我有一个奇怪的错误,调试了几个小时,我无法理解。
更新 1:我使用 Spring Security 4.0.3,在 Tomcat 7 上运行。
问题接近 this question ,也许 SecurityContextHolder 在 response.redirect() 期间丢失,但答案没有帮助。
问题似乎接近 this question也是,但答案对我来说毫无意义。
这是我的配置:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class ProjectSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests().antMatchers("/login").anonymous();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser(Constants.PROFIL_ADMIN).password(Constants.PROFIL_ADMIN).
roles("ADMIN","TEST_SERVICE");
}
}
登录后我尝试获取一个安全的 URL:
@RequestMapping(value = "/myurl", method = RequestMethod.GET)
@ResponseBody
public boolean getTestService(HttpServletRequest request)
throws SQLException, PoRulesException {
System.out.println("get security context");
System.out.println("--------------------");
SecurityContext secuContext = (SecurityContext) request.getSession().getAttribute("SPRING_SECURITY_CONTEXT");
System.out.println(secuContext);
System.out.println("get security context holder");
System.out.println(SecurityContextHolder.getContext());
return testService.getTestMethod();
}
服务内部的方法
@Secured("ROLE_TEST_SERVICE")
public boolean getTestMethod() {
Sysout.out.println("Hiii")
return true
}
现在,当它不起作用时的日志:
INFO 2016-07-11 15:57:00,006 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController - Login
INFO 2016-07-11 15:57:00,057 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController - User : axel
INFO 2016-07-11 15:57:00,065 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController - Authenticate : true
INFO 2016-07-11 15:57:00,065 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController - Authenticate : org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bbbc4f45: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_CONSULTER_CA,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 613DFE47B2CE6E29DA3C227F8E028590; Granted Authorities: ROLE_ADMIN, ROLE_TEST_SERVICE
get security context
--------------------
org.springframework.security.core.context.SecurityContextImpl@bbbc4f45: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bbbc4f45: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_CONSULTER_CA,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 613DFE47B2CE6E29DA3C227F8E028590; Granted Authorities: ROLE_ADMIN, ROLE_TEST_SERVICE
get security context holder
org.springframework.security.core.context.SecurityContextImpl@ffffffff: Null authentication
ERROR 2016-07-11 15:57:01,960 [http-bio-8080-exec-10] com.po.exception.GlobalControllerExceptionHandler - org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:378)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:222)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:655)
at com.po.service.CAService$$EnhancerBySpringCGLIB$$f6e21857.getVarAndPrevCa(<generated>)
at com.po.mvc.controller.CaController.getVarAndPrevCa(CaController.java:56)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:222)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:814)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:737)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:969)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:860)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:845)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:964)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:304)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
以及何时有效。我只是看不出有什么区别...... Spring 上下文已设置并包含凭据作为 sysout proove 但 SecurityContextHolder 未设置。
INFO 2016-07-11 16:09:45,374 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController - Login
INFO 2016-07-11 16:09:45,393 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController - User : axel
INFO 2016-07-11 16:09:45,395 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController - Authenticate : true
INFO 2016-07-11 16:09:45,395 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController - Authenticate : org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bbbc4f45: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_TEST_SERVICE; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 613DFE47B2CE6E29DA3C227F8E028590; Granted Authorities: ROLE_ADMIN, ROLE_TEST_SERVICE
get security context
--------------------
org.springframework.security.core.context.SecurityContextImpl@bbbc4f45: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bbbc4f45: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_TEST_SERVICE Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 613DFE47B2CE6E29DA3C227F8E028590; Granted Authorities: ROLE_ADMIN, ROLE_CONSULTER_CA, ROLE_USER
get security context holder
org.springframework.security.core.context.SecurityContextImpl@4440cc59: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4440cc59: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_CONSULTER_CA,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 19994511EEE72462E8D680CDADCFEC4C; Granted Authorities: ROLE_ADMIN, ROLE_CONSULTER_CA, ROLE_USER
INFO 2016-07-11 16:09:46,879 [http-bio-8080-exec-3] Hiii
有效和无效之间的唯一区别是:
mywebsite.com 上,它是公开的并转到 mywebsite.com/login?user=me 有效mywebsite.com/login?user=me session 属性 SPRING_SECURITY_CONTEXT 在这两种情况下都设置了,但 SecurityContextHolder 没有设置,它在 @Secured line 222 中触发了异常
我不想在方法中使用手动检查 SecurityContextHolder 之类的技巧(重定向后),如果是 null 设置 session 属性 SPRING_SECURITY_CONTEXT 不是 null,我想从根本上解决问题。
最佳答案
假设您无法与现有的 SSO 提供商集成,以下解决方案可能是您所希望的最佳解决方案。
从根本上说,除非您将自己限制在容器中的单个线程中(这是一个糟糕的主意),否则您正在做的事情是行不通的。来自 SecurityContextHolder 上的文档:
Associates a given
SecurityContextwith the current execution thread.
这很重要 - 当前 执行线程。如果您发出登录请求,由线程 A 处理,然后您尝试转到安全页面,但此请求由线程 B 处理,那么您在 A 上设置的 SecurityContext 将 不在 B 上可用。
Spring Security 完全有能力为您处理这个问题,方法是将安全上下文存储在 session 中并根据需要存储/获取它(参见 org.springframework.security.web.session.SessionManagementFilter) .不过,您需要对配置进行一些更改。
首先,您需要创建一个从 AbstractAuthenticationProcessingFilter 扩展的新类,并覆盖 attemptAuthentication 方法。然后需要注册这个新过滤器,并且需要替换现有的 org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter。该类(class)也是了解这一切如何联系在一起以及您可以配置什么的好地方。
这个新的过滤器会做一些类似的事情
public Authentication attemptAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException {
UserLDAP ldapUser = CorpLDAP.findUser(request);
User user = new User(ldapUser.getProfil(), ldapUser.getPwd(), Collections.emptyList());
return new UsernamePasswordAuthenticationToken(user, "", Collections.emptyList());
}
这将返回一个完全经过身份验证的用户,以后可以使用该用户。这将存储在 SecurityContextHolder 中,并且可以轻松检索。它还将存储在 session 中(如果已配置),因此我建议确保它是可序列化的。由于您不使用密码,我会强烈建议不要将其存储在 User 中。
希望这会让你朝着正确的方向前进。
关于java - Spring Security AuthenticationCredentialsNotFoundException,SecurityContextHolder.getContext 为空,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/38309382/