
Spring Security + Flex + BlazeDS Login Issue

We have an issue with our company's FLEX / Spring / BlazeDS application. Basically, in Firefox and IE (not Chrome), if you authenticate against the site several times (login/logout/login/logout), you eventually end up in a state where you can authenticate to the server by simply clicking login with anything in the password field, at least until you close the browser and reopen it. What is going on here?

Looking at the Spring Security logs, you can see the SecurityContext is not being invalidated properly and is being reused. I've included some snippets below to help work out a solution.

This only happens when I use the default glassfish servlet context for the application: https://staging.website.net:8181/

It does not happen if I use a direct context for the application: https://staging.website.net:8181/myapp

Here are the details of our logout filter and spring-security configuration:

    <security:http entry-point-ref="oamAuthenticationProcessingFilterEntryPoint"
        auto-config="false">
        <security:intercept-url pattern="/messagebroker/**/*"
            access="ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN" />
        <security:intercept-url pattern="/cms/login"
            access="ROLE_ANONYMOUS" />
        <security:intercept-url pattern="/cms*"
            access="ROLE_CMS,ROLE_ADMIN" />
        <security:intercept-url pattern="/gen*"
            access="ROLE_CMS,ROLE_ADMIN" />
        <security:intercept-url pattern="/test*"
            access="ROLE_ANONYMOUS,ROLE_USER" />
        <security:intercept-url pattern="*/index.jsp" filters="none" />
        <security:intercept-url pattern="*/" filters="none" />
        <!-- <security:form-login login-page="/index.jsp" /> -->
        <security:logout logout-success-url="/index.jsp" />
        <security:anonymous granted-authority="ROLE_ANONYMOUS" />
    </security:http>
    <bean id="splashPageLogoutFilter"
        class="<redacted>.security.SplashPageLogoutFilter">
        <security:custom-filter position="FIRST" />
        <constructor-arg index="0">
            <list>
                <ref bean="securityContextLogoutHandler" />
            </list>
        </constructor-arg>
    </bean>
    <bean id="securityContextLogoutHandler" class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />
    <bean id="daoAuthenticationProvider"
        class="<redacted>.security.UserAuthentication">
        <security:custom-authentication-provider />
        <property name="allowedFailAttempts" value="5" />
        <property name="allowedAttemptsBeforeCaptcha" value="3" />
        <property name="userDetailsService" ref="customUserDetailsService" />
        <property name="passwordEncoder">
            <bean name="passwordEncoder"
                class="org.springframework.security.providers.encoding.ShaPasswordEncoder" />
        </property>
        <property name="saltSource">
            <!-- one salt shared by every account: identical passwords produce identical hashes -->
            <bean
                class="org.springframework.security.providers.dao.salt.SystemWideSaltSource">
                <property name="systemWideSalt" value="not1thing" />
            </bean>
        </property>
    </bean>

Our context handler:

    import java.io.IOException;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;
    import org.springframework.security.Authentication;
    import org.springframework.security.context.SecurityContextHolder;
    import org.springframework.security.ui.SpringSecurityFilter;
    import org.springframework.security.ui.logout.LogoutHandler;
    // Spring Security 2.0 package names, matching the bean classes in the config above.
    public class SplashPageLogoutFilter extends SpringSecurityFilter {
        private static final Log logger = LogFactory.getLog(SplashPageLogoutFilter.class);
        // Handlers come from the <constructor-arg index="0"> list in the XML (array parameter assumed)
        private final LogoutHandler[] handlers;

        public SplashPageLogoutFilter(LogoutHandler[] handlers) {
            this.handlers = handlers;
        }

        @Override
        protected void doFilterHttp(HttpServletRequest request,
                HttpServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            boolean logout = false;
            // SSO Login Request: a POST to /webSSO logs any current user out first
            if ("POST".equals(request.getMethod())
                    && request.getRequestURI().endsWith("/webSSO")) {
                logout = true;
            }
            // Returning to the splash page (index.jsp) also logs out
            if ("GET".equals(request.getMethod())
                    && request.getRequestURI().contains("index.jsp")) {
                logout = true;
            }

            if (logout) {
                Authentication auth = SecurityContextHolder.getContext()
                        .getAuthentication();
                logger.info("doFilterHttp caused Logout.");
                for (int i = 0; i < handlers.length; i++) {
                    handlers[i].logout(request, response, auth);
                }
            }

            chain.doFilter(request, response);
        }

        // Order reported in the debug log ("order=0"); the config places this filter FIRST
        public int getOrder() {
            return 0;
        }
    }

I can see doFilterHttp logging the user out, and they are then sent to the index page, but after doing this a few times the user can log in with any password. Looking at the Spring Security debug output shows the following:

sec.log

2011-11-25 09:06:30,689|ExceptionTranslationFilter|Chain processed normally
2011-11-25 09:06:30,690|HttpSessionContextIntegrationFilter|SecurityContextHolder now cleared, as request processing completed
2011-11-25 09:09:36,017|FilterChainProxy|Converted URL to lowercase, from: '/messagebroker/amfsecure'; to: '/messagebroker/amfsecure'
2011-11-25 09:09:36,018|FilterChainProxy|Candidate is: '/messagebroker/amfsecure'; pattern is /**; matched=true
2011-11-25 09:09:36,019|FilterChainProxy|/messagebroker/amfsecure at position 1 of 10 in additional filter chain; firing Filter: 'org.springframework.flex.config.SessionFixationProtectionConfigurer$PriorityOrderedRequestContextFilter@65b8b2'
2011-11-25 09:09:36,019|FilterChainProxy|/messagebroker/amfsecure at position 2 of 10 in additional filter chain; firing Filter: '<redacted>.security.SplashPageLogoutFilter[ order=0; ]'
2011-11-25 09:09:36,021|FilterChainProxy|/messagebroker/amfsecure at position 3 of 10 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
2011-11-25 09:09:36,024|HttpSessionContextIntegrationFilter|Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT to associate with SecurityContextHolder: 'org.springframework.security.context.SecurityContextImpl@a9f1ed4c: Authentication: org.springframework.security.providers.UsernamePasswordAuthenticationToken@a9f1ed4c: Principal: <redacted>.security.UserDetailsServiceImpl$1@5674e6; Password: [PROTECTED]; Authenticated: true; Details: <redacted>.security.UserAuthentication$1@14b9a6; Granted Authorities: ROLE_USER'
2011-11-25 09:09:36,025|FilterChainProxy|/messagebroker/amfsecure at position 4 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.logout.LogoutFilter[ order=300; ]'
2011-11-25 09:09:36,025|FilterChainProxy|/messagebroker/amfsecure at position 5 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]'
2011-11-25 09:09:36,026|FilterChainProxy|/messagebroker/amfsecure at position 6 of 10 in additional filter chain; firing Filter: 'org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1100; ]'
2011-11-25 09:09:36,026|SavedRequestAwareWrapper|Wrapper not replaced; SavedRequest was: null
2011-11-25 09:09:36,027|FilterChainProxy|/messagebroker/amfsecure at position 7 of 10 in additional filter chain; firing Filter: 'org.springframework.security.providers.anonymous.AnonymousProcessingFilter[ order=1300; ]'
2011-11-25 09:09:36,027|AnonymousProcessingFilter|SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.providers.UsernamePasswordAuthenticationToken@a9f1ed4c: Principal: <redacted>.security.UserDetailsServiceImpl$1@5674e6; Password: [PROTECTED]; Authenticated: true; Details: <redacted>.security.UserAuthentication$1@14b9a6; Granted Authorities: ROLE_USER'
2011-11-25 09:09:36,028|FilterChainProxy|/messagebroker/amfsecure at position 8 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.ExceptionTranslationFilter[ order=1400; ]'
2011-11-25 09:09:36,029|FilterChainProxy|/messagebroker/amfsecure at position 9 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.SessionFixationProtectionFilter[ order=1600; ]'
2011-11-25 09:09:36,030|FilterChainProxy|/messagebroker/amfsecure at position 10 of 10 in additional filter chain; firing Filter: 'org.springframework.security.intercept.web.FilterSecurityInterceptor@36e1ed'
2011-11-25 09:09:36,030|DefaultFilterInvocationDefinitionSource|Converted URL to lowercase, from: '/messagebroker/amfsecure'; to: '/messagebroker/amfsecure'
2011-11-25 09:09:36,031|DefaultFilterInvocationDefinitionSource|Candidate is: '/messagebroker/amfsecure'; pattern is /messagebroker/**/*; matched=true
2011-11-25 09:09:36,032|AbstractSecurityInterceptor|Secure object: FilterInvocation: URL: /messagebroker/amfsecure; ConfigAttributes: [ROLE_ANONYMOUS, ROLE_USER, ROLE_ADMIN]
2011-11-25 09:09:36,033|AbstractSecurityInterceptor|Previously Authenticated: org.springframework.security.providers.UsernamePasswordAuthenticationToken@a9f1ed4c: Principal: <redacted>.security.UserDetailsServiceImpl$1@5674e6; Password: [PROTECTED]; Authenticated: true; Details: <redacted>.security.UserAuthentication$1@14b9a6; Granted Authorities: ROLE_USER
2011-11-25 09:09:36,034|AbstractSecurityInterceptor|Authorization successful
2011-11-25 09:09:36,035|AbstractSecurityInterceptor|RunAsManager did not change Authentication object
2011-11-25 09:09:36,037|FilterChainProxy|/messagebroker/amfsecure reached end of additional filter chain; proceeding with original chain

This has been bugging me for a while now, can anyone help?

Cheers, Chris

I'm not really sure of the answer myself, it is difficult to know what might be going on with this limited information... but have you tried doing a session invalidation (request.getSession().invalidate()) inside the logout block of your filter? See whether the problem persists after the session has been forcibly destroyed. It might give more clues as to where the problem could be.
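The session invalidation suggested in the answer above, written out as an added example. This is not code from the original post, from Spring, or from the asker's project; it uses the Spring Security 2.0 package names that appear in the question's configuration and log, and the class name SessionInvalidatingLogoutFilter is made up for the example. Two details from the log drive the design: the custom filter sits at position 2 and HttpSessionContextIntegrationFilter at position 3, so when the custom filter runs SecurityContextHolder has not been populated yet and the persisted context can only be read from the session attribute (SPRING_SECURITY_CONTEXT); and the logout handlers may themselves invalidate the session, so the explicit invalidation has to tolerate an already-invalid session.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.Authentication;
import org.springframework.security.context.HttpSessionContextIntegrationFilter;
import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.ui.SpringSecurityFilter;
import org.springframework.security.ui.logout.LogoutHandler;

/**
 * Added example (not the project's code): a logout filter that forcibly destroys
 * the HTTP session, as the answer suggests, instead of relying only on the
 * configured LogoutHandlers. Spring Security 2.0 API, same packages as the
 * question's configuration. Wire it exactly like SplashPageLogoutFilter:
 * <security:custom-filter position="FIRST" /> plus a <list> of LogoutHandlers.
 */
public class SessionInvalidatingLogoutFilter extends SpringSecurityFilter {

    private static final Log logger = LogFactory.getLog(SessionInvalidatingLogoutFilter.class);

    private final LogoutHandler[] handlers;

    public SessionInvalidatingLogoutFilter(LogoutHandler[] handlers) {
        this.handlers = handlers;
    }

    /** Same triggers as the question's filter: POST to /webSSO or GET of index.jsp. */
    static boolean isLogoutRequest(String method, String uri) {
        if (uri == null) {
            return false;
        }
        return ("POST".equals(method) && uri.endsWith("/webSSO"))
            || ("GET".equals(method) && uri.contains("index.jsp"));
    }

    @Override
    protected void doFilterHttp(HttpServletRequest request,
            HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (isLogoutRequest(request.getMethod(), request.getRequestURI())) {
            HttpSession session = request.getSession(false);
            Authentication auth = null;
            if (session != null) {
                // This filter runs before HttpSessionContextIntegrationFilter (log:
                // position 2 vs 3), so SecurityContextHolder is still empty here. The
                // context persisted by the previous request lives in the session.
                Object stored = session.getAttribute(
                        HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY);
                if (stored instanceof SecurityContext) {
                    auth = ((SecurityContext) stored).getAuthentication();
                }
            }

            // Let the configured handlers run first (SecurityContextLogoutHandler
            // invalidates the session itself by default).
            for (int i = 0; i < handlers.length; i++) {
                handlers[i].logout(request, response, auth);
            }

            // Then make sure the session really is gone: drop the stored context and
            // invalidate, tolerating a session a handler already invalidated.
            session = request.getSession(false);
            if (session != null) {
                try {
                    session.removeAttribute(
                            HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY);
                    session.invalidate();
                } catch (IllegalStateException alreadyInvalidated) {
                    // nothing left to do; the container already discarded it
                }
            }
            SecurityContextHolder.clearContext();
            logger.info("Logout: session invalidated for "
                    + (auth == null ? "anonymous/unknown" : auth.getName()));
        }
        chain.doFilter(request, response);
    }

    /** Order value; the namespace config places the filter FIRST, as in the question. */
    public int getOrder() {
        return 0;
    }
}
```

After swapping this in, the debug log is the check: on the request following a logout, HttpSessionContextIntegrationFilter should report that no SecurityContext was found in the session rather than "Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT". If it still obtains one, the stale context is being re-stored by something later in the chain, which narrows down where to look next.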


Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost, please credit this site or the original source. Questions: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM