IBM WebSphere 8.5.5.8 (Liberty) + Spring Security 3.1.3.RELEASE

Time: 2016-03-08 13:23:47

Tags: java spring-security websphere appfuse

We have a sample web application based on the AppFuse starter kit version 2.2.1, which uses Spring Security 3.1.3.RELEASE. We are going to deploy it on WAS 7, and we are testing it on IBM WebSphere 8.5.5.8 (Liberty). Our problem is that after a successful/failed login request, something corrupts the request's servletPath value and sets it to null.

((HttpServletRequest) request).getServletPath()

This happens when LocaleFilter tries to execute chain.doFilter with the /j_security_check value for getServletPath(), and we encounter:

Exception thrown by application class 'org.springframework.security.web.util.AntPathRequestMatcher.getRequestPath:116'
java.lang.NullPointerException:
    at org.springframework.security.web.util.AntPathRequestMatcher.getRequestPath(AntPathRequestMatcher.java:116)
    at org.springframework.security.web.util.AntPathRequestMatcher.matches(AntPathRequestMatcher.java:100)
    at org.springframework.security.web.DefaultSecurityFilterChain.matches(DefaultSecurityFilterChain.java:42)
    at org.springframework.security.web.FilterChainProxy.getFilters(FilterChainProxy.java:203)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:176)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
    at [internal classes]
    at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:59)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
    at [internal classes]
    at org.tuckey.web.filters.urlrewrite.NormalRewrittenUrl.doRewrite(NormalRewrittenUrl.java:213)
    at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:171)
    at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
    at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
    at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:394)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
    at [internal classes]
    at ir.dpi.webapp.filter.LocaleFilter.doFilterInternal(LocaleFilter.java:67)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
    at [internal classes]
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
    at [internal classes]
    at com.opensymphony.sitemesh.webapp.SiteMeshFilter.obtainContent(SiteMeshFilter.java:129)
    at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:77)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
    at [internal classes]

Here is our security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:beans="http://www.springframework.org/schema/beans" xmlns:p="http://www.springframework.org/schema/p"
         xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
          http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<http pattern="/images/**" security="none"/>
<http pattern="/styles/**" security="none"/>
<http pattern="/scripts/**" security="none"/>

<http auto-config="false" create-session="always">
    <intercept-url pattern="/app/admin/**" access="ROLE_ADMIN"/>
    <intercept-url pattern="/app/passwordHint*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
    <intercept-url pattern="/app/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
    <intercept-url pattern="/app/**" access="ROLE_ADMIN,ROLE_USER"/>
    <form-login login-page="/login" authentication-failure-url="/login?error=true" login-processing-url="/j_security_check"/>
    <remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/>
</http>

<authentication-manager >
    <authentication-provider user-service-ref="userDao" >
        <password-encoder ref="passwordEncoder" >
            <salt-source ref="saltSource" />
        </password-encoder>
    </authentication-provider>
</authentication-manager>

<beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource"
    p:userPropertyToUse="username"/>


<global-method-security>
    <protect-pointcut expression="execution(* *..service.UserManager.getUsers(..))" access="ROLE_ADMIN"/>
    <protect-pointcut expression="execution(* *..service.UserManager.removeUser(..))" access="ROLE_ADMIN"/>
</global-method-security>
</beans:beans>

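Any help would be appreciated.

1 answer:

Answer 0: (score: 0)

I found the solution using this code ranch topic. AppFuse uses different Filters (javax.servlet), and IBM WebSphere's wrapping mechanism is sensitive to session-creation priority. So I moved the Spring securityFilter mapping up in the web.xml file.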

     <filter-mapping>
        <filter-name>securityFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
     </filter-mapping>

     <filter-mapping>
        <filter-name>sitemesh</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
     </filter-mapping>

     <filter-mapping>
        <filter-name>encodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
     </filter-mapping>
     ...

Now the login process completes fully.

Note that it is essential to set these settings in the Liberty server.xml:

<httpSession cookieName="MY_LIBERTY_COOKIE" />
<basicRegistry />

The equivalent setting in IBM WebSphere Application Server (WAS Full) is:

Session management -> General properties -> Enable cookies

Also, in WAS version 7 (and possibly other versions), you need to use:

<http auto-config="false" disable-url-rewriting="true" create-session="always">

in the Spring security.xml file.
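The answer's fix depends on where the securityFilter mapping sits in web.xml and which dispatchers it covers. The following is an added example, not code from the original post or from AppFuse: a build-time check for both properties. The sample documents are constructed, and the "security filter is mapped first" policy and the BEFORE ordering are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples. AFTER mirrors the mapping order in the answer's excerpt;
# BEFORE is an assumed earlier ordering (the page does not show the original file).
AFTER = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
 <filter-mapping><filter-name>securityFilter</filter-name><url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher><dispatcher>FORWARD</dispatcher><dispatcher>INCLUDE</dispatcher></filter-mapping>
 <filter-mapping><filter-name>sitemesh</filter-name><url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher><dispatcher>FORWARD</dispatcher></filter-mapping>
 <filter-mapping><filter-name>encodingFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""
BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
 <filter-mapping><filter-name>encodingFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
 <filter-mapping><filter-name>sitemesh</filter-name><url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher><dispatcher>FORWARD</dispatcher></filter-mapping>
 <filter-mapping><filter-name>securityFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace prefix, e.g. {http://...}web-app

def filter_mappings(web_xml):
    """Return [(filter-name, [dispatchers])] in declaration order."""
    result = []
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) != "filter-mapping":
            continue
        name = next(((c.text or "").strip() for c in el if _local(c.tag) == "filter-name"), None)
        disp = [(c.text or "").strip() for c in el if _local(c.tag) == "dispatcher"]
        result.append((name, disp or ["REQUEST"]))  # no <dispatcher> means REQUEST only
    return result

def check_security_mapping(web_xml, name="securityFilter", required=("REQUEST", "FORWARD", "INCLUDE")):
    """List problems with the security filter's position and dispatcher coverage."""
    mappings = filter_mappings(web_xml)
    names = [n for n, _ in mappings]
    if name not in names:
        return [f"no filter-mapping for {name}"]
    idx = names.index(name)
    problems = []
    if idx > 0:
        problems.append(f"{name} is mapped after: {', '.join(names[:idx])}")
    missing = [d for d in required if d not in mappings[idx][1]]
    if missing:
        problems.append(f"{name} does not cover dispatchers: {', '.join(missing)}")
    return problems

if __name__ == "__main__":
    print(check_security_mapping(BEFORE), check_security_mapping(AFTER))
```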