Spring Security AuthenticationCredentialsNotFoundException,SecurityContextHolder.getContext为null

Question

我有一个奇怪的错误,几个小时的调试,我无法理解.

更新1:我使用在Tomcat 7上运行的Spring Security 4.0.3.

问题接近这个问题,也许SecurityContextHolder是在这期间失去了response.redirect()但答案没有帮助.

问题似乎也接近这个问题,但答案对我来说没有意义.

这是我的配置:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class ProjectSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeRequests().antMatchers("/login").anonymous();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser(Constants.PROFIL_ADMIN).password(Constants.PROFIL_ADMIN).
            roles("ADMIN","TEST_SERVICE");
    }
}

登录后,我尝试获取安全的URL:

@RequestMapping(value = "/myurl", method = RequestMethod.GET)
@ResponseBody
public boolean getTestService(HttpServletRequest request)
        throws SQLException, PoRulesException {

    System.out.println("get security context");
    System.out.println("--------------------");
    SecurityContext secuContext = (SecurityContext) request.getSession().getAttribute("SPRING_SECURITY_CONTEXT");
    System.out.println(secuContext);
    System.out.println("get security context holder");
    System.out.println(SecurityContextHolder.getContext());

    return testService.getTestMethod();
}

服务内部的方法

@Secured("ROLE_TEST_SERVICE")
public boolean getTestMethod() {
    Sysout.out.println("Hiii")
    return true
}

现在,日志不起作用时:

INFO    2016-07-11 15:57:00,006 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController  - Login
INFO    2016-07-11 15:57:00,057 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController  - User : axel
INFO    2016-07-11 15:57:00,065 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController  - Authenticate : true
INFO    2016-07-11 15:57:00,065 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController  - Authenticate : org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bbbc4f45: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_CONSULTER_CA,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 613DFE47B2CE6E29DA3C227F8E028590; Granted Authorities: ROLE_ADMIN, ROLE_TEST_SERVICE
get security context
--------------------
org.springframework.security.core.context.SecurityContextImpl@bbbc4f45: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bbbc4f45: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_CONSULTER_CA,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 613DFE47B2CE6E29DA3C227F8E028590; Granted Authorities: ROLE_ADMIN, ROLE_TEST_SERVICE
get security context holder
org.springframework.security.core.context.SecurityContextImpl@ffffffff: Null authentication
ERROR   2016-07-11 15:57:01,960 [http-bio-8080-exec-10] com.po.exception.GlobalControllerExceptionHandler  - org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:378)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:222)
    at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:655)
    at com.po.service.CAService$$EnhancerBySpringCGLIB$$f6e21857.getVarAndPrevCa(<generated>)
    at com.po.mvc.controller.CaController.getVarAndPrevCa(CaController.java:56)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:222)
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137)
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:814)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:737)
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:969)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:860)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:845)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:964)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:304)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)

当它工作.我只是看到没有区别... Spring上下文已设置并包含凭证作为sysout proove但未SecurityContextHolder设置.

INFO    2016-07-11 16:09:45,374 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController  - Login
INFO    2016-07-11 16:09:45,393 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController  - User : axel
INFO    2016-07-11 16:09:45,395 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController  - Authenticate : true
INFO    2016-07-11 16:09:45,395 [http-bio-8080-exec-3] com.po.mvc.controller.LoginController  - Authenticate : org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bbbc4f45: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_TEST_SERVICE; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 613DFE47B2CE6E29DA3C227F8E028590; Granted Authorities: ROLE_ADMIN, ROLE_TEST_SERVICE
get security context
--------------------
org.springframework.security.core.context.SecurityContextImpl@bbbc4f45: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bbbc4f45: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_TEST_SERVICE Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 613DFE47B2CE6E29DA3C227F8E028590; Granted Authorities: ROLE_ADMIN, ROLE_CONSULTER_CA, ROLE_USER
get security context holder
org.springframework.security.core.context.SecurityContextImpl@4440cc59: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4440cc59: Principal: org.springframework.security.core.userdetails.User@fc8a: Username: ADM; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_CONSULTER_CA,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 19994511EEE72462E8D680CDADCFEC4C; Granted Authorities: ROLE_ADMIN, ROLE_CONSULTER_CA, ROLE_USER

INFO    2016-07-11 16:09:46,879 [http-bio-8080-exec-3] Hiii

它何时起作用与何时起作用的唯一区别是:

• 当我从我的网站的一个页面连接时起作用,例如我mywebsite.com公开并开始mywebsite.com/login?user=me工作
• 但如果我来自谷歌,则不起作用 mywebsite.com/login?user=me

SPRING_SECURITY_CONTEXT在两种情况下都设置了session属性,但没有SecurityContextHolder在第222行中触发异常@Secured

我不想SecurityContextHolder在方法中手动检查(在重定向之后),如果null设置了SPRING_SECURITY_CONTEXT不是的会话属性null,我想在根目录中修复问题.

Answer 1

假设您无法与现有的SSO提供程序集成，以下解决方案可能是您所希望的最佳解决方案。

从根本上讲，除非您将自己限制在容器中的单个线程内（否则这是一个糟糕的主意），否则您将无法执行任何操作。从以下文档SecurityContextHolder：

将给定SecurityContext与当前执行线程关联。

这很重要- 当前执行线程。如果发出由线程A处理的登录请求，则尝试转到安全页面，但此请求由线程B处理，则SecurityContext在A上设置的用户将在B 上不可用。

通过在会话中存储安全上下文并根据需要存储/获取它，Spring Security能够为您处理此问题（请参阅参考资料org.springframework.security.web.session.SessionManagementFilter）。不过，您将需要对配置进行一些更改。

首先，您需要创建一个从扩展的新类AbstractAuthenticationProcessingFilter，并覆盖该attemptAuthentication方法。然后，需要注册此新过滤器，并需要替换现有的org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter。该类也是一个很好的地方，可以使您了解所有这些如何相互联系以及可以配置什么。

这个新的过滤器将按照

public Authentication attemptAuthentication(HttpServletRequest request,
    HttpServletResponse response) throws AuthenticationException {
    UserLDAP ldapUser = CorpLDAP.findUser(request);
    User user = new User(ldapUser.getProfil(), ldapUser.getPwd(), Collections.emptyList());
    return new UsernamePasswordAuthenticationToken(user, "", Collections.emptyList());
}

这将返回经过完全身份验证的用户，以后可以使用。这就是将存储在中的内容SecurityContextHolder，并且可以轻松地进行检索。它也将存储在会话中（如果已配置），所以我建议确保它可序列化。由于您不使用密码，因此强烈建议您不要将密码存储在中User。

希望这将为您指明正确的方向。

Answer 2

最后我在这里找到了解决方案

\n\n

https://spring.io/blog/2013/07/03/spring-security-java-config-preview-web-security/

\n\n

我的配置缺少这一点

\n\n

\n

最后一步是我们需要映射 springSecurityFilterChain。我们可以通过扩展 AbstractSecurityWebApplicationInitializer 并可选地重写方法来自定义映射来轻松地做到这一点。

\n\n

下面最基本的示例接受默认映射并添加具有以下特征的 springSecurityFilterChain：

\n\n

springSecurityFilterChain 映射到 \xe2\x80\x9c/*\xe2\x80\x9d springSecurityFilterChain\n 使用 ERROR 和 REQUEST 的调度类型 \n springSecurityFilterChain 映射插入在任何 servlet 之前\n 已配置的过滤器映射

\n

\n\n

public class SecurityWebApplicationInitializer \n   extends AbstractSecurityWebApplicationInitializer {\n}\n

\n\n

只需添加该类即可解决问题，如果没有，您可以添加 @Order

\n\n

\xe2\x80\x9cWebApplicationInitializer\xe2\x80\x9d 的顺序

\n\n

\n

如果在调用 AbstractSecurityWebApplicationInitializer 之后添加任何 servlet 过滤器映射，则它们可能会意外添加到 springSecurityFilterChain 之前。除非应用程序包含不需要保护的 Filter 实例，否则 springSecurityFilterChain 应位于任何其他 Filter 映射之前。@Order 注释可用于帮助确保任何 WebApplicationInitializer 以确定的顺序加载。

\n

\n\n

@Order(1)\npublic class SpringWebMvcInitializer extends\n   AbstractAnnotationConfigDispatcherServletInitializer {\n\n  @Override\n  protected Class<?>[] getRootConfigClasses() {\n    return new Class[] { HelloWebSecurityConfiguration.class };\n  }\n  ...\n}\n\n    @Order(2)\n    public class SecurityWebApplicationInitializer \n       extends AbstractSecurityWebApplicationInitializer {\n    }\n

\n