开发者

Spring Security session-fixation-protection="none" Requires HTTP Page Prior to Auth Request

问答 作者:

I had to use session-fixation-protection="none" in my application (form based login) as I have to switch between https (for login) and http (for all other pages) and I run into an issue when I deep dive directly to the login page (https) or go from another https page to login. The main problem seems to be that I must go from an http page first, then my login page (https page) and then it lands properly on the default-target-url page (http page). If I go directly to the https login page, I get the below exception (see debug trace) and the login page is re-displayed under http protocol and then I can login but its via http. Anyone now why this is?

config:

<beans:beans
    xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/util
    http://www.springframework.org/schema/util/spring-util-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.0.xsd
    http://www.springframework.org/schema/context
    http://www.springframework.org/schema/context/spring-context-3.0.xsd">
    <context:annotation-config />
    <context:component-scan base-package="dc" />
    <global-method-security />
    <http access-denied-page="/auth/denied.html">
         <intercept-url filters="none" pattern="/javax.faces.resource/**" />
         <intercept-url filters="none" pattern="/services/rest-api/1.0/**" />
         <intercept-url filters="none" pattern="/preregistered/*"/>
         <intercept-url
            pattern="/**/*.xhtml"
            access="ROLE_NONE_GETS_ACCESS" />
         <intercept-url
            pattern="/auth/*"
            access="ROLE_ANONYMOUS,ROLE_USER"/>
         <intercept-url
            pattern="/preregistered/*"
            access="ROLE_ANONYMOUS,ROLE_USER"/>
         <intercept-url
            pattern="/registered/*"
            access="ROLE_USER"
            requires-channel="http"/>
        <form-login
            login-processing-url="/j_spring_security_check.html"
            login-page="/auth/login.html"
            default-target-url="/registered/home.html"
            authentication-failure-url="/auth/login.html" />
         <logout invalidate-session="true" 
              logout-url="/auth/logout.html" 
              success-handler-ref="DCLogoutSuccessHandler"/>
        <anonymous username="guest" granted-authority="ROLE_ANONYMO开发者_开发知识库US"/>
        <custom-filter after="FORM_LOGIN_FILTER" ref="xmlAuthenticationFilter" />
        <session-management session-fixation-protection="none"/>
    </http>
    <!-- Configure the authentication provider -->
    <authentication-manager alias="am">
        <authentication-provider user-service-ref="userManager">
                <password-encoder ref="passwordEncoder" />
        </authentication-provider>
        <authentication-provider ref="xmlAuthenticationProvider" />
    </authentication-manager>
</beans:beans>

debug trace:

04:38:26,754 DEBUG ExceptionTranslationFilter:153 - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied is in the debug trace. 04:38:26,755 DEBUG HttpSessionEventPublisher:66 - Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@b3977b]
04:38:26,755 DEBUG HttpSessionRequestCache:39 - DefaultSavedRequest added to Session: DefaultSavedRequest[http://pfg-prod-web01.reliam.com/dreamcatcher/registered/home.html]
04:38:26,756 DEBUG ExceptionTranslationFilter:177 - Calling Authentication entry point.
04:38:26,756 DEBUG DefaultRedirectStrategy:36 - Redirecting to 'http://pfg-prod-web01.reliam.com/dreamcatcher/auth/login.html;jsessionid=11F5897DD5FD398E9083BCC95CBF1C86'
04:38:26,756 DEBUG HttpSessionSecurityContextRepository:338 - SecurityContext is empty or anonymous - context will not be stored in HttpSession.

The second option here fixed my situation:

http://forum.springsource.org/archive/index.php/t-65651.html

Perhaps you could try adding the following listener, if you haven't done so.

<listener>
    <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
</listener>

继续阅读:spring-security

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9