Dojo Uploader with the ajax plugin - Spring Security problem

Posted: 2012-07-25 03:46:54

Tags: spring spring-security dojo

I am using the Dojo Uploader. It works fine with the HTML5 plugin. But if I force the Flash plugin, it fails with the following message:

"The server was unable to respond"

On the server side, Spring Security is throwing this:

    Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
22:33:06,375 DEBUG ty.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:205)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:114)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at com.springsource.insight.collection.tcserver.request.HttpRequestOperationCollectionValve.traceNextValve(HttpRequestOperationCollectionValve.java:116)
    at com.springsource.insight.collection.tcserver.request.HttpRequestOperationCollectionValve.invoke(HttpRequestOperationCollectionValve.java:98)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:662)

Is the Flash plugin missing the session ID?

This is my JS code:

    // Module loading added here; the original snippet omitted it (Dojo 1.7+ AMD loader).
    require(["dijit/form/Form", "dijit/form/Button", "dojox/form/Uploader", "dojo/domReady!"],
    function(Form, Button) {
        forma = new Form({
            method: 'post',
            enctype: 'multipart/form-data',
            'class': 'Uploader',
            action: dojo.config.app.urlBase + 'upload/cargaArchivos'
        }, 'cargaForm');

        btnCargar = new Button({
            type: 'submit',
            label: 'Cargar'
        }, 'submitCarga');

        btnReset = new Button({
            type: 'reset',
            label: 'Limpiar',
            onClick: function(){
                // clear the array of added files
                uploader.reset();
                console.log(uploader.getFileList());
            }
        }, 'resetForm');

        uploader = new dojox.form.Uploader({
            id: 'uploader',
            name: 'uploadedfile',
            showInput: 'before',
            isDebug: true,
            url: dojo.config.app.urlBase + 'upload/cargaArchivos',
            multiple: true,
            force: 'flash',
            onComplete: function(respuesta){
                // Here something can be done with the response object that is returned.
                console.log(respuesta);
            },
            onChange: function(archivos){
                // Here the files could be listed in some table.
                console.log(archivos);
            }
        }, 'uploader');
        uploader.startup();
    });

Note: I am creating the Uploader as 'new dojox.form.Uploader' because I am working around a known bug, see: Programmatic Dojox Uploader - ajax upload not working

Update: I am not using FileUploader because it is deprecated, but the Uploader.upload() method also receives a formData object.

The first thing I will try is reading the cookie. Checking the headers of other requests:

    Accept  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding gzip, deflate
    Accept-Language es-mx,en-us;q=0.7,en;q=0.3
    Connection  keep-alive
    Content-Type    application/x-www-form-urlencoded
    Cookie    undefined=root; undefined=6%2C6%2F4; JSESSIONID=9F0E7745730639A3D0989C5D379A74FB
    Host    localhost:8080
    Referer http://localhost:8080/sep-sajja-web/
    User-Agent  Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1
    X-Requested-With    XMLHttpRequest

So the cookie name is JSESSIONID. But when I try

    dojo.cookie('JSESSIONID');

it returns undefined... I'll keep trying.

Plain javascript:

    document.cookie.split(";")

only gives me one cookie: ["undefined=6%2C6%2F4"]

Maybe permissions matter?

...Update: yes, it looks like it -> how can i read JSESSIONID with javascript?

1 Answer:

Answer 0 (score: 2)

Here is an example of how data is sent to the server through the Flash plugin:

http://livedocs.dojotoolkit.org/dojox/form/FileUploader#server-side

I could not find information on whether cookies (inherited from the calling window) are sent with the post - but there should be a possible solution via a GET query parameter or custom POST data.

    new dojox.form.Uploader({
        // ... your configurations
        postData: {
            sessionid: dojo.cookie('JSPCOOKIENAME_UNKNOWN_TO_ME')
        }
    });

As you may have noticed, springframework is not familiar to me, but from a quick search on how to create an authentication based on a token, I think you are looking for something along the lines of the following. At least it gives you some class buzzwords to search for:

    Authentication authentication = this.authenticationProvider.authenticate(token);
    SecurityContextHolder.getContext().setAuthentication(authentication);

If you have login enabled, I believe the token can be checked via

    UsernamePasswordAuthenticationToken token =
      new UsernamePasswordAuthenticationToken(username, password);
    User details = new User(username);
    token.setDetails(details);

You need to know which authenticationprovider the servlet uses; the relevant information is found in the webapp's web.xml under <filters>.
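The question's two cookie observations (the request header carries JSESSIONID, document.cookie does not) and the answer's postData suggestion, as an added example that is not part of the question or the answer. The cookie strings are constructed from the headers quoted above; `serverProvidedId` is an assumed value the page template would have to inject server-side, since an HttpOnly cookie is never readable from script.

```javascript
// Constructed from the request headers quoted in the question.
const REQUEST_COOKIE_HEADER =
  'undefined=root; undefined=6%2C6%2F4; JSESSIONID=9F0E7745730639A3D0989C5D379A74FB';
// What document.cookie returned in the question: JSESSIONID is missing because the
// servlet container sets it HttpOnly, so script cannot see it.
const DOCUMENT_COOKIE = 'undefined=6%2C6%2F4';

// Parse "k=v; k2=v2" into a map of name -> array of decoded values.
// Duplicate names (the two "undefined" entries above) are kept, not overwritten,
// so nothing that was actually sent is hidden from the reader.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const raw = eq === -1 ? '' : trimmed.slice(eq + 1);
    let value;
    try { value = decodeURIComponent(raw); } catch (e) { value = raw; }
    (jar[name] = jar[name] || []).push(value);
  }
  return jar;
}

// Session id visible to script, or null when the cookie is HttpOnly (the question's case).
function visibleSessionId(cookieString) {
  const jar = parseCookies(cookieString);
  return jar.JSESSIONID ? jar.JSESSIONID[0] : null;
}

// Build the postData object the answer proposes. The Flash plugin does not forward the
// browser's cookie jar, so the id must travel explicitly. serverProvidedId is an assumed
// value rendered into the page by the server (hypothetical, not from the post).
function uploaderPostData(cookieString, serverProvidedId) {
  const id = visibleSessionId(cookieString) || serverProvidedId || null;
  if (!id) {
    throw new Error('no session id available: cookie is HttpOnly and no server value given');
  }
  return { sessionid: id };
}
```

Whatever endpoint accepts `sessionid` must treat it exactly like the cookie it replaces: look up the existing session and reject unknown ids, never create or rename a session from the posted value.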