG o.s.security.web.FilterChainProxy        : /login at position 5 of 13 in additional filter chain; firing Filter: 'J2eePreAuthenticatedProcessingFilter'
09:53:40 DEBUG p.j.J2eePreAuthenticatedProcessingFilter : Checking secure context token: null
09:53:40 DEBUG p.j.J2eePreAuthenticatedProcessingFilter : PreAuthenticated J2EE principal: null
09:53:40 DEBUG p.j.J2eePreAuthenticatedProcessingFilter : No pre-authenticated principal found in request
09:53:40 DEBUG o.s.security.web.FilterChainProxy        : /login at position 6 of 13 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
09:53:40 DEBUG o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login'; against '/login'
09:53:40 DEBUG w.a.UsernamePasswordAuthenticationFilter : Request is to process authentication
09:53:40 DEBUG o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
09:53:40 DEBUG o.s.s.a.dao.DaoAuthenticationProvider    : User 'testuser' not found
09:53:40 DEBUG o.s.b.f.s.DefaultListableBeanFactory     : Returning cached instance of singleton bean 'delegatingApplicationListener'
09:53:40 DEBUG w.a.UsernamePasswordAuthenticationFilter : Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials

Answer 1

I couldn't find any ultimate solution for this, but this hint helped me to make it work at all. It seems that a minimum of a web.xml is needed to "activate" the container authentication. Then Spring Security can handle this as pre authentication.

Unfortunately in this solution the authorities (roles) from the container authentication are not present. Therefore I had to remove Spring Security entirely and work only with the web.xml (and context.xml ).