HttpSession trả về đối tượng rỗng cho SPRING_SECURITY_CONTEXT

Question

Tôi đang cố gắng tích hợp Spring Saml library trong một ứng dụng web mẫu, sử dụng Shibboleth làm IDP. Tôi có thể tải trang đăng nhập, để đăng nhập và hiển thị trang chỉ mục.

Vấn đề là khi tôi nhấp vào các liên kết khác, webapp sẽ chuyển hướng tôi đến trang đăng nhập, IDP sẽ nhận ra tôi và chuyển hướng đến trang được yêu cầu (nếu mạng nhanh thì rất khó để thấy điều này). Nó giống như tôi không đăng nhập vào bảo mật mùa xuân.

Tôi đã kiểm tra các bản ghi và tôi thấy điều này:

org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession trở vô đối tượng cho SPRING_SECURITY_CONTEXT org.springframework.security.web.context.HttpSessionSecurityContextRepository - Không có SecurityContext nào có sẵn từ HttpSession: org.apache.catalina.session.StandardSessionFacade@fde8fb. Một cái mới sẽ được tạo ra.

Đây là web.xml

<!-- The definition of the Root Spring Container shared by all Servlets and Filters --> 
<context-param> 
    <param-name>contextConfigLocation</param-name> 
    <param-value> 
     /WEB-INF/spring/root-context.xml 
     /WEB-INF/spring/security/securityContext.xml 
    </param-value> 
</context-param> 
<filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
</filter> 
<filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

<!-- Creates the Spring Container shared by all Servlets and Filters --> 
<listener> 
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
</listener> 

<!-- Processes application requests --> 
<servlet> 
    <servlet-name>dispatcher</servlet-name> 
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
    <init-param> 
     <param-name>contextConfigLocation</param-name> 
     <param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value> 
    </init-param> 
    <load-on-startup>1</load-on-startup> 
</servlet> 

<servlet-mapping> 
    <servlet-name>dispatcher</servlet-name> 
    <url-pattern>/</url-pattern> 
</servlet-mapping> 



<!-- Custom error pages --> 
<error-page> 
    <error-code>400</error-code> 
    <location>/errors/missing-en.html</location> 
</error-page> 
<error-page> 
    <error-code>401</error-code> 
    <location>/errors/restricted-en.html</location> 
</error-page> 
<error-page> 
    <error-code>403</error-code> 
    <location>/errors/restricted-en.html</location> 
</error-page> 
<error-page> 
    <error-code>404</error-code> 
    <location>/errors/missing-en.html</location> 
</error-page> 
<error-page> 
    <error-code>500</error-code> 
    <location>/errors/missing-en.html</location> 
</error-page> 
<error-page> 
    <error-code>503</error-code> 
    <location>/errors/missing-en.html</location> 
</error-page> 

và securityContext

<beans xmlns="http://www.springframework.org/schema/beans" 
xmlns:security="http://www.springframework.org/schema/security" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns:context="http://www.springframework.org/schema/context" 
xsi:schemaLocation="http://www.springframework.org/schema/beans 
     http://www.springframework.org/schema/beans/spring-beans-3.1.xsd 
     http://www.springframework.org/schema/security 
     http://www.springframework.org/schema/security/spring-security-3.1.xsd 
     http://www.springframework.org/schema/context 
     http://www.springframework.org/schema/context/spring-context.xsd"> 

<!-- Enable autowiring --> 
<context:annotation-config /> 
<context:component-scan base-package="org.springframework.security.saml" /> 

<security:http pattern="/logout.jsp" security="none" /> 
<security:http pattern="/login.jsp" security="none" /> 
<security:http pattern="/index.html" security="none" /> 

<security:http entry-point-ref="samlEntryPoint"> 
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" /> 
    <security:custom-filter before="FIRST" ref="metadataGeneratorFilter" /> 
    <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter" /> 
</security:http> 

<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy"> 
    <security:filter-chain-map path-type="ant"> 
     <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint" /> 
     <security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter" /> 
     <security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter" /> 
     <security:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter" /> 
     <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter" /> 
    </security:filter-chain-map> 
</bean> 

<!-- Handler deciding where to redirect user after successful login --> 
<bean id="successRedirectHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"> 
    <property name="defaultTargetUrl" value="/" /> 
</bean> 
<!-- Use the following for interpreting RelayState coming from unsolicited response as redirect URL: <bean id="successRedirectHandler" class="org.springframework.security.saml.SAMLRelayStateSuccessHandler"> 
    <property name="defaultTargetUrl" value="/" /> </bean> --> 

<!-- Handler for successful logout --> 
<bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler"> 
    <property name="defaultTargetUrl" value="/logout.jsp" /> 
</bean> 

<!-- Register authentication manager with SAML provider --> 
<security:authentication-manager alias="authenticationManager"> 
    <security:authentication-provider ref="samlAuthenticationProvider" /> 
</security:authentication-manager> 

<!-- Logger for SAML messages and events --> 
<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger" /> 

<!-- Central storage of cryptographic keys --> 
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager"> 
    <constructor-arg value="/WEB-INF/spring/security/myKeystore.jks" /> 
    <constructor-arg type="java.lang.String" value="betfair" /> 
    <constructor-arg> 
     <map> 
      <entry key="tomcat" value="betfair" /> 
     </map> 
    </constructor-arg> 
    <constructor-arg type="java.lang.String" value="tomcat" /> 
</bean> 

<!-- Entry point to initialize authentication, default values taken from properties file --> 
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint"> 
    <property name="defaultProfileOptions"> 
     <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions"> 
      <property name="includeScoping" value="false" /> 
     </bean> 
    </property> 
</bean> 

<!-- IDP Discovery Service --> 
<bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery"> 
    <property name="idpSelectionPath" value="/WEB-INF/security/idpSelection.jsp" /> 
</bean> 

<!-- Filter automatically generates default SP metadata --> 
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter"> 
    <constructor-arg> 
     <bean class="org.springframework.security.saml.metadata.MetadataGenerator" /> 
    </constructor-arg> 
</bean> 

<!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there --> 
<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter" /> 

<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here --> 
<!-- Do no forget to call iniitalize method on providers --> 
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager"> 
    <constructor-arg> 
     <list> 

      <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate"> 
       <constructor-arg> 
        <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider"> 
         <constructor-arg> 
          <value type="java.io.File">/WEB-INF/spring/security/shibboleth.xml</value> 
         </constructor-arg> 
         <property name="parserPool" ref="parserPool" /> 
        </bean> 
       </constructor-arg> 
       <constructor-arg> 
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"> 
        </bean> 
       </constructor-arg> 
      </bean> 
      <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate"> 
       <constructor-arg> 
        <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider"> 
         <constructor-arg> 
          <value type="java.io.File">/WEB-INF/spring/security/localhost_sp.xml</value> 
         </constructor-arg> 
         <property name="parserPool" ref="parserPool" /> 
        </bean> 
       </constructor-arg> 
       <constructor-arg> 
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"> 
         <property name="local" value="true" /> 
         <property name="alias" value="localhost" /> 
         <property name="securityProfile" value="metaiop" /> 
         <property name="sslSecurityProfile" value="pkix" /> 
         <property name="signingKey" value="tomcat" /> 
         <property name="encryptionKey" value="tomcat" /> 
         <property name="tlsKey" value="tomcat" /> 
         <property name="requireArtifactResolveSigned" value="false" /> 
         <property name="requireLogoutRequestSigned" value="false" /> 
         <property name="requireLogoutResponseSigned" value="false" /> 
        </bean> 
       </constructor-arg> 
      </bean> 
     </list> 
    </constructor-arg>  
    <!-- OPTIONAL used when one of the metadata files contains information about this service provider --> 
    <property name="hostedSPName" value="localhost"/> 
    <!-- OPTIONAL property: can tell the system which IDP should be used for authenticating user by default. --> 
    <!-- <property name="defaultIDP" value="http://localhost:8080/opensso"/> --> 
</bean> 

<!-- SAML Authentication Provider responsible for validating of received SAML messages --> 
<bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider"> 
    <!-- OPTIONAL property: can be used to store/load user data after login --> 
    <!-- <property name="userDetails" ref="bean" /> --> 
</bean> 

<!-- Provider of default SAML Context --> 
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl" /> 

<!-- Processing filter for WebSSO profile messages --> 
<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter"> 
    <property name="authenticationManager" ref="authenticationManager" /> 
    <property name="authenticationSuccessHandler" ref="successRedirectHandler" /> 
</bean> 

<!-- Processing filter for WebSSO Holder-of-Key profile --> 
<bean id="samlWebSSOHoKProcessingFilter" class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter"> 
    <property name="authenticationManager" ref="authenticationManager" /> 
    <property name="authenticationSuccessHandler" ref="successRedirectHandler" /> 
</bean> 

<!-- Logout handler terminating local session --> 
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"> 
    <property name="invalidateHttpSession" value="false" /> 
</bean> 

<!-- Override default logout processing filter with the one processing SAML messages --> 
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter"> 
    <constructor-arg ref="successLogoutHandler" /> 
    <constructor-arg ref="logoutHandler" /> 
    <constructor-arg ref="logoutHandler" /> 
</bean> 

<!-- Filter processing incoming logout messages --> 
<!-- First argument determines URL user will be redirected to after successful global logout --> 
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter"> 
    <constructor-arg ref="successLogoutHandler" /> 
    <constructor-arg ref="logoutHandler" /> 
</bean> 

<!-- Class loading incoming SAML messages from httpRequest stream --> 
<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl"> 
    <constructor-arg> 
     <list> 
      <ref bean="redirectBinding" /> 
      <ref bean="postBinding" /> 
      <ref bean="artifactBinding" /> 
      <ref bean="soapBinding" /> 
      <ref bean="paosBinding" /> 
     </list> 
    </constructor-arg> 
</bean> 

<!-- SAML 2.0 WebSSO Assertion Consumer --> 
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl" /> 

<!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer --> 
<bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl" /> 

<!-- SAML 2.0 Web SSO profile --> 
<bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl" /> 

<!-- SAML 2.0 Holder-of-Key Web SSO profile --> 
<bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl" /> 

<!-- SAML 2.0 ECP profile --> 
<bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl" /> 

<!-- SAML 2.0 Logout Profile --> 
<bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl" /> 

<!-- Bindings, encoders and decoders used for creating and parsing messages --> 
<bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding"> 
    <constructor-arg ref="parserPool" /> 
    <constructor-arg ref="velocityEngine" /> 
</bean> 

<bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding"> 
    <constructor-arg ref="parserPool" /> 
</bean> 

<bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding"> 
    <constructor-arg ref="parserPool" /> 
    <constructor-arg ref="velocityEngine" /> 
    <constructor-arg> 
     <bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl"> 
      <constructor-arg> 
       <bean class="org.apache.commons.httpclient.HttpClient" /> 
      </constructor-arg> 
      <property name="processor"> 
       <bean id="soapProcessor" class="org.springframework.security.saml.processor.SAMLProcessorImpl"> 
        <constructor-arg ref="soapBinding" /> 
       </bean> 
      </property> 
     </bean> 
    </constructor-arg> 
</bean> 

<bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding"> 
    <constructor-arg ref="parserPool" /> 
</bean> 

<bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding"> 
    <constructor-arg ref="parserPool" /> 
</bean> 

<!-- Initialization of OpenSAML library --> 
<bean class="org.springframework.security.saml.SAMLBootstrap" /> 

<!-- Initialization of the velocity engine --> 
<bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine" /> 

<!-- XML parser pool needed for OpenSAML parsing --> 
<bean id="parserPool" class="org.opensaml.xml.parse.BasicParserPool" scope="singleton" /> 

Bất kỳ ý tưởng?

Cảm ơn Emanuele

Answer 1

Tôi đã gặp phải sự cố tương tự. Sau khi gỡ lỗi nhận ra rằng SecurityContext được xóa trước khi nó được duy trì. Sau khi googling tôi thấy điều này: https://jira.springsource.org/browse/SEC-2027 Di chuyển đến phiên bản an ninh mùa xuân 3.1.2 giải quyết nó cho tôi.

Tôi hy vọng nó sẽ giúp ai đó.

Answer 2

Nếu bạn không phải là đặc biệt về việc sử dụng Spring, hoặc bạn có thể thử một cái gì đó mà làm việc đầu tiên và chuyển sang mùa xuân sau, đây là một hướng dẫn tốt. Tôi đã cố gắng này, nó hoạt động:

http://fczaja.blogspot.com/2012/06/idp-initiated-sso-and-identity.html

Blog tác giả Filip là rất nhạy, bạn có thể nhận được giải thích từ anh ấy nếu cần thiết.