如何解决调试Spring Security筛选器链
我在使用Spring的应用程序中使用了自定义实现的SSO。 (最近我正在将应用程序升级到Spring 5.2.5和Java 11。)
在该SSO过程的最后阶段,将发布如下所示的URL,该URL绕过身份验证/登录页面并打开主页。
http://localhost:8181/MyApp/j_spring_security_check?tokenId=999a1ec9-d92a-4a5e-a7ec-a8985c421000
但没有打开主页,而是将我定向到
access-denied-handler error-page="/ui/ordinary/noauthorization.xhtml"
但是当我查看Spring调试日志时,我意识到permitAll
是匹配的。没有访问被拒绝。
我如何才能知道这里到底发生了什么?为什么不进入未调用的主页或CustomAuthenticationFilter.attemptAuthentication
方法(覆盖UsernamePasswordAuthenticationFilter
)?
[2020-09-02 01:39:04,782][DEBUG] Checking match of request : '/j_spring_security_check'; against '/noauthorization.xhtml' - org.springframework.security.web.util.matcher.AntPathRequestMatcher.matches(AntPathRequestMatcher.java:177)
[2020-09-02 01:39:04,782][DEBUG] Checking match of request : '/j_spring_security_check'; against '/login' - org.springframework.security.web.util.matcher.AntPathRequestMatcher.matches(AntPathRequestMatcher.java:177)
[2020-09-02 01:39:04,782][DEBUG] Checking match of request : '/j_spring_security_check'; against '/j_spring_security_check' - org.springframework.security.web.util.matcher.AntPathRequestMatcher.matches(AntPathRequestMatcher.java:177)
[2020-09-02 01:39:04,782][DEBUG] Secure object: FilterInvocation: URL: /j_spring_security_check?tokenId=3e004f91-1aec-4f98-bc5c-1f49b69c209a; Attributes: [permitAll] - org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:219)
[2020-09-02 01:39:04,782][DEBUG] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@ca1ab61a: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: node08gmgybqdzxi6l88ent9iokp01; Granted Authorities: ROLE_ANONYMOUS - org.springframework.security.access.intercept.AbstractSecurityInterceptor.authenticateIfRequired(AbstractSecurityInterceptor.java:348)
[2020-09-02 01:39:04,782][DEBUG] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@75a450d1,returned: 1 - org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:66)
[2020-09-02 01:39:04,782][DEBUG] Authorization successful - org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:243)
[2020-09-02 01:39:04,782][DEBUG] RunAsManager did not change Authentication object - org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:256)
[2020-09-02 01:39:04,782][DEBUG] /j_spring_security_check?tokenId=3e004f91-1aec-4f98-bc5c-1f49b69c209a reached end of additional filter chain; proceeding with original chain org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:313)
[2020-09-02 01:39:04,791][DEBUG] Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@b7199c7 - org.springframework.security.web.header.writers.HstsHeaderWriter.writeHeaders(HstsHeaderWriter.java:169)
[2020-09-02 01:39:04,791][DEBUG] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. - org.springframework.security.web.context.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper.saveContext(HttpSessionSecurityContextRepository.java:351)
[2020-09-02 01:39:04,791][DEBUG] Chain processed normally - org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
[2020-09-02 01:39:04,792][DEBUG] SecurityContextHolder now cleared,as request processing completed - org.springframework.security.web.context.SecurityContextPersistenceFilter.
发布问题后,我对xml进行了许多更改,但据我所记得, 我的securityContext.xml如下所示:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans default-lazy-init="true"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util" xmlns="http://www.springframework.org/schema/security"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:p="http://www.springframework.org/schema/p" xmlns:task="http://www.springframework.org/schema/task"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd">
<context:component-scan base-package="com.myapp.authentication" />
<http auto-config='true' use-expressions="true" entry-point-ref="myAuthenticationEntryPoint">
<custom-filter ref="customAuthenticationFilter" position="PRE_AUTH_FILTER"/>
<intercept-url pattern="/css/**" access="permitAll" />
<intercept-url pattern="/images/**" access="permitAll" />
<intercept-url pattern="/templates/**" access="isAuthenticated()" />
.
.
<intercept-url pattern="/ui/ordinary" access="denyAll" />
<intercept-url pattern="/ui/ordinary/" access="denyAll" />
.
.
<intercept-url pattern="/ui/ordinary/**"
access="hasAnyRole('ROLE_ORDINARY','ROLE_ADMINISTRATOR','ROLE_ROOT')" />
<intercept-url pattern="/ui/**" access="isAuthenticated()" />
<intercept-url pattern="/login.xhtml" access="permitAll" />
<intercept-url pattern="/j_spring_security_check" access="permitAll" />
<intercept-url pattern="/noauthorization.xhtml" access="permitAll" />
<intercept-url pattern="/**" access="denyAll" />
<form-login login-page='/login.xhtml'
username-parameter="j_username"
password-parameter="j_password"
login-processing-url="/j_spring_security_check"
authentication-failure-url="/login.xhtml"
always-use-default-target="false"
default-target-url="/ui/ordinary/list.xhtml" />
<access-denied-handler error-page="/ui/ordinary/noauthorization.xhtml" />
<logout logout-url="/j_spring_security_logout" logout-success-url="/login.xhtml?logout" delete-cookies="JSESSIONID" />
<csrf disabled="true" />
<session-management invalid-session-url="/login.xhtml"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="customSpringAuthentication" />
</authentication-manager>
<beans:bean id="customAuthenticationFilter"
class="com.mayapp.authentication.CustomAuthenticationFilter" p:postOnly="false" p:authenticationManager-ref="authenticationManager">
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="authenticationFailureHandler" ref="failureHandler"/>
<beans:property name="authenticationSuccessHandler" ref="successHandler"/>
<beans:property name="sessionAuthenticationStrategy" ref="sessionFixationAttackHandler"/>
</beans:bean>
<beans:bean id="successHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/ui/ordinary/list.xhtml"/>
</beans:bean>
<beans:bean id="failureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login.xhtml?login_error=true"/>
</beans:bean>
<beans:bean id="customSpringAuthentication" class="com.mayapp.authentication.CustomSpringAuthentication"/>
<beans:bean id="myAuthenticationEntryPoint" class="com.mayapp.authentication.CustomAuthenticationEntryPoint">
<!-- beans:property name="loginFormUrl" value="/login.xhtml" /-->
<beans:constructor-arg value="/login.xhtml"/>
</beans:bean>
<beans:bean id="sessionFixationAttackHandler" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"/>
</beans:beans>
解决方法
经过大量的实验,我能够解决问题。
我删除了
<intercept-url pattern="/j_spring_security_check" access="permitAll" />
解决该问题的最重要的方法是在令牌过滤器的构造函数中添加“ setRequiresAuthenticationRequestMatcher”,如下所示:
公共类CustomAuthenticationFilter扩展 UsernamePasswordAuthenticationFilter {
public CustomAuthenticationFilter() {
super();
super.setPostOnly(false);
super.setRequiresAuthenticationRequestMatcher( new AntPathRequestMatcher("/j_spring_security_check","GET") );
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request,HttpServletResponse response) throws AuthenticationException {
.
.
}
}
感谢所有恳请我提供更多详细信息以帮助我的人。我很感激
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。