我使用Spring安全saml将我的web-Application集成到Okta。 登录Okta并调用我的应用程序后,我得到了一个无限循环调用../ saml / discovery?..... URL。 在.... / saml / SSO之前的请求后返回正确的SAMLResponse。
将应用程序部署到在具有负载均衡器的环境中运行的apache Tomcat后,会发生此错误。在我的neatbeans环境中运行应用程序时,一切都很好。
使用以下securityContext.xml:
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<!-- Enable auto-wiring -->
<context:annotation-config/>
<!-- Scan for auto-wiring classes in spring saml packages -->
<context:component-scan base-package="org.springframework.security.saml"/>
<!-- Unsecured pages -->
<security:http security="none" pattern="/favicon.ico"/>
<security:http security="none" pattern="/images/**"/>
<security:http security="none" pattern="/css/**"/>
<security:http security="none" pattern="/media/**"/>
<security:http security="none" pattern="/logoutOkta"/>
<!-- Security for the administration UI -->
<security:http pattern="/saml/web/**" use-expressions="false">
<security:access-denied-handler error-page="/saml/web/metadata/login"/>
<security:form-login login-processing-url="/saml/web/login" login-page="/saml/web/metadata/login" default-target-url="/saml/web/metadata"/>
<security:intercept-url pattern="/saml/web/metadata/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/saml/web/**" access="ROLE_ADMIN"/>
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
</security:http>
<!-- Secured pages with SAML as entry point -->
<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>
<!-- Filters for processing of SAML messages -->
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map request-matcher="ant">
<security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
<security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
<security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
<security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
<security:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/>
<security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
<security:filter-chain pattern="/saml/discovery/**" filters="samlIDPDiscovery"/>
</security:filter-chain-map>
</bean>
<!-- Handler deciding where to redirect user after successful login -->
<bean id="successRedirectHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/"/>
</bean>
<!-- Handler deciding where to redirect user after failed login -->
<bean id="failureRedirectHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="useForward" value="true"/>
<property name="defaultFailureUrl" value="/errorOkta"/>
</bean>
<!-- Handler for successful logout -->
<bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
<property name="defaultTargetUrl" value="/logoutOkta"/>
</bean>
<security:authentication-manager alias="authenticationManager">
<!-- Register authentication manager for SAML provider -->
<security:authentication-provider ref="samlAuthenticationProvider"/>
<!-- Register authentication manager for administration UI -->
<security:authentication-provider>
<security:user-service id="adminInterfaceService">
<security:user name="admin" password="admin" authorities="ROLE_ADMIN"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<!-- Logger for SAML messages and events -->
<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger">
</bean>
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg value="classpath:security/BFRWebEOW.jks"/>
<constructor-arg type="java.lang.String" value="Key45pass#!"/>
<constructor-arg>
<map>
<entry key="apollo" value="nalle"/>
</map>
</constructor-arg>
<constructor-arg type="java.lang.String" value="apollo"/>
</bean>
<!-- Entry point to initialize authentication, default values taken from properties file -->
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
<property name="defaultProfileOptions">
<bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
<property name="includeScoping" value="false"/>
</bean>
</property>
</bean>
<!-- IDP Discovery Service -->
<bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
<property name="idpSelectionPath" value="/WEB-INF/security/idpSelection.jsp"/>
</bean>
<!-- Filter automatically generates default SP metadata -->
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="entityBaseURL" value="https://yyyy.com/xxxx"/>
<property name="extendedMetadata">
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="idpDiscoveryEnabled" value="true"/>
</bean>
</property>
</bean>
</constructor-arg>
</bean>
<!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there -->
<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<constructor-arg>
<list>
<!-- Example of classpath metadata with Extended Metadata -->
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<constructor-arg>
<bean class="java.util.Timer"/>
</constructor-arg>
<constructor-arg>
<bean class="org.opensaml.util.resource.ClasspathResource">
<constructor-arg value="/metadata/metadata.xml"/>
</bean>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
</bean>
</constructor-arg>
</bean>
<!-- Example of HTTP metadata without Extended Metadata -->
<bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
<!-- URL containing the metadata -->
<constructor-arg>
<value type="java.lang.String">https://yxyx/sso/saml/metadata</value>
</constructor-arg>
<!-- Timeout for metadata loading in ms -->
<constructor-arg>
<value type="int">15000</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</list>
</constructor-arg>
</bean>
<!-- SAML Authentication Provider responsible for validating of received SAML messages -->
<bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
</bean>
<!-- Provider of defaulmetadataGeneratorFiltert SAML Context -->
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
<property name="scheme" value="https"/>
<property name="serverName" value="yyyy.com"/>
<property name="serverPort" value="443"/>
<property name="includeServerPortInRequestURL" value="false"/>
<property name="contextPath" value="/xxxx"/>
</bean>
<!-- Processing filter for WebSSO profile messages -->
<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
<property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
</bean>
<!-- Processing filter for WebSSO Holder-of-Key profile -->
<bean id="samlWebSSOHoKProcessingFilter" class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
<property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
</bean>
<!-- Logout handler terminating local session -->
<bean id="logoutHandler"
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
<property name="invalidateHttpSession" value="false"/>
</bean>
<!-- Override default logout processing filter with the one processing SAML messages -->
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
<constructor-arg index="0" ref="successLogoutHandler"/>
<constructor-arg index="1" ref="logoutHandler"/>
<constructor-arg index="2" ref="logoutHandler"/>
</bean>
<!-- Filter processing incoming logout messages -->
<!-- First argument determines URL user will be redirected to after successful global logout -->
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
<constructor-arg index="0" ref="successLogoutHandler"/>
<constructor-arg index="1" ref="logoutHandler"/>
</bean>
<!-- Class loading incoming SAML messages from httpRequest stream -->
<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg>
<list>
<ref bean="redirectBinding"/>
<ref bean="postBinding"/>
<ref bean="artifactBinding"/>
<ref bean="soapBinding"/>
<ref bean="paosBinding"/>
</list>
</constructor-arg>
</bean>
<!-- SAML 2.0 WebSSO Assertion Consumer -->
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>
<!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
<bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<!-- SAML 2.0 Web SSO profile -->
<bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>
<!-- SAML 2.0 Holder-of-Key Web SSO profile -->
<bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<!-- SAML 2.0 ECP profile -->
<bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/>
<!-- SAML 2.0 Logout Profile -->
<bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
<!-- Bindings, encoders and decoders used for creating and parsing messages -->
<bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
<constructor-arg ref="parserPool"/>
<constructor-arg ref="velocityEngine"/>
</bean>
<bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
<constructor-arg ref="parserPool"/>
</bean>
<bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
<constructor-arg ref="parserPool"/>
<constructor-arg ref="velocityEngine"/>
<constructor-arg>
<bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
<constructor-arg>
<bean class="org.apache.commons.httpclient.HttpClient">
<constructor-arg>
<bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
</constructor-arg>
</bean>
</constructor-arg>
<property name="processor">
<bean class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg ref="soapBinding"/>
</bean>
</property>
</bean>
</constructor-arg>
</bean>
<bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
<constructor-arg ref="parserPool"/>
</bean>
<bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
<constructor-arg ref="parserPool"/>
</bean>
<!-- Initialization of OpenSAML library-->
<bean class="org.springframework.security.saml.SAMLBootstrap"/>
<!-- Initialization of the velocity engine -->
<bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>
<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"/>
<bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
</beans>
日志文件中出现以下错误: HttpSession为SPRING_SECURITY_CONTEXT
返回了null对象2018-04-10 10:10:18,605 [http-nio-8080-exec-5] DEBUG OpenSessionInViewFilter:lookupSessionFactory.239 - Using SessionFactory 'sessionFactory' for OpenSessionInViewFilter
2018-04-10 10:10:18,605 [http-nio-8080-exec-5] DEBUG DefaultListableBeanFactory:doGetBean.245 - Returning cached instance of singleton bean 'sessionFactory'
2018-04-10 10:10:18,605 [http-nio-8080-exec-5] DEBUG OpenSessionInViewFilter:doFilterInternal.181 - Opening single Hibernate Session in OpenSessionInViewFilter
2018-04-10 10:10:18,605 [http-nio-8080-exec-5] DEBUG SessionFactoryUtils:doGetSession.322 - Opening Hibernate Session
2018-04-10 10:10:18,606 [http-nio-8080-exec-5] DEBUG AntPathRequestMatcher:matches.103 - Checking match of request : '/bfrwebeow/saml/sso'; against '/favicon.ico'
2018-04-10 10:10:18,606 [http-nio-8080-exec-5] DEBUG AntPathRequestMatcher:matches.103 - Checking match of request : '/bfrwebeow/saml/sso'; against '/images/**'
2018-04-10 10:10:18,606 [http-nio-8080-exec-5] DEBUG AntPathRequestMatcher:matches.103 - Checking match of request : '/bfrwebeow/saml/sso'; against '/css/**'
2018-04-10 10:10:18,606 [http-nio-8080-exec-5] DEBUG AntPathRequestMatcher:matches.103 - Checking match of request : '/bfrwebeow/saml/sso'; against '/media/**'
2018-04-10 10:10:18,606 [http-nio-8080-exec-5] DEBUG AntPathRequestMatcher:matches.103 - Checking match of request : '/bfrwebeow/saml/sso'; against '/logoutokta'
2018-04-10 10:10:18,606 [http-nio-8080-exec-5] DEBUG AntPathRequestMatcher:matches.103 - Checking match of request : '/bfrwebeow/saml/sso'; against '/saml/web/**'
2018-04-10 10:10:18,607 [http-nio-8080-exec-5] DEBUG FilterChainProxy:doFilter.337 - /BFRWebEOW/saml/SSO at position 1 of 9 in additional filter chain; firing Filter: 'MetadataGeneratorFilter'
2018-04-10 10:10:18,607 [http-nio-8080-exec-5] DEBUG FilterChainProxy:doFilter.337 - /BFRWebEOW/saml/SSO at position 2 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-04-10 10:10:18,607 [http-nio-8080-exec-5] DEBUG HttpSessionSecurityContextRepository:readSecurityContextFromSession.139 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2018-04-10 10:10:18,607 [http-nio-8080-exec-5] DEBUG HttpSessionSecurityContextRepository:loadContext.85 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@54407435. A new one will be created.
2018-04-10 10:10:18,607 [http-nio-8080-exec-5] DEBUG FilterChainProxy:doFilter.337 - /BFRWebEOW/saml/SSO at position 3 of 9 in additional filter chain; firing Filter: 'FilterChainProxy'
2018-04-10 10:10:18,607 [http-nio-8080-exec-5] DEBUG AntPathRequestMatcher:matches.103 - Checking match of request : '/bfrwebeow/saml/sso'; against '/saml/login/**'
2018-04-10 10:10:18,607 [http-nio-8080-exec-5] DEBUG AntPathRequestMatcher:matches.103 - Checking match of request : '/bfrwebeow/saml/sso'; against '/saml/logout/**'
2018-04-10 10:10:18,607 [http-nio-8080-exec-5] DEBUG AntPathRequestMatcher:matches.103 - Checking match of request : '/bfrwebeow/saml/sso'; against '/saml/metadata/**'
2018-04-10 10:10:18,607 [http-nio-8080-exec-5] DEBUG AntPathRequestMatcher:matches.103 - Checking match of request : '/bfrwebeow/saml/sso'; against '/saml/sso/**'
2018-04-10 10:10:18,607 [http-nio-8080-exec-5] DEBUG AntPathRequestMatcher:matches.103 - Checking match of request : '/bfrwebeow/saml/sso'; against '/saml/ssohok/**'
2018-04-10 10:10:18,608 [http-nio-8080-exec-5] DEBUG AntPathRequestMatcher:matches.103 - Checking match of request : '/bfrwebeow/saml/sso'; against '/saml/singlelogout/**'
2018-04-10 10:10:18,608 [http-nio-8080-exec-5] DEBUG AntPathRequestMatcher:matches.103 - Checking match of request : '/bfrwebeow/saml/sso'; against '/saml/discovery/**'
2018-04-10 10:10:18,608 [http-nio-8080-exec-5] DEBUG FilterChainProxy:doFilterInternal.180 - /BFRWebEOW/saml/SSO has no matching filters
2018-04-10 10:10:18,608 [http-nio-8080-exec-5] DEBUG FilterChainProxy:doFilter.337 - /BFRWebEOW/saml/SSO at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2018-04-10 10:10:18,608 [http-nio-8080-exec-5] DEBUG DefaultSavedRequest:propertyEquals.309 - pathInfo: both null (property equals)
2018-04-10 10:10:18,608 [http-nio-8080-exec-5] DEBUG DefaultSavedRequest:propertyEquals.309 - queryString: both null (property equals)
2018-04-10 10:10:18,608 [http-nio-8080-exec-5] DEBUG DefaultSavedRequest:propertyEquals.325 - requestURI: arg1=/BFRWebEOW/saml/SSO; arg2=/BFRWebEOW/saml/SSO (property equals)
2018-04-10 10:10:18,608 [http-nio-8080-exec-5] DEBUG DefaultSavedRequest:propertyEquals.325 - serverPort: arg1=443; arg2=443 (property equals)
2018-04-10 10:10:18,608 [http-nio-8080-exec-5] DEBUG DefaultSavedRequest:propertyEquals.325 - requestURL: arg1=https://eow-rrx.tst.railigent.com/BFRWebEOW/saml/SSO; arg2=https://eow-rrx.tst.railigent.com/BFRWebEOW/saml/SSO (property equals)
2018-04-10 10:10:18,608 [http-nio-8080-exec-5] DEBUG DefaultSavedRequest:propertyEquals.325 - scheme: arg1=https; arg2=https (property equals)
2018-04-10 10:10:18,608 [http-nio-8080-exec-5] DEBUG DefaultSavedRequest:propertyEquals.325 - serverName: arg1=eow-rrx.tst.railigent.com; arg2=eow-rrx.tst.railigent.com (property equals)
2018-04-10 10:10:18,609 [http-nio-8080-exec-5] DEBUG DefaultSavedRequest:propertyEquals.325 - contextPath: arg1=; arg2= (property equals)
2018-04-10 10:10:18,609 [http-nio-8080-exec-5] DEBUG DefaultSavedRequest:propertyEquals.325 - servletPath: arg1=/BFRWebEOW/saml/SSO; arg2=/BFRWebEOW/saml/SSO (property equals)
2018-04-10 10:10:18,609 [http-nio-8080-exec-5] DEBUG HttpSessionRequestCache:removeRequest.62 - Removing DefaultSavedRequest from session if present
2018-04-10 10:10:18,609 [http-nio-8080-exec-5] DEBUG FilterChainProxy:doFilter.337 - /BFRWebEOW/saml/SSO at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2018-04-10 10:10:18,609 [http-nio-8080-exec-5] DEBUG FilterChainProxy:doFilter.337 - /BFRWebEOW/saml/SSO at position 6 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2018-04-10 10:10:18,609 [http-nio-8080-exec-5] DEBUG AnonymousAuthenticationFilter:doFilter.102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90541710: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 80.146.228.89; SessionId: 37CBBCFA2AA537EF36B64F9C33332A26; Granted Authorities: ROLE_ANONYMOUS'
2018-04-10 10:10:18,609 [http-nio-8080-exec-5] DEBUG FilterChainProxy:doFilter.337 - /BFRWebEOW/saml/SSO at position 7 of 9 in additional filter chain; firing Filter: 'SessionManagementFilter'
2018-04-10 10:10:18,609 [http-nio-8080-exec-5] DEBUG FilterChainProxy:doFilter.337 - /BFRWebEOW/saml/SSO at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2018-04-10 10:10:18,610 [http-nio-8080-exec-5] DEBUG FilterChainProxy:doFilter.337 - /BFRWebEOW/saml/SSO at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2018-04-10 10:10:18,610 [http-nio-8080-exec-5] DEBUG FilterSecurityInterceptor:beforeInvocation.194 - Secure object: FilterInvocation: URL: /BFRWebEOW/saml/SSO; Attributes: [IS_AUTHENTICATED_FULLY]
2018-04-10 10:10:18,610 [http-nio-8080-exec-5] DEBUG FilterSecurityInterceptor:authenticateIfRequired.310 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@90541710: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 80.146.228.89; SessionId: 37CBBCFA2AA537EF36B64F9C33332A26; Granted Authorities: ROLE_ANONYMOUS
2018-04-10 10:10:18,610 [http-nio-8080-exec-5] DEBUG AffirmativeBased:decide.65 - Voter: org.springframework.security.access.vote.RoleVoter@1e69f47a, returned: 0
2018-04-10 10:10:18,610 [http-nio-8080-exec-5] DEBUG AffirmativeBased:decide.65 - Voter: org.springframework.security.access.vote.AuthenticatedVoter@49bbcd88, returned: -1
2018-04-10 10:10:18,610 [http-nio-8080-exec-5] DEBUG ExceptionTranslationFilter:handleSpringSecurityException.165 - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
at