春天的SecurityContext返回错误页面空验证 [英] Spring SecurityContext returning null authentication on error pages
问题描述
我想写像403(拒绝访问)和500(内部服务器错误)错误的自定义错误页。他们会从Velocity模板来呈现和使用用户的语言环境有翻译的所有消息。认证和本地化解析应用程序工作正常。
I am trying to write a custom error page for errors like 403 (access denied) and 500 (internal server error). They would be rendered from Velocity template and have all messages translated using user's locale. Authentication and locale resolution works fine in the application.
我在web.xml中设置的位置是需要的页面,并在webmvc-context.xml中我通过添加requet到视图控制器。
I set up location in web.xml to be the desired page and in webmvc-context.xml I added requet-to-view controller via .
我遇到的问题是, SecurityContextHolder.getContext()。getAuthentication()在错误页面视图返回null。看着我看到日志:
The problem I ran into is that SecurityContextHolder.getContext().getAuthentication() returns null in the error page view. Looking at the log I saw:
06.10 14:42:26 DEBUG - context.HttpSessionSecurityContextRepository(HttpSessionSecurityContextRepository.java:351) - - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@ece7b0b7: Authentication: ...
06.10 14:42:26 DEBUG - context.SecurityContextPersistenceFilter(SecurityContextPersistenceFilter.java:89) - - SecurityContextHolder now cleared, as request processing completed
06.10 14:42:26 DEBUG - servlet.DispatcherServlet(DispatcherServlet.java:691) - - DispatcherServlet with name 'foo' processing GET request for [/foo/app/error/403.html]
因此,无论春季或Tomcat重定向到一个错误页面,并最终确定该请求武功,因此上下文被清除。而新的请求不接受春季安全过滤器,因此不能恢复的背景下。
So either Spring or Tomcat redirect to an error page and the request gest finalized, thus the context is cleared. And the new "request" doesn't undergo Spring Security filters, thus not restoring the context.
的常用方法不起作用,但似乎验证信息,在会话中的某个地方,也因为AbstractTemplateView记录以下内容:
The usual way doesn't work, but it seems that the authentication information is somewhere in the session, also because AbstractTemplateView logs the following:
Exposing session attribute 'SPRING_SECURITY_CONTEXT' with value [org.springframework.security.core.context.SecurityContextImpl@edfbd958: Authentication: org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken@edfbd958...
我如何正确地得到这样正常和错误页面将会做得一样?
How do I properly get so that both normal and error pages would act the same?
推荐答案
您正在运行到的问题是,在的ExceptionTranslationFilter 它转换成异常的错误页面到来之前的 SecurityContextPersistenceFilter 这拉鉴别出的 SecurityContextRepository ,并把它放入 SecurityContextHolder中。当请求完成的 SecurityContextPersistenceFilter 取出信息的 SecurityContextHolder中。
The problem you're running into is that the ExceptionTranslationFilter which translates exceptions into error pages comes before the SecurityContextPersistenceFilter which pulls the authentication out of the SecurityContextRepository and puts it into the SecurityContextHolder. When the request finishes the SecurityContextPersistenceFilter takes the information back out of the SecurityContextHolder.
它清除原因 SecurityContextHolder中是, SecurityContextHolder中通常线程本地,如果servlet容器分别为重复使用一个线程(大部分做到这一点),他们可能会不小心给那些凭据给别人。
The reason it clears the SecurityContextHolder is that the SecurityContextHolder is typically thread local and if the servlet container were to reuse a thread (most do this) they might accidentally give those credentials to someone else.
通常情况下,的ExceptionTranslationFilter 是最外面的过滤器,以避免任何异常没有得到转化的风险。
Typically the ExceptionTranslationFilter is the outermost filter to avoid the risk of any exceptions not getting translated.
您最好的选择是可能会写一个自定义的的ExceptionTranslationFilter 这需要在 SecurityContextRepository (通常是HTTP会话你所提到的),并提供访问验证通过 SecurityContextRepository ,而不是 SecurityContextHolder中。请记住,在验证仍将为空,如果用户没有登录。
Your best bet is to probably write a custom ExceptionTranslationFilter which takes in the SecurityContextRepository (often the HTTP session as you mentioned) and provides access to the Authentication via the SecurityContextRepository and not the SecurityContextHolder. Keep in mind that the Authentication will still be null if the user isn't logged in.
这篇关于春天的SecurityContext返回错误页面空验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
