Spring Security 3.1.4: Cannot access target page due to anonymousUser authentication

[Posted]: 2014-11-01 23:21:58

[Question]:

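When a user's password has been reset, the user should be taken to the security questions page; instead, the user is kicked back to the login page. After enabling Spring debug logging, I noticed that Spring is creating an anonymous user authentication.

I am using Spring Security 3.1.4.

Below are my application logs: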

2014-09-08 13:34:42,355 DEBUG | org.springframework.security.web.savedrequest.HttpSessionRequestCache |  | bzyJYL3H4y4h | DefaultSavedRequest added to Session: DefaultSavedRequest[https://qa-cp/PP/enduser/securityQuestions.do?clear=true]
2014-09-08 13:34:42,355 DEBUG | org.springframework.security.web.access.ExceptionTranslationFilter |  | bzyJYL3H4y4h | Calling Authentication entry point.
2014-09-08 13:34:42,355 DEBUG | org.springframework.security.web.DefaultRedirectStrategy |  | bzyJYL3H4y4h | Redirecting to 'https://qa-cp/PP/index.do'
2014-09-08 13:34:42,355 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository |  | bzyJYL3H4y4h | SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2014-09-08 13:34:42,356 DEBUG | org.springframework.security.web.context.SecurityContextPersistenceFilter |  | bzyJYL3H4y4h | SecurityContextHolder now cleared, as request processing completed
2014-09-08 13:34:43,369 DEBUG | org.springframework.security.web.FilterChainProxy |  | orAnz9si9ErQ | /index.do at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-09-08 13:34:43,370 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository |  | orAnz9si9ErQ | HttpSession returned null object for SPRING_SECURITY_CONTEXT
2014-09-08 13:34:43,371 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository |  | orAnz9si9ErQ | No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@6814b7b1. A new one will be created.
2014-09-08 13:34:43,371 DEBUG | org.springframework.security.web.FilterChainProxy |  | orAnz9si9ErQ | /index.do at position 2 of 12 in additional filter chain; firing Filter: 'WelcomePageRedirectFilter'
2014-09-08 13:34:43,373 DEBUG | org.springframework.security.web.FilterChainProxy |  | orAnz9si9ErQ | /index.do at position 3 of 12 in additional filter chain; firing Filter: 'InternalAuthenticationFilter'
2014-09-08 13:34:43,374 DEBUG | org.springframework.security.web.FilterChainProxy |  | orAnz9si9ErQ | /index.do at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2014-09-08 13:34:43,375 DEBUG | org.springframework.security.web.FilterChainProxy |  | orAnz9si9ErQ | /index.do at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2014-09-08 13:34:43,375 DEBUG | org.springframework.security.web.FilterChainProxy |  | orAnz9si9ErQ | /index.do at position 6 of 12 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2014-09-08 13:34:43,376 DEBUG | org.springframework.security.web.FilterChainProxy |  | orAnz9si9ErQ | /index.do at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2014-09-08 13:34:43,377 DEBUG | org.springframework.security.web.savedrequest.DefaultSavedRequest |  | orAnz9si9ErQ | pathInfo: both null (property equals)
2014-09-08 13:34:43,378 DEBUG | org.springframework.security.web.savedrequest.DefaultSavedRequest |  | orAnz9si9ErQ | queryString: arg1=clear=true; arg2=null (property not equals)
2014-09-08 13:34:43,379 DEBUG | org.springframework.security.web.savedrequest.HttpSessionRequestCache |  | orAnz9si9ErQ | saved request doesn't match
2014-09-08 13:34:43,379 DEBUG | org.springframework.security.web.FilterChainProxy |  | orAnz9si9ErQ | /index.do at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2014-09-08 13:34:43,380 DEBUG | org.springframework.security.web.FilterChainProxy |  | orAnz9si9ErQ | /index.do at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2014-09-08 13:34:43,381 DEBUG | org.springframework.security.web.authentication.AnonymousAuthenticationFilter | anonymousUser | orAnz9si9ErQ | Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 10.9.120.74; SessionId: C69492D05E3009DEC64122CC220B9A4B; Granted Authorities: ROLE_ANONYMOUS'
2014-09-08 13:34:43,382 DEBUG | org.springframework.security.web.FilterChainProxy | anonymousUser | orAnz9si9ErQ | /index.do at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2014-09-08 13:34:43,383 DEBUG | org.springframework.security.web.FilterChainProxy | anonymousUser | orAnz9si9ErQ | /index.do at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2014-09-08 13:34:43,384 DEBUG | org.springframework.security.web.FilterChainProxy | anonymousUser | orAnz9si9ErQ | /index.do at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'

After trying to log in again a few minutes later, Spring authenticates the user. The logs follow:

2014-09-08 13:34:51,089 DEBUG | org.springframework.security.web.FilterChainProxy |  | IfMNPOKYArlz | /j_spring_security_check at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-09-08 13:34:51,090 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository |  | IfMNPOKYArlz | HttpSession returned null object for SPRING_SECURITY_CONTEXT
2014-09-08 13:34:51,092 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository |  | IfMNPOKYArlz | No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@6814b7b1. A new one will be created.
2014-09-08 13:34:51,093 DEBUG | org.springframework.security.web.FilterChainProxy |  | IfMNPOKYArlz | /j_spring_security_check at position 2 of 12 in additional filter chain; firing Filter: 'WelcomePageRedirectFilter'
2014-09-08 13:34:51,100 DEBUG | org.springframework.security.web.FilterChainProxy |  | IfMNPOKYArlz | /j_spring_security_check at position 3 of 12 in additional filter chain; firing Filter: 'InternalAuthenticationFilter'
2014-09-08 13:34:51,100 DEBUG | org.springframework.security.web.FilterChainProxy |  | IfMNPOKYArlz | /j_spring_security_check at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2014-09-08 13:34:51,101 DEBUG | org.springframework.security.web.FilterChainProxy |  | IfMNPOKYArlz | /j_spring_security_check at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2014-09-08 13:34:51,102 DEBUG | org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter |  | IfMNPOKYArlz | Request is to process authentication
2014-09-08 13:34:51,103 DEBUG | org.springframework.security.authentication.ProviderManager |  | IfMNPOKYArlz | Authentication attempt using com.dc.apps.collaborationportal.security.service.CPDaoAuthenticationProvider
2014-09-08 13:34:51,110 DEBUG | org.springframework.security.web.FilterChainProxy |  | orAnz9si9ErQ | /j_spring_security_check at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-09-08 13:34:51,110 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository |  | orAnz9si9ErQ | HttpSession returned null object for SPRING_SECURITY_CONTEXT
2014-09-08 13:34:51,111 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository |  | orAnz9si9ErQ | No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@6814b7b1. A new one will be created.
2014-09-08 13:34:51,111 DEBUG | org.springframework.security.web.FilterChainProxy |  | orAnz9si9ErQ | /j_spring_security_check at position 2 of 12 in additional filter chain; firing Filter: 'WelcomePageRedirectFilter'
2014-09-08 13:34:51,112 DEBUG | org.springframework.security.web.FilterChainProxy |  | orAnz9si9ErQ | /j_spring_security_check at position 3 of 12 in additional filter chain; firing Filter: 'InternalAuthenticationFilter'
2014-09-08 13:34:51,112 DEBUG | org.springframework.security.web.FilterChainProxy |  | orAnz9si9ErQ | /j_spring_security_check at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2014-09-08 13:34:51,113 DEBUG | org.springframework.security.web.FilterChainProxy |  | orAnz9si9ErQ | /j_spring_security_check at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2014-09-08 13:34:51,114 DEBUG | org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter |  | orAnz9si9ErQ | Request is to process authentication
2014-09-08 13:34:51,114 DEBUG | org.springframework.security.authentication.ProviderManager |  | orAnz9si9ErQ | Authentication attempt using com.dc.apps.collaborationportal.security.service.CPDaoAuthenticationProvider
2014-09-08 13:34:51,164 DEBUG | org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter |  | IfMNPOKYArlz | Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@79680fbd: Principal: org.springframework.security.core.userdetails.User@49520377: Username: test1@dc.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 11.22.22.33; SessionId: C69492D05E3009DEC64122CC220B9A4B; Not granted any authorities
2014-09-08 13:34:51,178 DEBUG | org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter |  | orAnz9si9ErQ | Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@79680fbd: Principal: org.springframework.security.core.userdetails.User@49520377: Username: test1@dc.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 11.22.22.33; SessionId: C69492D05E3009DEC64122CC220B9A4B; Not granted any authorities
2014-09-08 13:34:51,355 DEBUG | org.springframework.security.web.DefaultRedirectStrategy | test1@dc.com | orAnz9si9ErQ | Redirecting to '/PP/enduser/securityQuestions.do?clear=true'
2014-09-08 13:34:51,356 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository | test1@dc.com | orAnz9si9ErQ | SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@79680fbd: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@79680fbd: Principal: org.springframework.security.core.userdetails.User@49520377: Username: test1@dc.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 11.22.22.33; SessionId: C69492D05E3009DEC64122CC220B9A4B; Not granted any authorities'
2014-09-08 13:34:51,357 DEBUG | org.springframework.security.web.context.SecurityContextPersistenceFilter |  | orAnz9si9ErQ | SecurityContextHolder now cleared, as request processing completed
2014-09-08 13:34:51,396 DEBUG | org.springframework.security.web.DefaultRedirectStrategy | test1@dc.com | IfMNPOKYArlz | Redirecting to '/PP/enduser/securityQuestions.do?clear=true'
2014-09-08 13:34:51,397 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository | test1@dc.com | IfMNPOKYArlz | HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session
2014-09-08 13:34:51,398 DEBUG | org.springframework.security.web.context.SecurityContextPersistenceFilter |  | IfMNPOKYArlz | SecurityContextHolder now cleared, as request processing completed
2014-09-08 13:34:52,372 DEBUG | org.springframework.security.web.FilterChainProxy |  | orAnz9si9ErQ | /enduser/securityQuestions.do?clear=true at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-09-08 13:34:52,373 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository |  | orAnz9si9ErQ | Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@79680fbd: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@79680fbd: Principal: org.springframework.security.core.userdetails.User@49520377: Username: test1@dc.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 11.22.22.33; SessionId: C69492D05E3009DEC64122CC220B9A4B; Not granted any authorities'

Update: security-applicationContext.xml

<beans:bean id="trustedAuthenticationFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
   <beans:property name="principalRequestHeader" value="X-Remote-Authenticate"/>
   <beans:property name="authenticationManager" ref="authenticationManager" />
   <beans:property name="exceptionIfHeaderMissing" value="false" />
</beans:bean>   


<!-- LOCAL LOGIN CONFIGURATION -->
<http use-expressions="true" auto-config="false" disable-url-rewriting="true" entry-point-ref="loginUrlAuthenticationEntryPoint"
        request-matcher-ref="localAuthRequestMatcher">
  <intercept-url pattern="/admin/**" access="hasRole('ADMIN_PERMISSION')" />
  <intercept-url pattern="/system/**" access="hasRole('ADMIN_PERMISSION')" />
  <intercept-url pattern="/enduser/**" access="isAuthenticated()" />
  <intercept-url pattern="/changePassword.do" access="permitAll"/>      
  <intercept-url pattern="/index.do" access="isAnonymous()" />
  <custom-filter after="SECURITY_CONTEXT_FILTER" ref="welcomePageRedirectFilter" />
  <custom-filter before="LOGOUT_FILTER" ref="internalAuthenticationFilter" />
  <custom-filter before="FORM_LOGIN_FILTER" ref="customUsernamePasswordAuthenticationFilter"/>
  <form-login login-page="/index.do" authentication-failure-handler-ref="DCAuthenticationFailureHandler" authentication-success-handler-ref="DCAuthenticationSuccessHandler" />
  <http-basic />
  <anonymous />      
  <session-management session-authentication-strategy-ref="customSessionFixationProtectionStrategy" />  
  <logout success-handler-ref="localLogoutSuccessHandler" />       
</http> 

<beans:bean id="exceptionTranslator"
  class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <beans:constructor-arg><beans:ref bean="loginUrlAuthenticationEntryPoint" /></beans:constructor-arg>    
</beans:bean>   

<beans:bean id="localLogoutSuccessHandler"
  class="com.dc.core.security.authentication.impl.CustomLogoutSuccessHandler">
  <beans:property name="defaultTargetUrl" value="/index.do" />          
</beans:bean>

Code that redirects the user to the security questions page:

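import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.BeansException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Primary;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.stereotype.Component;
// Project classes (DCAuthenticationSuccessHandler, CollaborationSecurityService,
// SecurityHelper, Logger, Level, Session, ...) come from the poster's code base.

@Component
@Primary
public class CPAuthenticationSuccessHandler extends DCAuthenticationSuccessHandler {

    @Autowired
    private CollaborationSecurityService collabSecurityService;

    @Autowired
    private AuthenticationFilterConfiguration authenticationConfiguration;

    @Autowired
    private FailedLoginsLock failedLoginsLock;

    private static final String SECURITY_QUESTIONS_URL = "/enduser/securityQuestions.do?clear=true";

    private static final Logger LOGGER = Logger.getInstance("dc.auth");

    // Redirect to whatever URL onCPAuthenticationSuccessUrl() selects.
    @Override
    public void onAuthenticationSuccess(final HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        new DefaultRedirectStrategy().sendRedirect(request, response,
                this.onCPAuthenticationSuccessUrl(request, response, authentication));
    }

    public String onCPAuthenticationSuccessUrl(final HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        LOGGER.log(Level.INFO, "Successful Authentication Principal--> " + authentication.getPrincipal());
        boolean isNewSession = false;
        Session session = null;

        // sessionHandler and sessionFactory are not declared in the posted snippet
        // (presumably inherited from DCAuthenticationSuccessHandler).
        try {
            if (!sessionHandler.sessionAlreadyBound(sessionFactory)) {
                session = sessionHandler.initiateSession(sessionFactory);
                sessionHandler.beginTransaction(session);
                isNewSession = true;
            }

            // Users who still need to set up security questions go to that page first.
            if (!SecurityHelper.isCurrentUserAnonymous()
                    && collabSecurityService.needSecurityQuestionSetup(authentication.getName())) {
                return SECURITY_QUESTIONS_URL;
            } else {
                return super.onAuthenticationSuccessUrl(request, response, authentication);
            }
        } finally {
            if (isNewSession) {
                sessionHandler.endTransaction(false, sessionFactory);
            }
        }
    }

    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        super.setApplicationContext(applicationContext);
    }
}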

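I really don't know what is going wrong with Spring authentication. I would really appreciate someone's help with this.

[Comments]:

Can you share your Spring configuration and code? It is not possible to guess the nature of the problem by looking at your code.

@SezinKarli I am trying to update my question with the code and configuration, but it seems my question already has 30000 characters and I am not allowed to add any more.

@RanPaul You can remove some of the logs. The configuration will tell us more...

@Evgeni Updated the question with securityContext.xml

[Answer 1]: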

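I ran into the same problem in Spring Security 5; maybe this can help others who have a similar problem.

Fixing the priority of the filter calls can help solve this problem.

If your authentication filter authenticates your user before the SecurityContextPersistenceFilter class is called, this class resets the context and your user is cleared from the context: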

    HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
    SecurityContext contextBeforeChainExecution = this.repo.loadContext(holder);
    try {
        SecurityContextHolder.setContext(contextBeforeChainExecution);
        ...
    }

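In the rest of the filter chain your authenticated user is lost, and AnonymousAuthenticationFilter registers anonymousUser when the authentication is null.

Ultimately you have to change your filter's priority so that it comes after SecurityContextPersistenceFilter.

For example, in a non-XML configuration you can set the filter priority like this: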

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

   @Override
   protected void configure(HttpSecurity http) throws Exception {
      ...

      // YOUR_FILTER_CLASS stands for an instance of your authentication filter
      http.addFilterAfter(YOUR_FILTER_CLASS, SecurityContextPersistenceFilter.class);

      ...
   }
}

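A check for the ordering problem the answer describes, run over DEBUG lines in the layout of the question's logs (an added example, not part of the original posts). The sample lines are constructed, `TokenAuthFilter` is a hypothetical custom filter name, and treating the fourth log field as a correlation id is an assumption.

```python
import re
from collections import defaultdict

# Message format written by FilterChainProxy at DEBUG level, as in the logs above.
FIRING = re.compile(r"^(?P<path>\S+) at position (?P<pos>\d+) of \d+ in additional "
                    r"filter chain; firing Filter: '(?P<name>[^']+)'")
PERSISTENCE = "SecurityContextPersistenceFilter"


def parse(lines):
    """Return ({(corr_id, path): {filter: position}}, {corr_ids given an anonymous token})."""
    chains, anonymous = defaultdict(dict), set()
    for line in lines:
        fields = [f.strip() for f in line.split("|", 4)]
        if len(fields) != 5:
            continue  # not 'time level | logger | user | id | message'
        _, logger, _, corr_id, message = fields
        m = FIRING.match(message)
        if m and logger.endswith("FilterChainProxy"):
            chains[(corr_id, m["path"])][m["name"]] = int(m["pos"])
        elif message.startswith("Populated SecurityContextHolder with anonymous token"):
            anonymous.add(corr_id)
    return chains, anonymous


def misordered(lines, auth_filters):
    """List (corr_id, path, filter, anonymous_seen) for every authentication filter
    that fires before SecurityContextPersistenceFilter, or in a chain lacking it."""
    chains, anonymous = parse(lines)
    findings = []
    for (corr_id, path), order in sorted(chains.items()):
        persist_pos = order.get(PERSISTENCE)
        for name in sorted(set(auth_filters).intersection(order)):
            if persist_pos is None or order[name] < persist_pos:
                findings.append((corr_id, path, name, corr_id in anonymous))
    return findings


# Constructed sample: reqA has the expected order, reqB authenticates too early.
SAMPLE = """\
2014-09-08 13:34:43,369 DEBUG | org.springframework.security.web.FilterChainProxy |  | reqA | /index.do at position 1 of 2 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-09-08 13:34:43,370 DEBUG | org.springframework.security.web.FilterChainProxy |  | reqA | /index.do at position 2 of 2 in additional filter chain; firing Filter: 'TokenAuthFilter'
2014-09-08 13:34:44,100 DEBUG | org.springframework.security.web.FilterChainProxy |  | reqB | /enduser/q.do at position 1 of 3 in additional filter chain; firing Filter: 'TokenAuthFilter'
2014-09-08 13:34:44,101 DEBUG | org.springframework.security.web.FilterChainProxy |  | reqB | /enduser/q.do at position 2 of 3 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-09-08 13:34:44,102 DEBUG | org.springframework.security.web.FilterChainProxy |  | reqB | /enduser/q.do at position 3 of 3 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2014-09-08 13:34:44,103 DEBUG | org.springframework.security.web.authentication.AnonymousAuthenticationFilter | anonymousUser | reqB | Populated SecurityContextHolder with anonymous token: 'constructed'
""".splitlines()

if __name__ == "__main__":
    for finding in misordered(SAMPLE, {"TokenAuthFilter"}):
        print("authentication filter fires before context is loaded:", finding)
```

Pass the names of your own authentication filters as `auth_filters`; an empty result means every one of them fired after `SecurityContextPersistenceFilter` in each logged chain.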