2010-12-17

I have built an application that works in my own local environment. However, when I deploy it to the development environment, which uses SiteMinder for authentication, I get "Access Denied" for all images and CSS files. I noticed that after authentication there is a jsessionid appended to the URL, so as a test I manually copied and pasted that jsessionid onto the URL of an image. Now the image displays! Why is access to the resources denied without the jsessionid?

Does anyone have any idea what might be going wrong? How does the jsessionid make the images and CSS accessible?

I would be happy to post any code samples if that helps.

**EDIT**

I turned on some additional logging and I can see the problem there, but not really how to fix it.

```text
19:40:27,236 INFO [STDOUT] 2010-12-17 19:40:27,236 [http-0.0.0.0-30080-1] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Authentication exception occurred; redirecting to authentication entry point
org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException: SM_USER header not found in request.
    at org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter.getPreAuthenticatedPrincipal(RequestHeaderAuthenticationFilter.java:43)
    at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doAuthenticate(AbstractPreAuthenticatedProcessingFilter.java:98)
    at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:86)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:619)
```

My Spring Security configuration:

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

    <!-- URL-to-role mapping. /styles, /scripts and /images are meant to be open
         (IS_AUTHENTICATED_ANONYMOUSLY), but this interceptor is the last filter in the
         chain and is only reached if siteminderFilter (below) has not already failed. -->
    <bean id="filterSecurityInterceptor"
        class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="accessDecisionManager" ref="accessDecisionManager" />
        <property name="securityMetadataSource">
            <security:filter-security-metadata-source>
                <security:intercept-url pattern="/" access="ROLE_VIEW_WELCOME" />
                <security:intercept-url pattern="/cfs" access="ROLE_VIEW_WELCOME" />
                <security:intercept-url pattern="/app" access="ROLE_VIEW_WELCOME" />
                <security:intercept-url pattern="/welcome/**" access="ROLE_VIEW_WELCOME" />
                <security:intercept-url pattern="/styles/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
                <security:intercept-url pattern="/scripts/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
                <security:intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
                <security:intercept-url pattern="/ruleManagement/**" access="ROLE_VIEW_RULE_MANAGEMENT" />
                <security:intercept-url pattern="/vendorManagement/**" access="ROLE_VENDOR_MANAGEMENT" />
                <security:intercept-url pattern="/userManagement/**" access="ROLE_USER_MANAGEMENT" />
                <security:intercept-url pattern="/titleManagement/**" access="ROLE_TITLE_MANAGEMENT" />
                <security:intercept-url pattern="/typeManagement/**" access="ROLE_TYPE_MANAGEMENT" />
                <security:intercept-url pattern="/seriesManagement/**" access="ROLE_SERIES_MANAGEMENT" />
                <security:intercept-url pattern="/sequenceManagement/**" access="ROLE_SEQUENCE_MANAGEMENT" />
                <security:intercept-url pattern="/roleManagement/**" access="ROLE_GROUP_MANAGEMENT" />
                <security:intercept-url pattern="/reports/**" access="ROLE_REPORTS" />
                <security:intercept-url pattern="/reportsNew/**" access="ROLE_REPORTS" />
                <security:intercept-url pattern="/fingerprint/**" access="ROLE_FINGERPRINT" />
                <security:intercept-url pattern="/**" access="ROLE_VIEW_OTHER" />
            </security:filter-security-metadata-source>
        </property>
    </bean>

    <!-- Turns an AuthenticationException from a later filter into a call to the entry
         point (403 below) and an AccessDeniedException into the accessDeniedHandler. -->
    <bean id="exceptionTranslationFilter"
        class="org.springframework.security.web.access.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint" ref="preauthenticationProcessingFilterEntryPoint" />
        <property name="accessDeniedHandler" ref="accessDeniedHandler" />
    </bean>

    <security:authentication-manager alias="authenticationManagerParent" />

    <bean id="authenticationManager"
        class="org.springframework.security.authentication.ProviderManager"
        parent="authenticationManagerParent">
        <property name="providers">
            <list>
                <ref local="preauthAuthProvider" />
            </list>
        </property>
    </bean>

    <!-- AffirmativeBased: one granting vote is enough. RoleVoter handles ROLE_* attributes,
         AuthenticatedVoter handles IS_AUTHENTICATED_ANONYMOUSLY. -->
    <bean id="accessDecisionManager"
        class="org.springframework.security.access.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions" value="false" />
        <property name="decisionVoters">
            <list>
                <bean class="org.springframework.security.access.vote.RoleVoter" />
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
            </list>
        </property>
    </bean>

    <!-- Left over from Acegi (org.acegisecurity); nothing else in this file references
         these two beans. -->
    <bean id="sessionRegistry" class="org.acegisecurity.concurrent.SessionRegistryImpl" />

    <bean id="defaultConcurrentSessionController"
        class="org.acegisecurity.concurrent.ConcurrentSessionControllerImpl">
        <property name="sessionRegistry" ref="sessionRegistry" />
        <property name="exceptionIfMaximumExceeded" value="true" />
    </bean>

    <!-- A single chain for every URL: static resources (/images, /styles, /scripts) pass
         through siteminderFilter exactly like application pages do. -->
    <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map path-type="ant">
            <security:filter-chain pattern="/**"
                filters="securityContextPersistenceFilter, exceptionTranslationFilter, siteminderFilter, filterSecurityInterceptor" />
        </security:filter-chain-map>
    </bean>

    <!-- Loads the SecurityContext from the HttpSession at the start of a request and saves
         it at the end, creating a session if needed. That session is what the jsessionid
         in the URL identifies. -->
    <bean id="securityContextPersistenceFilter"
        class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
        <property name='securityContextRepository'>
            <bean
                class='org.springframework.security.web.context.HttpSessionSecurityContextRepository'>
                <property name='allowSessionCreation' value='true' />
            </bean>
        </property>
    </bean>

    <!-- Pre-authentication from the SM_USER header injected by the SiteMinder agent.
         exceptionIfHeaderMissing is left at its default of true, so a request that
         arrives without SM_USER raises the PreAuthenticatedCredentialsNotFoundException
         shown in the log above. -->
    <bean id="siteminderFilter"
        class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
        <property name="principalRequestHeader" value="SM_USER" />
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="continueFilterChainOnUnsuccessfulAuthentication" value="false" />
    </bean>

    <!-- Defined here but not listed in the filter-chain-map above. -->
    <bean id="mockSiteMinderFilter" class="com.disney.cfs.util.SiteMinderMockFilter"/>

    <bean id="preauthAuthProvider"
        class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService" ref="userDetailsService"/>
    </bean>

    <bean id="userDetailsService" class="com.disney.cfs.util.UserDetailsServiceUtil"/>

    <!-- Responds 403 "Access Denied" whenever authentication fails: this is the error the
         browser shows for images and CSS. -->
    <bean id="preauthenticationProcessingFilterEntryPoint"
        class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

    <bean id="accessDeniedHandler"
        class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
        <property name="errorPage" value="/accessDenied.jsp" />
    </bean>
</beans>
```

Answer

Check your browser settings. Your cookies may be disabled. In that case, the only way to identify the session is to pass it through a URL parameter.

The other possibility is the configuration of your authentication package (SiteMinder). I personally don't know, but I imagine it may require the session ID to be passed as a parameter and then compare it with the value it gets from the cookie. This is a way of building a very secure application; it makes a hacker's life very hard. So the better solution for you may be to append the jsessionid to every URL. If you use a custom tag library this is easy to do: in that case you can implement your own "a" tag that appends the jsessionid to every href value.


Thanks for the reply... My browser has cookies enabled. I will have to check with the team to see whether you are right about SiteMinder checking the jsessionid in the URL. – Corey 2010-12-17 22:06:58
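The following is an added example, not code from the question, the answer, or Spring Security itself. It re-implements in Python the observable behaviour of the three filters in the posted `filter-chain-map` (`SecurityContextPersistenceFilter`, `RequestHeaderAuthenticationFilter` with its `exceptionIfHeaderMissing` property, and `FilterSecurityInterceptor`), plus the servlet container's `;jsessionid=` handling, so that the symptoms in the question can be replayed offline. Everything in it is constructed: the user `corey`, the role table, the in-memory session store and the subset of `intercept-url` rules are assumptions, and the function names are hypothetical. It shows why pasting the jsessionid into an image URL "works" (the persistence filter restores the saved context, so the pre-authentication filter never looks for `SM_USER`), why a bare image request fails (SiteMinder web agents commonly leave static file extensions unprotected, typically via the agent's IgnoreExt setting, and then do not inject `SM_USER` for them; with the single `/**` chain that is a 403 before the `IS_AUTHENTICATED_ANONYMOUSLY` rule is ever consulted), why merely setting `exceptionIfHeaderMissing="false"` is not enough (the chain has no `AnonymousAuthenticationFilter`, so the interceptor still finds no `Authentication` object), and the usual Spring Security 3.0 fix: a separate chain for static resources, which in the XML is `<security:filter-chain pattern="/images/**" filters="none" />` listed before the `/**` entry.

```python
import re
from functools import partial
from types import SimpleNamespace

class AccessDenied(Exception):
    """Stands in for Http403ForbiddenEntryPoint: the browser sees a 403 'Access Denied'."""

SESSIONS = {}   # the container's HttpSession store; all data below is constructed for this example
USER_ROLES = {"corey": {"ROLE_VIEW_WELCOME"}}   # what the UserDetailsService would return
INTERCEPT_URLS = [("/welcome/**", "ROLE_VIEW_WELCOME"),          # subset of the question's
                  ("/images/**", "IS_AUTHENTICATED_ANONYMOUSLY"),  # intercept-url list
                  ("/**", "ROLE_VIEW_OTHER")]

def ant_match(pattern, path):
    """Minimal Ant matcher: '/x/**' is a prefix match, anything else is exact."""
    if pattern.endswith("/**"):
        return path == pattern[:-3] or path.startswith(pattern[:-2])
    return path == pattern

def request(path, headers=None, cookies=None):
    """Stand-in for HttpServletRequest plus the per-request SecurityContextHolder."""
    return SimpleNamespace(path=path, headers=headers or {}, cookies=cookies or {},
                           session_id=None, session=None, auth=None)

def resolve_session(req):
    """Container step: a ';jsessionid=' URL parameter is honoured like the JSESSIONID cookie."""
    m = re.search(r";jsessionid=([^;?/]+)", req.path, re.I)
    sid = m.group(1) if m else req.cookies.get("JSESSIONID")
    if m:
        req.path = req.path[:m.start()] + req.path[m.end():]
    if sid in SESSIONS:
        req.session_id, req.session = sid, SESSIONS[sid]

def security_context_persistence_filter(req):
    """SecurityContextPersistenceFilter: restore the context saved in the session, if any."""
    if req.session is not None:
        req.auth = req.session.get("SPRING_SECURITY_CONTEXT")

def request_header_authentication_filter(req, exception_if_header_missing=True):
    """RequestHeaderAuthenticationFilter (3.0.x): runs only while the context is still empty."""
    if req.auth is not None:
        return
    user = req.headers.get("SM_USER")
    if user is None:
        if exception_if_header_missing:   # the default, and the exception in the question's log
            raise AccessDenied("SM_USER header not found in request")
        return
    req.auth = user

def filter_security_interceptor(req):
    """FilterSecurityInterceptor: an empty context fails before any voter runs (this chain has
    no AnonymousAuthenticationFilter); otherwise the first matching intercept-url decides."""
    if req.auth is None:
        raise AccessDenied("An Authentication object was not found in the SecurityContext")
    for pattern, attr in INTERCEPT_URLS:
        if ant_match(pattern, req.path):
            if attr != "IS_AUTHENTICATED_ANONYMOUSLY" and attr not in USER_ROLES.get(req.auth, ()):
                raise AccessDenied("%s requires %s" % (req.path, attr))
            return

FILTERS = {"securityContextPersistenceFilter": security_context_persistence_filter,
           "siteminderFilter": request_header_authentication_filter,
           "filterSecurityInterceptor": filter_security_interceptor}
# Same chain with exceptionIfHeaderMissing="false" set on the siteminderFilter bean.
LENIENT_FILTERS = dict(FILTERS, siteminderFilter=partial(
    request_header_authentication_filter, exception_if_header_missing=False))
# filter-chain-map as posted: the single /** chain covers the static resources too.
CHAIN_AS_POSTED = [("/**", list(FILTERS))]
# Fix: static resources get their own chain with filters="none", listed before /**.
CHAIN_FIXED = [("/images/**", []), ("/styles/**", [])] + CHAIN_AS_POSTED

def run_chain(req, chain_map, filters=FILTERS):
    """FilterChainProxy: the first matching chain pattern wins. Returns (status, session_id)."""
    resolve_session(req)
    names = next(f for p, f in chain_map if ant_match(p, req.path))
    try:
        for name in names:
            filters[name](req)
    except AccessDenied:
        return 403, None
    if req.auth is not None:                      # HttpSessionSecurityContextRepository
        if req.session is None:                   # with allowSessionCreation=true
            req.session_id = "sess-%d" % (len(SESSIONS) + 1)
            req.session = SESSIONS[req.session_id] = {}
        req.session["SPRING_SECURITY_CONTEXT"] = req.auth
    return 200, req.session_id

def demo():
    """Replay the question's observations; returns {scenario: HTTP status}."""
    SESSIONS.clear()
    out = {}
    # 1. Page request via SiteMinder: the agent injects SM_USER and a session is created.
    out["welcome"], sid = run_chain(request("/welcome/", {"SM_USER": "corey"}), CHAIN_AS_POSTED)
    # 2. Image request carrying neither SM_USER nor a session: 403 from siteminderFilter.
    out["image_no_session"] = run_chain(request("/images/logo.gif"), CHAIN_AS_POSTED)[0]
    # 3. Same URL with the jsessionid pasted in: context restored, siteminderFilter skipped.
    out["image_url_jsessionid"] = run_chain(request("/images/logo.gif;jsessionid=" + sid), CHAIN_AS_POSTED)[0]
    # 4. exceptionIfHeaderMissing=false alone does not help: still no Authentication object.
    out["image_lenient_header"] = run_chain(request("/images/logo.gif"), CHAIN_AS_POSTED, LENIENT_FILTERS)[0]
    # 5. Static resources in a filters="none" chain are served with no session or header.
    out["image_fixed_chain"] = run_chain(request("/images/logo.gif"), CHAIN_FIXED)[0]
    return out
```

Two caveats follow from the model. First, `SM_USER` is an ordinary request header: `run_chain(request("/welcome/", {"SM_USER": "corey"}), CHAIN_AS_POSTED)` returns 200 no matter who set the header, which is why header pre-authentication is only safe when the application server accepts connections exclusively from the SiteMinder web agent or reverse proxy that strips and re-sets that header. Second, the workaround of appending the jsessionid to every href puts the session identifier into Referer headers, proxy and access logs, and browser history; serving static resources from a `filters="none"` chain (or having the agent inject `SM_USER` for them) avoids that exposure.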
