我们有一个基于 appfuse 入门工具包版本 2.2.1 构建的示例 Web 应用程序,它使用 Spring 安全性 3.1.3.RELEASE。我们将在 WAS 7 上部署它,并在 IBM WebSphere 8.5.5.8(Liberty) 上对其进行测试。我们的问题是在成功/失败的登录请求之后,某些事情会损坏请求的 servletPath 值并将其设置为 null。
((HttpServletRequest) request).getServletPath()
这是 LocaleFilter 尝试使用 getServletPath() 的/j_security_check 值来执行 chain.doFilter 的时候,我们遇到了:
应用程序类 'org.springframework.security.web.util.AntPathRequestMatcher.getRequestPath:116' 引发的异常 java.lang.NullPointerException: at org.springframework.security.web.util.AntPathRequestMatcher.getRequestPath(AntPathRequestMatcher.java:116) at org.springframework.security.web.util.AntPathRequestMatcher.matches(AntPathRequestMatcher.java:100) at org.springframework.security.web.DefaultSecurityFilterChain.matches(DefaultSecurityFilterChain.java:42) at org.springframework.security.web.FilterChainProxy.getFilters(FilterChainProxy.java:203) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:176) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) 在 [内部类] at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:59) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) 在 [内部类] at org.tuckey.web.filters.urlrewrite.NormalRewriteUrl.doRewrite(NormalRewriteUrl.java:213) at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:171) at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145) at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92) at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:394) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) 在 [内部类] at ir.dpi.webapp.filter.LocaleFilter.doFilterInternal(LocaleFilter.java:67) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) 在 [内部类] at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) 在 [内部类] at com.opensymphony.sitemesh.webapp.SiteMeshFilter.obtainContent(SiteMeshFilter.java:129) at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:77) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207) 在 [内部类]
这是我们的安全.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/images/**" security="none"/>
<http pattern="/styles/**" security="none"/>
<http pattern="/scripts/**" security="none"/>
<http auto-config="false" create-session="always">
<intercept-url pattern="/app/admin/**" access="ROLE_ADMIN"/>
<intercept-url pattern="/app/passwordHint*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
<intercept-url pattern="/app/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
<intercept-url pattern="/app/**" access="ROLE_ADMIN,ROLE_USER"/>
<form-login login-page="/login" authentication-failure-url="/login?error=true" login-processing-url="/j_security_check"/>
<remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/>
</http>
<authentication-manager >
<authentication-provider user-service-ref="userDao" >
<password-encoder ref="passwordEncoder" >
<salt-source ref="saltSource" />
</password-encoder>
</authentication-provider>
</authentication-manager>
<beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource"
p:userPropertyToUse="username"/>
<global-method-security>
<protect-pointcut expression="execution(* *..service.UserManager.getUsers(..))" access="ROLE_ADMIN"/>
<protect-pointcut expression="execution(* *..service.UserManager.removeUser(..))" access="ROLE_ADMIN"/>
</global-method-security>
</beans:beans>
任何帮助将不胜感激。
我已经找到了使用此代码牧场主题的解决方案。AppFuse 使用不同的 Filters(javax.servlet),IBM WebSphere 的包装机制对会话创建优先级很敏感。所以我在 web.xml 文件中向上移动了 Spring 安全过滤器映射。
<filter-mapping>
<filter-name>securityFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>sitemesh</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
...
现在登录过程已完全完成。
请注意,在 Liberty 服务器中设置这些设置至关重要.xml:
<httpSession cookieName="MY_LIBERTY_COOKIE" />
<basicRegistry />
IBM WebSphere Application Server(WAS Full) 中的等效设置在:
会话管理 -> 常规属性 -> 启用 Cookie
同样在WAS版本7(可能适用于其他版本)中,需要使用:
<http auto-config="false" disable-url-rewriting="true" create-session="always">
在 Spring 安全.xml文件中。