3
我遇到了Spring Security 3.1.0記住我cookies的問題。我需要儘快找到一個解決方案,我找不到這個問題的原因。Spring Security 3.1.0 - 記住我無法按預期方式工作
這些步驟我下面:
- 轉到我的應用程序URL(如http://myapp/app.htm)
- 我重定向到登錄頁面,所以我登錄
- 登錄後,關閉瀏覽器(未註銷)
- 打開瀏覽器,進入我的應用程序URL
在這一點上,我希望進入我的應用程序bypassin g因爲記憶我的cookie仍然在我的瀏覽器中,所以登錄表單。儘管如此,登錄頁面再次出現。
- 轉到我的應用程序URL再次
再次嘗試,我可以進入我的應用程序通常繞過登錄表單。
這很混亂,到目前爲止我找不到解釋。
我試着調試都嘗試,我發現,當Spring Security的RememberMeAuthenticationFilter被解僱了以下內容:
嘗試1
請求路徑= /app.htm:request.getCookies()不包含我的SPRING_SECURITY_REMEMBER_ME_COOKIE,因此我被重定向到登錄頁面 請求路徑= /security/login.htm:在這一點上request.getCookies()DID有我的SPRING_SECURITY_REMEMBER_ME_COOKIE,它被接受;反正,我已經被重定向到登錄頁面
嘗試2
記住,我的cookie已被接受,所以我可以毫無問題地進入我的應用程序。
下面是Spring Security XML配置和兩次嘗試的日誌。
任何對此的幫助將非常感謝!
春季安全配置(我將省略有關DaoAuthenticationProvider的時候和事件偵聽器的所有內容):
<sec:http auto-config="false" use-expressions="true" authentication-manager-ref="authenticationManager">
<sec:custom-filter ref="sessionLocaleResolvingFilter" before="FORM_LOGIN_FILTER"/>
<sec:intercept-url pattern="/security/*.htm" requires-channel="https" />
<sec:intercept-url pattern="/retrieve-password/*.htm" requires-channel="https" />
<sec:intercept-url pattern="/messagebroker/*" access="authenticated" requires-channel="http" />
<sec:intercept-url pattern="/platform/*.htm"
access="hasRole('limited') or (authenticated and !hasRole('role1') and !hasRole('role2'))"
requires-channel="http" />
<sec:intercept-url pattern="/app.htm" access="authenticated" requires-channel="http" />
<sec:intercept-url pattern="/**" requires-channel="http" />
<sec:form-login login-page="/security/login.htm" default-target-url="/app.htm"
login-processing-url="/security/process-login.htm" authentication-failure-url="/security/login.htm?error=true" />
<sec:logout logout-url="/security/logout.htm" delete-cookies="JSESSIONID,SPRING_SECURITY_REMEMBER_ME_COOKIE"
logout-success-url="/security/logout-success.htm" invalidate-session="true"/>
<sec:anonymous/>
<sec:remember-me use-secure-cookie="true" key="myAppServices"
services-ref="ipTokenBasedRememberMeServicesBean" />
<sec:session-management session-fixation-protection="none"/>
<sec:access-denied-handler error-page="/denied-access.htm"/>
</sec:http>
<bean id="sessionLocaleResolvingFilter" class="com.myapp.spring.security.SessionLocaleResolvingFilter" />
<bean class="com.myapp.spring.security.IPTokenBasedRememberMeServices"
id="ipTokenBasedRememberMeServicesBean">
<constructor-arg value="myAppServices"/>
<constructor-arg ref="myAppJdbcDaoImpl"/>
</bean>
<bean id="myAppPasswordEncoder" class="com.myapp.spring.security.MyAppPasswordEncoder" />
<bean id="authenticationManager"
class="o.s.s.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="daoAuthenticationProvider" />
</list>
</property>
</bean>
<!-- Other beans... -->
日誌中的第一次嘗試(使用操作系統和與OSS org.springframework.security取代org.springframework) :
o.s.s.web.access.channel.ChannelProcessingFilter:134 - Request: FilterInvocation: URL: /app.htm?lang=en; ConfigAttributes: [REQUIRES_INSECURE_CHANNEL]
o.s.s.web.context.HttpSessionSecurityContextRepository:127 - No HttpSession currently exists
o.s.s.web.context.HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: null. A new one will be created.
o.s.s.web.FilterChainProxy:318 - /app.htm?lang=en at position 9 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
o.s.s.web.authentication.AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: '[email protected]: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: ROLE_ANONYMOUS'
o.s.s.web.FilterChainProxy:318 - /app.htm?lang=en at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
o.s.s.web.FilterChainProxy:318 - /app.htm?lang=en at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
o.s.s.web.util.AntPathRequestMatcher:103 - Checking match of request : '/app.htm'; against '/messagebroker/*'
o.s.s.web.util.AntPathRequestMatcher:103 - Checking match of request : '/app.htm'; against '/app.htm'
o.s.s.web.access.intercept.FilterSecurityInterceptor:193 - Secure object: FilterInvocation: URL: /app.htm?lang=en; Attributes: [authenticated]
o.s.s.web.access.intercept.FilterSecurityInterceptor:298 - Previously Authenticated: [email protected]: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: ROLE_ANONYMOUS
o.s.s.access.vote.AffirmativeBased:65 - Voter: [email protected], returned: -1
o.s.s.web.access.ExceptionTranslationFilter:165 - Access is denied (user is anonymous); redirecting to authentication entry point
o.s.s.access.AccessDeniedException: Access is denied
at o.s.s.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
at o.s.s.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:205)
at o.s.s.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:114)
at o.s.s.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at o.s.s.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at o.s.s.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at o.s.s.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
(X more)
o.s.s.web.DefaultRedirectStrategy:36 - Redirecting to 'http://arbad67464/services/security/login.htm'
o.s.s.web.context.HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
o.s.s.web.context.SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
o.s.s.web.access.channel.RetryWithHttpsEntryPoint:55 - Redirecting to: https://arbad67464/services/security/login.htm
o.s.s.web.DefaultRedirectStrategy:36 - Redirecting to 'https://arbad67464/services/security/login.htm'
o.s.s.web.access.channel.ChannelProcessingFilter:134 - Request: FilterInvocation: URL: /security/login.htm; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
o.s.s.web.context.HttpSessionSecurityContextRepository:139 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
o.s.s.web.context.HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: [email protected] A new one will be created.
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 4 of 11 in additional filter chain; firing Filter: 'SessionLocaleResolvingFilter'
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 5 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 8 of 11 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
com.myapp.spring.security.IPTokenBasedRememberMeServices:103 - Remember-me cookie detected
com.myapp.spring.security.IPTokenBasedRememberMeServices:118 - Remember-me cookie accepted
o.s.s.authentication.ProviderManager:152 - Authentication attempt using o.s.s.authentication.RememberMeAuthenticationProvider
登錄我的第二次嘗試:
o.s.s.web.access.channel.ChannelProcessingFilter:134 - Request: FilterInvocation: URL: /app.htm?lang=en; ConfigAttributes: [REQUIRES_INSECURE_CHANNEL]
o.s.s.web.context.HttpSessionSecurityContextRepository:158 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'o.s.s.core.context.SecurityCon[email protected]: Authentication: [email protected]: Principal: [email protected]: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: limited,premium,special; Credentials: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: limited, premium, special'
o.s.s.web.FilterChainProxy:318 - /app.htm?lang=en at position 8 of 11 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
o.s.s.web.authentication.rememberme.RememberMeAuthenticationFilter:142 - SecurityContextHolder not populated with remember-me token, as it already contained: '[email protected]: Principal: [email protected]: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: limited,premium,special; Credentials: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: limited, premium, special'
o.s.s.web.FilterChainProxy:318 - /app.htm?lang=en at position 9 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
o.s.s.web.authentication.AnonymousAuthenticationFilter:107 - SecurityContextHolder not populated with anonymous token, as it already contained: '[email protected]: Principal: [email protected]: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: limited,premium,special; Credentials: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: limited, premium, special'
o.s.s.web.access.intercept.FilterSecurityInterceptor:193 - Secure object: FilterInvocation: URL: /app.htm?lang=en; Attributes: [authenticated]
o.s.s.web.access.intercept.FilterSecurityInterceptor:298 - Previously Authenticated: [email protected]: Principal: [email protected]: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: limited,premium,special; Credentials: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: limited, premium, special
o.s.s.access.vote.AffirmativeBased:65 - Voter: [email protected], returned: 1
o.s.s.web.access.intercept.FilterSecurityInterceptor:214 - Authorization successful
請修剪下來到的東西更容易消化。現在,這只是一個文本牆/代碼,讓人們不會花時間去查看它。此外,僅僅傾銷所有的代碼和日誌就是指示您嘗試查找* actual *問題所需的最小努力,並要求*在此處提供幫助。 – casperOne 2012-02-15 14:20:41
好吧,我知道這可能有些壓倒性的,所以我會盡量減少它。但請理解,當我傾銷我的日誌時,我只打算提供可能對希望提供幫助的任何人有用的其他信息。它本身並不是最小努力的指標 - 我仔細閱讀日誌並調試了我的應用程序,並試圖在發佈之前在幾個地方找到解決方案。此外,我沒有轉儲所有我的代碼,只有XML。如果我沒有,任何人都可能幫忙? 無論如何,感謝您的評論。 – nomusicnolife 2012-02-15 15:22:18