java - Spring Security invalidates JSESSIONID when a new window is opened

Tags: java spring websphere websphere-8

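I have a web application from a vendor with some new functionality: you press a button on the web page and it opens a new pop-up window to use the new functionality. However, when a user who is logged in to the application presses that button, the user is automatically logged out. We have tested this with many users and they all hit the same problem.

We are using IE 8 because the vendor wrote the application for it. The application is hosted on WebSphere Application Server 8.5.5.1 (just upgraded from WebSphere 7.0.17). The problem occurs whether we go through the web server or go directly to the application via the port number.

However, if I use Google Chrome, the first time the user logs in and clicks the button they get logged out, but the next time they log in the button works fine. But we can't use Google Chrome because the vendor does not support it.

I have opened a PMR with IBM, and they can see the session being invalidated.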

[12/12/14 11:27:49:368 EST] 0000012b HttpRequestMe 1   setRequestURL input   [/blue2web/images/cbf/bg.grad.blue.jpg]
.......
[12/12/14 11:27:49:439 EST] 0000012b filter        1   com.ibm.ws.webcontainer.filter.WebAppFilterChain doFilter entry
[12/12/14 11:27:49:439 EST] 0000012b filter        1   com.ibm.ws.webcontainer.filter.WebAppFilterChain doFilter executing filter -->springSecurityFilterChain
[12/12/14 11:27:49:440 EST] 0000012b util          1   com.ibm.ws.webcontainer.util.EventListeners fireEvent Use visitor com.ibm.ws.webcontainer.webapp.FireOnFilterStartDoFilter@c7cef1a9 to fire event to com.ibm.websphere.servlet.event.FilterListenerImpl@2a6d1c41, class:class com.ibm.websphere.servlet.event.FilterListenerImpl
.......
[12/12/14 11:27:49:440 EST] 0000012b event         1   com.ibm.websphere.servlet.event.FilterListenerImpl onFilterStartDoFilter onFilterStartDoFilter -->springSecurityFilterChain request -->com.ibm.ws.webcontainer.srt.SRTServletRequest@3925fa48
.......
[12/12/14 11:27:49:444 EST] 0000012b WASSessionCor >   MemorySession invalidate ENTRY  AppName=default_hostblue2web; Id=XgGNO6yhlsbiQKcNk9eOeZF
.......
[12/12/14 11:27:49:445 EST] 0000012b WASSessionCor 1   MemorySession setIsValid New Value=false; Old Value=true AppName=default_hostblue2web; Id=XgGNO6yhlsbiQKcNk9eOeZF
.......
[12/12/14 11:27:49:445 EST] 0000012b WASSessionCor <   MemorySession invalidate RETURN
.......
[12/12/14 11:27:49:464 EST] 0000012b filter        1   com.ibm.ws.webcontainer.filter.WebAppFilterChain doFilter entry 
[12/12/14 11:27:49:464 EST] 0000012b filter        1   com.ibm.ws.webcontainer.filter.WebAppFilterChain doFilter executing filter -->struts2
.......
[12/12/14 11:27:49:481 EST] 0000012b HttpResponseM 1   Marshalling first line: HTTP/1.1 304 Not Modified

We see a request for /blue2web/images/cbf/bg.grad.blue.jpg. The request enters the filter springSecurityFilterChain, and the session is invalidated.
The request continues through several more filters (starting with the struts2 filter) and eventually returns a 304 response.

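The vendor says nobody else (including them) has seen this problem.

I am now completely confused, because I don't know whether this is an IE 8 problem, a Spring problem, or a WebSphere 8.5.5.1 problem. We have other buttons in the application that open different windows for different functions, and they work fine.

Update (12/22/14) -

Here is a trace from Spring Security. Not sure whether it will help.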

[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/javascript/cbfcommonutil.js'; to: '/javascript/cbfcommonutil.js'
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/javascript/cbfcommonutil.js'; pattern is /j_security_check; matched=false
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/javascript/cbfcommonutil.js'; to: '/javascript/cbfcommonutil.js'
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/javascript/cbfcommonutil.js'; pattern is /favicon.ico; matched=false
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/javascript/cbfcommonutil.js'; to: '/javascript/cbfcommonutil.js'
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/javascript/cbfcommonutil.js'; pattern is /index*; matched=false
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/javascript/cbfcommonutil.js'; to: '/javascript/cbfcommonutil.js'
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/javascript/cbfcommonutil.js'; pattern is /javascript/*; matched=true
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy doFilter /javascript/cbfCommonUtil.js has an empty filter list
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/javascript/mootools-1.2.5.js'; to: '/javascript/mootools-1.2.5.js'
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/javascript/mootools-1.2.5.js'; pattern is /j_security_check; matched=false
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/javascript/mootools-1.2.5.js'; to: '/javascript/mootools-1.2.5.js'
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/javascript/mootools-1.2.5.js'; pattern is /favicon.ico; matched=false
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/javascript/mootools-1.2.5.js'; to: '/javascript/mootools-1.2.5.js'
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/javascript/mootools-1.2.5.js'; pattern is /index*; matched=false
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/javascript/mootools-1.2.5.js'; to: '/javascript/mootools-1.2.5.js'
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/javascript/mootools-1.2.5.js'; pattern is /javascript/*; matched=true
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy doFilter /javascript/mootools-1.2.5.js has an empty filter list
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /j_security_check; matched=false
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /favicon.ico; matched=false
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /index*; matched=false
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /javascript/*; matched=false
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /css/*; matched=false
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /images/*; matched=false
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /iframe_black*; matched=false
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /webhelp_pro/**; matched=false
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /**; matched=true
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[12/22/14 14:17:19:922 CST] 000000a5 HttpSessionSe 1 org.springframework.security.web.context.HttpSessionSecurityContextRepository readSecurityContextFromSession Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@ba2bcf8a: Authentication: com.bcbsa.blue2.configuration.security.jee.DelegateToUserDetailsPreAuthenticatedAuthenticationToken@ba2bcf8a: Principal: com.bcbsa.blue2.configuration.security.model.springsecurity.AuthoritiesByBoidUser@6820f6c1: Username: MyId; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: AdjustmentMsgUser,BasicMsgUser,CBFUpdateUser,CBFViewOnlyUser,CSRNMsgUser,Claim276StatusWithoutSccf,ClaimDispositionDetailsViewer,ClaimMisrouteMsgUser,ClaimStatusRequester,ClaimSubmissionDetailsViewer,DataRole1,DataRole11,DataRole13,DataRole17,DataRole2,DataRole3,DataRole30,DataRole35,DataRole37,DataRole39,DataRole4,DataRole41,DataRole49,DataRole5,DataRole51,DataRole53,DataRole55,DataRole57,DataRole58,DataRole59,DataRole61,DataRole63,DataRole65,DataRole70,DataRole9,DataRole99,EscalationLevel1MsgUser,EscalationLevel2MsgUser,EvaluateAdjustmentMessageStateAdmin,GlobalFeeMsgUser,LocalEditAdmin,MedicalRecordViewer,MessageCommentConfigAdmin,MessageListingViewer,MessageReprocessUser,MessageSummaryViewer,PQIMsgSummaryViewer,PQIMsgUser,PostProcessConfigAdmin,PreExMsgUser,PurgeDF,PurgeMessage,PurgeNF,PurgeRF,PurgeRestoreAdmin,PurgeSF,ReassignUserAdmin,RemoteOperationViewer,RestoreViewer,SecurityConfigAdmin,SubscriberIDWildcardSearchAdmin,ValidUser,ValidUserCBF; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails@fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 3VjGU8WisdQb0Zvjzk7jYyc; Authorities: [DataRole55, DataRole57, DataRole58, DataRole59, DataRole61, DataRole63, PurgeSF, 
PostProcessConfigAdmin, DataRole65, RestoreViewer, MessageReprocessUser, DataRole70, EvaluateAdjustmentMessageStateAdmin, EscalationLevel1MsgUser, PurgeDF, LocalEditAdmin, ClaimMisrouteMsgUser, DataRole99, AdjustmentMsgUser, CSRNMsgUser, ValidUserCBF, GlobalFeeMsgUser, MessageSummaryViewer, ClaimDispositionDetailsViewer, CBFViewOnlyUser, DataRole1, DataRole2, DataRole3, DataRole4, MedicalRecordViewer, DataRole5, DataRole9, PurgeMessage, BasicMsgUser, MessageListingViewer, RemoteOperationViewer, EscalationLevel2MsgUser, ClaimSubmissionDetailsViewer, CBFUpdateUser, ReassignUserAdmin, PQIMsgUser, PreExMsgUser, DataRole11, DataRole13, PurgeNF, DataRole17, PurgeRestoreAdmin, MessageCommentConfigAdmin, SubscriberIDWildcardSearchAdmin, SecurityConfigAdmin, DataRole30, DataRole35, DataRole37, DataRole39, ValidUser, Claim276StatusWithoutSccf, DataRole41, PQIMsgSummaryViewer, DataRole49, ClaimStatusRequester, DataRole51, DataRole53, PurgeRF]; Granted Authorities: AdjustmentMsgUser, BasicMsgUser, CBFUpdateUser, CBFViewOnlyUser, CSRNMsgUser, Claim276StatusWithoutSccf, ClaimDispositionDetailsViewer, ClaimMisrouteMsgUser, ClaimStatusRequester, ClaimSubmissionDetailsViewer, DataRole1, DataRole11, DataRole13, DataRole17, DataRole2, DataRole3, DataRole30, DataRole35, DataRole37, DataRole39, DataRole4, DataRole41, DataRole49, DataRole5, DataRole51, DataRole53, DataRole55, DataRole57, DataRole58, DataRole59, DataRole61, DataRole63, DataRole65, DataRole70, DataRole9, DataRole99, EscalationLevel1MsgUser, EscalationLevel2MsgUser, EvaluateAdjustmentMessageStateAdmin, GlobalFeeMsgUser, LocalEditAdmin, MedicalRecordViewer, MessageCommentConfigAdmin, MessageListingViewer, MessageReprocessUser, MessageSummaryViewer, PQIMsgSummaryViewer, PQIMsgUser, PostProcessConfigAdmin, PreExMsgUser, PurgeDF, PurgeMessage, PurgeNF, PurgeRF, PurgeRestoreAdmin, PurgeSF, ReassignUserAdmin, RemoteOperationViewer, RestoreViewer, SecurityConfigAdmin, SubscriberIDWildcardSearchAdmin, ValidUser, ValidUserCBF'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 2 of 9 in additional filter chain; firing Filter: 'LtpaSSOLogoutFilter'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 3 of 9 in additional filter chain; firing Filter: 'J2eePreAuthenticatedProcessingFilter'
[12/22/14 14:17:19:922 CST] 000000a5 J2eePreAuthen 1 org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter doFilter Checking secure context token: com.bcbsa.blue2.configuration.security.jee.DelegateToUserDetailsPreAuthenticatedAuthenticationToken@ba2bcf8a: Principal: com.bcbsa.blue2.configuration.security.model.springsecurity.AuthoritiesByBoidUser@6820f6c1: Username: MyId; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: AdjustmentMsgUser,BasicMsgUser,CBFUpdateUser,CBFViewOnlyUser,CSRNMsgUser,Claim276StatusWithoutSccf,ClaimDispositionDetailsViewer,ClaimMisrouteMsgUser,ClaimStatusRequester,ClaimSubmissionDetailsViewer,DataRole1,DataRole11,DataRole13,DataRole17,DataRole2,DataRole3,DataRole30,DataRole35,DataRole37,DataRole39,DataRole4,DataRole41,DataRole49,DataRole5,DataRole51,DataRole53,DataRole55,DataRole57,DataRole58,DataRole59,DataRole61,DataRole63,DataRole65,DataRole70,DataRole9,DataRole99,EscalationLevel1MsgUser,EscalationLevel2MsgUser,EvaluateAdjustmentMessageStateAdmin,GlobalFeeMsgUser,LocalEditAdmin,MedicalRecordViewer,MessageCommentConfigAdmin,MessageListingViewer,MessageReprocessUser,MessageSummaryViewer,PQIMsgSummaryViewer,PQIMsgUser,PostProcessConfigAdmin,PreExMsgUser,PurgeDF,PurgeMessage,PurgeNF,PurgeRF,PurgeRestoreAdmin,PurgeSF,ReassignUserAdmin,RemoteOperationViewer,RestoreViewer,SecurityConfigAdmin,SubscriberIDWildcardSearchAdmin,ValidUser,ValidUserCBF; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails@fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 3VjGU8WisdQb0Zvjzk7jYyc; Authorities: [DataRole55, DataRole57, DataRole58, DataRole59, DataRole61, DataRole63, PurgeSF, PostProcessConfigAdmin, DataRole65, RestoreViewer, MessageReprocessUser, DataRole70, EvaluateAdjustmentMessageStateAdmin, 
EscalationLevel1MsgUser, PurgeDF, LocalEditAdmin, ClaimMisrouteMsgUser, DataRole99, AdjustmentMsgUser, CSRNMsgUser, ValidUserCBF, GlobalFeeMsgUser, MessageSummaryViewer, ClaimDispositionDetailsViewer, CBFViewOnlyUser, DataRole1, DataRole2, DataRole3, DataRole4, MedicalRecordViewer, DataRole5, DataRole9, PurgeMessage, BasicMsgUser, MessageListingViewer, RemoteOperationViewer, EscalationLevel2MsgUser, ClaimSubmissionDetailsViewer, CBFUpdateUser, ReassignUserAdmin, PQIMsgUser, PreExMsgUser, DataRole11, DataRole13, PurgeNF, DataRole17, PurgeRestoreAdmin, MessageCommentConfigAdmin, SubscriberIDWildcardSearchAdmin, SecurityConfigAdmin, DataRole30, DataRole35, DataRole37, DataRole39, ValidUser, Claim276StatusWithoutSccf, DataRole41, PQIMsgSummaryViewer, DataRole49, ClaimStatusRequester, DataRole51, DataRole53, PurgeRF]; Granted Authorities: AdjustmentMsgUser, BasicMsgUser, CBFUpdateUser, CBFViewOnlyUser, CSRNMsgUser, Claim276StatusWithoutSccf, ClaimDispositionDetailsViewer, ClaimMisrouteMsgUser, ClaimStatusRequester, ClaimSubmissionDetailsViewer, DataRole1, DataRole11, DataRole13, DataRole17, DataRole2, DataRole3, DataRole30, DataRole35, DataRole37, DataRole39, DataRole4, DataRole41, DataRole49, DataRole5, DataRole51, DataRole53, DataRole55, DataRole57, DataRole58, DataRole59, DataRole61, DataRole63, DataRole65, DataRole70, DataRole9, DataRole99, EscalationLevel1MsgUser, EscalationLevel2MsgUser, EvaluateAdjustmentMessageStateAdmin, GlobalFeeMsgUser, LocalEditAdmin, MedicalRecordViewer, MessageCommentConfigAdmin, MessageListingViewer, MessageReprocessUser, MessageSummaryViewer, PQIMsgSummaryViewer, PQIMsgUser, PostProcessConfigAdmin, PreExMsgUser, PurgeDF, PurgeMessage, PurgeNF, PurgeRF, PurgeRestoreAdmin, PurgeSF, ReassignUserAdmin, RemoteOperationViewer, RestoreViewer, SecurityConfigAdmin, SubscriberIDWildcardSearchAdmin, ValidUser, ValidUserCBF
[12/22/14 14:17:19:922 CST] 000000a5 J2eePreAuthen 1 org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter getPreAuthenticatedPrincipal PreAuthenticated J2EE principal: null
[12/22/14 14:17:19:922 CST] 000000a5 J2eePreAuthen 1 org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter requiresAuthentication Pre-authenticated principal has changed to null and will be reauthenticated
[12/22/14 14:17:19:922 CST] 000000a5 J2eePreAuthen 1 org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter requiresAuthentication Invalidating existing session
[12/22/14 14:17:19:922 CST] 000000a5 J2eePreAuthen 1 org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter getPreAuthenticatedPrincipal PreAuthenticated J2EE principal: null
[12/22/14 14:17:19:938 CST] 000000a5 J2eePreAuthen 1 org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter doAuthenticate No pre-authenticated principal found in request
[12/22/14 14:17:19:938 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[12/22/14 14:17:19:938 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[12/22/14 14:17:19:938 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 6 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[12/22/14 14:17:19:938 CST] 000000a5 AnonymousAuth 1 org.springframework.security.web.authentication.AnonymousAuthenticationFilter doFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'com.bcbsa.blue2.configuration.security.jee.DelegateToUserDetailsPreAuthenticatedAuthenticationToken@ba2bcf8a: Principal: com.bcbsa.blue2.configuration.security.model.springsecurity.AuthoritiesByBoidUser@6820f6c1: Username: MyId; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: AdjustmentMsgUser,BasicMsgUser,CBFUpdateUser,CBFViewOnlyUser,CSRNMsgUser,Claim276StatusWithoutSccf,ClaimDispositionDetailsViewer,ClaimMisrouteMsgUser,ClaimStatusRequester,ClaimSubmissionDetailsViewer,DataRole1,DataRole11,DataRole13,DataRole17,DataRole2,DataRole3,DataRole30,DataRole35,DataRole37,DataRole39,DataRole4,DataRole41,DataRole49,DataRole5,DataRole51,DataRole53,DataRole55,DataRole57,DataRole58,DataRole59,DataRole61,DataRole63,DataRole65,DataRole70,DataRole9,DataRole99,EscalationLevel1MsgUser,EscalationLevel2MsgUser,EvaluateAdjustmentMessageStateAdmin,GlobalFeeMsgUser,LocalEditAdmin,MedicalRecordViewer,MessageCommentConfigAdmin,MessageListingViewer,MessageReprocessUser,MessageSummaryViewer,PQIMsgSummaryViewer,PQIMsgUser,PostProcessConfigAdmin,PreExMsgUser,PurgeDF,PurgeMessage,PurgeNF,PurgeRF,PurgeRestoreAdmin,PurgeSF,ReassignUserAdmin,RemoteOperationViewer,RestoreViewer,SecurityConfigAdmin,SubscriberIDWildcardSearchAdmin,ValidUser,ValidUserCBF; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails@fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 3VjGU8WisdQb0Zvjzk7jYyc; Authorities: [DataRole55, DataRole57, DataRole58, DataRole59, DataRole61, DataRole63, PurgeSF, PostProcessConfigAdmin, DataRole65, RestoreViewer, MessageReprocessUser, DataRole70, 
EvaluateAdjustmentMessageStateAdmin, EscalationLevel1MsgUser, PurgeDF, LocalEditAdmin, ClaimMisrouteMsgUser, DataRole99, AdjustmentMsgUser, CSRNMsgUser, ValidUserCBF, GlobalFeeMsgUser, MessageSummaryViewer, ClaimDispositionDetailsViewer, CBFViewOnlyUser, DataRole1, DataRole2, DataRole3, DataRole4, MedicalRecordViewer, DataRole5, DataRole9, PurgeMessage, BasicMsgUser, MessageListingViewer, RemoteOperationViewer, EscalationLevel2MsgUser, ClaimSubmissionDetailsViewer, CBFUpdateUser, ReassignUserAdmin, PQIMsgUser, PreExMsgUser, DataRole11, DataRole13, PurgeNF, DataRole17, PurgeRestoreAdmin, MessageCommentConfigAdmin, SubscriberIDWildcardSearchAdmin, SecurityConfigAdmin, DataRole30, DataRole35, DataRole37, DataRole39, ValidUser, Claim276StatusWithoutSccf, DataRole41, PQIMsgSummaryViewer, DataRole49, ClaimStatusRequester, DataRole51, DataRole53, PurgeRF]; Granted Authorities: AdjustmentMsgUser, BasicMsgUser, CBFUpdateUser, CBFViewOnlyUser, CSRNMsgUser, Claim276StatusWithoutSccf, ClaimDispositionDetailsViewer, ClaimMisrouteMsgUser, ClaimStatusRequester, ClaimSubmissionDetailsViewer, DataRole1, DataRole11, DataRole13, DataRole17, DataRole2, DataRole3, DataRole30, DataRole35, DataRole37, DataRole39, DataRole4, DataRole41, DataRole49, DataRole5, DataRole51, DataRole53, DataRole55, DataRole57, DataRole58, DataRole59, DataRole61, DataRole63, DataRole65, DataRole70, DataRole9, DataRole99, EscalationLevel1MsgUser, EscalationLevel2MsgUser, EvaluateAdjustmentMessageStateAdmin, GlobalFeeMsgUser, LocalEditAdmin, MedicalRecordViewer, MessageCommentConfigAdmin, MessageListingViewer, MessageReprocessUser, MessageSummaryViewer, PQIMsgSummaryViewer, PQIMsgUser, PostProcessConfigAdmin, PreExMsgUser, PurgeDF, PurgeMessage, PurgeNF, PurgeRF, PurgeRestoreAdmin, PurgeSF, ReassignUserAdmin, RemoteOperationViewer, RestoreViewer, SecurityConfigAdmin, SubscriberIDWildcardSearchAdmin, ValidUser, ValidUserCBF'
[12/22/14 14:17:19:938 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 7 of 9 in additional filter chain; firing Filter: 'SessionManagementFilter'
[12/22/14 14:17:19:938 CST] 000000a5 HttpSessionSe 1 org.springframework.security.web.context.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper createNewSessionIfAllowed HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session
[12/22/14 14:17:19:938 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[12/22/14 14:17:19:938 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[12/22/14 14:17:19:938 CST] 000000a5 DefaultFilter 1 org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource lookupAttributes Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'

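Update (12/24/14) -

OK, I believe this problem is happening in Spring Security. When the application tries to get an image from /images/cbf, instead of picking the pattern /images/*, it picks the pattern /**. By picking /**, the request goes through the Spring Security filters when it should not. So why does it pick the pattern /** instead of /images/*? Could this be an issue in WebSphere 8.5.5.1?

Here are the patterns it can choose from.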

<sec:http entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" access-decision-manager-ref="httpRequestAccessDecisionManager">
    <sec:intercept-url pattern="/general/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <sec:intercept-url pattern="/j_security_check" access="IS_AUTHENTICATED_ANONYMOUSLY"  filters="none"/>
    <sec:intercept-url pattern="/favicon.ico" access="IS_AUTHENTICATED_ANONYMOUSLY"  filters="none"/>
    <sec:intercept-url pattern="/index*" access="IS_AUTHENTICATED_ANONYMOUSLY"  filters="none"/>
    <sec:intercept-url pattern="/javascript/*" access="IS_AUTHENTICATED_ANONYMOUSLY"  filters="none"/>
    <sec:intercept-url pattern="/css/*" access="IS_AUTHENTICATED_ANONYMOUSLY"  filters="none"/>
    <sec:intercept-url pattern="/images/*" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none"/>
    <sec:intercept-url pattern="/iframe_black*" access="IS_AUTHENTICATED_ANONYMOUSLY"  filters="none"/>
    <sec:intercept-url pattern="/WebHelp_Pro/**" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none"/>     
    <sec:intercept-url pattern="/j_spring_security_logout" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <sec:intercept-url pattern="/**" access="ValidUser"/>
    <sec:intercept-url pattern="/cbf/*" access="ValidUserCBF"/>
    <sec:custom-filter ref="j2eePreAuthFilter" position="PRE_AUTH_FILTER" />
    <sec:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />       
</sec:http>

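Best answer

I was able to solve the problem by changing the intercept-url pattern from /images/* to /images/**. This makes images stored under /images/cbf or /images/cbf/button not go through the Spring Security filters.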
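
The pattern difference behind this fix, as an added example that is not part of the original post or of Spring Security's code: a simplified Ant-style matcher evaluated first-match-wins over the `filters="none"` patterns from the configuration above. The class `InterceptUrlMatchDemo` and its methods are hypothetical, lowercasing follows the "Converted URL to lowercase" lines in the trace, and the two URLs marked as constructed do not appear on the page.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

public class InterceptUrlMatchDemo {

    // Simplified Ant-style rules (illustrative, not Spring's AntPathMatcher):
    //   ?   one character inside a path segment
    //   *   any run of characters inside ONE segment (never crosses '/')
    //   /** zero or more whole path segments
    static Pattern compile(String antPattern) {
        String p = antPattern.toLowerCase(Locale.ROOT);
        StringBuilder re = new StringBuilder();
        int i = 0;
        while (i < p.length()) {
            char c = p.charAt(i);
            boolean doubleStar = p.startsWith("/**", i)
                    && (i + 3 == p.length() || p.charAt(i + 3) == '/');
            if (doubleStar) {
                re.append("(/.*)?");      // any depth below this point
                i += 3;
            } else if (c == '*') {
                re.append("[^/]*");       // stays within the current segment
                i++;
            } else if (c == '?') {
                re.append("[^/]");
                i++;
            } else {
                re.append(Pattern.quote(String.valueOf(c)));
                i++;
            }
        }
        return Pattern.compile(re.toString());
    }

    // Rules are tried in declaration order; the first matching pattern wins.
    static String firstMatch(List<String> patterns, String url) {
        String path = url.toLowerCase(Locale.ROOT);
        for (String pattern : patterns) {
            if (compile(pattern).matcher(path).matches()) {
                return pattern;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // filters="none" patterns from the page's <sec:http> block, followed by
        // the "/**" catch-all that carries the full 9-filter chain in the trace.
        List<String> before = Arrays.asList(
                "/j_security_check", "/favicon.ico", "/index*", "/javascript/*",
                "/css/*", "/images/*", "/iframe_black*", "/WebHelp_Pro/**", "/**");

        // Same list with the answer's fix applied.
        List<String> after = new ArrayList<>(before);
        after.set(after.indexOf("/images/*"), "/images/**");

        String[] urls = {
                "/images/cbf/c_lt.png",          // from the Spring Security trace
                "/images/cbf/bg.grad.blue.jpg",  // from the IBM trace, context path removed
                "/javascript/mootools-1.2.5.js", // from the Spring Security trace
                "/images/logo.png",              // constructed: image directly under /images
                "/images/cbf/button/ok.png"      // constructed: deeper nesting
        };

        System.out.printf("%-32s %-16s %-16s%n", "URL", "before", "after");
        for (String url : urls) {
            System.out.printf("%-32s %-16s %-16s%n",
                    url, firstMatch(before, url), firstMatch(after, url));
        }
        // A URL whose first match is "/**" runs the full filter chain, including
        // the pre-auth filter that invalidated the session in the trace.
    }
}
```

Because `filters="none"` removes every Spring Security filter from the matched path, `/images/**` should cover only static content.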

Regarding java - Spring Security invalidates JSESSIONID when a new window is opened, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/27581240/
