HuTa

Reputation: 178

Spring SAML Access is denied after one minute

I've implemented SAML2 authentication in a web application. Everything works fine at the beginning. The user logs in and can use the application, but after one minute he gets a 401 and the whole page reloads.

It

What can be the reason? Is it connected to the SAML ticket NotOnOrAfter attribute? How can I fix this issue and disable this reload and reauthentication?

In logs I can see:

7:13:55.271 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /sw.js; Attributes: [authenticated]
2017-02-11 17:13:55.271 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: 3A25B5C297F7BCF47C70ACA09D03EEC6; Granted Authorities: ROLE_ANONYMOUS
2017-02-11 17:13:55.271 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@4e54fa5d, returned: -1
2017-02-11 17:13:55.271 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point

org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:115)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.saml.SAMLLogoutProcessingFilter.processLogout(SAMLLogoutProcessingFilter.java:206)
    at org.springframework.security.saml.SAMLLogoutProcessingFilter.doFilter(SAMLLogoutProcessingFilter.java:104)

2017-02-11 17:13:55.291 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] o.s.s.w.s.HttpSessionRequestCache : DefaultSavedRequest added to Session: DefaultSavedRequest[https://somesite/saml/SSO/sw.js]
2017-02-11 17:13:55.291 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] o.s.s.w.a.ExceptionTranslationFilter : Calling Authentication entry point.
2017-02-11 17:13:55.306 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] o.s.s.s.context.SAMLContextProviderImpl : No IDP specified, using default MINEIDP
2017-02-11 17:13:55.307 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] o.s.security.saml.util.SAMLUtil : Index for AssertionConsumerService not specified, returning default
2017-02-11 17:13:55.308 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] o.s.security.saml.SAMLEntryPoint : Processing SSO using WebSSO profile
2017-02-11 17:13:55.308 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] o.s.s.saml.websso.WebSSOProfileImpl : Using default consumer service with binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2017-02-11 17:13:55.308 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] o.s.security.saml.util.SLF4JLogChute : ResourceManager : found /templates/saml2-post-binding.vm with loader org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
2017-02-11 17:13:55.308 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] o.s.security.saml.util.SLF4JLogChute : ResourceManager : found /templates/add-html-head-content.vm with loader org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
2017-02-11 17:13:55.308 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] o.s.security.saml.util.SLF4JLogChute : ResourceManager : found /templates/add-html-body-content.vm with loader org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
2017-02-11 17:13:55.308 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@66d6b7bc
2017-02-11 17:13:55.308 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2017-02-11 17:13:55.308 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] o.s.s.saml.storage.HttpSessionStorage : Storing message a2h65aag15ccg2d837386cch748e34h to session 3A25B5C297F7BCF47C70ACA09D03EEC6
2017-02-11 17:13:55.308 INFO 29368 --- [http-nio-127.0.0.1-5814-exec-7] o.s.security.saml.log.SAMLDefaultLogger : AuthNRequest;SUCCESS;127.0.0.1;https://somesite..
2017-02-11 17:13:55.308 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2017-02-11 17:13:55.308 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-7] o.s.b.w.f.OrderedRequestContextFilter : Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@7bfe8944
2017-02-11 17:13:56.527 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3] o.s.b.w.f.OrderedRequestContextFilter : Bound request context to thread: org.apache.catalina.connector.RequestFacade@7bfe8944
2017-02-11 17:13:56.527 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3] o.s.security.web.FilterChainProxy : /saml/SSO at position 1 of 16 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-02-11 17:13:56.527 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3] o.s.security.web.FilterChainProxy : /saml/SSO at position 2 of 16 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-02-11 17:13:56.527 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2017-02-11 17:13:56.527 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@491a27d7. A new one will be created.
2017-02-11 17:13:56.527 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3] o.s.security.web.FilterChainProxy : /saml/SSO at position 3 of 16 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-02-11 17:13:56.527 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3] o.s.security.web.FilterChainProxy : /saml/SSO at position 4 of 16 in additional filter chain; firing Filter: 'SAMLLogoutFilter'
2017-02-11 17:13:56.527 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3] o.s.security.web.FilterChainProxy : /saml/SSO at position 5 of 16 in additional filter chain; firing Filter: 'MetadataGeneratorFilter'
2017-02-11 17:13:56.527 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3] o.s.security.web.FilterChainProxy : /saml/SSO at position 6 of 16 in additional filter chain; firing Filter: 'MetadataDisplayFilter'
2017-02-11 17:13:56.542 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3] o.s.security.web.FilterChainProxy : /saml/SSO at position 7 of 16 in additional filter chain; firing Filter: 'XhrSamlEntryPoint'
2017-02-11 17:13:56.542 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3] o.s.security.web.FilterChainProxy : /saml/SSO at position 8 of 16 in additional filter chain; firing Filter: 'SAMLProcessingFilter'
2017-02-11 17:13:56.542 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3] o.s.security.saml.SAMLProcessingFilter : Request is to process authentication
2017-02-11 17:13:56.542 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3] o.s.security.saml.SAMLProcessingFilter : Attempting SAML2 authentication using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
2017-02-11 17:13:56.542 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3] o.s.s.saml.processor.SAMLProcessorImpl : Retrieving message using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2017-02-11 17:13:56.558 INFO 29368 --- [http-nio-127.0.0.1-5814-exec-3] colMessageXMLSignatureSecurityPolicyRule : SAML protocol message was not signed, skipping XML signature processing
2017-02-11 17:13:56.558 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3] o.s.security.saml.util.SAMLUtil : Found endpoint org.opensaml.saml2.metadata.impl.AssertionConsumerServiceImpl@5e73661d for request URL https://somesite/saml/SSO based on location attribute in metadata
2017-02-11 17:13:56.558 DEBUG 29368 --- [http-nio-127.0.0.1-5814-exec-3] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.saml.SAMLAuthenticationProvider
2017-02-11 17:13:56.558 INFO 29368 --- [http-nio-127.0.0.1-5814-exec-3] c.p.k.s.CustomWebSSOProfileConsumerImpl : Signature vaildation omitted.
2017-02-11 17:13:56.558 INFO 29368 --- [http-nio-127.0.0.1-5814-exec-3] o.s.security.saml.log.SAMLDefaultLogger : AuthNResponse;SUCCESS;127.0.0.1;https://somesite;;

Upvotes: 0

Views: 2145

Answers (1)

HuTa

Reputation: 178

This showed me the way. The reason was that in the SAML token there was a 'NotOnOrAfter' attribute. In 'SAMLAuthenticationProvider' the method 'authenticate' was creating an 'ExpiringUsernameAuthenticationToken' whose validity is based upon 'NotOnOrAfter'. What I did was to override the 'getExpirationDate' method and extend the token validity to the expected time.

Upvotes: 0
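The override described in the answer above, written out as an added example (this is not the answerer's code, nor part of Spring Security SAML). In the 1.0.x library, SAMLAuthenticationProvider.getExpirationDate(SAMLCredential) returns the earliest SessionNotOnOrAfter found on the assertion's AuthnStatement elements, or null when the IdP sends none, and authenticate() passes that Date to ExpiringUsernameAuthenticationToken; a null expiry means the token never expires. Rather than simply replacing the IdP's value with a fixed time, the hypothetical subclass below bounds it with an application-chosen floor and ceiling, so a one-minute IdP session no longer forces a re-authentication round trip every minute, and an absent SessionNotOnOrAfter no longer yields an unbounded session. The class name, constructor parameters and log messages are assumptions; it assumes the standard WebSSOProfileConsumer still validates the response signature and the assertion's Conditions before the provider is invoked, since this code only decides how long the local session lives after a valid assertion has been accepted.

```java
import java.util.Date;
import java.util.concurrent.TimeUnit;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.saml.SAMLCredential;

/**
 * Hypothetical SAMLAuthenticationProvider (example code, not from the page or
 * the library) that bounds the ExpiringUsernameAuthenticationToken lifetime
 * instead of copying the IdP's SessionNotOnOrAfter verbatim.
 *
 * Extending past what the IdP asserted is a local policy decision: the IdP
 * may have chosen a short SessionNotOnOrAfter on purpose. Agree the values
 * with whoever operates the IdP, and keep the ceiling short enough that a
 * stolen session cookie has a bounded useful life.
 */
public class BoundedSessionSAMLAuthenticationProvider extends SAMLAuthenticationProvider {

    private static final Logger log =
            LoggerFactory.getLogger(BoundedSessionSAMLAuthenticationProvider.class);

    private final long minSessionMillis; // never expire sooner than this
    private final long maxSessionMillis; // never expire later than this

    public BoundedSessionSAMLAuthenticationProvider(long minSessionMinutes, long maxSessionMinutes) {
        if (minSessionMinutes <= 0 || maxSessionMinutes < minSessionMinutes) {
            throw new IllegalArgumentException("require 0 < minSessionMinutes <= maxSessionMinutes");
        }
        this.minSessionMillis = TimeUnit.MINUTES.toMillis(minSessionMinutes);
        this.maxSessionMillis = TimeUnit.MINUTES.toMillis(maxSessionMinutes);
    }

    @Override
    protected Date getExpirationDate(SAMLCredential credential) {
        long now = System.currentTimeMillis();
        Date floor = new Date(now + minSessionMillis);
        Date ceiling = new Date(now + maxSessionMillis);

        // Library behaviour: earliest SessionNotOnOrAfter across the
        // assertion's AuthnStatements, or null if the IdP did not send one.
        Date idpExpiry = super.getExpirationDate(credential);

        if (idpExpiry == null) {
            // Without a cap the token would never expire.
            log.debug("IdP sent no SessionNotOnOrAfter; capping session at {}", ceiling);
            return ceiling;
        }

        Date chosen = idpExpiry;
        if (chosen.before(floor)) {
            // This is the case from the question: a SessionNotOnOrAfter about
            // one minute out, which made every request after that a 401 and
            // a full redirect back to the IdP.
            log.info("IdP session expiry {} is below the configured minimum; extending to {}", idpExpiry, floor);
            chosen = floor;
        }
        if (chosen.after(ceiling)) {
            log.info("IdP session expiry {} exceeds the configured maximum; capping at {}", idpExpiry, ceiling);
            chosen = ceiling;
        }
        return chosen;
    }
}
```

Wire it in place of the existing samlAuthenticationProvider bean, for example with Java config: `@Bean public SAMLAuthenticationProvider samlAuthenticationProvider() { BoundedSessionSAMLAuthenticationProvider p = new BoundedSessionSAMLAuthenticationProvider(30, 8 * 60); p.setForcePrincipalAsString(false); return p; }` (the 30-minute floor and 8-hour ceiling are illustrative values). Before shipping this, confirm from a decoded assertion which attribute is actually short: Conditions/NotOnOrAfter governs how long the assertion itself may be accepted and is checked by the profile consumer, while AuthnStatement/SessionNotOnOrAfter is what feeds getExpirationDate and therefore the 401 after one minute; if the IdP's SessionNotOnOrAfter is simply misconfigured, fixing it there is the cleaner repair and needs no override.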
