Issue with Single Sign-On Using Spring Security Plugins

batterycopperInternet and Web Development

Nov 12, 2013 (3 years and 5 months ago)



Overview


We are trying to implement single sign-on capabilities in a Grails application. In order to make things easier for the application teams in our company we created our own Mutual Security Plugin that incorporates the Spring Security Core v1.1.2, Spring Security LDAP v1.0.2, and Spring Security Kerberos v0.1. Our desire is to use these plugins to provide single sign-on using Kerberos and the LDAP plugin to retrieve information about the user from LDAP.


We were able to configure the Spring Security Core v1.1.2, Spring Security LDAP v1.0.2, and Spring Security
Kerberos v0.1 to successfully function and automatically sign in a user. We are using Grails v 1.3.7.


We have implemented the following in our Mutual Security Plugin descriptor file to override the behavior of the userDetailsService in the kerberosServiceAuthenticationProvider bean to look up the user information from LDAP.


def doWithApplicationContext = { applicationContext ->
    // registering a custom kerberos authentication service detail
    // that will search LDAP for a user to get user information
    def conf = SpringSecurityUtils.securityConfig
    if (conf && conf.active && conf.kerberos.active) {
        println "invoke kerberos authentication provider"
        def ldapUserSearch = applicationContext.getBean("ldapUserSearch")
        def ldapAuthoritiesPopulator = applicationContext.getBean("ldapAuthoritiesPopulator")
        def kerberosServiceAuthenticationProvider = applicationContext.getBean("kerberosServiceAuthenticationProvider")
        kerberosServiceAuthenticationProvider.userDetailsService = new LdapUserDetailsService(ldapUserSearch, ldapAuthoritiesPopulator) {
            UserDetails loadUserByUsername(String name) throws UsernameNotFoundException {
                int i = name.indexOf('@')
                if (i > 0) {
                    name = name.substring(0, i)
                }
                return super.loadUserByUsername(name)
            }
        }
    }
    else {
        println "skip kerberos authentication provider"
    }
}



We then tried updating the Spring Security plugins in our Mutual Security Plugin to the most current releases. However, we started getting errors and were unable to successfully execute single sign-on. We then went back to the original configuration and started incrementally changing the versions of the plugins and were able to narrow it down to where we were able to successfully work with the combination of Spring Security Core v1.1.3, Spring Security LDAP v1.0.5, and Spring Security Kerberos v0.1. However, when we changed to Spring Security Core v1.2 from v1.1.3 along with Spring Security LDAP v1.0.5, and Spring Security Kerberos v0.1 it failed. Details of the error can be found in the Error Message section below.


Our configuration file settings are as follows and work for the combination of Spring Security Core v1.1.3, Spring Security LDAP v1.0.5, and Spring Security Kerberos v0.1.


grails.plugins.springsecurity.userLookup.userDomainClassName = 'com.test.User'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'com.test.UserRole'
grails.plugins.springsecurity.authority.className = 'com.test.Role'
grails.plugins.springsecurity.ldap.context.managerDn='uid=xxxxxxx,ou=accounts,dc=mutualOfOmaha,o=ent'
grails.plugins.springsecurity.ldap.context.managerPassword='xxxxxxx'
grails.plugins.springsecurity.ldap.context.server='ldaps://xxxxxxx:633'
grails.plugins.springsecurity.ldap.search.base='ou=internalUsers,ou=people,dc=mutualOfOmaha,o=ent'
grails.plugins.springsecurity.ldap.search.searchSubtree=true
grails.plugins.springsecurity.ldap.search.filter='(uid={0})'
grails.plugins.springsecurity.ldap.search.timeLimit=600
grails.plugins.springsecurity.ldap.search.attributesToReturn=null
grails.plugins.springsecurity.ldap.authorities.searchSubtree=true
grails.plugins.springsecurity.ldap.authorities.groupSearchBase='ou=groups,dc=mutualOfOmaha,o=ent'
grails.plugins.springsecurity.ldap.authorities.groupSearchFilter='uniqueMember={0}'
grails.plugins.springsecurity.ldap.authorities.retrieveGroupRoles = true
grails.plugins.springsecurity.ldap.authorities.retrieveDatabaseRoles = false
grails.plugins.springsecurity.ldap.authenticator.useBind=true
grails.plugins.springsecurity.ldap.authenticator.dnPatterns=["uid={0},ou=internalUsers,ou=people,dc=mutualOfOmaha,o=ent"]
grails.plugins.springsecurity.ldap.mapper.convertToUpperCase=true
grails.plugins.springsecurity.kerberos.ticketValidator.servicePrincipal = 'HTTP/xxxxxxx.corp.mutualofomaha.com@CORP.MUTUALOFOMAHA.COM'
grails.plugins.springsecurity.kerberos.ticketValidator.keyTabLocation = 'file:///c:/spnego/spnego_grTest.keytab'
grails.plugins.springsecurity.kerberos.configLocation='c:/spnego/krb5.conf'
grails.plugins.springsecurity.kerberos.ticketValidator.debug = true






Error Message


web.FilterChainProxy Converted URL to lowercase, from: '/purchaseorder/index'; to: '/purchaseorder/index'
web.FilterChainProxy Candidate is: '/purchaseorder/index'; pattern is /**; matched=true
web.FilterChainProxy /purchaseOrder/index at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
context.HttpSessionSecurityContextRepository No HttpSession currently exists
context.HttpSessionSecurityContextRepository No SecurityContext was available from the HttpSession: null. A new one will be created.
web.FilterChainProxy /purchaseOrder/index at position 2 of 9 in additional filter chain; firing Filter: 'MutableLogoutFilter'
web.FilterChainProxy /purchaseOrder/index at position 3 of 9 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'
web.FilterChainProxy /purchaseOrder/index at position 4 of 9 in additional filter chain; firing Filter: 'SpnegoAuthenticationProcessingFilter'
web.FilterChainProxy /purchaseOrder/index at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
web.FilterChainProxy /purchaseOrder/index at position 6 of 9 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
web.FilterChainProxy /purchaseOrder/index at position 7 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
authentication.AnonymousAuthenticationFilter Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faaf9b0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 10.9.65.113; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
web.FilterChainProxy /purchaseOrder/index at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
web.FilterChainProxy /purchaseOrder/index at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
intercept.FilterSecurityInterceptor Secure object: FilterInvocation: URL: /purchaseOrder/index; Attributes: [ROLE_GRAILSSECTESTGROUP]
intercept.FilterSecurityInterceptor Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faaf9b0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 10.9.65.113; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
hierarchicalroles.RoleHierarchyImpl getReachableGrantedAuthorities() - From the roles [ROLE_ANONYMOUS] one can reach [ROLE_ANONYMOUS] in zero or more steps.
access.ExceptionTranslationFilter Access is denied (user is anonymous); redirecting to authentication entry point

org.springframework.security.access.AccessDeniedException: Access is denied
    at org.codehaus.groovy.grails.plugins.springsecurity.AuthenticatedVetoableDecisionManager.deny(AuthenticatedVetoableDecisionManager.java:111)
    at org.codehaus.groovy.grails.plugins.springsecurity.AuthenticatedVetoableDecisionManager.checkOtherVoters(AuthenticatedVetoableDecisionManager.java:103)
    at org.codehaus.groovy.grails.plugins.springsecurity.AuthenticatedVetoableDecisionManager.decide(AuthenticatedVetoableDecisionManager.java:44)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:112)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:152)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
    at org.codehaus.groovy.grails.plugins.springsecurity.RequestHolderAuthenticationFilter.doFilter(RequestHolderAuthenticationFilter.java:40)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.codehaus.groovy.grails.plugins.springsecurity.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.codehaus.groovy.grails.web.servlet.mvc.GrailsWebRequestFilter.doFilterInternal(GrailsWebRequestFilter.java:69)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.codehaus.groovy.grails.web.filters.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:69)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
    at java.lang.Thread.run(Thread.java:619)

savedrequest.HttpSessionRequestCache DefaultSavedRequest added to Session: DefaultSavedRequest[http://c3djck1.corp.mutualofomaha.com:8080/SecurityPrototype/purchaseOrder/index]
access.ExceptionTranslationFilter Calling Authentication entry point.
web.SpnegoEntryPoint Sending back Negotiate Header for request: http://c3djck1.corp.mutualofomaha.com:8080/SecurityPrototype/purchaseOrder/index
context.HttpSessionSecurityContextRepository SecurityContext is empty or anonymous - context will not be stored in HttpSession.
context.SecurityContextPersistenceFilter SecurityContextHolder now cleared, as request processing completed
web.FilterChainProxy Converted URL to lowercase, from: '/purchaseorder/index'; to: '/purchaseorder/index'
web.FilterChainProxy Candidate is: '/purchaseorder/index'; pattern is /**; matched=true
web.FilterChainProxy /purchaseOrder/index at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
context.HttpSessionSecurityContextRepository HttpSession returned null object for SPRING_SECURITY_CONTEXT
context.HttpSessionSecurityContextRepository No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@9e4aa4. A new one will be created.
web.FilterChainProxy /purchaseOrder/index at position 2 of 9 in additional filter chain; firing Filter: 'MutableLogoutFilter'
web.FilterChainProxy /purchaseOrder/index at position 3 of 9 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'
web.FilterChainProxy /purchaseOrder/index at position 4 of 9 in additional filter chain; firing Filter: 'SpnegoAuthenticationProcessingFilter'
web.SpnegoAuthenticationProcessingFilter Received Negotiate Header for request http://c3djck1.corp.mutualofomaha.com:8080/SecurityPrototype/purchaseOrder/index: Negotiate

authentication.ProviderManager Authentication attempt using org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider
kerberos.KerberosServiceAuthenticationProvider Try to validate Kerberos Token
kerberos.KerberosServiceAuthenticationProvider Succesfully validated req67458@CORP.MUTUALOFOMAHA.COM
search.FilterBasedLdapUserSearch Searching for user 'req67458', with user search [ searchFilter: '(uid={0})', searchBase: 'ou=internalUsers,ou=people,dc=mutualOfOmaha,o=ent', scope: subtree, searchTimeLimit: 600, derefLinkFlag: false ]
ldap.SpringSecurityLdapTemplate Searching for entry in under DN '', base = 'ou=internalUsers,ou=people,dc=mutualOfOmaha,o=ent', filter = '(uid={0})'
ldap.SpringSecurityLdapTemplate Found DN: uid=req67458,ou=internalUsers,ou=people,dc=mutualOfOmaha,o=ent
userdetails.DefaultLdapAuthoritiesPopulator Getting authorities for user uid=req67458,ou=internalUsers,ou=people,dc=mutualOfOmaha,o=ent
userdetails.DefaultLdapAuthoritiesPopulator Searching for roles for user 'req67458', DN = 'uid=req67458,ou=internalUsers,ou=people,dc=mutualOfOmaha,o=ent', with filter uniqueMember={0} in search base 'ou=groups,dc=mutualOfOmaha,o=ent'
ldap.SpringSecurityLdapTemplate Using filter: uniqueMember=uid=req67458,ou=internalUsers,ou=people,dc=mutualOfOmaha,o=ent
userdetails.DefaultLdapAuthoritiesPopulator Roles from search: [GrailsSecTestGroup, bre_ReuseRegistryAdmin]
userdetails.LdapUserDetailsMapper Mapping user details from context with DN: uid=req67458,ou=internalUsers,ou=people,dc=mutualOfOmaha,o=ent
web.FilterChainProxy /purchaseOrder/index at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
web.FilterChainProxy /purchaseOrder/index at position 6 of 9 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
rememberme.RememberMeAuthenticationFilter SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.extensions.kerberos.KerberosServiceRequestToken@39c510c0: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@3a722e9b: Dn: uid=req67458,ou=internalUsers,ou=people,dc=mutualOfOmaha,o=ent; Username: req67458; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_GRAILSSECTESTGROUP, ROLE_BRE_REUSEREGISTRYADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_GRAILSSECTESTGROUP, ROLE_BRE_REUSEREGISTRYADMIN'
web.FilterChainProxy /purchaseOrder/index at position 7 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
authentication.AnonymousAuthenticationFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.extensions.kerberos.KerberosServiceRequestToken@39c510c0: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@3a722e9b: Dn: uid=req67458,ou=internalUsers,ou=people,dc=mutualOfOmaha,o=ent; Username: req67458; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_GRAILSSECTESTGROUP, ROLE_BRE_REUSEREGISTRYADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_GRAILSSECTESTGROUP, ROLE_BRE_REUSEREGISTRYADMIN'
web.FilterChainProxy /purchaseOrder/index at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
web.FilterChainProxy /purchaseOrder/index at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
intercept.FilterSecurityInterceptor Secure object: FilterInvocation: URL: /purchaseOrder/index; Attributes: [ROLE_GRAILSSECTESTGROUP]
intercept.FilterSecurityInterceptor Previously Authenticated: org.springframework.security.extensions.kerberos.KerberosServiceRequestToken@39c510c0: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@3a722e9b: Dn: uid=req67458,ou=internalUsers,ou=people,dc=mutualOfOmaha,o=ent; Username: req67458; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_GRAILSSECTESTGROUP, ROLE_BRE_REUSEREGISTRYADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_GRAILSSECTESTGROUP, ROLE_BRE_REUSEREGISTRYADMIN
hierarchicalroles.RoleHierarchyImpl getReachableGrantedAuthorities() - From the roles [ROLE_GRAILSSECTESTGROUP, ROLE_BRE_REUSEREGISTRYADMIN] one can reach [ROLE_GRAILSSECTESTGROUP, ROLE_BRE_REUSEREGISTRYADMIN] in zero or more steps.
intercept.FilterSecurityInterceptor Authorization successful
intercept.FilterSecurityInterceptor RunAsManager did not change Authentication object
web.FilterChainProxy /purchaseOrder/index reached end of additional filter chain; proceeding with original chain
web.FilterChainProxy Converted URL to lowercase, from: '/grails/purchaseorder/index.dispatch'; to: '/grails/purchaseorder/index.dispatch'
web.FilterChainProxy Candidate is: '/grails/purchaseorder/index.dispatch'; pattern is /**; matched=true
web.FilterChainProxy /grails/purchaseOrder/index.dispatch at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
web.FilterChainProxy /grails/purchaseOrder/index.dispatch at position 2 of 9 in additional filter chain; firing Filter: 'MutableLogoutFilter'
web.FilterChainProxy /grails/purchaseOrder/index.dispatch at position 3 of 9 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'
web.FilterChainProxy /grails/purchaseOrder/index.dispatch at position 4 of 9 in additional filter chain; firing Filter: 'SpnegoAuthenticationProcessingFilter'
web.SpnegoAuthenticationProcessingFilter Received Negotiate Header for request http://c3djck1.corp.mutualofomaha.com:8080/SecurityPrototype/grails/purchaseOrder/index.dispatch: Negotiate

authentication.ProviderManager Authentication attempt using org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider
kerberos.KerberosServiceAuthenticationProvider Try to validate Kerberos Token
web.SpnegoAuthenticationProcessingFilter Negotiate Header was invalid: Negotiate

org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
    at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
    at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:130)
    at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
    at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
    at org.codehaus.groovy.grails.plugins.springsecurity.RequestHolderAuthenticationFilter.doFilter(RequestHolderAuthenticationFilter.java:40)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.codehaus.groovy.grails.plugins.springsecurity.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:57)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:70)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:70)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:646)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
    at org.codehaus.groovy.grails.web.util.WebUtils.forwardRequestForUrlMappingInfo(WebUtils.java:298)
    at org.codehaus.groovy.grails.web.util.WebUtils.forwardRequestForUrlMappingInfo(WebUtils.java:264)
    at org.codehaus.groovy.grails.web.util.WebUtils.forwardRequestForUrlMappingInfo(WebUtils.java:255)
    at org.codehaus.groovy.grails.web.mapping.filter.UrlMappingsFilter.doFilterInternal(UrlMappingsFilter.java:183)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.codehaus.groovy.grails.web.sitemesh.GrailsPageFilter.obtainContent(GrailsPageFilter.java:245)
    at org.codehaus.groovy.grails.web.sitemesh.GrailsPageFilter.doFilter(GrailsPageFilter.java:134)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.codehaus.groovy.grails.web.servlet.filter.GrailsReloadServletFilter.doFilterInternal(GrailsReloadServletFilter.java:104)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:368)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:119)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:152)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
    at org.codehaus.groovy.grails.plugins.springsecurity.RequestHolderAuthenticationFilter.doFilter(RequestHolderAuthenticationFilter.java:40)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.codehaus.groovy.grails.plugins.springsecurity.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.codehaus.groovy.grails.web.servlet.mvc.GrailsWebRequestFilter.doFilterInternal(GrailsWebRequestFilter.java:69)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.codehaus.groovy.grails.web.filters.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:69)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
    at java.lang.Thread.run(Thread.java:619)

Caused by: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:396)
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
    ... 92 more

Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
    ... 95 more

Caused by: KrbException: Request is a replay (34)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:299)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
    ... 103 more

access.ExceptionTranslationFilter Chain processed normally

context.HttpSessionSecurityContextRepository SecurityContext is empty or anonymous - context will not be stored in HttpSession.

context.SecurityContextPersistenceFilter SecurityContextHolder now cleared, as request processing completed