Internet Explorer error when accessing a custom WebLogic provider

Posted on 2024-09-05 06:02:20

I've created a custom Weblogic Security Authentication Provider on version 10.3 that includes a custom login module to validate users. As part of the provider, I've implemented the ServletAuthenticationFilter and added one filter. The filter acts as a common log on page for all the applications within the domain.

When we access any secured URLs by entering them in the address bar, this works fine in IE and Firefox. But when we bookmark the link in IE an odd thing happens. If I click the bookmark, you will see our log on page, then after you've successfully logged into the system the basic auth page will display, even though the user is already authenticated. This never happens in Firefox, only IE. It's also intermittent. 1 time out of 5 IE will correctly redirect and not show the basic auth window. Firefox and Opera will correctly redirect every time. We've captured the response headers and compared the successes and failures; they are identical.

    final boolean isAuthenticated = authenticateUser(userName, password, req);

    // Send user on to the original URL
    if (isAuthenticated) {
        res.sendRedirect(targetURL);
        return;
    }

As you can see, once the user is authenticated I do a redirect to the original URL. Is there a step I'm missing? The authenticateUser() method is taken verbatim from an example in Oracle's documents.

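    // Imports required by this method
    import java.io.IOException;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.security.auth.login.LoginException;
    import javax.servlet.http.HttpServletRequest;
    import weblogic.servlet.security.ServletAuthentication;

    private boolean authenticateUser(final String userName, final String password, HttpServletRequest request) {

        boolean results;

        try {
            // Run the configured login modules, supplying the credentials through JAAS callbacks
            ServletAuthentication.login(new CallbackHandler() {

                @Override
                public void handle(Callback[] callbacks)
                        throws IOException, UnsupportedCallbackException {

                    for (Callback callback : callbacks) {
                        if (callback instanceof NameCallback) {
                            NameCallback nameCallback = (NameCallback) callback;
                            nameCallback.setName(userName);
                        }

                        if (callback instanceof PasswordCallback) {
                            PasswordCallback passwordCallback = (PasswordCallback) callback;
                            passwordCallback.setPassword(password.toCharArray());
                        }
                    }
                }
            }, request);
            results = true;
        } catch (LoginException e) {
            // Authentication failed
            results = false;
        }

        return results;
    }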

I am asking the question here because I don't know if the issue is with the Weblogic config or the code. If this question is more suited to ServerFault please let me know and I will post there.

It is odd that it works every time in Firefox and Opera but not in Internet Explorer. I wish that not using Internet Explorer was an option but it is currently the company standard. Any help or direction would be appreciated. I have tested against IE 6 & 8 and deployed the custom provider on 3 different environments and I can still reproduce the bug.


Comments (1)

写下不归期 2024-09-12 06:02:20

We figured it out.

The fix was to disable auth cookies on the weblogic server. For some reason Internet Explorer would lose the cookie causing Weblogic to think the session was being hacked. That is what prompted the basic auth login.

We still don't know what was causing IE to lose the cookie but this provider is for an intranet so the fix won't harm our overall security.

I hope this helps someone else.
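
One way to log the condition this answer describes, as an added example that is not part of the original post: it classifies a request by whether the session cookie arrived without the auth cookie. The cookie names `JSESSIONID` and `_WL_AUTHCOOKIE_JSESSIONID` are assumed to be the WebLogic defaults, the class and method names are hypothetical, and the sample headers are constructed.

```java
import java.util.HashSet;
import java.util.Set;

/** Added example: hypothetical helper, not part of the original post. */
public class AuthCookieCheck {

    // Assumed WebLogic default cookie names; adjust if the session cookie is renamed.
    static final String SESSION_COOKIE = "JSESSIONID";
    static final String AUTH_COOKIE = "_WL_AUTHCOOKIE_" + SESSION_COOKIE;

    enum State { NO_SESSION, PLAIN_HTTP, OK, AUTH_COOKIE_MISSING }

    /** Parses the cookie names out of a raw Cookie request header ("a=1; b=2"). */
    static Set<String> cookieNames(String cookieHeader) {
        Set<String> names = new HashSet<String>();
        if (cookieHeader == null) {
            return names;
        }
        for (String pair : cookieHeader.split(";")) {
            int eq = pair.indexOf('=');
            String name = (eq < 0 ? pair : pair.substring(0, eq)).trim();
            if (!name.isEmpty()) {
                names.add(name);
            }
        }
        return names;
    }

    /** Classifies one request from its scheme and Cookie header. */
    static State diagnose(boolean secure, String cookieHeader) {
        Set<String> names = cookieNames(cookieHeader);
        if (!names.contains(SESSION_COOKIE)) {
            return State.NO_SESSION;   // no session, so no auth cookie is expected
        }
        if (!secure) {
            return State.PLAIN_HTTP;   // the auth cookie is Secure and is not sent over HTTP
        }
        return names.contains(AUTH_COOKIE) ? State.OK : State.AUTH_COOKIE_MISSING;
    }

    public static void main(String[] args) {
        // Constructed sample requests: (secure?, Cookie header)
        System.out.println(diagnose(true, "JSESSIONID=abc; _WL_AUTHCOOKIE_JSESSIONID=xyz"));
        System.out.println(diagnose(true, "JSESSIONID=abc"));
        System.out.println(diagnose(false, "JSESSIONID=abc"));
        System.out.println(diagnose(true, null));
    }
}
```

Calling `diagnose(req.isSecure(), req.getHeader("Cookie"))` from the authentication filter and logging `AUTH_COOKIE_MISSING` together with the User-Agent shows which requests arrive in the state the answer describes.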
