We are having a problem with our FLEX/Spring/BlazeDS application. Basically, in Firefox and IE (not Chrome), if you authenticate against the site several times (login/logout/login/logout), you eventually end up in a state where you can authenticate to the server just by clicking "Login" with anything at all in the password field, at least until you close and reopen the browser. What is going on??
Looking at the Spring Security logs, you can see that the SecurityContext is not being invalidated properly and is being re-used. I have added some snippets below to help get to a solution.
This only seems to happen when I use the application's default glassfish servlet context: https://staging.website.net:8181/
It does not happen if I use the application's direct context: https://staging.website.net:8181/myapp
Here are our logout filter and spring-security details:
<security:http entry-point-ref="oamAuthenticationProcessingFilterEntryPoint"
               auto-config="false">
    <security:intercept-url pattern="/messagebroker/**/*"
                            access="ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN" />
    <security:intercept-url pattern="/cms/login"
                            access="ROLE_ANONYMOUS" />
    <security:intercept-url pattern="/cms*"
                            access="ROLE_CMS,ROLE_ADMIN" />
    <security:intercept-url pattern="/gen*"
                            access="ROLE_CMS,ROLE_ADMIN" />
    <security:intercept-url pattern="/test*"
                            access="ROLE_ANONYMOUS,ROLE_USER" />
    <!-- splash page and root bypass the security filter chain entirely -->
    <security:intercept-url pattern="*/index.jsp" filters="none" />
    <security:intercept-url pattern="*/" filters="none" />
    <!-- <security:form-login login-page="/index.jsp" /> -->
    <security:logout logout-success-url="/index.jsp" />
    <security:anonymous granted-authority="ROLE_ANONYMOUS" />
</security:http>

<!-- custom logout filter, placed first in the chain; receives the LogoutHandler list -->
<bean id="splashPageLogoutFilter"
      class="<redacted>.security.SplashPageLogoutFilter">
    <security:custom-filter position="FIRST" />
    <constructor-arg index="0">
        <list>
            <ref bean="securityContextLogoutHandler" />
        </list>
    </constructor-arg>
</bean>

<bean id="securityContextLogoutHandler"
      class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />

<bean id="daoAuthenticationProvider"
      class="<redacted>.security.UserAuthentication">
    <security:custom-authentication-provider />
    <property name="allowedFailAttempts" value="5" />
    <property name="allowedAttemptsBeforeCaptcha" value="3" />
    <property name="userDetailsService" ref="customUserDetailsService" />
    <property name="passwordEncoder">
        <bean name="passwordEncoder"
              class="org.springframework.security.providers.encoding.ShaPasswordEncoder" />
    </property>
    <property name="saltSource">
        <bean class="org.springframework.security.providers.dao.salt.SystemWideSaltSource">
            <property name="systemWideSalt" value="not1thing" />
        </bean>
    </property>
</bean>
Our context handler (the SplashPageLogoutFilter bean above):
import java.io.IOException;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.Authentication;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.ui.SpringSecurityFilter;
import org.springframework.security.ui.logout.LogoutHandler;

// Custom filter wired in security.xml; the LogoutHandler list is constructor-arg 0.
public class SplashPageLogoutFilter extends SpringSecurityFilter {
    private static final Log logger = LogFactory.getLog(SplashPageLogoutFilter.class);
    private final LogoutHandler[] handlers;

    public SplashPageLogoutFilter(List<LogoutHandler> handlers) {
        this.handlers = handlers.toArray(new LogoutHandler[handlers.size()]);
    }

    @Override
    protected void doFilterHttp(HttpServletRequest request,
            HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // SSO Login Request
        boolean logout = false;
        if ("POST".equals(request.getMethod())
                && request.getRequestURI().endsWith("/webSSO")) {
            logout = true;
        }
        // Any GET of the splash page also logs the user out
        if ("GET".equals(request.getMethod())
                && request.getRequestURI().contains("index.jsp")) {
            logout = true;
        }
        if (logout) {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            logger.info("doFilterHttp caused Logout.");
            for (int i = 0; i < handlers.length; i++) {
                handlers[i].logout(request, response, auth);
            }
        }
        chain.doFilter(request, response);
    }

    public int getOrder() { return 0; } // shows up as "order=0" in the debug log
}
I can see doFilterHttp logging the user out and sending them to the index page, but after doing this a few times the user can log in with any password. Looking at the Spring Security debug output shows the following:
sec.log
2011-11-25 09:06:30,689|ExceptionTranslationFilter|Chain processed normally
2011-11-25 09:06:30,690|HttpSessionContextIntegrationFilter|SecurityContextHolder now cleared, as request processing completed
2011-11-25 09:09:36,017|FilterChainProxy|Converted URL to lowercase, from: '/messagebroker/amfsecure'; to: '/messagebroker/amfsecure'
2011-11-25 09:09:36,018|FilterChainProxy|Candidate is: '/messagebroker/amfsecure'; pattern is /**; matched=true
2011-11-25 09:09:36,019|FilterChainProxy|/messagebroker/amfsecure at position 1 of 10 in additional filter chain; firing Filter: 'org.springframework.flex.config.SessionFixationProtectionConfigurer$PriorityOrderedRequestContextFilter@65b8b2'
2011-11-25 09:09:36,019|FilterChainProxy|/messagebroker/amfsecure at position 2 of 10 in additional filter chain; firing Filter: '<redacted>.security.SplashPageLogoutFilter[ order=0; ]'
2011-11-25 09:09:36,021|FilterChainProxy|/messagebroker/amfsecure at position 3 of 10 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
2011-11-25 09:09:36,024|HttpSessionContextIntegrationFilter|Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT to associate with SecurityContextHolder: 'org.springframework.security.context.SecurityContextImpl@a9f1ed4c: Authentication: org.springframework.security.providers.UsernamePasswordAuthenticationToken@a9f1ed4c: Principal: <redacted>.security.UserDetailsServiceImpl$1@5674e6; Password: [PROTECTED]; Authenticated: true; Details: <redacted>.security.UserAuthentication$1@14b9a6; Granted Authorities: ROLE_USER'
2011-11-25 09:09:36,025|FilterChainProxy|/messagebroker/amfsecure at position 4 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.logout.LogoutFilter[ order=300; ]'
2011-11-25 09:09:36,025|FilterChainProxy|/messagebroker/amfsecure at position 5 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]'
2011-11-25 09:09:36,026|FilterChainProxy|/messagebroker/amfsecure at position 6 of 10 in additional filter chain; firing Filter: 'org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1100; ]'
2011-11-25 09:09:36,026|SavedRequestAwareWrapper|Wrapper not replaced; SavedRequest was: null
2011-11-25 09:09:36,027|FilterChainProxy|/messagebroker/amfsecure at position 7 of 10 in additional filter chain; firing Filter: 'org.springframework.security.providers.anonymous.AnonymousProcessingFilter[ order=1300; ]'
2011-11-25 09:09:36,027|AnonymousProcessingFilter|SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.providers.UsernamePasswordAuthenticationToken@a9f1ed4c: Principal: <redacted>.security.UserDetailsServiceImpl$1@5674e6; Password: [PROTECTED]; Authenticated: true; Details: <redacted>.security.UserAuthentication$1@14b9a6; Granted Authorities: ROLE_USER'
2011-11-25 09:09:36,028|FilterChainProxy|/messagebroker/amfsecure at position 8 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.ExceptionTranslationFilter[ order=1400; ]'
2011-11-25 09:09:36,029|FilterChainProxy|/messagebroker/amfsecure at position 9 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.SessionFixationProtectionFilter[ order=1600; ]'
2011-11-25 09:09:36,030|FilterChainProxy|/messagebroker/amfsecure at position 10 of 10 in additional filter chain; firing Filter: 'org.springframework.security.intercept.web.FilterSecurityInterceptor@36e1ed'
2011-11-25 09:09:36,030|DefaultFilterInvocationDefinitionSource|Converted URL to lowercase, from: '/messagebroker/amfsecure'; to: '/messagebroker/amfsecure'
2011-11-25 09:09:36,031|DefaultFilterInvocationDefinitionSource|Candidate is: '/messagebroker/amfsecure'; pattern is /messagebroker/**/*; matched=true
2011-11-25 09:09:36,032|AbstractSecurityInterceptor|Secure object: FilterInvocation: URL: /messagebroker/amfsecure; ConfigAttributes: [ROLE_ANONYMOUS, ROLE_USER, ROLE_ADMIN]
2011-11-25 09:09:36,033|AbstractSecurityInterceptor|Previously Authenticated: org.springframework.security.providers.UsernamePasswordAuthenticationToken@a9f1ed4c: Principal: <redacted>.security.UserDetailsServiceImpl$1@5674e6; Password: [PROTECTED]; Authenticated: true; Details: <redacted>.security.UserAuthentication$1@14b9a6; Granted Authorities: ROLE_USER
2011-11-25 09:09:36,034|AbstractSecurityInterceptor|Authorization successful
2011-11-25 09:09:36,035|AbstractSecurityInterceptor|RunAsManager did not change Authentication object
2011-11-25 09:09:36,037|FilterChainProxy|/messagebroker/amfsecure reached end of additional filter chain; proceeding with original chain
This has been bugging me for a while now; can anyone help?
Cheers, Chris
Best answer
I am not really sure of the answer myself, and it is hard to see what might be happening from this limited information... but have you tried doing a session invalidation (request.getSession().invalidate()) inside the logout block of the filter? See whether the problem still occurs after forcibly destroying the session. Maybe that will give more clues about where the problem lies.
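The following is an added example, not code from the question or the answer, showing what the answer's suggestion looks like when written into a Spring Security 2.0 filter like the one in the question: the filter destroys the HTTP session itself rather than relying only on the configured LogoutHandlers, and logs enough to verify from sec.log that the session really was invalidated. The class name SessionDestroyingLogoutFilter, the isLogoutRequest/destroySession helpers and the logged messages are my own; the request shapes (POST to /webSSO, GET of index.jsp) and the SPRING_SECURITY_CONTEXT session key are taken from the question and its log.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.context.HttpSessionContextIntegrationFilter;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.ui.SpringSecurityFilter;

/**
 * Hypothetical logout filter (example, not the project's code) that applies the
 * answer's suggestion: invalidate the session explicitly on a logout request.
 */
public class SessionDestroyingLogoutFilter extends SpringSecurityFilter {
    private static final Log logger = LogFactory.getLog(SessionDestroyingLogoutFilter.class);

    /** Same trigger conditions as the question's filter, factored out for reuse. */
    static boolean isLogoutRequest(String method, String uri) {
        return ("POST".equals(method) && uri.endsWith("/webSSO"))
            || ("GET".equals(method) && uri.contains("index.jsp"));
    }

    @Override
    protected void doFilterHttp(HttpServletRequest request,
            HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (isLogoutRequest(request.getMethod(), request.getRequestURI())) {
            destroySession(request);
        }
        chain.doFilter(request, response);
    }

    /** Invalidates the current session, if any, and clears the thread-bound context. */
    static void destroySession(HttpServletRequest request) {
        // getSession(false) never creates a session; the bare getSession() from the
        // answer would create an empty one just to invalidate it again.
        HttpSession session = request.getSession(false);
        if (session == null) {
            logger.info("Logout requested but no session exists; nothing to invalidate.");
        } else {
            String id = session.getId();
            // Drop the persisted context so nothing can be read back under this key,
            // even if invalidate() were to fail below.
            session.removeAttribute(HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY);
            try {
                session.invalidate();
                logger.info("Invalidated session " + id);
            } catch (IllegalStateException alreadyInvalid) {
                // Thrown if something earlier in the chain already invalidated it.
                logger.info("Session " + id + " was already invalidated");
            }
        }
        // Clear the thread-bound context too: HttpSessionContextIntegrationFilter writes
        // whatever is in the holder back to the session when the request completes.
        SecurityContextHolder.clearContext();

        // Verification point: a session that survives invalidate() is a bug in the
        // container or in this filter, and the next request's debug log must not show
        // "Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT".
        HttpSession after = request.getSession(false);
        if (after != null) {
            logger.warn("Session still present after invalidate(): " + after.getId());
        }
    }

    public int getOrder() { return 0; }
}
```

When reading sec.log after this change, the line to look for on the request that follows the logout is the HttpSessionContextIntegrationFilter entry: if it still reports a context obtained from SPRING_SECURITY_CONTEXT, the session was not destroyed (or a different session was found), which narrows the problem down to the container and servlet-context configuration rather than to the filter.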
Regarding "java - Spring Security + Flex + BlazeDS login issue", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/8270460/