我们有一个基于 appfuse 入门工具包版本 2.2.1 构建的示例 Web 应用程序,该应用程序使用 Spring security 3.1.3.RELEASE。我们将把它部署在 WAS 7 上,并在 IBM WebSphere 8.5.5.8(Liberty) 上测试它。 我们的问题是在成功/失败的登录请求之后,某些东西会破坏请求的 servletPath 值并将其设置为 null。
((HttpServletRequest) request).getServletPath()
这是 LocaleFilter 尝试使用 getServletPath() 的/j_security_check 值执行 chain.doFilter 的时间,我们遇到:
Exception thrown by application class 'org.springframework.security.web.util.AntPathRequestMatcher.getRequestPath:116' java.lang.NullPointerException: at org.springframework.security.web.util.AntPathRequestMatcher.getRequestPath(AntPathRequestMatcher.java:116) at org.springframework.security.web.util.AntPathRequestMatcher.matches(AntPathRequestMatcher.java:100) at org.springframework.security.web.DefaultSecurityFilterChain.matches(DefaultSecurityFilterChain.java:42) at org.springframework.security.web.FilterChainProxy.getFilters(FilterChainProxy.java:203) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:176) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) at [internal classes] at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:59) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) at [internal classes] at org.tuckey.web.filters.urlrewrite.NormalRewrittenUrl.doRewrite(NormalRewrittenUrl.java:213) at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:171) at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145) at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92) at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:394) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) at [internal classes] at ir.dpi.webapp.filter.LocaleFilter.doFilterInternal(LocaleFilter.java:67) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) at [internal classes] at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) at [internal classes] at com.opensymphony.sitemesh.webapp.SiteMeshFilter.obtainContent(SiteMeshFilter.java:129) at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:77) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) at [internal classes]
这是我们的 security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/images/**" security="none"/>
<http pattern="/styles/**" security="none"/>
<http pattern="/scripts/**" security="none"/>
<http auto-config="false" create-session="always">
<intercept-url pattern="/app/admin/**" access="ROLE_ADMIN"/>
<intercept-url pattern="/app/passwordHint*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
<intercept-url pattern="/app/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
<intercept-url pattern="/app/**" access="ROLE_ADMIN,ROLE_USER"/>
<form-login login-page="/login" authentication-failure-url="/login?error=true" login-processing-url="/j_security_check"/>
<remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/>
</http>
<authentication-manager >
<authentication-provider user-service-ref="userDao" >
<password-encoder ref="passwordEncoder" >
<salt-source ref="saltSource" />
</password-encoder>
</authentication-provider>
</authentication-manager>
<beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource"
p:userPropertyToUse="username"/>
<global-method-security>
<protect-pointcut expression="execution(* *..service.UserManager.getUsers(..))" access="ROLE_ADMIN"/>
<protect-pointcut expression="execution(* *..service.UserManager.removeUser(..))" access="ROLE_ADMIN"/>
</global-method-security>
</beans:beans>
如有任何帮助,我们将不胜感激。
最佳答案
我使用 this code ranch topic 找到了解决方案。 AppFuse 使用不同的 Filter(javax.servlet),并且 IBM WebSphere 的 Wrapping 机制对 session 创建优先级敏感。因此,我在 web.xml 文件中向上移动了 Spring securityFilter 映射。
<filter-mapping>
<filter-name>securityFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>sitemesh</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
...
现在登录过程已经完成。
请注意,在 Liberty server.xml 中设置这些设置至关重要:
<httpSession cookieName="MY_LIBERTY_COOKIE" />
<basicRegistry />
IBM WebSphere Application Server(WAS Full) 中的等效设置设置为:
Session management -> General Properties -> Enable cookies
此外,在 WAS 版本 7 中(可能适用于其他版本),还需要使用:
<http auto-config="false" disable-url-rewriting="true" create-session="always">
在 spring security.xml 文件中。
关于java - IBM WebSphere 8.5.5.8(Liberty) + Spring Security 3.1.3.RELEASE,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/35868621/