2012-10-01 95 views
6

我試圖將Spring Saml library集成到示例web應用程序中,並使用Shibboleth作爲IDP。 我可以加載登錄頁面,登錄並顯示索引頁面。HttpSession爲SPRING_SECURITY_CONTEXT返回空對象

問題是,當我點擊其他鏈接時,webapp將我重定向到登錄頁面,然後IDP識別我並重定向到所請求的頁面(如果網絡很快就很難看到)。這就像我沒有登錄Spring安全。

我檢查了日誌,我發現這一點:

org.springframework.security.web.context.HttpSessionSecurityContextRepository - 爲SPRING_SECURITY_CONTEXT org.springframework.security.web.context.HttpSessionSecurityContextRepository的HttpSession返回null對象 - 沒有SecurityContext可從HttpSession獲得:[email protected]。一個新的將被創建。

這是在web.xml

<!-- The definition of the Root Spring Container shared by all Servlets and Filters --> 
<context-param> 
    <param-name>contextConfigLocation</param-name> 
    <param-value> 
     /WEB-INF/spring/root-context.xml 
     /WEB-INF/spring/security/securityContext.xml 
    </param-value> 
</context-param> 
<filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
</filter> 
<filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

<!-- Creates the Spring Container shared by all Servlets and Filters --> 
<listener> 
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
</listener> 

<!-- Processes application requests --> 
<servlet> 
    <servlet-name>dispatcher</servlet-name> 
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
    <init-param> 
     <param-name>contextConfigLocation</param-name> 
     <param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value> 
    </init-param> 
    <load-on-startup>1</load-on-startup> 
</servlet> 

<servlet-mapping> 
    <servlet-name>dispatcher</servlet-name> 
    <url-pattern>/</url-pattern> 
</servlet-mapping> 



<!-- Custom error pages --> 
<error-page> 
    <error-code>400</error-code> 
    <location>/errors/missing-en.html</location> 
</error-page> 
<error-page> 
    <error-code>401</error-code> 
    <location>/errors/restricted-en.html</location> 
</error-page> 
<error-page> 
    <error-code>403</error-code> 
    <location>/errors/restricted-en.html</location> 
</error-page> 
<error-page> 
    <error-code>404</error-code> 
    <location>/errors/missing-en.html</location> 
</error-page> 
<error-page> 
    <error-code>500</error-code> 
    <location>/errors/missing-en.html</location> 
</error-page> 
<error-page> 
    <error-code>503</error-code> 
    <location>/errors/missing-en.html</location> 
</error-page> 

和SecurityContext的

<beans xmlns="http://www.springframework.org/schema/beans" 
xmlns:security="http://www.springframework.org/schema/security" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns:context="http://www.springframework.org/schema/context" 
xsi:schemaLocation="http://www.springframework.org/schema/beans 
     http://www.springframework.org/schema/beans/spring-beans-3.1.xsd 
     http://www.springframework.org/schema/security 
     http://www.springframework.org/schema/security/spring-security-3.1.xsd 
     http://www.springframework.org/schema/context 
     http://www.springframework.org/schema/context/spring-context.xsd"> 

<!-- Enable autowiring --> 
<context:annotation-config /> 
<context:component-scan base-package="org.springframework.security.saml" /> 

<security:http pattern="/logout.jsp" security="none" /> 
<security:http pattern="/login.jsp" security="none" /> 
<security:http pattern="/index.html" security="none" /> 

<security:http entry-point-ref="samlEntryPoint"> 
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" /> 
    <security:custom-filter before="FIRST" ref="metadataGeneratorFilter" /> 
    <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter" /> 
</security:http> 

<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy"> 
    <security:filter-chain-map path-type="ant"> 
     <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint" /> 
     <security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter" /> 
     <security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter" /> 
     <security:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter" /> 
     <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter" /> 
    </security:filter-chain-map> 
</bean> 

<!-- Handler deciding where to redirect user after successful login --> 
<bean id="successRedirectHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"> 
    <property name="defaultTargetUrl" value="/" /> 
</bean> 
<!-- Use the following for interpreting RelayState coming from unsolicited response as redirect URL: <bean id="successRedirectHandler" class="org.springframework.security.saml.SAMLRelayStateSuccessHandler"> 
    <property name="defaultTargetUrl" value="/" /> </bean> --> 

<!-- Handler for successful logout --> 
<bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler"> 
    <property name="defaultTargetUrl" value="/logout.jsp" /> 
</bean> 

<!-- Register authentication manager with SAML provider --> 
<security:authentication-manager alias="authenticationManager"> 
    <security:authentication-provider ref="samlAuthenticationProvider" /> 
</security:authentication-manager> 

<!-- Logger for SAML messages and events --> 
<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger" /> 

<!-- Central storage of cryptographic keys --> 
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager"> 
    <constructor-arg value="/WEB-INF/spring/security/myKeystore.jks" /> 
    <constructor-arg type="java.lang.String" value="betfair" /> 
    <constructor-arg> 
     <map> 
      <entry key="tomcat" value="betfair" /> 
     </map> 
    </constructor-arg> 
    <constructor-arg type="java.lang.String" value="tomcat" /> 
</bean> 

<!-- Entry point to initialize authentication, default values taken from properties file --> 
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint"> 
    <property name="defaultProfileOptions"> 
     <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions"> 
      <property name="includeScoping" value="false" /> 
     </bean> 
    </property> 
</bean> 

<!-- IDP Discovery Service --> 
<bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery"> 
    <property name="idpSelectionPath" value="/WEB-INF/security/idpSelection.jsp" /> 
</bean> 

<!-- Filter automatically generates default SP metadata --> 
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter"> 
    <constructor-arg> 
     <bean class="org.springframework.security.saml.metadata.MetadataGenerator" /> 
    </constructor-arg> 
</bean> 

<!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there --> 
<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter" /> 

<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here --> 
<!-- Do no forget to call iniitalize method on providers --> 
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager"> 
    <constructor-arg> 
     <list> 

      <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate"> 
       <constructor-arg> 
        <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider"> 
         <constructor-arg> 
          <value type="java.io.File">/WEB-INF/spring/security/shibboleth.xml</value> 
         </constructor-arg> 
         <property name="parserPool" ref="parserPool" /> 
        </bean> 
       </constructor-arg> 
       <constructor-arg> 
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"> 
        </bean> 
       </constructor-arg> 
      </bean> 
      <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate"> 
       <constructor-arg> 
        <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider"> 
         <constructor-arg> 
          <value type="java.io.File">/WEB-INF/spring/security/localhost_sp.xml</value> 
         </constructor-arg> 
         <property name="parserPool" ref="parserPool" /> 
        </bean> 
       </constructor-arg> 
       <constructor-arg> 
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"> 
         <property name="local" value="true" /> 
         <property name="alias" value="localhost" /> 
         <property name="securityProfile" value="metaiop" /> 
         <property name="sslSecurityProfile" value="pkix" /> 
         <property name="signingKey" value="tomcat" /> 
         <property name="encryptionKey" value="tomcat" /> 
         <property name="tlsKey" value="tomcat" /> 
         <property name="requireArtifactResolveSigned" value="false" /> 
         <property name="requireLogoutRequestSigned" value="false" /> 
         <property name="requireLogoutResponseSigned" value="false" /> 
        </bean> 
       </constructor-arg> 
      </bean> 
     </list> 
    </constructor-arg>  
    <!-- OPTIONAL used when one of the metadata files contains information about this service provider --> 
    <property name="hostedSPName" value="localhost"/> 
    <!-- OPTIONAL property: can tell the system which IDP should be used for authenticating user by default. --> 
    <!-- <property name="defaultIDP" value="http://localhost:8080/opensso"/> --> 
</bean> 

<!-- SAML Authentication Provider responsible for validating of received SAML messages --> 
<bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider"> 
    <!-- OPTIONAL property: can be used to store/load user data after login --> 
    <!-- <property name="userDetails" ref="bean" /> --> 
</bean> 

<!-- Provider of default SAML Context --> 
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl" /> 

<!-- Processing filter for WebSSO profile messages --> 
<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter"> 
    <property name="authenticationManager" ref="authenticationManager" /> 
    <property name="authenticationSuccessHandler" ref="successRedirectHandler" /> 
</bean> 

<!-- Processing filter for WebSSO Holder-of-Key profile --> 
<bean id="samlWebSSOHoKProcessingFilter" class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter"> 
    <property name="authenticationManager" ref="authenticationManager" /> 
    <property name="authenticationSuccessHandler" ref="successRedirectHandler" /> 
</bean> 

<!-- Logout handler terminating local session --> 
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"> 
    <property name="invalidateHttpSession" value="false" /> 
</bean> 

<!-- Override default logout processing filter with the one processing SAML messages --> 
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter"> 
    <constructor-arg ref="successLogoutHandler" /> 
    <constructor-arg ref="logoutHandler" /> 
    <constructor-arg ref="logoutHandler" /> 
</bean> 

<!-- Filter processing incoming logout messages --> 
<!-- First argument determines URL user will be redirected to after successful global logout --> 
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter"> 
    <constructor-arg ref="successLogoutHandler" /> 
    <constructor-arg ref="logoutHandler" /> 
</bean> 

<!-- Class loading incoming SAML messages from httpRequest stream --> 
<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl"> 
    <constructor-arg> 
     <list> 
      <ref bean="redirectBinding" /> 
      <ref bean="postBinding" /> 
      <ref bean="artifactBinding" /> 
      <ref bean="soapBinding" /> 
      <ref bean="paosBinding" /> 
     </list> 
    </constructor-arg> 
</bean> 

<!-- SAML 2.0 WebSSO Assertion Consumer --> 
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl" /> 

<!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer --> 
<bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl" /> 

<!-- SAML 2.0 Web SSO profile --> 
<bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl" /> 

<!-- SAML 2.0 Holder-of-Key Web SSO profile --> 
<bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl" /> 

<!-- SAML 2.0 ECP profile --> 
<bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl" /> 

<!-- SAML 2.0 Logout Profile --> 
<bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl" /> 

<!-- Bindings, encoders and decoders used for creating and parsing messages --> 
<bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding"> 
    <constructor-arg ref="parserPool" /> 
    <constructor-arg ref="velocityEngine" /> 
</bean> 

<bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding"> 
    <constructor-arg ref="parserPool" /> 
</bean> 

<bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding"> 
    <constructor-arg ref="parserPool" /> 
    <constructor-arg ref="velocityEngine" /> 
    <constructor-arg> 
     <bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl"> 
      <constructor-arg> 
       <bean class="org.apache.commons.httpclient.HttpClient" /> 
      </constructor-arg> 
      <property name="processor"> 
       <bean id="soapProcessor" class="org.springframework.security.saml.processor.SAMLProcessorImpl"> 
        <constructor-arg ref="soapBinding" /> 
       </bean> 
      </property> 
     </bean> 
    </constructor-arg> 
</bean> 

<bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding"> 
    <constructor-arg ref="parserPool" /> 
</bean> 

<bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding"> 
    <constructor-arg ref="parserPool" /> 
</bean> 

<!-- Initialization of OpenSAML library --> 
<bean class="org.springframework.security.saml.SAMLBootstrap" /> 

<!-- Initialization of the velocity engine --> 
<bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine" /> 

<!-- XML parser pool needed for OpenSAML parsing --> 
<bean id="parserPool" class="org.opensaml.xml.parse.BasicParserPool" scope="singleton" /> 

任何想法?

感謝 埃馬努埃萊

回答

2

我遇到過同樣的問題。在調試之後意識到SecurityContext在被保留之前被清除。谷歌搜索後,我發現這個:https://jira.springsource.org/browse/SEC-2027 移動到春季安全版本3.1.2解決它對我來說。

我希望它能幫助別人。

-2

如果你不講究使用Spring,或者你可以嘗試一些作品第一,並移動到春節後,這裏是一個很好的教程。我曾經嘗試這樣做,它的工作原理:

http://fczaja.blogspot.com/2012/06/idp-initiated-sso-and-identity.html

博客作者菲利普是非常敏感,如果必要,可以從他那裏得到澄清。

+0

謝謝,我們會嘗試。其實我們需要Spring,但是認爲解決方案與框架的耦合確實是個好主意 – Emanuele

+0

這個答案與這個問題沒有任何關係! –