使用 BrowserLauncher 2 打开 URl 时,Acegi 抛出 AuthenticationCredentialsNotFoundException
我们有一个使用 Acegi 安全性的 JSF Web 应用程序。我们还有一个独立的 Java Swing 应用程序。 Swing 应用程序的一项功能是在浏览器窗口中加载用户的主页。
为此,我们当前使用 Commons HttpClient 通过 Web 应用程序对用户进行身份验证:
String url = "http://someUrl/j_acegi_security_check";
HttpClient client = new HttpClient();
System.setProperty(trustStoreType, "Windows-ROOT");
PostMethod method = new PostMethod(url);
method.addParameter("j_username", "USERNAME");
method.addParameter("j_password", "PASSWORD");
int statusCode = client.executeMethod(method);
if (statusCode == HttpStatus.SC_MOVED_TEMPORARILY ) {
Header locationHeader= method.getResponseHeader("Location");
String redirectUrl = locationHeader.getValue();
BrowserLauncher launcher = new BrowserLauncher();
launcher.openURLinBrowser(redirectUrl);
}
这会返回 HTTP 302 重定向响应,我们从中获取重定向 url 并使用 BrowserLauncher 2 打开它。该 url 包含新的会话 ID 等例如:
http://someUrl/HomePage.jsf;jsessionid=C4FB2F643CE48AC2DE4A8A4C354033D4
我们看到的问题是 Acegi 处理重定向但抛出 AuthenticationCredentialsNotFoundException。似乎由于某种原因,在安全上下文中找不到经过身份验证的凭据。
有谁知道为什么会发生这种情况?如果有人需要更多信息,我将很乐意提供。
非常感谢,
理查德
We have a JSF web application that uses Acegi security. We also have a standalone Java Swing application. One function of the Swing app is to load the user's home page in a browser window.
To do this we're currently using Commons HttpClient to authenticate the user with the web app:
String url = "http://someUrl/j_acegi_security_check";
HttpClient client = new HttpClient();
System.setProperty(trustStoreType, "Windows-ROOT");
PostMethod method = new PostMethod(url);
method.addParameter("j_username", "USERNAME");
method.addParameter("j_password", "PASSWORD");
int statusCode = client.executeMethod(method);
if (statusCode == HttpStatus.SC_MOVED_TEMPORARILY ) {
Header locationHeader= method.getResponseHeader("Location");
String redirectUrl = locationHeader.getValue();
BrowserLauncher launcher = new BrowserLauncher();
launcher.openURLinBrowser(redirectUrl);
}
This returns a HTTP 302 redirect response, from which we take the redirect url and open it using BrowserLauncher 2. The url contains the new session ID, something like:
http://someUrl/HomePage.jsf;jsessionid=C4FB2F643CE48AC2DE4A8A4C354033D4
The problem we're seeing is that Acegi processes the redirect but throws an AuthenticationCredentialsNotFoundException. It seems that for some reason the authenticated credentials cannot be found in the security context.
Does anyone have an idea as to why this is happening? If anyone needs more info then I'll be happy to oblige.
Many thanks,
Richard
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我从来没有做过Acegi/SpringSecurity,但是症状很明显:请求中缺少一些重要信息。如果没有新的内容需要在后续请求的标头中传回,您至少需要调查所有响应标头。也许是另一个代表 Acegi 凭证的 cookie 条目。
但另一个需要注意的是,您实际上无法在本地浏览器实例中仅打开 URL,因为无法沿其传递必要的请求标头。您需要让 Swing 应用程序充当内置 Web 浏览器。例如,在
InputStream中获取 HTML 响应,并以某种方式在 Swing 框架中渲染/显示它。我会检查是否还没有现有的 API,因为它会涉及比您最初想象的更多的工作..(轻描淡写)。I have never done Acegi/SpringSecurity, but the symptoms are clear enough: some important information is missing in the request. You at least need to investigate all the response headers if there isn't something new which needs to be passed back in the header of the subsequent request. Maybe another cookie entry which represents the Acegi credentials.
But another caveat is that you in fact cannot open just the URL in a local browser instance, because there's no way to pass the necessary request headers along it. You'll need to have your Swing application act as a builtin webbrowser. E.g. get HTML response in an
InputStreamand render/display it somehow in a Swing frame. I would check if there isn't already an existing API for that, because it would involve much more work than you'd initially think .. (understatement).在这种情况下,您可以执行基本身份验证并在每个请求中设置此标头,而不是发送 jsessionid:
令牌 VVNFUk5BTUU6UEFTU1dPUkQ= 是经过 base64 编码的用户名和密码。
示例:
是:
还有一件事:使用 SSL。
In this case you can do Basic Authentication and set this header in every request instead of sending the jsessionid:
The token VVNFUk5BTUU6UEFTU1dPUkQ= is the username and the password encoded base64.
Example:
is:
One more thing: use SSL.