我正在更新旧程序以使用Spring Security。以前,它使用Acegi安全性,并在初始检查SSO标头到会话cookie后缓存凭据;使用Spring Security 3.1.4,我能够检查SSO用户名头的程序(SM_USER - 不,我们不再使用Siteminder了,但为了避免在切换到OAM时出现痛苦的软件更新,我们将OAM配置为将SM_USER标头插入请求中),并在tomcat(6.0)中使用阀门设置进行本地工作;但是,当使用实时SSO部署到开发环境时,它仅在POSTS上失败,然后仅在使用相同URL但不同HTTP RequestMethod的页面上失败。查看网络流量,旧代码和新代码之间的区别似乎是新代码正在进行OAM SSO身份验证请求,然后后验证重定向会丢弃POST数据并将RequestMethod更改为GET;所以我想也许将凭证缓存添加到应用程序中可以解决问题;但是我很难找到一个可以添加的配置来启用缓存,这就是我转向你的地方。
这是针对每个请求进行身份验证的安全配置,并且可以在本地运行:
<security:http use-expressions="true" auto-config="true" entry-point-ref="http403EntryPoint">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:intercept-url pattern="/fastjump/auth/admin/*" access="hasRole('ROLE_ADMINISTRATOR')" />
<security:intercept-url pattern="/fastjump/auth/*" access="permitAll" />
<security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
</security:http>
<bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="SM_USER"/>
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="userDetailsService"/>
</bean>
</property>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>
<!-- This is the class that handles actually looking up the user from the persistent store and associating their
GrantedAuthority objects. This custom implementation uses a PersonService object to do the lookup. -->
<bean id="userDetailsService" class="corporate.fastjump.security.DefaultUserDetailsService">
<property name="personService" ref="personService"/>
<property name="fastJumpService" ref="fastJumpService"/>
</bean>
<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
我尝试将以下内容添加到安全配置中:
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map>
<security:filter-chain filters="httpSessionContextIntegrationFilter, securityContextHolderAwareRequest, siteminderFilter" pattern="/fastjump/auth/**"/>
</security:filter-chain-map>
</bean>
<bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<property name="securityContextRepository">
<bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
<property name="allowSessionCreation" value="false"/>
</bean>
</property>
</bean>
<bean id="securityContextHolderAwareRequest" class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">
</bean>
这是web.xml:
<!-- This filter is used to implement request level authorization. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- Note that we only send requests which require authentication and authorization services through the
Spring Security filters -->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/auth/*</url-pattern>
</filter-mapping>
但是现在为/ auth上下文请求添加了一个基本的auth挑战。我错过了将缓存与pre auth联系在一起的部分。有没有人有任何建议?
答案 0 :(得分:0)
事实证明,SSO是问题,但不是我们最初的想法。我们有多个不同的SSO域(DEV,INT,PROD),我们在有问题的页面上有一个自动完成器,它被硬编码到Prod域中的Web服务,而Web Service API被明确排除在来自SSO保护的生产域(它对所有用户开放),查询生产服务器的行为导致查询生产SSO域,并用生产凭证覆盖会话。回到Dev服务器并尝试使用Prod creds执行POST失败,并且在查询Dev SSO以获取正确凭据的过程中,它删除了POST数据,并将html请求类型更改为GET。我们的解决方案是更新自动完成器以获得逻辑以确定它正在运行的服务器(通过JavaScript,查看主机),然后根据我们所处的环境构建自动完成后端的URL。