pac4j的SSO身份验证令牌撤销问题（多个提供商）

Question

在使用pac4j依赖项实现SSO支持的webapp中，我遇到了一个问题。

上下文：

• Java EE / JRE 1.7.0.79，Tomcat 7.0.70，org.springframework：spring：3.2.16.RELEASE，org.springframework.security：spring-security-core：3.2.9.RELEASE，org.pac4j： spring-security-pac4j：1.4.1，org.pac4j：pac4j-oauth：1.8.3，org.pac4j：pac4j-saml：1.8.3
• 在webapp配置中启用了多个第三方身份验证提供程序（例如Google OAuth和任何SAML），并在登录页面上以2个按钮转发到用户界面：＆＃34;使用Google登录＆＃34;，＆＃34;使用my_SAML_provider_label＆＃34;
登录

要求：

• 升级Java或/和Tomcat是一种选择。升级spring和pac4j不是
• 不要随时使用Spring注释注入

发出enduser-sequence：

• 1 /点击＆＃34;使用Google登录＆＃34; （useragent被重定向到Google的身份验证页面）
• 2 /在Google页面上正确验证，外部用户在回拨时将与您的本地应用用户匹配或不匹配
• 3 /返回本地webapp登录页面
• 4 /点击＆＃34;使用my_SAML_provider_label登录＆＃34; now（useragent被重定向到提供者身份验证页面）
• 5 /在第三方网页上正确验证，外部用户在回拨时将与您的本地应用用户匹配或不匹配
• 6 /在日志中断言以下异常：org.pac4j.oauth.profile.google2.Google2Profile无法强制转换为org.pac4j.s​​aml.profile.SAML2Profile

发出stacktrace：

java.lang.ClassCastException: org.pac4j.oauth.profile.google2.Google2Profile cannot be cast to org.pac4j.saml.profile.SAML2Profile
at com.company.module.sso.SAMLAuthenticationService.retrieveAuthenticatedUser(SAMLAuthenticationService.java:59)
..
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.company.module.filters.ApplicationAvailabilityFilter.doFilter(ApplicationAvailabilityFilter.java:59)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.company.module.filters.LogFilter.doFilter(LogFilter.java:57)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.company.module.filters.ChronoFilter.doFilter(ChronoFilter.java:78)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.company.module.filters.HibernateFilter.doFilter(HibernateFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1082)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)

相关源代码：

的applicationContext-security.xml文件：

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
    xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd">
    ..
    <beans:bean id="clientFilter" class="org.pac4j.springframework.security.web.ClientAuthenticationFilter">
        <beans:constructor-arg value="/outer-authentication"/>
        <beans:property name="clients" ref="clients" />
        <beans:property name="sessionAuthenticationStrategy" ref="sas" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>
    ..
    <beans:bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />
</beans:beans>

SAMLAuthenticationService.java：

..
ClientAuthenticationToken token = null;
try {
    token = (ClientAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
    final SAML2Profile samlProfile = (SAML2Profile) token.getUserProfile(); // L59
    ..
} finally {
    token.eraseCredentials(); // troubleshooting: not clearing credentials made no difference
}
..

观察：

• 首先尝试通过SAML提供商登录，然后通过Google登录提供同样的问题：用户序列顺序似乎无关紧要
• 解决方法是停止Tomcat，清理其工作目录，然后重新启动它
• 无论哪种方式都是等待初始身份验证令牌（回调/从提供者1获得）到期（通过pac4j配置I / O将到期延迟设置为1h）
• 一旦最终用户再次执行错误序列，问题将再次发生冲击

猜测：

• 在尝试读取当前身份验证过程的身份验证令牌（回调/从提供者2获取）之前，与先前SSO身份验证的身份验证令牌（从提供者1回调/获取）的不正确撤销相关
• 间接地，由于org.springframework.security.web.authentication.session.SessionAuthenticationStrategy的不当使用（我在Spring Security XML配置中的实现似乎是标准/默认）

由于

Answer 1

似乎解决了：在任何可能发生从一个提供者跳转到另一个提供者的情况之前，必须调用Spring安全性SecurityContextHolder.clearContext();。

这种情况可能是：

• 远程用户已由SSO提供商成功进行身份验证，但未与本地用户匹配
• 本地用户已通过SSO提供商在本地应用上签名，但浏览或重定向到本地应用主页，然后可以通过其他SSO提供商尝试进行SSO身份验证
• 本地用户询问或被重定向到注销URL：在销毁网络会话时，这也应该清除Spring安全性的上下文

我还没有测试并发场景（1个本地用户通过不同的浏览器通过不同的SSO提供商，多个用户进行身份验证），所以即使我可以断言初始问题已经解决，这可能仍会产生副作用（丢弃预期用户上下文（所需），但也包括其他用户上下文（不需要的））。

用户身份验证存在于1个会话中，而安全上下文存在于1个线程中。所以我有点迷失，以便抓住它。