Session ID keeps changing on every request in IE when using HTTPS and Spring Security

Time: 2016-10-14 22:09:34

Tags: java spring-mvc internet-explorer spring-security jsessionid

I have a Spring MVC 4 application with Spring Security, deployed on a WebSphere 8.5 shared server, e.g. server123. I access the application as an HTTPS app on the company F5 domain name.

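I am running into this strange issue where the session ID keeps changing on every servlet request. This causes an infinite redirect loop in IE. But it works in Chrome and Firefox.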

I call my application as below, where apps/MyApp/ is the context root and MainPage is the controller request mapping URL: https://example.server.com/apps/MyApp/MainPage

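I have also configured SSO authentication using UsernamePasswordAuthenticationFilter, which intercepts the Spring redirect auth URL /loginSSO. After successful authentication, the forward path /MainPage is lost in IE and it repeatedly redirects to https://example.server.com/apps/MyApp/https://example.server.com/apps/MyApp/loginSSO. Here are my security configuration details.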

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().antMatchers("/loginSSO").permitAll();
    http.authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
            .formLogin()
            .loginPage("/loginSSO")
            .successHandler(successHandler())
            .and()
            .csrf()
            .csrfTokenRepository(csrfTokenRepository())
            .and()
            .addFilterBefore(new CookieFilter(),
                    ChannelProcessingFilter.class)
            .addFilterAfter(new CSRFFilter(), CsrfFilter.class)
            .addFilterBefore(authFilter(),
                    UsernamePasswordAuthenticationFilter.class)
            .requiresChannel()
            .channelProcessors(
                    Arrays.<ChannelProcessor> asList(
                            new InsecureChannelProcessor(),
                            new SecureChannelProcessor()));

    http.portMapper().http(8080).mapsTo(8443).http(80).mapsTo(44)
            .http(9080).mapsTo(9443).http(7777).mapsTo(7443);
}

/**
 * Auth filter.
 * 
 * @return the auth filter
 */
@Bean
public AuthFilter authFilter() {
    AuthFilter authFilter = new AuthFilter();
    try {

        authFilter
                .setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher(
                        "/loginSSO"));
        authFilter.setAuthenticationManager(authenticationManager());

    } catch (Exception e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    return authFilter;
}

@Autowired
@Qualifier("customUserDetailsService")
UserDetailsService userDetailsService;

@Bean
public SavedRequestAwareAuthenticationSuccessHandler successHandler() {
    SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
    successHandler.setTargetUrlParameter("targetUrl");
    return successHandler;
}

@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService);
}

/**
 * Csrf token repository.
 * 
 * @return the csrf token repository
 */
private CsrfTokenRepository csrfTokenRepository() {
    HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
    repository.setSessionAttributeName("_csrf");
    repository.setHeaderName("X-XSRF-TOKEN");
    return repository;
}

}

1 Answer:

Answer 0: (score: -2)

This issue has been resolved. It turned out to be a problem with the application context root configuration in the WebSphere application.xml file.