IBM WebSphere 8.5.5.8(Liberty) + Spring 安全 3.1.3.RELEASE
IBM WebSphere 8.5.5.8(Liberty) + Spring Security 3.1.3.RELEASE
我们有一个基于 appfuse 初学者工具包版本 2.2.1 构建的示例 Web 应用程序,它使用 Spring 安全性 3.1.3.RELEASE。我们将在 WAS 7 上部署它,并在 IBM WebSphere 8.5.5.8(Liberty) 上对其进行测试。
我们的问题是在 successful/failed 登录请求之后,某些东西破坏了请求的 servletPath 值并将其设置为空。
((HttpServletRequest) request).getServletPath()
这是 LocaleFilter 尝试使用 getServletPath() 的 /j_security_check 值执行 chain.doFilter 的时候,我们遇到了:
Exception thrown by application class 'org.springframework.security.web.util.AntPathRequestMatcher.getRequestPath:116'
java.lang.NullPointerException:
at org.springframework.security.web.util.AntPathRequestMatcher.getRequestPath(AntPathRequestMatcher.java:116)
at org.springframework.security.web.util.AntPathRequestMatcher.matches(AntPathRequestMatcher.java:100)
at org.springframework.security.web.DefaultSecurityFilterChain.matches(DefaultSecurityFilterChain.java:42)
at org.springframework.security.web.FilterChainProxy.getFilters(FilterChainProxy.java:203)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:176)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
at [internal classes]
at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:59)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
at [internal classes]
at org.tuckey.web.filters.urlrewrite.NormalRewrittenUrl.doRewrite(NormalRewrittenUrl.java:213)
at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:171)
at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:394)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
at [internal classes]
at ir.dpi.webapp.filter.LocaleFilter.doFilterInternal(LocaleFilter.java:67)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
at [internal classes]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
at [internal classes]
at com.opensymphony.sitemesh.webapp.SiteMeshFilter.obtainContent(SiteMeshFilter.java:129)
at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:77)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
at [internal classes]
这是我们的 security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/images/**" security="none"/>
<http pattern="/styles/**" security="none"/>
<http pattern="/scripts/**" security="none"/>
<http auto-config="false" create-session="always">
<intercept-url pattern="/app/admin/**" access="ROLE_ADMIN"/>
<intercept-url pattern="/app/passwordHint*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
<intercept-url pattern="/app/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
<intercept-url pattern="/app/**" access="ROLE_ADMIN,ROLE_USER"/>
<form-login login-page="/login" authentication-failure-url="/login?error=true" login-processing-url="/j_security_check"/>
<remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/>
</http>
<authentication-manager >
<authentication-provider user-service-ref="userDao" >
<password-encoder ref="passwordEncoder" >
<salt-source ref="saltSource" />
</password-encoder>
</authentication-provider>
</authentication-manager>
<beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource"
p:userPropertyToUse="username"/>
<global-method-security>
<protect-pointcut expression="execution(* *..service.UserManager.getUsers(..))" access="ROLE_ADMIN"/>
<protect-pointcut expression="execution(* *..service.UserManager.removeUser(..))" access="ROLE_ADMIN"/>
</global-method-security>
</beans:beans>
如有任何帮助,我们将不胜感激。
我找到了使用 this code ranch topic 的解决方案。 AppFuse 使用不同的 Filters(javax.servlet) 并且 IBM WebSphere 的 Wrapping 机制对会话创建优先级敏感。所以我在 web.xml 文件中向上移动了 Spring securityFilter 映射。
<filter-mapping>
<filter-name>securityFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>sitemesh</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
...
现在登录过程已经完成。
请注意,在 Liberty 中设置这些设置至关重要 server.xml:
<httpSession cookieName="MY_LIBERTY_COOKIE" />
<basicRegistry />
IBM WebSphere Application Server(WAS Full)中的等效设置设置于:
Session management -> General Properties -> Enable cookies
同样在WAS version 7(可能适用于其他版本)需要使用:
<http auto-config="false" disable-url-rewriting="true" create-session="always">
在 spring security.xml 文件中。
我们有一个基于 appfuse 初学者工具包版本 2.2.1 构建的示例 Web 应用程序,它使用 Spring 安全性 3.1.3.RELEASE。我们将在 WAS 7 上部署它,并在 IBM WebSphere 8.5.5.8(Liberty) 上对其进行测试。 我们的问题是在 successful/failed 登录请求之后,某些东西破坏了请求的 servletPath 值并将其设置为空。
((HttpServletRequest) request).getServletPath()
这是 LocaleFilter 尝试使用 getServletPath() 的 /j_security_check 值执行 chain.doFilter 的时候,我们遇到了:
Exception thrown by application class 'org.springframework.security.web.util.AntPathRequestMatcher.getRequestPath:116' java.lang.NullPointerException: at org.springframework.security.web.util.AntPathRequestMatcher.getRequestPath(AntPathRequestMatcher.java:116) at org.springframework.security.web.util.AntPathRequestMatcher.matches(AntPathRequestMatcher.java:100) at org.springframework.security.web.DefaultSecurityFilterChain.matches(DefaultSecurityFilterChain.java:42) at org.springframework.security.web.FilterChainProxy.getFilters(FilterChainProxy.java:203) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:176) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) at [internal classes] at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:59) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) at [internal classes] at org.tuckey.web.filters.urlrewrite.NormalRewrittenUrl.doRewrite(NormalRewrittenUrl.java:213) at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:171) at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145) at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92) at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:394) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) at [internal classes] at ir.dpi.webapp.filter.LocaleFilter.doFilterInternal(LocaleFilter.java:67) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) at [internal classes] at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) at [internal classes] at com.opensymphony.sitemesh.webapp.SiteMeshFilter.obtainContent(SiteMeshFilter.java:129) at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:77) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) at [internal classes]
这是我们的 security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/images/**" security="none"/>
<http pattern="/styles/**" security="none"/>
<http pattern="/scripts/**" security="none"/>
<http auto-config="false" create-session="always">
<intercept-url pattern="/app/admin/**" access="ROLE_ADMIN"/>
<intercept-url pattern="/app/passwordHint*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
<intercept-url pattern="/app/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
<intercept-url pattern="/app/**" access="ROLE_ADMIN,ROLE_USER"/>
<form-login login-page="/login" authentication-failure-url="/login?error=true" login-processing-url="/j_security_check"/>
<remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/>
</http>
<authentication-manager >
<authentication-provider user-service-ref="userDao" >
<password-encoder ref="passwordEncoder" >
<salt-source ref="saltSource" />
</password-encoder>
</authentication-provider>
</authentication-manager>
<beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource"
p:userPropertyToUse="username"/>
<global-method-security>
<protect-pointcut expression="execution(* *..service.UserManager.getUsers(..))" access="ROLE_ADMIN"/>
<protect-pointcut expression="execution(* *..service.UserManager.removeUser(..))" access="ROLE_ADMIN"/>
</global-method-security>
</beans:beans>
如有任何帮助,我们将不胜感激。
我找到了使用 this code ranch topic 的解决方案。 AppFuse 使用不同的 Filters(javax.servlet) 并且 IBM WebSphere 的 Wrapping 机制对会话创建优先级敏感。所以我在 web.xml 文件中向上移动了 Spring securityFilter 映射。
<filter-mapping>
<filter-name>securityFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>sitemesh</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
...
现在登录过程已经完成。
请注意,在 Liberty 中设置这些设置至关重要 server.xml:
<httpSession cookieName="MY_LIBERTY_COOKIE" />
<basicRegistry />
IBM WebSphere Application Server(WAS Full)中的等效设置设置于:
Session management -> General Properties -> Enable cookies
同样在WAS version 7(可能适用于其他版本)需要使用:
<http auto-config="false" disable-url-rewriting="true" create-session="always">
在 spring security.xml 文件中。