我正在尝试按照此处的教程在 Spring Security 中实现 OpenId ,但我似乎无法让它工作。当我测试我的实现时,它似乎发现了 OpenId 提供程序的 URL,但它从未将我重定向到该提供程序的登录页面。相反,我返回到我的登录页面,并显示“您输入了无效的用户名或密码!” 错误。
这是我的记录器在我尝试使用 coraythan@aol.com 登录时所说的内容:
[qtp760167714-19] INFO org.openid4java.discovery.Discovery - Starting discovery on URL identifier: http://aol.com/
[qtp760167714-19] WARN org.apache.http.client.protocol.ResponseProcessCookies - Cookie rejected: "[version: 0][name: JSESSIONID][value: C326ACEE663C4C976739D4E51A500DA7][domain: www.aol.com][path: /aol][expiry: null]". Illegal path attribute "/aol". Path of origin: "/"
[qtp760167714-19] WARN org.apache.http.client.protocol.ResponseProcessCookies - Cookie rejected: "[version: 0][name: JSESSIONID][value: D07CE2D83B0A58663C6EAA557FCFAD14][domain: www.aol.com][path: /aol][expiry: null]". Illegal path attribute "/aol". Path of origin: "/"
我第二次尝试将不同的内容记录到控制台:
[qtp760167714-21] INFO org.openid4java.discovery.Discovery - Starting discovery on URL identifier: http://aol.com/
[qtp760167714-21] INFO org.openid4java.util.HttpCache - Returning cached HEAD response for http://aol.com/
[qtp760167714-21] INFO org.openid4java.util.HttpCache - Returning cached GET response for http://aol.com/
[qtp760167714-21] INFO org.openid4java.util.HttpCache - Returning cached GET response for https://api.screenname.aol.com/auth/openid/xrds
使用 myOpenid 帐户尝试会得到略有不同的消息:
[qtp760167714-16] INFO org.openid4java.discovery.Discovery - Starting discovery on URL identifier: http://coraythan.myopenid.com/
第二次:
[qtp1540619773-25] INFO org.openid4java.discovery.Discovery - Starting discovery on URL identifier: http://coraythan.myopenid.com/
[qtp1540619773-25] INFO org.openid4java.util.HttpCache - Returning cached HEAD response for http://coraythan.myopenid.com/
[qtp1540619773-25] INFO org.openid4java.util.HttpCache - Returning cached GET response for http://coraythan.myopenid.com/?xrds=1
使用“google login”选项会出现同样的问题。它看起来与我从 OpenId 看到的相同,但使用的是 google 的东西。
奇怪的是,尝试使用 yahoo 电子邮件登录更糟糕,因为会引发堆栈跟踪!堆栈跟踪似乎是从 OpenId4Java(Spring Security Openid 使用的支持 openid 实现)抛出的。
对于雅虎电子邮件,堆栈跟踪的一些内容如下:
[qtp665820578-23] INFO org.openid4java.discovery.Discovery - Starting discovery on URL identifier: http://yahoo.com/
2013-03-02 18:58:27.060:WARN:oejs.ServletHandler:Error for /j_spring_openid_security_check
java.lang.NoClassDefFoundError: org/cyberneko/html/HTMLTagBalancingListener
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:791)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:421)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:383)
at org.openid4java.discovery.yadis.CyberNekoDOMYadisHtmlParser.parseDocument(CyberNekoDOMYadisHtmlParser.java:99)
at org.openid4java.discovery.yadis.CyberNekoDOMYadisHtmlParser.getHtmlMeta(CyberNekoDOMYadisHtmlParser.java:42)
at org.openid4java.discovery.yadis.YadisResolver.getHtmlMeta(YadisResolver.java:325)
at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:453)
at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:252)
at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:232)
at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:166)
at org.openid4java.discovery.Discovery.discover(Discovery.java:147)
at org.openid4java.discovery.Discovery.discover(Discovery.java:129)
at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:542)
at org.springframework.security.openid.OpenID4JavaConsumer.beginConsumption(OpenID4JavaConsumer.java:103)
at org.springframework.security.openid.OpenIDAuthenticationFilter.attemptAuthentication(OpenIDAuthenticationFilter.java:123)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
[...]
Caused by:
java.lang.ClassNotFoundException: org.cyberneko.html.HTMLTagBalancingListener
at org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy.loadClass(SelfFirstStrategy.java:50)
at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:244)
at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:230)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:430)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:383)
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:791)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:421)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:383)
at org.openid4java.discovery.yadis.CyberNekoDOMYadisHtmlParser.parseDocument(CyberNekoDOMYadisHtmlParser.java:99)
at org.openid4java.discovery.yadis.CyberNekoDOMYadisHtmlParser.getHtmlMeta(CyberNekoDOMYadisHtmlParser.java:42)
at org.openid4java.discovery.yadis.YadisResolver.getHtmlMeta(YadisResolver.java:325)
at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:453)
at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:252)
at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:232)
at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:166)
at org.openid4java.discovery.Discovery.discover(Discovery.java:147)
at org.openid4java.discovery.Discovery.discover(Discovery.java:129)
at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:542)
at org.springframework.security.openid.OpenID4JavaConsumer.beginConsumption(OpenID4JavaConsumer.java:103)
at org.springframework.security.openid.OpenIDAuthenticationFilter.attemptAuthentication(OpenIDAuthenticationFilter.java:123)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
这是我的弹簧安全 xml:
<!-- This is where we configure Spring-Security -->
<security:http auto-config="true" access-denied-page="/accessDenied">
<!-- TODO fix all these URLs open to anyone -->
<security:intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/logout" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/accessDenied" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/VAADIN/*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<!-- Admin only URLs -->
<security:intercept-url pattern="/admin/*" access="ROLE_ADMIN" />
<!-- Logged in User only URLs -->
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/endpoint/*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/game/*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:openid-login
login-page="/"
authentication-failure-url="/?error=true"
default-target-url="/game" />
<security:logout
invalidate-session="true"
logout-success-url="/"
logout-url="/logout" />
</security:http>
<!-- Declare an authentication-manager to use a custom userDetailsService -->
<security:authentication-manager>
<security:authentication-provider
user-service-ref="userDetailsService">
<security:password-encoder ref="passwordEncoder" />
</security:authentication-provider>
</security:authentication-manager>
<!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the
database -->
<bean
class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
id="passwordEncoder" />
<!-- An in-memory list of users. No need to access an external database
layer. See Spring Security 3.1 Reference 5.2.1 In-Memory Authentication -->
<!-- john's password is admin, while jane;s password is user -->
<security:user-service id="userDetailsService">
<!-- user name is based on the returned OpenID identifier from Google -->
<security:user
name="https://www.google.com/accounts/o8/id?id=AItxxioJSDLFJLjxcksdfjOpAASDFosSSoJ0E"
password="" authorities="ROLE_USER, ROLE_ADMIN" />
</security:user-service>
我的 web.xml 中有以下 servlet 映射和 spring 安全过滤器:
<!-- spring gets everything else -->
<servlet-mapping>
<servlet-name>springServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
如果我能提供任何其他信息,我会很高兴!我真的很想让这个工作,但我不确定我做错了什么。
谢谢!