AD SSO some requests are not authenticated

Hey there,

I have a problem - we have an Azure AD login and a Bloomreach managed login site by site. We are now trying to only provide the AD login for users and would like to customize the login page. We implemented the following Redirect Filter, but some requests to CMS resources seem not to be authenticated.

Like “/cms/wicket/resource”, “/cms/angular/” etc.

Why is this the case? Should the authentication via SSO or Bloomreach not have the same security domain, as we are just mapping users?

package de.security.sso;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class ADAutomaticRedirectFilter implements Filter {

    private static final Logger log = LoggerFactory.getLogger(ADAutomaticRedirectFilter.class);

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        log.debug("doFilter ADAutomaticRedirectFilter");
        final HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        final HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        // Already authenticated (and not the anonymous placeholder token): let the request through.
        // The null check guards against an empty SecurityContext, which would otherwise throw an NPE here.
        if (authentication != null
                && !(authentication instanceof AnonymousAuthenticationToken)
                && authentication.isAuthenticated()) {
            log.warn("xxx request is authenticated {}?{}",httpServletRequest.getRequestURI(), httpServletRequest.getQueryString());
            chain.doFilter(request, response);
            return;
        }
        
        if (httpServletRequest.getRequestURI().contains("/cms/skin/screen.css")
                || httpServletRequest.getRequestURI().contains("/cms/wicket/resource")
                || httpServletRequest.getRequestURI().contains("/cms/skin/hippo-cms")
                || httpServletRequest.getRequestURI().contains("/cms/navapp-assets")
                || httpServletRequest.getRequestURI().contains("/cms/angular/")
                || httpServletRequest.getRequestURI().contains("/cms/ws/navigationitems")
                || request.getParameter("1-1.0-root-pinger") != null
                || request.getParameter("iframe") != null
                || httpServletRequest.getRequestURI().contains("/cms/skin/screen_legacy.css")) {
            // why are all these not authenticated ???
            log.warn("xxx ????not authenticated ???  {}?{}",httpServletRequest.getRequestURI(), httpServletRequest.getQueryString());
            chain.doFilter(request, response);
        } else {
            log.warn("xxx will redirect now !!!!  {}?{}",httpServletRequest.getRequestURI(), httpServletRequest.getQueryString());
            httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + "/sso-login/?iframe=true&loginRedirect=true");
            //chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() {
    }
}

Best wishes,

If you’re using Spring then you probably have a SecurityConfig in your project which is setting up which paths are authorized or not.

You may refer to the below documents for further reference:
Doc 1
Doc 2

Thank you very much,

I will have a look into it and let you know.

Best wishes,

As far as I understand this is for site/webapp → but we are trying to use it for the cms.

Hey @Doenut ,

Indeed, the links my colleague has provided to you are referring to the site webapp.
However, the same principles apply for the CMS application.

The idea, as @david.bailey mentioned, is to exclude certain endpoints from the SSO authentication (like ping, static resources etc.).

Kind regards

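One way to express the exclusions the answers describe in Spring Security itself, as an added example that is not part of the thread or of Bloomreach's own code: the path prefixes are the ones from the filter in the question, the class and package names are hypothetical, and it assumes Spring Security 5 with the javax.servlet API (so WebSecurityConfigurerAdapter is still available). The filter's parameter-based exceptions (iframe, the Wicket pinger parameter) are deliberately not reproduced, because any client can append a query parameter, so they would not be a safe basis for permitting a request.

```java
package de.security.sso; // hypothetical package, matching the filter in the question

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class CmsSsoSecurityConfig extends WebSecurityConfigurerAdapter {

    // Resources the CMS loads before (and while) a user is logged in: skin and Wicket
    // resources, the navapp shell and its navigation items. These prefixes are taken from
    // the redirect filter in the question; whether each one really may be served to an
    // unauthenticated client is a decision for the project, not this example.
    private static final String[] PUBLIC_CMS_RESOURCES = {
        "/cms/skin/**",
        "/cms/wicket/resource/**",
        "/cms/navapp-assets/**",
        "/cms/angular/**",
        "/cms/ws/navigationitems/**",
        "/sso-login/**"
    };

    // Same redirect target the filter in the question uses; hypothetical entry point
    // implementation so that the rule lives in one place instead of a hand-written filter.
    private static final AuthenticationEntryPoint SSO_LOGIN_ENTRY_POINT =
        (request, response, authException) ->
            response.sendRedirect(request.getContextPath() + "/sso-login/?iframe=true&loginRedirect=true");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Explicit allow-list by path prefix; everything else needs an authenticated user.
                .antMatchers(PUBLIC_CMS_RESOURCES).permitAll()
                .anyRequest().authenticated()
            .and()
            // Unauthenticated requests to any non-listed path are sent to the SSO login page.
            .exceptionHandling()
                .authenticationEntryPoint(SSO_LOGIN_ENTRY_POINT);
    }
}
```

With this in place the custom filter's own allow-list is no longer needed, and a request that was let through can be traced to one explicit matcher rather than to a substring check on the URI.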