我在我的服务中使用 Spring Security 和 Waffle。当我在本地连接到该服务时(浏览器和 Tomcat 在同一台计算机上启动),一切都运行良好(浏览器不询问登录名和密码)。当我从另一台计算机连接到该服务时,浏览器总是询问登录名和密码。
这是我的 web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5">
<display-name>Struts 2 Spring Security 4</display-name>
<!--SPRING SECURITY-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-security/context.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--SPRING SECURITY-->
<filter>
<filter-name>SecurityFilter</filter-name>
<filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
<init-param>
<param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
<param-value>
Negotiate
NTLM
</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>SecurityFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Struts 2-->
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Struts 2-->
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<!-- Struts Tiles Listener -->
<listener>
<listener-class>
org.apache.struts2.tiles.StrutsTilesListener
</listener-class>
</listener>
<!-- Struts Tiles Listener -->
<listener>
<listener-class>
ru.dpd.vms.pss.scheduler.SchedulerListener
</listener-class>
</listener>
<context-param>
<param-name>org.apache.tiles.impl.BasicTilesContainer.DEFINITIONS_CONFIG</param-name>
<param-value>
/WEB-INF/tiles.xml
</param-value>
</context-param>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<session-config>
<session-timeout>120</session-timeout>
</session-config>
</web-app>
这是 Spring 上下文:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<sec:http auto-config="true"
use-expressions="true"
request-matcher="regex"
entry-point-ref="negotiateSecurityFilterEntryPoint" >
<sec:csrf disabled="true"/>
<sec:custom-filter ref="waffleNegotiateSecurityFilter" before="BASIC_AUTH_FILTER" />
<sec:custom-filter ref="customFilter" after="BASIC_AUTH_FILTER"/>
Here is some <sec:intercept-url/>
</sec:http>
<bean id="basicSecurityFilterProvider" class="waffle.servlet.spi.BasicSecurityFilterProvider">
<constructor-arg ref="waffleWindowsAuthProvider" />
</bean>
<bean id="waffleSecurityFilterProviderCollection" class="waffle.servlet.spi.SecurityFilterProviderCollection">
<constructor-arg>
<list>
<ref bean="negotiateSecurityFilterProvider" />
<ref bean="basicSecurityFilterProvider" />
</list>
</constructor-arg>
</bean>
<bean id="negotiateSecurityFilterProvider" class="waffle.servlet.spi.NegotiateSecurityFilterProvider">
<constructor-arg ref="waffleWindowsAuthProvider" />
</bean>
<bean id="negotiateSecurityFilterEntryPoint" class="waffle.spring.NegotiateSecurityFilterEntryPoint">
<property name="Provider" ref="waffleSecurityFilterProviderCollection" />
</bean>
<sec:authentication-manager alias="authenticationProvider">
<sec:authentication-provider ref="waffleSpringAuthenticationProvider" />
</sec:authentication-manager>
<bean id="waffleWindowsAuthProvider" class="waffle.windows.auth.impl.WindowsAuthProviderImpl" />
<bean id="waffleSpringAuthenticationProvider" class="waffle.spring.WindowsAuthenticationProvider">
<property name="allowGuestLogin" value="false" />
<property name="principalFormat" value="fqn" />
<property name="roleFormat" value="both" />
<property name="authProvider" ref="waffleWindowsAuthProvider" />
</bean>
<bean id="waffleNegotiateSecurityFilter" class="waffle.spring.NegotiateSecurityFilter">
<property name="Provider" ref="waffleSecurityFilterProviderCollection" />
<property name="AllowGuestLogin" value="false" />
<property name="PrincipalFormat" value="fqn" />
<property name="RoleFormat" value="both" />
</bean>
<bean id="customFilter" class="ru.yyy.vms.pss.ntlm.CustomFilter"></bean>
</beans>
我真的很高兴任何建议。 谢谢。
1) 当你取消登录框时会发生什么(截图) 2) 如果你输入一些(可能是假的)凭证会发生什么(截图) 在这种情况下会显示站点。我不想发表它。 3) 调试器的网络选项卡中显示的内容(屏幕截图 + 复制的纯文本)
Request URL: http://yyy/wyyy/welcome.do
Request Method: GET
Status Code: 200 OK
Remote Address: 10.239.254.213:8088
Referrer Policy: no-referrer-when-downgrade
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: text/html;charset=UTF-8
Date: Wed, 07 Nov 2018 07:07:08 GMT
Expires: 0
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E9CCCF0A98F62D56A43EBC383D759DE8; Path=/wyyy/; HttpOnly
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAvAjAAAADw==
Connection: keep-alive
Cookie: JSESSIONID=AA48EC52FF03298E8217D5A4DF9D3D73
Host: yyy
Upgrade-Insecure-Requests: 1
Request URL: http://yyy/wyyy/welcome.do
Request Method: GET
Status Code: 401 Unauthorized
Remote Address: 10.239.254.213:8088
Referrer Policy: no-referrer-when-downgrade
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Connection: close
Content-Language: en
Content-Length: 994
Content-Type: text/html;charset=utf-8
Date: Wed, 07 Nov 2018 07:15:14 GMT
Expires: 0
Pragma: no-cache
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="BasicSecurityFilterProvider"
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Cookie: JSESSIONID=657AC285B9FF43405FADD51026088F4D
Host: yyy
Upgrade-Insecure-Requests: 1
最佳答案
您好,您需要激活 Windows 集成身份验证或将您的网站添加到每台计算机上的本地 Intranet,
https://specopssoft.com/blog/configuring-chrome-and-firefox-for-windows-integrated-authentication/
https://itkb.csulb.edu/display/help/Adding+Sites+to+Local+Intranet+in+Browser+Settings
否则您可以执行以下步骤,
1) 安装 Apache Web Server 并使用 modntlm 配置使用 NTLM 身份验证
2) 将 mod_jk 配置到您的 Selvlet 容器(JBoss 或 Tomcat)http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html成功验证后,Apache 将 REMOTE_USER header 发送到 servlet 容器。 header (根据名称)包含经过身份验证的用户的用户名确保您配置 tomcatAuthentication="false"以允许 Apache 允许 apache 发送 REMOTE_USER header
3) 在 Spring Security 中实现和配置您自己的 PreAuthenticatedProcessingFilter:http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6167
它应该与 Request-Header Authentication 过滤器非常相似:http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6295
此外,您应该从用户名中省略域名。用户名在 NTLM 身份验证后在 REMOTE_USER header 中发送。
关于java - 当我连接到服务时,浏览器询问登录名和密码,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/53168244/