Spring Security Tomcat 6.x vs Tomcat 7.x访问此资源需要完全身份验证

时间:2015-07-04 21:18:41

标签: tomcat spring-security

目前我正在使用Spring安全性登录的应用程序。

Spring Security 3.2.7.RELEASE with Tomcat 6.0.43

我尝试将应用程序升级到Tomcat 7.0.62。

以下是我配置的一部分。我注意到在Tomcat 6.0.43中SecurityContextHolderAwareRequestFilter包含了身份验证:SecurityContextHolder.getContext()。getAuthentication()。但是当在Tomcat 7.0.62中运行时却没有。

我无法弄清楚为什么会发生这种情况,因此,在exceptionTranslationFilter中访问此资源需要进行完全身份验证时缺少的身份验证。

也许某人有一个小费或方向可以调查? 

<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map path-type="ant">
        <security:filter-chain pattern="/error/*"
            filters="none" />
        <security:filter-chain pattern="/back*"
            filters="none" />
        <security:filter-chain pattern="/j_spring_security_check*"
            filters="httpSessionContextIntegrationFilter,authenticationProcessingFilter" />
        <security:filter-chain pattern="/**"
            filters="logoutFilter, httpSessionContextIntegrationFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor" />
    </security:filter-chain-map>
</bean>

<bean id="httpSessionContextIntegrationFilter"
    class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />

<bean id="securityContextHolderAwareRequestFilter"
    class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter" />

<bean id="anonymousProcessingFilter"
    class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
    <property name="key" value="changeThis" />
    <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" />
</bean>

<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint">
        <bean
            class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
            <property name="loginFormUrl" value="/login.jsp" />
            <property name="forceHttps" value="false" />
        </bean>
    </property>
    <property name="accessDeniedHandler">
        <bean
            class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
            <property name="errorPage" value="/accessDenied.jsp" />
        </bean>
    </property>
</bean>

1 个答案:

答案 0 :(得分:2)

在剥离我的应用程序后,我发现web.xml中的cookie-config是它无效的原因:

   <session-config>
        <session-timeout>600</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>

删除cookie-config解决了我的问题,因为显然你可以在tomcat的server.xml / context.xml中安排它。

相关问题
最新问题