我正在使用 Spring Security Oauth1.0a 来验证请求。预计一旦用户通过身份验证,他/她将获得在网站中探索的权限。经过身份验证的用户的第一个登陆页面包含一些 js 和 img。奇怪的是,在加载这些小片段的过程中,一些文件通过正确的身份验证成功加载。但几毫秒后,由于空身份验证,其他小片段将无法加载。请注意,我打开了 servlet 上下文/会话/属性侦听器。没有检测到任何变化。
10/24'16 13:44:23> DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@3f8eaa51: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@3f8eaa51: Principal: com.my.connected.spring.User@148c0257; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: TEACHER' stored to HttpSession: 'org.apache.catalina.session.StandardSessionFacade@f3abb79 (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-11) [1256269]
到目前为止,安全上下文已按预期填充在会话中。此后,我的自定义上下文/会话/属性级别监听器没有检测到任何变化。所有调试级别日志都打印在下面。
10/24'16 13:44:23> DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] Chain processed normally (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-11) [1256269]
10/24'16 13:44:23> DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-11) [1256269]
10/24'16 13:44:23> DEBUG [org.springframework.security.web.FilterChainProxy] /home.png at position 1 of 15 in additional filter chain; firing Filter: 'MetadataGeneratorFilter' (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-4) [1256274]
10/24'16 13:44:23> DEBUG [org.springframework.security.web.FilterChainProxy] /home.png at position 2 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-4) [1256274]
10/24'16 13:44:23> DEBUG [org.springframework.security.web.FilterChainProxy] /home.png at position 3 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-4) [1256274]
10/24'16 13:46:37> DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@ffffffff: Null authentication' (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-4) [1391041]
但是,调试和日志都显示会话属性 SPRING_SECURITY_CONTEXT 的新空身份验证。上下文本身不为空。
更多编码细节:
//the controller method
@RequestMapping(value = {"/ssoep.lti.do"}, method = {RequestMethod.GET, RequestMethod.POST})
public void ltiEndpoint(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, SSOValidationException{
request.getRequestDispatcher("/").forward(request, response);
}
//the configuration class
@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
protected void configureOAuth(HttpSecurity http) throws Exception {
http
.csrf()
.disable();
http
.addFilterAfter(oauthFilter(), BasicAuthenticationFilter.class)
.authorizeRequests()
.antMatchers("/ssoep.lti.do*").authenticated();
}
@Bean
public ProtectedResourceProcessingFilter oauthFilter() {
ProtectedResourceProcessingFilter result = new MheOauthProcessingFilter();
result.setAuthHandler(mheUserOauthAuthenticationHandler);
result.setConsumerDetailsService(mheOauthConsumerDetailsService);
return result;
}
}
我正在使用以下 pom 版本。
<spring.version>4.3.2.RELEASE</spring.version>
<spring.boot.version>1.4.0.RELEASE</spring.boot.version>
<spring.security.version>4.1.1.RELEASE</spring.security.version>
<spring.security.oauth.version>2.0.11.RELEASE</spring.security.oauth.version>
<spring.security.saml2>1.0.2.RELEASE</spring.security.saml2>
可能是你没有添加spring security过滤器链来拦截所有请求
import org.springframework.security.web.context.*;
public class SecurityWebApplicationInitializer
extends AbstractSecurityWebApplicationInitializer {
public SecurityWebApplicationInitializer() {
super(SecurityConfig.class);
}
}
当我调试 Spring Security Oauth 代码 OAuthProviderProcessingFilter 时,我发现上下文总是会被 previousAuthentication 重置。我不确定这样做的目的是什么,这是我失去身份验证的根本原因。
以下代码覆盖默认行为解决了问题。
public class MyOauthProcessingFilter extends ProtectedResourceProcessingFilter {
@Override
protected void resetPreviousAuthentication(Authentication previousAuthentication) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (null != auth && null != auth.getPrincipal() ) {
return;
}
super.resetPreviousAuthentication(previousAuthentication);
}
}
您可以更改过滤器调用的优先级。
protected void configureOAuth(HttpSecurity http) throws Exception {
http
.csrf()
.disable();
http
.addFilterAfter(oauthFilter(), BasicAuthenticationFilter.class)
.authorizeRequests()
.antMatchers("/ssoep.lti.do*").authenticated();
http.addFilterAfter(YOUR_FILTER, SecurityContextPersistenceFilter.class);
}
因为
SecurityContextPersistenceFilter
重置上下文并且经过身份验证的用户从上下文中清晰可见。