Spring Security AuthenticationCredentialsNotFoundException,SecurityContextHolder.getContext 为空

【问题标题】:Spring Security AuthenticationCredentialsNotFoundException, SecurityContextHolder.getContext is nullSpring Security AuthenticationCredentialsNotFoundException,SecurityContextHolder.getContext 为空
【发布时间】:2016-11-13 13:04:16
【问题描述】:

我有一个奇怪的错误,调试了几个小时,我无法理解。

更新 1:我使用 Spring Security 4.0.3,在 Tomcat 7 上运行。

问题接近this question,可能SecurityContextHolderresponse.redirect()期间丢失,但答案无济于事。

问题似乎也接近this question,但答案对我来说毫无意义。

这是我的配置:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class ProjectSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeRequests().antMatchers("/login").anonymous();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser(Constants.PROFIL_ADMIN).password(Constants.PROFIL_ADMIN).
            roles("ADMIN","TEST_SERVICE");
    }
}

登录后我尝试获取一个安全的 URL:

@RequestMapping(value = "/myurl", method = RequestMethod.GET)
@ResponseBody
public boolean getTestService(HttpServletRequest request)
        throws SQLException, PoRulesException {

    System.out.println("get security context");
    System.out.println("--------------------");
    SecurityContext secuContext = (SecurityContext) request.getSession().getAttribute("SPRING_SECURITY_CONTEXT");
    System.out.println(secuContext);
    System.out.println("get security context holder");
    System.out.println(SecurityContextHolder.getContext());

    return testService.getTestMethod();
}

服务内部的方法

@Secured("ROLE_TEST_SERVICE")
public boolean getTestMethod() {
    Sysout.out.println("Hiii")
    return true
}

现在,当它不起作用时的日志:

INFO    2016-07-11 15:57:00,006 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController  - Login
INFO    2016-07-11 15:57:00,057 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController  - User : axel
INFO    2016-07-11 15:57:00,065 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController  - Authenticate : true
INFO    2016-07-11 15:57:00,065 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController  - Authenticate : org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bbbc4f45: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_CONSULTER_CA,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 613DFE47B2CE6E29DA3C227F8E028590; Granted Authorities: ROLE_ADMIN, ROLE_TEST_SERVICE
get security context
--------------------
org.springframework.security.core.context.SecurityContextImpl@bbbc4f45: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bbbc4f45: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_CONSULTER_CA,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 613DFE47B2CE6E29DA3C227F8E028590; Granted Authorities: ROLE_ADMIN, ROLE_TEST_SERVICE
get security context holder
org.springframework.security.core.context.SecurityContextImpl@ffffffff: Null authentication
ERROR   2016-07-11 15:57:01,960 [http-bio-8080-exec-10] com.po.exception.GlobalControllerExceptionHandler  - org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:378)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:222)
    at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:655)
    at com.po.service.CAService$$EnhancerBySpringCGLIB$$f6e21857.getVarAndPrevCa(<generated>)
    at com.po.mvc.controller.CaController.getVarAndPrevCa(CaController.java:56)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:222)
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137)
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:814)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:737)
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:969)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:860)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:845)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:964)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:304)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)

以及何时有效。我只是看不出有什么区别...... Spring 上下文已设置并包含凭据作为 sysout proove 但未设置 SecurityContextHolder

INFO    2016-07-11 16:09:45,374 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController  - Login
INFO    2016-07-11 16:09:45,393 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController  - User : axel
INFO    2016-07-11 16:09:45,395 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController  - Authenticate : true
INFO    2016-07-11 16:09:45,395 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController  - Authenticate : org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bbbc4f45: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_TEST_SERVICE; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 613DFE47B2CE6E29DA3C227F8E028590; Granted Authorities: ROLE_ADMIN, ROLE_TEST_SERVICE
get security context
--------------------
org.springframework.security.core.context.SecurityContextImpl@bbbc4f45: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bbbc4f45: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_TEST_SERVICE Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 613DFE47B2CE6E29DA3C227F8E028590; Granted Authorities: ROLE_ADMIN, ROLE_CONSULTER_CA, ROLE_USER
get security context holder
org.springframework.security.core.context.SecurityContextImpl@4440cc59: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4440cc59: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_CONSULTER_CA,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 19994511EEE72462E8D680CDADCFEC4C; Granted Authorities: ROLE_ADMIN, ROLE_CONSULTER_CA, ROLE_USER

INFO    2016-07-11 16:09:46,879 [http-bio-8080-exec-3] Hiii

有效和无效之间的唯一区别是:

  • 当我从我的网站页面连接时有效,例如我在 mywebsite.com 上,这是公开的,然后转到 mywebsite.com/login?user=me 它有效
  • 但如果我来自 Google 的 mywebsite.com/login?user=me 则不起作用

会话属性SPRING_SECURITY_CONTEXT 在这两种情况下都设置了,但SecurityContextHolder 没有设置,它在@Secured line 222 中触发了一个异常

我不想在方法中使用手动检查SecurityContextHolder 之类的技巧(重定向后),如果是null 设置会话属性SPRING_SECURITY_CONTEXT 不是null,我想解决这个问题在根。

【问题讨论】:

  • 在控制器内的 SecurityContext 中设置身份验证对象,而不是 Filter > Manager > Provider 的经典 Spring 安全模式对我来说听起来很陌生。
  • 尽管如此,我还是看到了一些奇怪的东西。根据 UsernamePasswordAuthenticationToken api,它有两个构造函数;一个获取和 (Object principal, Object credentials) 生成未经身份验证的令牌,另一个获取 (Object principal, Object credentials, Collection extends GrantedAuthority> authority) 返回经过身份验证的令牌。您正在使用第一个,因此您的令牌可能无法通过身份验证
  • 什么样的 SSO?如果您使用的是 SAML 或 OAuth,那么与其正确集成可能会更有意义,而不是尝试解决 Spring Security。如果没有,那就有点棘手了。
  • 老实说,这是一家非常大的公司,锁定了进程,我没有安全性,我们必须处理提供的ldap api,这是标准进程。
  • 使用 LDAP 和你已经拥有的每个 API 在 Spring Security 中都可以。 @ipsi 说有点棘手的是从控制器内部调用 ldap 身份验证,而不是 Filter > AuthenticationManager > Provider > UserDetailsS​​ervice 架构

标签: java spring spring-security


【解决方案1】:

假设您无法与现有的 SSO 提供商集成,以下解决方案可能是您所希望的最佳解决方案。

从根本上说,除非您将自己限制在容器中的单个线程中(这是一个糟糕的主意),否则您正在做的事情是行不通的。来自SecurityContextHolder 上的文档:

将给定的SecurityContext 与当前执行线程相关联。

这很重要 - 当前 执行线程。如果您发出由线程 A 处理的登录请求,然后您尝试转到受保护的页面,但此请求由线程 B 处理,那么您在 A 上设置的 SecurityContext不会 在 B 上可用。

Spring Security 完全有能力为您处理这个问题,方法是将安全上下文存储在会话中并根据需要存储/获取它(请参阅org.springframework.security.web.session.SessionManagementFilter)。不过,您需要对配置进行一些更改。

首先,您需要创建一个从AbstractAuthenticationProcessingFilter 扩展的新类,并覆盖attemptAuthentication 方法。然后需要注册这个新过滤器,并且需要替换现有的org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter。该课程也是了解这一切如何联系在一起以及您可以配置什么的好地方。

这个新的过滤器会做一些类似的事情

public Authentication attemptAuthentication(HttpServletRequest request,
    HttpServletResponse response) throws AuthenticationException {
    UserLDAP ldapUser = CorpLDAP.findUser(request);
    User user = new User(ldapUser.getProfil(), ldapUser.getPwd(), Collections.emptyList());
    return new UsernamePasswordAuthenticationToken(user, "", Collections.emptyList());
}

这将返回一个完全经过身份验证的用户,以后可以使用该用户。这将存储在SecurityContextHolder 中,并且可以轻松检索。它还将存储在会话中(如果已配置),因此我建议确保它是可序列化的。由于您不使用密码,我强烈建议不要将其存储在User 中。

希望这会让你朝着正确的方向前进。

【讨论】:

  • 答案似乎很有趣,但最后我找到了一个与此相去甚远的解决方案,SecurityContextHolder 丢失了,因为在某些情况下(/login in GET from the website)配置的 bean 以错误的顺序加载.我真的不明白。如果你或有人能解释为什么扩展 AbstractSecurityWebApplicationInitializer 真的能解决问题,我会给它赏金。
【解决方案2】:

我终于在这里找到了解决方案

https://spring.io/blog/2013/07/03/spring-security-java-config-preview-web-security/

我的配置错过了这一点

最后一步是我们需要映射 springSecurityFilterChain。我们可以 通过扩展 AbstractSecurityWebApplicationInitializer 轻松做到这一点 以及可选的重写方法来自定义映射。

下面最基本的例子接受默认映射并添加 springSecurityFilterChain 具有以下特点:

springSecurityFilterChain 映射到“/*” springSecurityFilterChain 使用 ERROR 和 REQUEST 的调度类型 springSecurityFilterChain 映射被插入到任何 servlet 之前 过滤已配置的映射

public class SecurityWebApplicationInitializer 
   extends AbstractSecurityWebApplicationInitializer {
}

只添加那个类就解决了问题,如果没有你可以添加@Order

“WebApplicationInitializer 的排序”

如果在之后添加了任何 servlet 过滤器映射 AbstractSecurityWebApplicationInitializer 被调用,它们可能是 在 springSecurityFilterChain 之前意外添加。除非一个 应用程序包含不需要保护的过滤器实例, springSecurityFilterChain 应该在任何其他过滤器映射之前。 @Order 注释可用于帮助确保任何 WebApplicationInitializer 以确定的顺序加载。

@Order(1)
public class SpringWebMvcInitializer extends
   AbstractAnnotationConfigDispatcherServletInitializer {

  @Override
  protected Class<?>[] getRootConfigClasses() {
    return new Class[] { HelloWebSecurityConfiguration.class };
  }
  ...
}

    @Order(2)
    public class SecurityWebApplicationInitializer 
       extends AbstractSecurityWebApplicationInitializer {
    }

【讨论】:

  • SecurityWebApplicationInitializer 为我解决了这个问题,干杯!
猜你喜欢
  • 2013-07-08
  • 2021-08-02
  • 2020-01-24
  • 1970-01-01
  • 1970-01-01
  • 2017-10-17
  • 2020-06-02
  • 2018-01-27
  • 1970-01-01
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode