Why does Fusion Middleware forwarding cause problems with my Spring Security authentication process?
We have Fusion Middleware set up to handle our certificates. It's configured on port 443 and forwards its requests after handling the certification process to an instance of WebLogic 11g set up on port 8001. That instance handles the authentication and returns the response through Middleware. We're using Spring 2.5.6 & Spring Security 2.0.4. It's a Flex-based web application. Using Firebug/Firefox, I was able to verify that the server handles the authentication request properly, and attempts to return my loginSuccess.htm (configured via org.springframework.security.ui.webapp.AuthenticationProcessingFilter in my Spring Security config file), but I can see it's a 302 forward; it's errored with a status from Firebug saying Aborted.
Also to note, the authentication and application work fine on a standalone instance of WebLogic; it's when we introduced the Fusion Middleware piece in between the web application and the client that we started to run into the authentication issues.
Here's a snippet of my AuthenticationProcessingFilter config entry:
<bean id="authenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationFailureUrl" value="/loginFailure.htm"/>
    <property name="defaultTargetUrl" value="/loginSuccess.htm"/>
    <property name="filterProcessesUrl" value="/login.htm"/>
    <property name="rememberMeServices" ref="rememberMeServices"/>
    <property name="alwaysUseDefaultTargetUrl" value="true"/>
    <property name="usernameParameter" value="username"/>
    <property name="passwordParameter" value="password"/>
</bean>
Any insight would be useful. We introduced Fusion Middleware since it's Oracle's recommended production approach; we were having issues with certificates beforehand.
Comments (1)
dvuke - using Oracle Fusion Middleware the redirection can be handled via the app server - so essentially there would be no need to make changes in your spring filter.
This approach using a permanent redirect attribute in your httpd.conf file may fix the issue you describe. So any redirection in your code could be forced to always be served up over https.
At least an avenue to look into!
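A check for the 302 seen in Firebug, added here as an example and not part of the original question or answer. It assumes, which the thread does not confirm, that the backend on port 8001 builds the redirect to /loginSuccess.htm from its own scheme and port instead of the public HTTPS origin; the host names and sample headers are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

BACKEND_PORT = 8001                       # backend port named in the question
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, effective port) for an absolute URL."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, (parts.hostname or "").lower(), port


def check_redirect(request_url, location):
    """Compare a 3xx Location header with the URL the browser requested.

    Returns a list of findings; an empty list means the redirect stays on
    the public origin the client used.
    """
    target = urljoin(request_url, location)   # resolves relative Locations
    req_scheme, req_host, req_port = origin(request_url)
    tgt_scheme, tgt_host, tgt_port = origin(target)
    findings = []
    if req_scheme == "https" and tgt_scheme == "http":
        findings.append("scheme-downgrade")    # HTTPS page redirected to HTTP
    if tgt_port == BACKEND_PORT and req_port != BACKEND_PORT:
        findings.append("backend-port-leak")   # internal port exposed to client
    if tgt_host != req_host:
        findings.append("host-changed")        # internal host name exposed
    return findings


# Constructed sample: (URL the browser posted to, Location header returned)
SAMPLES = [
    ("https://app.example.com/login.htm", "/loginSuccess.htm"),
    ("https://app.example.com/login.htm", "https://app.example.com/loginSuccess.htm"),
    ("https://app.example.com/login.htm", "http://app.example.com/loginSuccess.htm"),
    ("https://app.example.com/login.htm", "http://app.example.com:8001/loginSuccess.htm"),
    ("https://app.example.com/login.htm", "http://wls-internal:8001/loginSuccess.htm"),
]


def audit(samples):
    """Map each Location header to its findings."""
    return {loc: check_redirect(req, loc) for req, loc in samples}


if __name__ == "__main__":
    for loc, findings in audit(SAMPLES).items():
        print(f"{loc:50} {', '.join(findings) or 'ok'}")
```

Any finding on the login redirect means the Location header has to be corrected at the proxy or in the application server's front-end settings before the browser can follow it over HTTPS.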