我正在使用spring mvc和spring security(3.1版)。 Web应用程序为用户提供了使用google / gmail帐户进行注册登录的选项。这在我的开发环境中工作正常,但是当部署到生产服务器时,注册过程失败,因为在提供正确的Google凭据时会显示错误凭据异常。这是我的spring-security.xml配置中的openid配置:
<openid-login
login-processing-url="/j_spring_openid_security_check"
default-target-url="/home"
user-service-ref="userOpenIdDetailsService"
authentication-failure-handler-ref="openIdAuthFailureHandler"/>
<logout logout-success-url="/login?rc=2" />
<beans:bean id="userOpenIdDetailsService" class="com.xxx.service.OpenIdUserDetailsServiceImpl"/>
<beans:bean id="openIdAuthFailureHandler" class="com.xxx.controllers.OpenIDAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login?rc=6"/>
</beans:bean>
我已经实现了一个身份验证失败处理程序来处理注册过程,当一个openid身份被返回但没有在我的数据库中注册时:
public class OpenIDAuthenticationFailureHandler extends
SimpleUrlAuthenticationFailureHandler {
private static Logger logger = Logger.getLogger(OpenIDAuthenticationFailureHandler.class);
@Override
public void onAuthenticationFailure(HttpServletRequest request,
HttpServletResponse response, org.springframework.security.core.AuthenticationException exception)
throws IOException, ServletException {
if(exception instanceof UsernameNotFoundException
&& exception.getAuthentication() instanceof OpenIDAuthenticationToken
&& ((OpenIDAuthenticationToken)exception.getAuthentication()).
getStatus().equals(OpenIDAuthenticationStatus.SUCCESS)) {
DefaultRedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
OpenIDAuthenticationToken token = (OpenIDAuthenticationToken)exception.getAuthentication();
String url = token.getIdentityUrl();
request.getSession(true).setAttribute("USER_OPENID_CREDENTIAL", url);
String inviteId = (String)request.getSession().getAttribute("INVITE_ID");
if (inviteId != null) {
redirectStrategy.sendRedirect(request, response, "/setup/invite/" + inviteId + "/complete");
} else {
//redirect to create account page
redirectStrategy.sendRedirect(request, response, "/setup/openid/complete");
}
} else {
OpenIDAuthenticationToken token = (OpenIDAuthenticationToken)exception.getAuthentication();
logger.debug("Token Identity: " + token.getIdentityUrl());
logger.debug("Open ID authentication failure: " + exception.getMessage());
logger.debug("Auth Exception: " + exception.toString());
super.onAuthenticationFailure(request, response, exception);
}
}
}
所以我期待一个UsernameNotFoundException,它在上面的处理程序中处理,但是我得到了一个org.springframework.security.authentication.BadCredentialsException。从日志中:
Log --> 10:19:17 DEBUG org.springframework.security.openid.OpenIDAuthenticationFilter - Supplied OpenID identity is https://www.google.com/accounts/o8/id?id=open-id-token-here
Log --> 10:19:17 DEBUG org.springframework.security.openid.OpenIDAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Log in failed - identity could not be verified
Log --> 10:19:17 DEBUG org.springframework.security.openid.OpenIDAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
Log --> 10:19:17 DEBUG org.springframework.security.openid.OpenIDAuthenticationFilter - Delegating to authentication failure handlercom.xxx.controllers.OpenIDAuthenticationFailureHandler@435fef7d
Log --> 10:19:17 DEBUG com.xxx.controllers.OpenIDAuthenticationFailureHandler - Token Identity: Unknown
Log --> 10:19:17 DEBUG com.xxx.controllers.OpenIDAuthenticationFailureHandler - Open ID authentication failure: Log in failed - identity could not be verified
Log --> 10:19:17 DEBUG com.xxx.controllers.OpenIDAuthenticationFailureHandler - Auth Exception: org.springframework.security.authentication.BadCredentialsException: Log in failed - identity could not be verified
答案 0 :(得分:1)
事实证明,生产服务器上的时钟可能与用于验证OpenId请求的互联网时间不一致。就我而言,我的服务器已经运行了177天而没有重启。服务器时钟关闭了一分钟。重启解决了这个问题。否则,将服务器时钟与Internet时间服务器同步也可以解决问题。