Internet Explorer buggy when accessing a custom weblogic provider


Problem description

I've created a custom Weblogic Security Authentication Provider on version 10.3 that includes a custom login module to validate users. As part of the provider, I've implemented the ServletAuthenticationFilter and added one filter. The filter acts as a common log on page for all the applications within the domain.

When we access any secured URLs by entering them in the address bar, this works fine in IE and Firefox. But when we bookmark the link in IE an odd thing happens. If I click the bookmark, you will see our log on page, then after you've successfully logged into the system the basic auth page will display, even though the user is already authenticated. This never happens in Firefox, only IE. It's also intermittent. 1 time out of 5 IE will correctly redirect and not show the basic auth window. Firefox and Opera will correctly redirect every time. We've captured the response headers and compared the success and failures, they are identical.

        final boolean isAuthenticated = authenticateUser(userName, password, req);

        // Send user on to the original URL
        if (isAuthenticated) {
            res.sendRedirect(targetURL);
            return;
        }

As you can see, once the user is authenticated I do a redirect to the original URL. Is there a step I'm missing? The authenticateUser() method is taken verbatim from an example in Oracle's documents.

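import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import weblogic.servlet.security.ServletAuthentication;

private boolean authenticateUser(final String userName, final String password, HttpServletRequest request) {

    boolean results;

    try {
        // Run the configured login modules; the handler supplies the submitted credentials.
        ServletAuthentication.login(new CallbackHandler() {

            @Override
            public void handle(Callback[] callbacks)
                    throws IOException, UnsupportedCallbackException {

                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        NameCallback nameCallback = (NameCallback) callback;
                        nameCallback.setName(userName);
                    }

                    if (callback instanceof PasswordCallback) {
                        PasswordCallback passwordCallback = (PasswordCallback) callback;
                        passwordCallback.setPassword(password.toCharArray());
                    }
                }
            }
        }, request);
        results = true;
    } catch (LoginException e) {
        // Login rejected: report failure to the caller.
        results = false;
    }

    return results;
}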
I am asking the question here because I don't know if the issue is with the Weblogic config or the code. If this question is more suited to ServerFault please let me know and I will post there.

It is odd that it works every time in Firefox and Opera but not in Internet Explorer. I wish that not using Internet Explorer was an option but it is currently the company standard. Any help or direction would be appreciated. I have tested against IE 6 & 8 and deployed the custom provider on 3 different environments and I can still reproduce the bug.

Recommended answer

We found it.

The fix was to disable auth cookies on the weblogic server. For some reason Internet Explorer would lose the cookie causing Weblogic to think the session was being hacked. That is what prompted the basic auth login.

We still don't know what was causing IE to lose the cookie but this provider is for an intranet so the fix won't harm our overall security.

I hope this helps someone else.
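
The question compares response headers only, while the answer traces the failure to a cookie the browser stopped returning, which is visible in the request headers instead. The following is an added example, not code from the post: it walks a captured login flow and reports cookies the server issued that a later request failed to send back. The capture is constructed, and the host name and the cookie name `_WL_AUTHCOOKIE_JSESSIONID` are assumptions.

```python
# Added example. The capture below is constructed; host and cookie names are assumptions.

def parse_set_cookie(value):
    """Return (name, is_secure) for one Set-Cookie response header value."""
    first, *attrs = [part.strip() for part in value.split(";")]
    return first.partition("=")[0], any(a.lower() == "secure" for a in attrs)

def request_cookie_names(value):
    """Return the cookie names present in one Cookie request header value."""
    return {p.strip().partition("=")[0] for p in value.split(";") if "=" in p}

def missing_cookies(exchanges):
    """Map request label -> issued cookies the browser failed to send back.

    Simplification: Path, Domain and expiry are ignored; only Secure is
    honoured (a Secure cookie is not expected on a plain-http request).
    """
    issued = {}   # cookie name -> Secure flag, as set by earlier responses
    report = {}
    for ex in exchanges:
        sent = request_cookie_names(ex["cookie"])
        https = ex["url"].startswith("https://")
        dropped = sorted(name for name, secure in issued.items()
                         if name not in sent and (https or not secure))
        if dropped:
            report[ex["label"]] = dropped
        for header in ex["set_cookie"]:
            name, secure = parse_set_cookie(header)
            issued[name] = secure
    return report

BASE = "https://intranet.example"   # hypothetical host
FAILED_FLOW = [
    {"label": "GET bookmark", "url": BASE + "/app/secure", "cookie": "",
     "set_cookie": ["JSESSIONID=aaa; path=/; HttpOnly"]},
    {"label": "POST login", "url": BASE + "/login", "cookie": "JSESSIONID=aaa",
     "set_cookie": ["JSESSIONID=bbb; path=/; HttpOnly",
                    "_WL_AUTHCOOKIE_JSESSIONID=ccc; path=/; secure; HttpOnly"]},
    {"label": "GET after redirect", "url": BASE + "/app/secure",
     "cookie": "JSESSIONID=bbb", "set_cookie": []},
]
# Same flow, but the browser returns both cookies on the redirected request.
OK_FLOW = FAILED_FLOW[:2] + [dict(FAILED_FLOW[2],
    cookie="JSESSIONID=bbb; _WL_AUTHCOOKIE_JSESSIONID=ccc")]

if __name__ == "__main__":
    print("failed flow:", missing_cookies(FAILED_FLOW))
    print("ok flow:    ", missing_cookies(OK_FLOW))
```

Running the same check over a real proxy or browser capture of a failing and a succeeding login shows which cookie, if any, differs between the two flows before a server-side protection is switched off.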
