在WebApp中使用PAC4J依赖项来实现SSO支持,我遇到了一个问题。
上下文:
- java ee/jre 1.7.0.79,tomcat 7.0.70,org.springframework:spring:3.2.16.Release,org.springframework.security.security:spring-security-core-core:3.2.2.2.9.release,org.pac4j:org.pac4j::pac4j::::pac4j::Spring-Security-PAC4J:1.4.1,org.pac4j:pac4j-oauth:1.8.3,org.pac4j:pac4j-saml:1.8.3
- 在WebApp配置中启用了多个第三方身份验证提供商(例如Google OAuth和任何SAML),在登录页面上以2个按钮转发给UI:"使用Google登录",使用MY_SAML_PROVIDER_LABEL登录,
要求:
- 升级Java或/和Tomcat是一种选择。升级的弹簧和PAC4J不是
- 请勿随时使用春季注释注射
问题EDENUSER-序列:
- 1/单击"使用Google登录"(将用户重定向到Google的身份验证页面)
- 2/在Google页面上正确身份验证,外用户将在回调时或将与您的任何本地应用程序用户匹配
- 3/返回本地WebApp登录页
- 4/单击"使用my_saml_provider_label登录"(现在将用户重定向到提供者身份验证页面)
- 5/在第三方页面上正确身份验证,带有外用户,在回调时将与您的任何本地应用程序用户匹配,
- 6/在日志中断言以下例外:org.pac4j.oauth.profile.google2.google2.google2profile不能被施加到org.pac4j.saml.profile.saml2profile
问题stacktrace:
java.lang.ClassCastException: org.pac4j.oauth.profile.google2.Google2Profile cannot be cast to org.pac4j.saml.profile.SAML2Profile
at com.company.module.sso.SAMLAuthenticationService.retrieveAuthenticatedUser(SAMLAuthenticationService.java:59)
..
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.company.module.filters.ApplicationAvailabilityFilter.doFilter(ApplicationAvailabilityFilter.java:59)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.company.module.filters.LogFilter.doFilter(LogFilter.java:57)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.company.module.filters.ChronoFilter.doFilter(ChronoFilter.java:78)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.company.module.filters.HibernateFilter.doFilter(HibernateFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1082)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
相关的Sourcecode:
applicationContext-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
..
<beans:bean id="clientFilter" class="org.pac4j.springframework.security.web.ClientAuthenticationFilter">
<beans:constructor-arg value="/outer-authentication"/>
<beans:property name="clients" ref="clients" />
<beans:property name="sessionAuthenticationStrategy" ref="sas" />
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
..
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />
</beans:beans>
samlauthenticationservice.java:
..
ClientAuthenticationToken token = null;
try {
token = (ClientAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
final SAML2Profile samlProfile = (SAML2Profile) token.getUserProfile(); // L59
..
} finally {
token.eraseCredentials(); // troubleshooting: not clearing credentials made no difference
}
..
观察:
- 可以通过首先尝试通过SAML提供商进行登录,然后通过Google One获得同一问题:用户序列订单似乎无关紧要
- 解决方法是停止Tomcat,清洁其工作目录,然后重新启动
- 无论哪种方法都是等待初始身份验证令牌(从提供商1获得/获得)到期(到期延迟设置为1H,通过PAC4J配置I/O)
- 问题将在Edduser再次执行故障序列 后立即再次碰撞。
猜测:
- 与先前SSO身份验证的身份验证令牌的不当撤销有关(从提供商1的回调/获得),然后才尝试阅读当前身份验证过程的身份验证令牌(从提供者2获得回调/获得)
- 间接地,由于不当使用org.springframework.security.web.authentication.session.session.sessionauthenticationstaticationstaty(我在Spring Security XML配置中的实现似乎是标准/默认值) ) )
谢谢
解决了似乎:春季安全的SecurityContextHolder.clearContext();必须被调用,在可能发生从一个提供商跳到另一个提供商的任何情况。
这种情况可能是:
- 远程用户成功地验证了SSO提供商,但不匹配本地用户
- 本地用户已经通过SSO提供商在本地应用程序上签名,但浏览或重定向到本地应用主页,然后可能尝试通过另一个SSO提供商尝试SSO身份验证
- 本地用户询问或重定向到注销网址:在销毁网络会话时,这也应清除Spring Security的上下文
我尚未测试并发方案(1个本地用户通过不同的SSO提供商通过不同的浏览器进行身份验证,多个用户),因此,即使我可以断言最初的问题已解决,但仍可能具有副作用(删除预期的用户上下文(所需),以及其他用户上下文(不希望的)。
用户身份验证在1个会话内存在,而安全上下文则存在1个线程。因此,我有点迷路了,以便对此进行适当的抓地力。