spring security - sessionid url rewriting with tomcat 7
we've fought with the following problem using spring security 1.2.1, grails 1.3.7 and tomcat 7.0.22. on our dev machines we had no problems during login in our app. i think the grails tomcat plugin uses a 6.x version of tomcat. we defined the following test case for the login process:
- delete all cookies
- login
as you can see, a very simple test case :-). the result of the test looks as follows: the user was successfully authenticated, but after login gets redirected to the access denied page. the session was created, because the user was able to perform other permitted actions and the log shows a successful authentication (enabled spring security log on debug level). so why does the redirect to the access denied page happen?
tomcat 7.x assumes that no cookies are activated and adds the sessionid to the redirect url and additionally sets the cookie via the "set cookie" http header. that's the point where the spring security plugin is confused.
http response of j_spring_security_check
HTTP/1.1 302 Moved Temporarily
Connection: Keep-Alive
Content-Length: 0
Date: Fri, 14 Oct 2011 06:41:59 GMT
**Location: https://myserver/main;jsessionid=8341CD832CAF4569A95BBF436395744E**
Server: Apache-Coyote/1.1
**Set-Cookie: JSESSIONID=8341CD832CAF4569A95BBF436395744E;** Path=/etsweb/; HttpOnly
followed by an http get https://myserver/main;jsessionid=8341CD832CAF4569A95BBF436395744E
http response
HTTP/1.1 302 Moved Temporarily
Connection: Keep-Alive
Content-Length: 0
Date: Fri, 14 Oct 2011 06:41:59 GMT
Location: https://myserver/login/denied
Server: Apache-Coyote/1.1
the solution was to disable url rewriting by setting the following tag in the web.xml file
<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
I don't know whether this is a spring sec bug or a thinking bug.
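An added check for the two symptoms the question shows (example code written for this page, not code from the question or from Spring Security, Grails or Tomcat): it parses a raw HTTP response and reports whether the session ID was rewritten into the Location URL (which also exposes the token to Referer headers and access logs) and whether the JSESSIONID Set-Cookie carries HttpOnly and Secure, and it reads a web.xml document to confirm that only the COOKIE tracking mode is declared, i.e. that URL rewriting is off. The response and web.xml samples are constructed from the question's own responses and snippet (bold markers removed); the Secure-flag check is an extra hardening check that goes beyond the question.

```python
"""Audit HTTP responses and web.xml for servlet session-ID URL rewriting.

Added example, not code from the original question or from Spring Security,
Grails or Tomcat.  Two checks:
  1. audit_response(): given a raw HTTP response (status line + headers),
     report whether a session ID is carried in the Location URL
     (";jsessionid=...") and whether the JSESSIONID Set-Cookie carries the
     HttpOnly and Secure flags.
  2. url_rewriting_disabled(): given a web.xml document, return True only if
     <session-config>/<tracking-mode> is declared and does not include URL
     (the servlet 3.0 default, when nothing is declared, allows COOKIE and URL).
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Session token appended as a path parameter by servlet URL rewriting.
JSESSIONID_IN_PATH = re.compile(r";jsessionid=([0-9A-Fa-f]+)", re.IGNORECASE)


@dataclass
class SessionAudit:
    status: str
    session_in_url: bool = False
    session_cookie_set: bool = False
    httponly: bool = False
    secure: bool = False
    findings: list = field(default_factory=list)


def parse_response(raw: str):
    """Split a raw HTTP response into (status_line, [(name, value), ...]).
    Header names are lower-cased; repeated headers are kept in order."""
    lines = [line.rstrip("\r") for line in raw.strip().splitlines()]
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers; any body is ignored
        name, _, value = line.partition(":")  # split on the first colon only
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_set_cookie(value: str):
    """Return (name, value, {attribute: value_or_True}) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), cookie_value.strip(), attrs


def audit_response(raw: str, session_cookie_name: str = "JSESSIONID") -> SessionAudit:
    status, headers = parse_response(raw)
    audit = SessionAudit(status=status)
    for name, value in headers:
        if name == "location":
            match = JSESSIONID_IN_PATH.search(value)
            if match:
                audit.session_in_url = True
                token = match.group(1)
                # Report the token masked: a finding must not carry the secret itself.
                audit.findings.append(
                    f"session ID rewritten into Location URL ({token[:4]}..., {len(token)} hex chars)")
        elif name == "set-cookie":
            cname, _, attrs = parse_set_cookie(value)
            if cname.upper() == session_cookie_name:
                audit.session_cookie_set = True
                audit.httponly = attrs.get("httponly") is True
                audit.secure = attrs.get("secure") is True
    if audit.session_in_url and audit.session_cookie_set:
        audit.findings.append("session ID delivered both in URL and cookie: URL rewriting is active")
    if audit.session_cookie_set and not audit.httponly:
        audit.findings.append("session cookie lacks HttpOnly")
    if audit.session_cookie_set and not audit.secure:
        audit.findings.append("session cookie lacks Secure")
    return audit


def web_xml_tracking_modes(web_xml: str) -> list:
    """Collect every <tracking-mode> value in the document, ignoring namespaces."""
    root = ET.fromstring(web_xml)
    return [(el.text or "").strip().upper()
            for el in root.iter() if el.tag.split("}")[-1] == "tracking-mode"]


def url_rewriting_disabled(web_xml: str) -> bool:
    modes = web_xml_tracking_modes(web_xml)
    return bool(modes) and "URL" not in modes


# Constructed samples, taken from the question's responses and web.xml snippet.
LOGIN_RESPONSE = """HTTP/1.1 302 Moved Temporarily
Connection: Keep-Alive
Content-Length: 0
Date: Fri, 14 Oct 2011 06:41:59 GMT
Location: https://myserver/main;jsessionid=8341CD832CAF4569A95BBF436395744E
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8341CD832CAF4569A95BBF436395744E; Path=/etsweb/; HttpOnly
"""

FIXED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
"""

# No tracking-mode declared: the container default still permits URL rewriting.
UNFIXED_WEB_XML = """<web-app version="3.0"><session-config>
  <session-timeout>30</session-timeout></session-config></web-app>"""

if __name__ == "__main__":
    for finding in audit_response(LOGIN_RESPONSE).findings:
        print("finding:", finding)
    print("fixed web.xml disables URL rewriting:", url_rewriting_disabled(FIXED_WEB_XML))
    print("unfixed web.xml disables URL rewriting:", url_rewriting_disabled(UNFIXED_WEB_XML))
```

Run against the login response above, the audit flags the rewritten Location URL and the cookie-plus-URL delivery that confused the filter chain, and `url_rewriting_disabled` returns True only for a web.xml that declares COOKIE without URL, which is exactly the fix the question settled on.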
Also, make sure the wildcard in your security settings is using IS_AUTHENTICATED_ANONYMOUSLY, and not ROLE_ANONYMOUS.
'/**': ['IS_AUTHENTICATED_ANONYMOUSLY']