0

我已经构建了一个在我自己的本地环境中运行良好的应用程序。但是,当我部署到使用 Siteminder 进行身份验证的开发环境时,我会收到所有图像和 css 文件的“拒绝访问”。我注意到在身份验证后有一个 jsessionid 附加到 url,因此测试手动将 jsessionid 复制+粘贴到图像 url。图像现在显示!

有人知道可能出了什么问题吗?为什么 jsessionid 对于访问图像和 css 很重要?

如果有帮助,我很乐意发布任何代码示例...

**编辑

我打开了一些额外的日志记录,我知道问题出在哪里,但不是真的如何解决它。

19:40:27,236 INFO  [STDOUT] 2010-12-17 19:40:27,236 [http-0.0.0.0-30080-1] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter  - Authentication exception occurred; redirecting to authentication entry point
org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException: SM_USER header not found in request.
    at org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter.getPreAuthenticatedPrincipal(RequestHeaderAuthenticationFilter.java:43)
    at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doAuthenticate(AbstractPreAuthenticatedProcessingFilter.java:98)
    at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:86)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:619)

我的 Spring 安全设置:

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

    <bean id="filterSecurityInterceptor"
        class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="accessDecisionManager" ref="accessDecisionManager" />
        <property name="securityMetadataSource">
            <security:filter-security-metadata-source>
                <security:intercept-url pattern="/"
                    access="ROLE_VIEW_WELCOME" />
                <security:intercept-url pattern="/cfs"
                    access="ROLE_VIEW_WELCOME" />
                <security:intercept-url pattern="/app"
                    access="ROLE_VIEW_WELCOME" />
                <security:intercept-url pattern="/welcome/**"
                    access="ROLE_VIEW_WELCOME" />
                <security:intercept-url pattern="/styles/**"
                    access="IS_AUTHENTICATED_ANONYMOUSLY" />
                <security:intercept-url pattern="/scripts/**"
                    access="IS_AUTHENTICATED_ANONYMOUSLY" />
                <security:intercept-url pattern="/images/**"
                    access="IS_AUTHENTICATED_ANONYMOUSLY" />
                <security:intercept-url pattern="/ruleManagement/**"
                    access="ROLE_VIEW_RULE_MANAGEMENT" />
                <security:intercept-url pattern="/vendorManagement/**"
                    access="ROLE_VENDOR_MANAGEMENT" />
                <security:intercept-url pattern="/userManagement/**"
                    access="ROLE_USER_MANAGEMENT" />
                <security:intercept-url pattern="/titleManagement/**"
                    access="ROLE_TITLE_MANAGEMENT" />
                <security:intercept-url pattern="/typeManagement/**"
                    access="ROLE_TYPE_MANAGEMENT" />
                <security:intercept-url pattern="/seriesManagement/**"
                    access="ROLE_SERIES_MANAGEMENT" />
                <security:intercept-url pattern="/sequenceManagement/**"
                    access="ROLE_SEQUENCE_MANAGEMENT" />
                <security:intercept-url pattern="/roleManagement/**"
                    access="ROLE_GROUP_MANAGEMENT" />                   
                <security:intercept-url pattern="/reports/**"
                    access="ROLE_REPORTS" />                                    
                <security:intercept-url pattern="/reportsNew/**"
                    access="ROLE_REPORTS" />                                        
                <security:intercept-url pattern="/fingerprint/**"
                    access="ROLE_FINGERPRINT" />
                <security:intercept-url pattern="/**"
                    access="ROLE_VIEW_OTHER" />
            </security:filter-security-metadata-source>
        </property>
    </bean>

    <bean id="exceptionTranslationFilter"
        class="org.springframework.security.web.access.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint" ref="preauthenticationProcessingFilterEntryPoint" />
        <property name="accessDeniedHandler" ref="accessDeniedHandler" />
    </bean>

    <security:authentication-manager alias="authenticationManagerParent" />

    <bean id="authenticationManager"
        class="org.springframework.security.authentication.ProviderManager"
        parent="authenticationManagerParent">
        <property name="providers">
            <list>
                <ref local="preauthAuthProvider" />
            </list>
        </property>
    </bean>

    <bean id="accessDecisionManager"
        class="org.springframework.security.access.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions" value="false" />
        <property name="decisionVoters">
            <list>
                <bean class="org.springframework.security.access.vote.RoleVoter" />
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
            </list>
        </property>
    </bean>

    <bean id="sessionRegistry" class="org.acegisecurity.concurrent.SessionRegistryImpl" />

    <bean id="defaultConcurrentSessionController"
        class="org.acegisecurity.concurrent.ConcurrentSessionControllerImpl">
        <property name="sessionRegistry" ref="sessionRegistry" />
        <property name="exceptionIfMaximumExceeded" value="true" />
    </bean>

    <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map path-type="ant">
            <security:filter-chain pattern="/**"
                filters="securityContextPersistenceFilter, exceptionTranslationFilter, siteminderFilter, filterSecurityInterceptor" />
        </security:filter-chain-map>
    </bean>

    <bean id="securityContextPersistenceFilter"
        class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
        <property name='securityContextRepository'>
            <bean
                class='org.springframework.security.web.context.HttpSessionSecurityContextRepository'>
                <property name='allowSessionCreation' value='true' />
            </bean>
        </property>
    </bean>

    <bean id="siteminderFilter"
        class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
        <property name="principalRequestHeader" value="SM_USER" />
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="continueFilterChainOnUnsuccessfulAuthentication"
            value="false" />
    </bean>

    <bean id="mockSiteMinderFilter" class="com.disney.cfs.util.SiteMinderMockFilter"/>

    <bean id="preauthAuthProvider"
        class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService" ref="userDetailsService"/>
    </bean>

    <bean id="userDetailsService" class="com.disney.cfs.util.UserDetailsServiceUtil"/>

    <bean id="preauthenticationProcessingFilterEntryPoint"
        class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

    <bean id="accessDeniedHandler"
        class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
        <property name="errorPage" value="/accessDenied.jsp" />
    </bean>
</beans>
4

1 回答 1

1

检查您的浏览器设置。可能您的 cookie 已禁用。在这种情况下,识别会话的唯一方法是通过 URL 参数传递它。

其他可能性是您的身份验证包 (Siteminder) 的配置。我个人不知道,但我猜它可能需要通过参数传递会话 ID,然后将其与从 cookie 中获取的值进行比较。这是一种制作非常安全的应用程序的方法,这些应用程序让黑客的生活变得非常艰难。因此,可能对您来说更好的解决方案是将 jsessionid 附加到每个 url。如果您使用自定义标签库,您可以轻松做到这一点。在这种情况下,您可以实现自己的标记“a”,将 jsessionid 附加到 href 的每个值。

于 2010-12-17T21:25:12.690 回答