我让 Spring 过滤器链中的 session 管理过滤器在此类 HttpSessionSecurityContextRepository 中抛出此异常。 这是我的 security-app.xml 的片段
<beans:bean id="springSecurityFilterChain1" class="org.springframework.security.web.FilterChainProxy">
<beans:constructor-arg>
<beans:list>
<security:filter-chain pattern="/resources/**" filters="none"/>
<security:filter-chain pattern="/**"
filters="securityContextPersistenceFilterWithASCTrue,
customBadgeAuthFilter,
logoutFilter,
requestCacheFilter,
securityContextHolderAwareRequestFilter,
sessionMgmtFilter,
formLoginExceptionTranslationFilter,
filterSecurityInterceptor" />
</beans:list>
</beans:constructor-arg></beans:bean><beans:bean id="securityContextHolderAwareRequestFilter"
class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter"/>
<beans:bean id="requestCacheFilter" class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter" />
<beans:bean id="securityContextPersistenceFilterWithASCTrue"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<beans:property name="securityContextRepository" ref="securityContextRepository"/>
</beans:bean>
<beans:bean id="securityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/><beans:bean id="sessionMgmtFilter" class="org.springframework.security.web.session.SessionManagementFilter">
<beans:constructor-arg ref="securityContextRepository"/>
</beans:bean>
当它尝试转换为 SavedContextOnUpdateOrErrorResponseWrapper 时,它是一个类转换。该值由 ContextPersistentFilter 设置,它在我的安全链中作为第一个元素被调用
public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
SaveContextOnUpdateOrErrorResponseWrapper responseWrapper = (SaveContextOnUpdateOrErrorResponseWrapper)response;
// saveContext() might already be called by the response wrapper
// if something in the chain called sendError() or sendRedirect(). This ensures we only call it
// once per request.
if (!responseWrapper.isContextSaved() ) {
responseWrapper.saveContext(context);
}
}
这是我的堆栈跟踪
java.lang.ClassCastException: org.springframework.security.web.firewall.FirewalledResponse cannot be cast to org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper
at org.springframework.security.web.context.HttpSessionSecurityContextRepository.saveContext(HttpSessionSecurityContextRepository.java:99)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:93)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
at edu.mayo.fss.security.filter.SecureLoginFilter.doFilter(SecureLoginFilter.java:83)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
at edu.mayo.fss.spring.util.LoggingFilter.doFilter(LoggingFilter.java:41)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
at
有人可以帮我看看我需要做什么来解决这个防火墙请求类广播异常吗?当 sessionMgmtFilter 尝试强制转换时,错误开始。
谢谢 DJ
最佳答案
在 spring-filter 链代理之前我有一个辅助 servlet 过滤器。 当我摆脱那个过滤器的那一刻,一切都开始工作了。 因此,如果 spring-filter 链不是直接从 jsp 调用,而是通过另一个过滤器路由,然后调用过滤器链,则防火墙请求将抛出 Class Cast Exception。 spring-security之前的customFilter是FirewalledClass Cast Exception的原因。
<filter><filter-name>customFilter</filter-name><filter-class>sas.SecureLoginFilter</filter-class></filter><filter-mapping><filter-name>customFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping><filter><filter-name>springSecurityFilterChain</filter-name><filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class></filter>
关于java - 在 Spring 过滤器链中的 session 管理过滤器中获取 Firewalledrequest ClasscastException,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/35879984/