我正在尝试将基于 Spring Boot 的应用程序与使用 componentSpace lib 进行 SAML 的 IDp 集成。Spring 应用程序(服务提供者)可以与 Octa 等其他 Idp 一起正常工作。但是在与组件 Space 集成时,它面临问题并出现以下错误。将日志与 Octa 请求进行比较时的差异:
- Octa 正在发送 Get 请求,而来自组件空间的是 post 请求。
- 从 Octa 我能够获得用户 ID(登录 ID),但从组件空间它是作为匿名用户进行的。所以我的问题是我们可以点击获取请求而不是发布。以及为什么不设置 userId 值的任何原因?
日志:
2020-12-16 07:00:55.800 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : No security for POST /saml/sso
2020-12-16 07:00:55.800 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (8/13)
2020-12-16 07:00:55.800 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.s.HttpSessionRequestCache : No saved request
2020-12-16 07:00:55.800 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (9/13)
2020-12-16 07:00:55.803 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (10/13)
2020-12-16 07:00:56.809 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.9.109.194, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2020-12-16 07:00:56.810 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (11/13)
2020-12-16 07:00:56.810 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (12/13)
2020-12-16 07:00:56.810 TRACE 9144 --- [nio-8443-exec-1] o.s.security.web.FilterChainProxy : Invoking FilterSecurityInterceptor (13/13)
2020-12-16 07:00:56.811 TRACE 9144 --- [nio-8443-exec-1] edFilterInvocationSecurityMetadataSource : Did not match request to Ant [pattern='/saml**', OPTIONS] - [hasAnyRole('ROLE_')] (1/2)
2020-12-16 07:00:57.501 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Did not re-authenticate AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.9.109.194, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] before authorizing
2020-12-16 07:00:57.502 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Authorizing filter invocation [POST /saml/sso] with attributes [authenticated]
2020-12-16 07:01:03.577 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.expression.WebExpressionVoter : Voted to deny authorization
2020-12-16 07:01:03.580 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Failed to authorize filter invocation [POST /saml/sso] with attributes [authenticated] using AffirmativeBased [DecisionVoters=[org.springframework.security.web.access.expression.WebExpressionVoter@24cfcf19], AllowIfAllAbstainDecisions=false]
2020-12-16 07:01:03.709 TRACE 9144 --- [nio-8443-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'delegatingApplicationListener'
2020-12-16 07:01:03.709 TRACE 9144 --- [nio-8443-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'liveReloadServerEventListener'
2020-12-16 07:01:03.736 TRACE 9144 --- [nio-8443-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.9.109.194, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:73) ~[spring-security-core-5.4.1.jar:5.4.1]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.attemptAuthorization(AbstractSecurityInterceptor.java:238) ~[spring-security-core-5.4.1.jar:5.4.1]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:208) ~[spring-security-core-5.4.1.jar:5.4.1]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:113) ~[spring-security-web-5.4.1.jar:5.4.1]