为什么Spring Security在Tomcat中工作,但在部署到Weblogic时却没有? [英] Why is Spring Security working in Tomcat but not when deployed to Weblogic?
问题描述
我不是一个真正的Java开发人员,但是客户的项目要求我,所以也许我错过了一些明显的东西。
I'm not really a Java developer, but a project for a client has required me to be, so maybe I'm missing something glaringly obvious.
I使用SpringBoot,当应用程序在我的本地计算机和测试服务器上的Tomcat中运行时,一切正常。但是,只要将应用程序部署到Weblogic,就好像根本没有安全性可访问所有路径。登录和退出路线也不存在。
I'm using SpringBoot and everything works fine when the application runs in Tomcat on my local machine and on our testing server. However, as soon as the application is deployed to Weblogic it's as if there is no security at all with all routes accessible. Login and logout routes are non-existent as well.
话虽如此。其他一切似乎都运行正常,完全没有任何安全性。
That being said. Everything else appears to work fine, just without any security at all.
我无法访问Weblogic,因为客户端是部署代码的人,但是他们告诉了我们它在12c上运行。我该怎么做才能修复或解决这个问题?
I don't have access to Weblogic as the client is the one deploying the code but they have told us that it's running on 12c. What can I do to fix or troubleshoot this?
这是我的Application.java中的相关配置:
Here's the relevant config from my Application.java:
/**
* The type Authentication security.
*/
@Order(Ordered.HIGHEST_PRECEDENCE)
@Configuration
protected static class AuthenticationSecurity extends GlobalAuthenticationConfigurerAdapter {
/**
* The Users.
*/
@Autowired
private Users users;
/**
* Init void.
*
* @param auth the auth
* @throws Exception the exception
*/
@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(users).passwordEncoder(new BCryptPasswordEncoder());
}
}
/**
* The type Application security.
*/
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
/**
* Configure void.
*
* @param http the http
* @throws Exception the exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.authorizeRequests()
.antMatchers("/vendor/*","/public/**/*","/partners/*","/events/*", "/login").permitAll()
.anyRequest().fullyAuthenticated().and().formLogin().loginPage("/login")
.and().logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout")).and()
.exceptionHandling().accessDeniedPage("/access?error");
// @formatter:on
}
}
提前致谢。
推荐答案
听起来好像你遇到了 SEC-2465 。简而言之,WebLogic中存在与添加Filter实例相关的错误。来自上面的JIRA:
It sounds as though you are running into SEC-2465. In short, there is a bug in WebLogic related to adding Filter instances. From the above JIRA:
Oracle承认它是一个错误:17382048,修复了补丁16769849.
据报道在WLS中修复12.1.3
Oracle acknowledged it as a bug: 17382048, fixed with patch 16769849. It is reported as being fixed in WLS 12.1.3
客户端应更新其WebLogic服务器以获得修复。或者,您可以创建自己的 AbstractSecurityWebApplicationInitializer ,它使用类方法注册springSecurityFilterChain:
The client should update their WebLogic server to get a fix. Alternatively, you can create your own version of AbstractSecurityWebApplicationInitializer that registers springSecurityFilterChain with the class method:
servletContext.addFilter(String filterName, java.lang.Class<? extends Filter> filterClass)
您的AbstractSecurityWebApplicationInitializer的子类将改为扩展您的自定义类。
Your subclass of AbstractSecurityWebApplicationInitializer would then extend your custom class instead.
更新
根据更新的信息,我仍然认为该问题与上面提到的WebLogic错误有关。使用SpringBootServletInitializer时,过滤器添加 FilterRegistrationBean 作为实例而不是类。
Based on the updated information, I still contend the issue is related to the WebLogic bug mentioned above. When using SpringBootServletInitializer, the Filters are added with FilterRegistrationBean as an instance rather than a class.
最简单选项是更新到WebLogic,因为一切都应该按原样运行。
The easiest option is to update to WebLogic since everything should work as is.
要解决此问题,可以禁用Spring Security和任何其他过滤器的注册。您可以通过创建 FilterRegistrationBean 如下所示:
To workaround the issue, you can disable the registration of Spring Security and any other Filters. You can do this by creating a FilterRegistrationBean like the following:
@Bean
public FilterRegistrationBean springSecurityFilterChainRegistrationBean(@Qualifier("springSecurityFilterChain") Filter filter) {
FilterRegistrationBean bean = new FilterRegistrationBean();
bean.setFilter(filter);
bean.setEnabled(false);
return bean;
}
然后你需要确保使用
servletContext.addFilter(String filterName, java.lang.Class<? extends Filter> filterClass)
通过实现 WebApplicationInitializer ,可以使用上述机制注册Spring Security。例如,您可以创建以下类:
Spring Security can be registered with the above mechanism by implementing WebApplicationInitializer. For example, you can create the following class:
package demo;
import java.util.EnumSet;
import javax.servlet.FilterRegistration.Dynamic;
import javax.servlet.*;
import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.filter.DelegatingFilterProxy;
public class SecurityInitializer implements WebApplicationInitializer {
@Override
public void onStartup(ServletContext context) throws ServletException {
Dynamic registration =
context.addFilter("springSecurityFilterChain", DelegatingFilterProxy.class);
EnumSet<DispatcherType> dispatcherTypes =
EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC);
registration.addMappingForUrlPatterns(dispatcherTypes, true, "/*");
}
}
DelegatingFilterProxy 将查找名为springSecurityFilterChain的bean,并在每次调用doFilter时委托给它。
DelegatingFilterProxy will look up a bean of the name "springSecurityFilterChain" and delegate to it every time doFilter is invoked.
这篇关于为什么Spring Security在Tomcat中工作,但在部署到Weblogic时却没有?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
