[midPoint] Error using httpHeader

Ethan Kromhout kromhout at unc.edu
Mon Sep 27 19:41:33 CEST 2021


Hi Xiaoshu,

I see the same exception in our InCommon midPoint testbed. The login 
appears to proceed fine, but the exception is logged at each login 
event. We are also using the httpHeader module to process headers set 
by a Shibboleth SP.

Ethan

2021-09-27 17:37:06,552 [MODEL] [ajp-nio-127.0.0.1-9090-exec-9] INFO 
(org.springframework.security.web.DefaultSecurityFilterChain): Creating 
filter chain: Ant [pattern='/auth/shib/httpHeader/**'], 
[org.springframework.security.web.header.HeaderWriterFilter at 87b6f7, 
org.springframework.security.web.csrf.CsrfFilter at aece9cc, 
com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter at 2e822fcb, 
com.evolveum.midpoint.web.security.filter.MidpointRequestHeaderAuthenticationFilter at 5756d0c0, 
org.springframework.security.web.authentication.logout.LogoutFilter at 138f1343, 
com.evolveum.midpoint.web.security.filter.MidpointUsernamePasswordAuthenticationFilter at 7011378c, 
org.springframework.security.web.savedrequest.RequestCacheAwareFilter at 245a878c, 
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter at 1093c981, 
com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter at 28d763a3, 
com.evolveum.midpoint.web.security.filter.MidpointExceptionTranslationFilter at 55dbf759, 
org.springframework.security.web.access.intercept.FilterSecurityInterceptor at 765d8718]
2021-09-27 17:37:06,703 [MODEL] [ajp-nio-127.0.0.1-9090-exec-9] ERROR 
(com.evolveum.midpoint.web.security.filter.TranslateExeptionFilter): 
Unable to handle the Spring Security Exception because the response is 
already committed.
javax.servlet.ServletException: Unable to handle the Spring Security 
Exception because the response is already committed.
     at 
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:138)
     at 
com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:353)
     at 
com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter.doFilter(MidpointAnonymousAuthenticationFilter.java:96)
     at 
com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:353)
     at 
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)
     at 
com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:353)
     at 
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
     at 
com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:353)
     at 
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
     at 
com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:353)
     at 
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
     at 
com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:353)
     at 
com.evolveum.midpoint.web.security.filter.MidpointRequestHeaderAuthenticationFilter.doFilter(MidpointRequestHeaderAuthenticationFilter.java:65)
     at 
com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:353)
     at 
com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter.doFilterInternal(RedirectForLoginPagesWithAuthenticationFilter.java:39)
     at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
     at 
com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:353)
     at 
org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117)
     at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
     at 
com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:353)
     at 
org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
     at 
org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
     at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
     at 
com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:353)
     at 
com.evolveum.midpoint.web.security.filter.MidpointAuthFilter.doFilterInternal(MidpointAuthFilter.java:192)
     at 
com.evolveum.midpoint.web.security.filter.MidpointAuthFilter.doFilter(MidpointAuthFilter.java:100)
     at 
com.evolveum.midpoint.web.security.filter.MidpointFilterChainProxy$VirtualFilterChain.doFilter(MidpointFilterChainProxy.java:169)
     at 
com.evolveum.midpoint.web.security.filter.TranslateExeptionFilter.doFilterInternal(TranslateExeptionFilter.java:30)
     at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
     at 
com.evolveum.midpoint.web.security.filter.MidpointFilterChainProxy$VirtualFilterChain.doFilter(MidpointFilterChainProxy.java:171)
     at 
org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:152)
     at 
com.evolveum.midpoint.web.security.filter.MidpointFilterChainProxy$VirtualFilterChain.doFilter(MidpointFilterChainProxy.java:171)
     at 
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
     at 
com.evolveum.midpoint.web.security.filter.MidpointFilterChainProxy$VirtualFilterChain.doFilter(MidpointFilterChainProxy.java:171)
     at 
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
     at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
     at 
com.evolveum.midpoint.web.security.filter.MidpointFilterChainProxy$VirtualFilterChain.doFilter(MidpointFilterChainProxy.java:171)
     at 
com.evolveum.midpoint.web.security.filter.MidpointFilterChainProxy.doFilterInternal(MidpointFilterChainProxy.java:95)
     at 
com.evolveum.midpoint.web.security.filter.MidpointFilterChainProxy.doFilter(MidpointFilterChainProxy.java:60)
     at 
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
     at 
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
     at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at 
org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
     at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
     at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at 
org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
     at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
     at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at 
org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:93)
     at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
     at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at 
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
     at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
     at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at 
com.evolveum.midpoint.web.boot.TrailingSlashRedirectingFilter.doFilterInternal(TrailingSlashRedirectingFilter.java:60)
     at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
     at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
     at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
     at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
     at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
     at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
     at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
     at 
com.evolveum.midpoint.web.boot.NodeIdHeaderValve.invoke(NodeIdHeaderValve.java:46)
     at 
com.evolveum.midpoint.web.boot.TomcatRootValve.invoke(TomcatRootValve.java:62)
     at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
     at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:431)
     at 
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
     at 
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
     at 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1589)
     at 
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
     at 
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
     at 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
     at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
     at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.springframework.security.access.AccessDeniedException: 
Not authorized
     at 
com.evolveum.midpoint.web.security.MidPointGuiAuthorizationEvaluator.decide(MidPointGuiAuthorizationEvaluator.java:203)
     at 
org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
     at 
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123)
     at 
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
     at 
com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:353)
     at 
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)
     ... 80 common frames omitted

On 9/8/21 9:39 AM, Wang, Xiaoshu via midPoint wrote:
>
> Hi,
>
> I am playing with flexible authentication. I have a blank midPoint 
> 4.3.1 setup on my local machine and put the security policy (in 
> the attached file) in the post-initial-objects directory. Then I can 
> mimic the user by setting the uid request header in my browser. It 
> works, but it generates the following exceptions in the server log. 
> The error does not seem to prevent the app from functioning, but it 
> still generates a lot of noise.
>
> My intention was to see how to front midPoint with an SP, 
> hence the httpHeader module. This leads to my next question.
>
> Which paths do I need to configure so that the Shibboleth SP requires 
> an active session?
>
> I don’t think protecting all paths would work, as it would block the 
> emergency login. In addition, I guess it would prevent the server from 
> using HTTP Basic, which is required by a REST client.
>
> Xiaoshu Wang
>
> 2021-09-08 08:59:23,340 [MODEL] [http-nio-8080-exec-3] ERROR 
> (com.evolveum.midpoint.web.util.MidPointProfilingServletFilter): 
> Encountered exception: java.lang.IllegalStateException: Cannot call 
> sendRedirect() after the response has been committed
>
> java.lang.IllegalStateException: Cannot call sendRedirect() after the 
> response has been committed
>
> at 
> org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:488)
>
> at 
> javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:138)
>
> at 
> org.springframework.security.web.firewall.FirewalledResponse.sendRedirect(FirewalledResponse.java:48)
>
> at 
> javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:138)
>
> at 
> org.springframework.security.web.util.OnCommittedResponseWrapper.sendRedirect(OnCommittedResponseWrapper.java:136)
>
> at 
> javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:138)
>
> at 
> org.springframework.security.web.util.OnCommittedResponseWrapper.sendRedirect(OnCommittedResponseWrapper.java:136)
>
> at 
> org.apache.wicket.protocol.http.servlet.ServletWebResponse.sendRedirect(ServletWebResponse.java:288)
>
> at 
> org.apache.wicket.protocol.http.BufferedWebResponse$SendRedirectAction.invoke(BufferedWebResponse.java:409)
>
> at 
> org.apache.wicket.protocol.http.BufferedWebResponse.writeTo(BufferedWebResponse.java:602)
>
> at 
> org.apache.wicket.protocol.http.HeaderBufferingWebResponse.stopBuffering(HeaderBufferingWebResponse.java:60)
>
> at 
> org.apache.wicket.protocol.http.HeaderBufferingWebResponse.flush(HeaderBufferingWebResponse.java:97)
>
> at 
> org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:277)
>
> at 
> org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:206)
>
> at 
> org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:299)
>
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
>
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
>
> at 
> com.evolveum.midpoint.web.util.MidPointProfilingServletFilter.doFilter(MidPointProfilingServletFilter.java:79)
>
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
>
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
>
> at 
> com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:406)
>
> at 
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
>
> at 
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:81)
>
> at 
> com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:418)
>
> at 
> org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
>
>