我遇到了Spring Security 3.1.0记住我cookies的问题。我需要尽快找到一个解决方案,我找不到这个问题的原因。Spring Security 3.1.0 - 记住我无法按预期方式工作
这些步骤我下面:
- 转到我的应用程序URL(如http://myapp/app.htm)
- 我重定向到登录页面,所以我登录
- 登录后,关闭浏览器(未注销)
- 打开浏览器,进入我的应用程序URL
在这一点上,我希望进入我的应用程序bypassin g因为记忆我的cookie仍然在我的浏览器中,所以登录表单。尽管如此,登录页面再次出现。
- 转到我的应用程序URL再次
再次尝试,我可以进入我的应用程序通常绕过登录表单。
这很混乱,到目前为止我找不到解释。
我试着调试都尝试,我发现,当Spring Security的RememberMeAuthenticationFilter被解雇了以下内容:
尝试1
请求路径= /app.htm:request.getCookies()不包含我的SPRING_SECURITY_REMEMBER_ME_COOKIE,因此我被重定向到登录页面 请求路径= /security/login.htm:在这一点上request.getCookies()DID有我的SPRING_SECURITY_REMEMBER_ME_COOKIE,它被接受;反正,我已经被重定向到登录页面
尝试2
记住,我的cookie已被接受,所以我可以毫无问题地进入我的应用程序。
下面是Spring Security XML配置和两次尝试的日志。
任何对此的帮助将非常感谢!
春季安全配置(我将省略有关DaoAuthenticationProvider的时候和事件侦听器的所有内容):
<sec:http auto-config="false" use-expressions="true" authentication-manager-ref="authenticationManager">
<sec:custom-filter ref="sessionLocaleResolvingFilter" before="FORM_LOGIN_FILTER"/>
<sec:intercept-url pattern="/security/*.htm" requires-channel="https" />
<sec:intercept-url pattern="/retrieve-password/*.htm" requires-channel="https" />
<sec:intercept-url pattern="/messagebroker/*" access="authenticated" requires-channel="http" />
<sec:intercept-url pattern="/platform/*.htm"
access="hasRole('limited') or (authenticated and !hasRole('role1') and !hasRole('role2'))"
requires-channel="http" />
<sec:intercept-url pattern="/app.htm" access="authenticated" requires-channel="http" />
<sec:intercept-url pattern="/**" requires-channel="http" />
<sec:form-login login-page="/security/login.htm" default-target-url="/app.htm"
login-processing-url="/security/process-login.htm" authentication-failure-url="/security/login.htm?error=true" />
<sec:logout logout-url="/security/logout.htm" delete-cookies="JSESSIONID,SPRING_SECURITY_REMEMBER_ME_COOKIE"
logout-success-url="/security/logout-success.htm" invalidate-session="true"/>
<sec:anonymous/>
<sec:remember-me use-secure-cookie="true" key="myAppServices"
services-ref="ipTokenBasedRememberMeServicesBean" />
<sec:session-management session-fixation-protection="none"/>
<sec:access-denied-handler error-page="/denied-access.htm"/>
</sec:http>
<bean id="sessionLocaleResolvingFilter" class="com.myapp.spring.security.SessionLocaleResolvingFilter" />
<bean class="com.myapp.spring.security.IPTokenBasedRememberMeServices"
id="ipTokenBasedRememberMeServicesBean">
<constructor-arg value="myAppServices"/>
<constructor-arg ref="myAppJdbcDaoImpl"/>
</bean>
<bean id="myAppPasswordEncoder" class="com.myapp.spring.security.MyAppPasswordEncoder" />
<bean id="authenticationManager"
class="o.s.s.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="daoAuthenticationProvider" />
</list>
</property>
</bean>
<!-- Other beans... -->
日志中的第一次尝试(使用操作系统和与OSS org.springframework.security取代org.springframework) :
o.s.s.web.access.channel.ChannelProcessingFilter:134 - Request: FilterInvocation: URL: /app.htm?lang=en; ConfigAttributes: [REQUIRES_INSECURE_CHANNEL]
o.s.s.web.context.HttpSessionSecurityContextRepository:127 - No HttpSession currently exists
o.s.s.web.context.HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: null. A new one will be created.
o.s.s.web.FilterChainProxy:318 - /app.htm?lang=en at position 9 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
o.s.s.web.authentication.AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: '[email protected]: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: ROLE_ANONYMOUS'
o.s.s.web.FilterChainProxy:318 - /app.htm?lang=en at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
o.s.s.web.FilterChainProxy:318 - /app.htm?lang=en at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
o.s.s.web.util.AntPathRequestMatcher:103 - Checking match of request : '/app.htm'; against '/messagebroker/*'
o.s.s.web.util.AntPathRequestMatcher:103 - Checking match of request : '/app.htm'; against '/app.htm'
o.s.s.web.access.intercept.FilterSecurityInterceptor:193 - Secure object: FilterInvocation: URL: /app.htm?lang=en; Attributes: [authenticated]
o.s.s.web.access.intercept.FilterSecurityInterceptor:298 - Previously Authenticated: [email protected]: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: ROLE_ANONYMOUS
o.s.s.access.vote.AffirmativeBased:65 - Voter: [email protected], returned: -1
o.s.s.web.access.ExceptionTranslationFilter:165 - Access is denied (user is anonymous); redirecting to authentication entry point
o.s.s.access.AccessDeniedException: Access is denied
at o.s.s.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
at o.s.s.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:205)
at o.s.s.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:114)
at o.s.s.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at o.s.s.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at o.s.s.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at o.s.s.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
(X more)
o.s.s.web.DefaultRedirectStrategy:36 - Redirecting to 'http://arbad67464/services/security/login.htm'
o.s.s.web.context.HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
o.s.s.web.context.SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
o.s.s.web.access.channel.RetryWithHttpsEntryPoint:55 - Redirecting to: https://arbad67464/services/security/login.htm
o.s.s.web.DefaultRedirectStrategy:36 - Redirecting to 'https://arbad67464/services/security/login.htm'
o.s.s.web.access.channel.ChannelProcessingFilter:134 - Request: FilterInvocation: URL: /security/login.htm; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
o.s.s.web.context.HttpSessionSecurityContextRepository:139 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
o.s.s.web.context.HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: [email protected] A new one will be created.
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 4 of 11 in additional filter chain; firing Filter: 'SessionLocaleResolvingFilter'
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 5 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 8 of 11 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
com.myapp.spring.security.IPTokenBasedRememberMeServices:103 - Remember-me cookie detected
com.myapp.spring.security.IPTokenBasedRememberMeServices:118 - Remember-me cookie accepted
o.s.s.authentication.ProviderManager:152 - Authentication attempt using o.s.s.authentication.RememberMeAuthenticationProvider
登录我的第二次尝试:
o.s.s.web.access.channel.ChannelProcessingFilter:134 - Request: FilterInvocation: URL: /app.htm?lang=en; ConfigAttributes: [REQUIRES_INSECURE_CHANNEL]
o.s.s.web.context.HttpSessionSecurityContextRepository:158 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'o.s.s.core.context.SecurityCon[email protected]: Authentication: [email protected]: Principal: [email protected]: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: limited,premium,special; Credentials: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: limited, premium, special'
o.s.s.web.FilterChainProxy:318 - /app.htm?lang=en at position 8 of 11 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
o.s.s.web.authentication.rememberme.RememberMeAuthenticationFilter:142 - SecurityContextHolder not populated with remember-me token, as it already contained: '[email protected]: Principal: [email protected]: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: limited,premium,special; Credentials: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: limited, premium, special'
o.s.s.web.FilterChainProxy:318 - /app.htm?lang=en at position 9 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
o.s.s.web.authentication.AnonymousAuthenticationFilter:107 - SecurityContextHolder not populated with anonymous token, as it already contained: '[email protected]: Principal: [email protected]: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: limited,premium,special; Credentials: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: limited, premium, special'
o.s.s.web.access.intercept.FilterSecurityInterceptor:193 - Secure object: FilterInvocation: URL: /app.htm?lang=en; Attributes: [authenticated]
o.s.s.web.access.intercept.FilterSecurityInterceptor:298 - Previously Authenticated: [email protected]: Principal: [email protected]: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: limited,premium,special; Credentials: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: limited, premium, special
o.s.s.access.vote.AffirmativeBased:65 - Voter: [email protected], returned: 1
o.s.s.web.access.intercept.FilterSecurityInterceptor:214 - Authorization successful
请修剪下来到的东西更容易消化。现在,这只是一个文本墙/代码,让人们不会花时间去查看它。此外,仅仅倾销所有的代码和日志就是指示您尝试查找* actual *问题所需的最小努力,并要求*在此处提供帮助。 – casperOne 2012-02-15 14:20:41
好吧,我知道这可能有些压倒性的,所以我会尽量减少它。但请理解,当我倾销我的日志时,我只打算提供可能对希望提供帮助的任何人有用的其他信息。它本身并不是最小努力的指标 - 我仔细阅读日志并调试了我的应用程序,并试图在发布之前在几个地方找到解决方案。此外,我没有转储所有我的代码,只有XML。如果我没有,任何人都可能帮忙? 无论如何,感谢您的评论。 – nomusicnolife 2012-02-15 15:22:18