Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Waffle SpringBoot error logging - Invalid Authorization header: Negotiate #1472

Open
Smaju78 opened this issue Feb 1, 2022 · 4 comments
Open

Waffle SpringBoot error logging - Invalid Authorization header: Negotiate #1472

Smaju78 opened this issue Feb 1, 2022 · 4 comments
Labels
bug?

Comments

@Smaju78
Copy link

Smaju78 commented Feb 1, 2022

Our application uses Waffle SpringBoot starter to identify the Active Directory user for user authentication of our application. However, everytime a user logs in, there is an error logged though it does not prevent authentication. This has resulted in ballooning of the log file very soon to 100s of MBs. The error I am getting is as follows

05-November 00:46:53 ERROR - Servlet.service() for servlet [dispatcherServlet] in context with path [/burganPMS] threw exception 
java.lang.RuntimeException: Invalid Authorization header: Negotiate
	at waffle.util.AuthorizationHeader.getSecurityPackage(AuthorizationHeader.java:94)
	at waffle.spring.NegotiateSecurityFilter.doFilter(NegotiateSecurityFilter.java:104)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:92)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)

Nov 05, 2021 10:13:13 PM org.apache.catalina.core.StandardHostValve custom
SEVERE: Exception Processing ErrorPage[errorCode=500, location=/custom_error_page.jsp]
java.lang.RuntimeException: Invalid Authorization header: Negotiate
	at waffle.util.AuthorizationHeader.getSecurityPackage(AuthorizationHeader.java:94)
	at waffle.spring.NegotiateSecurityFilter.doFilter(NegotiateSecurityFilter.java:104)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:103)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:103)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:103)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:103)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:103)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:713)
	at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:464)
	at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:387)
	at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:315)
	at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:394)
	at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:253)
	at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:348)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:173)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:615)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1627)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

I have tried to filter this error from being printed in Log4J2 by using RegexFilter on waffle.util.* but that has also not worked.

I need help to figure

If this error is indicative of any wrong configuration?
If not, how to turn off printing this error in log files using Log4J2?
@dblock
Copy link
Collaborator

dblock commented Feb 3, 2022

It looks like you have a Authorization: Negotiate header without a token value and Waffle never expects that. The protocol says it's supposed to be followed by a token, AFAIK. So either something is stripping the token, the filter may be invoked twice, or something else. I would start by looking at the client side and see what headers get sent from the client.

@dblock dblock added the bug? label Feb 3, 2022
@Smaju78
Copy link
Author

Smaju78 commented Feb 4, 2022

What we have discovered is that this was working perfectly fine till we upgraded the version of the Waffle dependency -> waffle-spring-boot-starter to 3.0.0 for our Spring Boot application. Prior to this, we were using version 2.2.1 when such runtime exceptions didn't appear ever before. Is there something in 3.0.0 for us to configure anything additionally?

@hazendaz
Copy link
Member

@Smaju78 Does 2.3.0 work? 2.2.1 is really old at this point, so I think working your way up to confirm what works or does not will help you isolate the issue. I agree with @dblock here on missing token. I saw something online referring to that occuring when crossing domains but not sure if that is related. The code in that specific spot hasn't changed since it was originally written to any degree. It expects the protocol + space + token. The space and token are missing here.

@nclemeur nclemeur mentioned this issue Dec 10, 2024
Open
@AdrianDiemerDev
Copy link

I had the same issue. I found out that the service responded with 401 even after the user had been successfully authenticated causing Chrome to send a Negotiate Authorization header without a token which, apparently, is incorrect behavior according to the protocol spec.

Anyway, the reason for the 401 response seemed to be that the NegotiateSecurityFilter was applied twice. So making sure that the filter was only applied once solved the issue for me.

The fix in the library would probably be to have the waffle.spring.NegotiateSecurityFilter extend org.springframework.web.filter.OncePerRequestFilter instead of org.springframework.web.filter.GenericFilterBean.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug?
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dblock @hazendaz @Smaju78 @AdrianDiemerDev