开发者

Spring Security remember-me authentication from https to http cookie writing failure

问答 作者:

I'm using Spring Security 3.0.5 for authentication and I'm using remember-me as well. Currently, the login page is a https page and the page that I redirect to afte successfully authentication is a http page. I use to have everything under https, but we have a few things on our site which wont operate under https in IE8, so I thought I would try this route. The bel开发者_开发百科ow debug log seems to indicate that the cookie can't be written from https to http, is there a way to accomplish this?

Debug Trace:

15:13:53,373 DEBUG UsernamePasswordAuthenticationFilter:289 - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@b7fef7f9: Principal: com.dc.api.model.Users@470ad8; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 204.17.229.254; SessionId: 1C083D7977FDD3C8D1FA94BEA6665C54; Granted Authorities: com.dc.api.model.Authority@bd4e16
15:13:53,373 DEBUG TokenBasedRememberMeServices:271 - Did not send remember-me cookie (principal did not set parameter '_spring_security_remember_me')
15:13:53,374 DEBUG TokenBasedRememberMeServices:229 - Remember-me login not requested.
15:13:53,374 DEBUG DefaultListableBeanFactory:242 - Returning cached instance of singleton bean 'eventDispatcher'
15:13:53,375 DEBUG SavedRequestAwareAuthenticationSuccessHandler:107 - Using default Url: /registered/home.html
15:13:53,375 DEBUG DefaultRedirectStrategy:36 - Redirecting to '/dreamcatcher/registered/home.html'

Spring Security Config:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
    xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/util
    http://www.springframework.org/schema/util/spring-util-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.0.xsd
    http://www.springframework.org/schema/context
    http://www.springframework.org/schema/context/spring-context-3.0.xsd">
    <context:annotation-config />
    <context:component-scan base-package="dc" />
    <global-method-security />
    <http access-denied-page="/auth/denied.html">
         <intercept-url filters="none" pattern="/javax.faces.resource/**" />
         <intercept-url filters="none" pattern="/services/rest-api/1.0/**" />
         <intercept-url filters="none" pattern="/preregistered/*"/>
         <intercept-url
            pattern="/**/*.xhtml"
            access="ROLE_NONE_GETS_ACCESS" />
        <intercept-url
            pattern="/auth/**"
            access="ROLE_ANONYMOUS,ROLE_USER" />
         <intercept-url
            pattern="/auth/*"
            access="ROLE_ANONYMOUS" />
         <intercept-url
            pattern="/registered/*"
            access="ROLE_USER" />
          <intercept-url
            pattern="/*"
           access="ROLE_ANONYMOUS" />
        <form-login
            login-processing-url="/j_spring_security_check.html"
            login-page="/auth/login.html"
            default-target-url="/registered/home.html"
            authentication-failure-url="/auth/login.html" />
         <logout invalidate-session="true" 
              logout-url="/auth/logout.html" 
              success-handler-ref="DCLogoutSuccessHandler"/>
        <anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
        <remember-me user-service-ref="userManager" key="keyvaluehere"/>
        <custom-filter after="FORM_LOGIN_FILTER" ref="xmlAuthenticationFilter"/>
    </http>
    <!-- Configure the authentication provider -->
    <authentication-manager alias="am">
        <authentication-provider user-service-ref="userManager">
                <password-encoder ref="passwordEncoder" />
        </authentication-provider>
        <authentication-provider ref="xmlAuthenticationProvider" />
    </authentication-manager>
</beans:beans>

From a security point of view, it is the correct behavior, because a attacker could steal the session id/cooki used in https if the same session id/cooki is used in http too.

So there the one of the fundamental rules, to create a new session if the uses switches from http to https. So if you have a https session, use it in http and then in https again would break this rule. -- So it is a feature of Spring Security, not a Bug.

Anyway, this simplest solution woud be, making the http resources aviable under https too. So you do not need to switch back to http after the user is logged in (https).

It is possible by changing the cookie with a filter, I have answered this question here

继续阅读:httphttpsspringspring-security

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9