个人中心
gpt4 book ai didi

java - Spring 安全 : saved SecurityContext got a Null authentication

转载 作者:行者123 更新时间:2023-12-03 18:30:12 34 4
gpt4 key购买 nike

我正在使用 Spring Security Oauth1.0a 对请求进行身份验证。预计一旦用户通过身份验证,他/她将获得在网站中浏览的权限。经过身份验证的用户的第一个登录页面包括一些 js 和 img。奇怪的是,在加载这些小片段的过程中,一些文件通过正确的身份验证成功加载。但是几毫秒后,其他小块将由于空身份验证而无法加载。请注意,我打开了我的 servlet 上下文/ session /属性监听器。未检测到任何变化。

10/24'16 13:44:23> DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@3f8eaa51: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@3f8eaa51: Principal: com.my.connected.spring.User@148c0257; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: TEACHER' stored to HttpSession: 'org.apache.catalina.session.StandardSessionFacade@f3abb79 (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-11) [1256269]

到目前为止,安全上下文已按预期填充在 session 中。我自定义的上下文/ session /属性级别监听器此后没有检测到任何变化。所有调试级别的日志都打印在下面。 
10/24'16 13:44:23> DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] Chain processed normally (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-11) [1256269]
10/24'16 13:44:23> DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-11) [1256269]
10/24'16 13:44:23> DEBUG [org.springframework.security.web.FilterChainProxy] /home.png at position 1 of 15 in additional filter chain; firing Filter: 'MetadataGeneratorFilter' (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-4) [1256274]
10/24'16 13:44:23> DEBUG [org.springframework.security.web.FilterChainProxy] /home.png at position 2 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-4) [1256274]
10/24'16 13:44:23> DEBUG [org.springframework.security.web.FilterChainProxy] /home.png at position 3 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-4) [1256274]
10/24'16 13:46:37> DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@ffffffff: Null authentication' (CLIENT_IP=|USER_ID=|INV_ID=) (http-nio-443-exec-4) [1391041]

但是,调试和日志都显示 session 属性 SPRING_SECURITY_CONTEXT 的新空身份验证。上下文本身不为空。

更多编码细节: 
//the controller method
@RequestMapping(value = {"/ssoep.lti.do"}, method = {RequestMethod.GET, RequestMethod.POST})
public void ltiEndpoint(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, SSOValidationException{
    request.getRequestDispatcher("/").forward(request, response);
}

//the configuration class
@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

protected void configureOAuth(HttpSecurity http) throws Exception {
    http
            .csrf()
            .disable();
    http
            .addFilterAfter(oauthFilter(), BasicAuthenticationFilter.class)
            .authorizeRequests()
            .antMatchers("/ssoep.lti.do*").authenticated();
}

@Bean
public ProtectedResourceProcessingFilter oauthFilter() {
    ProtectedResourceProcessingFilter result = new MheOauthProcessingFilter();
    result.setAuthHandler(mheUserOauthAuthenticationHandler);
    result.setConsumerDetailsService(mheOauthConsumerDetailsService);
    return result;
}
}

我正在使用以下 pom 版本。 
<spring.version>4.3.2.RELEASE</spring.version>
<spring.boot.version>1.4.0.RELEASE</spring.boot.version>
<spring.security.version>4.1.1.RELEASE</spring.security.version>
<spring.security.oauth.version>2.0.11.RELEASE</spring.security.oauth.version>
<spring.security.saml2>1.0.2.RELEASE</spring.security.saml2>

最佳答案

可能是你可能没有添加 spring 安全过滤器链来拦截所有请求

import org.springframework.security.web.context.*;

public class SecurityWebApplicationInitializer
    extends AbstractSecurityWebApplicationInitializer {

    public SecurityWebApplicationInitializer() {
        super(SecurityConfig.class);
    }
}

http://docs.spring.io/spring-security/site/docs/current/reference/html/jc.html#abstractsecuritywebapplicationinitializer-without-existing-spring

关于java - Spring 安全 : saved SecurityContext got a Null authentication,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/40249306/

34 4 0
文章推荐: SQLite 函数的工作原理与 Oracle 的 "Translate"函数类似吗?
文章推荐: WPF FrameworkPropertyMetaData Journal——这有什么意义?
文章推荐: .net - PresentationCore.dll 中发生“System.StackOverflowException”
文章推荐: sql - SQL查询以获取所有具有(全部或部分)搜索名称的名称
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com