Session id keeps changing for every request with https and spring security in IE browser
I have a Spring MVC 4 with Spring Security application deployed on a WebSphere 8.5 shared server, say server123. I access the application as an https application on an enterprise F5 domain name.
I have a strange problem where the session id keeps changing on every servlet request. This causes an infinite redirect loop on IE. However, it works with Chrome and Firefox.
I invoke my application as follows, where apps/MyApp/ is the context root and MainPage is the controller request-mapping URL: https://example.server.com/apps/MyApp/MainPage
I have also configured SSO authentication using UserNamePasswordAuthenticationFilter, which intercepts the Spring redirected authentication URL /loginSSO. After successful authentication the forward path /MainPage is lost in IE and it redirects to https://example.server.com/apps/MyApp/ and https://example.server.com/apps/MyApp/loginSSO repeatedly. Below are my security configuration details.
```java
import java.util.Arrays;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.access.channel.ChannelProcessor;
import org.springframework.security.web.access.channel.InsecureChannelProcessor;
import org.springframework.security.web.access.channel.SecureChannelProcessor;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// CookieFilter, CSRFFilter and AuthFilter are the poster's own classes and are not shown
// in the question. The class name SecurityConfig is assumed; the question only shows the body.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/loginSSO").permitAll();
        http.authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
            .formLogin()
            .loginPage("/loginSSO")
            .successHandler(successHandler())
            .and()
            .csrf()
            .csrfTokenRepository(csrfTokenRepository())
            .and()
            .addFilterBefore(new CookieFilter(), ChannelProcessingFilter.class)
            .addFilterAfter(new CSRFFilter(), CsrfFilter.class)
            .addFilterBefore(authFilter(), UsernamePasswordAuthenticationFilter.class)
            .requiresChannel()
            .channelProcessors(Arrays.<ChannelProcessor>asList(
                new InsecureChannelProcessor(),
                new SecureChannelProcessor()));
        // Port pairs used by the channel processors when redirecting between http and https.
        // The original read mapsTo(44) for port 80; 443 is the https port that was meant.
        http.portMapper().http(8080).mapsTo(8443).http(80).mapsTo(443)
            .http(9080).mapsTo(9443).http(7777).mapsTo(7443);
    }

    /**
     * Auth filter.
     *
     * @return the auth filter
     */
    @Bean
    public AuthFilter authFilter() throws Exception {
        AuthFilter authFilter = new AuthFilter();
        // authenticationManager() is inherited from WebSecurityConfigurerAdapter and declares
        // "throws Exception"; propagating it instead of printing the stack trace makes a
        // misconfigured authentication filter fail at startup rather than run half-wired.
        authFilter.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/loginSSO"));
        authFilter.setAuthenticationManager(authenticationManager());
        return authFilter;
    }

    @Autowired
    @Qualifier("customUserDetailsService")
    UserDetailsService userDetailsService;

    @Bean
    public SavedRequestAwareAuthenticationSuccessHandler successHandler() {
        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setTargetUrlParameter("targetUrl");
        return successHandler;
    }

    @Autowired
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

    /**
     * Csrf token repository.
     *
     * @return the csrf token repository
     */
    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setSessionAttributeName("_csrf");
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }
}
```
This issue got resolved. It happened to be a problem with the application context root configuration in the WebSphere application.xml file.
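The answer above points at the context root, which is consistent with the usual mechanism behind "a new session id on every request": the container issues the session cookie with a path derived from the context root, and when the path the browser actually requests (here, through the F5 host name) is not covered by that cookie path, the browser never sends the cookie back, so every request starts a fresh session and the saved-request redirect to /MainPage is lost. Browsers apply cookie path rules with slightly different strictness, which would explain why only IE looped. The filter below is an added diagnostic and is not code from the question, the answer or Spring Security; it assumes the Servlet 3.0 API available on WebSphere 8.5 and the default session cookie name JSESSIONID, and the class and method names are mine. Registered first in the chain while the problem is being reproduced, it logs, per request, the context path the container is deployed under, the effective session cookie path, the request URI, and whether the session id the browser presented was accepted, and it prints a one-word verdict for the mismatch cases.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Diagnostic filter (added example, not from the original post). */
public class SessionDiagnosticsFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(SessionDiagnosticsFilter.class.getName());

    /** Assumed default cookie name; change it if the server is configured with another. */
    private static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        boolean browserSentCookie = findCookie(request, SESSION_COOKIE) != null;
        // True only when the presented id maps to a live session of this web module.
        boolean idAccepted = browserSentCookie && request.isRequestedSessionIdValid();

        HttpSession before = request.getSession(false);
        String idBefore = before == null ? "-" : before.getId();

        chain.doFilter(req, res);

        HttpSession after = request.getSession(false);
        String idAfter = after == null ? "-" : after.getId();
        boolean createdNew = after != null && after.isNew();

        // Effective cookie path: the explicit SessionCookieConfig path if set, otherwise the
        // context path (Servlet 3.0 default). A root context yields "", which means "/".
        SessionCookieConfig scc = request.getServletContext().getSessionCookieConfig();
        String cookiePath = scc.getPath() != null ? scc.getPath() : request.getContextPath();
        if (cookiePath.isEmpty()) {
            cookiePath = "/";
        }

        String verdict = diagnose(cookiePath, request.getRequestURI(),
                                  browserSentCookie, idAccepted, createdNew);
        LOG.info(String.format(
            "uri=%s contextPath=%s cookiePath=%s sentCookie=%s idAccepted=%s before=%s after=%s -> %s",
            request.getRequestURI(), request.getContextPath(), cookiePath,
            browserSentCookie, idAccepted, idBefore, idAfter, verdict));
    }

    /** Decision logic kept container-free so it can be unit-tested with plain strings. */
    static String diagnose(String cookiePath, String requestUri, boolean browserSentCookie,
                           boolean idAccepted, boolean createdNew) {
        if (!cookiePathCovers(cookiePath, requestUri)) {
            return "MISMATCH (cookie path does not cover the request URI; browser will not return the cookie)";
        }
        if (browserSentCookie && !idAccepted) {
            return "STALE (id presented but unknown to this module: expired, other context root, or proxy rewrite)";
        }
        if (!browserSentCookie && createdNew) {
            return "NO_COOKIE (client sent none; check Secure flag vs. scheme and the Domain attribute)";
        }
        return "OK";
    }

    /** RFC 6265 path-match: equal, or prefix ending in "/" or followed by "/" in the URI. */
    static boolean cookiePathCovers(String cookiePath, String requestUri) {
        if (cookiePath.equals(requestUri)) {
            return true;
        }
        if (!requestUri.startsWith(cookiePath)) {
            return false;
        }
        return cookiePath.endsWith("/") || requestUri.charAt(cookiePath.length()) == '/';
    }

    private static Cookie findCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) {
                return c;
            }
        }
        return null;
    }
}
```

A run that shows MISMATCH with contextPath differing from the first segments of the URI (for example a context root of /MyApp while the browser requests /apps/MyApp/MainPage) points directly at the deployment descriptor, which is where the answer found the problem; STALE on every request with the id changing each time usually means the F5 or the container rewrites the path or host so the cookie is issued for one module and presented to another.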