1.問題描述:
在weblogic8下,siteminder sso agent(Servlet) 如果用戶沒用權限會跳轉到wls_http_bridge_not_authorized.jsp頁面,而在weblogic10下卻直接跳轉到403頁面?
2.問題定位:
首先說明一下Assert Provider的作用:
.認證cookie的有效性;
.調用authentication provider.authorize()的獲取角色。
核心代碼在com.netegrity.wlsextensions.Servlet.java
從sso登陸的日誌分析:
//1.先登陸某個系統A後,跳轉系統B的weclome頁面
Target from ServletAuthentication.getTargetURLForFormAuthentication is
http://xxxxxx:80/index.screen>
//2.因爲沒有登陸過系統B,容器跳轉到login page url (/login), 進入Servlet的service(HttpServletRequest req, HttpServletResponse response),帶着cookie
Found SMSESSION cookie ap311F3+FKgWA1m/PuVr7GHe3E1fhirjMy1HNrt0XSKwE…>
//3.沒有登陸過系統B,所以request.getPrincipal爲null
Principal from request is null>
//4.根據cookie 認證合法性,並獲取角色列表
User [YANGJUN, r_xxxx, ……..] authenticated.>
//5.重定向到原始url,因爲容器判斷該用戶沒有此url的權限,weblogic8重定向到login page(/login),weblogic10 卻跳轉到403頁面而不是login page(/login)
Redirecting to Target with http://xxxxxx:80/index.screen>
以下只有 weblogic8纔有效
//6.重新進入Servlet的service(HttpServletRequest req, HttpServletResponse response)
Target from ServletAuthentication.getTargetURLForFormAuthentication is
http://xxxx:80/index.screen>
Found SMSESSION cookie ap311F3+FKgWA1m/PuVr7GHe3E1fhirjMy1HNrt0XSKwE….>
//7.判斷isSamePrincipal,發現用戶名重複,如果有重複,說明原先登陸過,而且是因爲沒有權限重定向的
Authorization failure>
Principals from SMSESSION cookie is [YANGJUN, r_xxxxxx, …….>
YANGJUN equals YANGJUN>
//8.跳轉到沒有權限的頁面wls_http_bridge_not_authorized.jsp
weblogic10與weblogic8跳轉代碼差異:
Weblogic8
weblogic.servlet.security.internal. FormSecurityModule.java
boolean checkUserPerm()
if(webAppSecurity.isFullSecurityDelegationRequired())
{
ServletRequestImpl servletrequestimpl = WebAppServletContext.getOriginalRequest(httpservletrequest);
if(checkPerm(servletrequestimpl, resourceconstraint, null))
return true;
}
stuffSession(httpservletrequest, httpservletresponse);
try
{
webAppSecurity.sendLoginPage(httpservletrequest, httpservletresponse); //跳轉到login page
}
catch(ServletException servletexception) { }
return false;
Weblogic10
weblogic.servlet.security.internal. FormSecurityModule.java
boolean checkUserPerm(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse, SessionInternal sessioninternal, ResourceConstraint resourceconstraint, AuthenticatedSubject authenticatedsubject, boolean flag)
throws IOException, ServletException
{
if(httpservletrequest.getRequestURI().endsWith("j_security_check"))
return processJSecurityCheck(httpservletrequest, httpservletresponse, sessioninternal);
if(authenticatedsubject != null)
return processLoggedInUser(httpservletrequest, httpservletresponse, authenticatedsubject);
if(webAppSecurity.isFullSecurityDelegationRequired() && webAppSecurity.hasPermission(httpservletrequest, httpservletresponse, null, resourceconstraint))
return true;
if(flag && webAppSecurity.hasAuthFilters())
{
invokeAuthFilterChain(httpservletrequest, httpservletresponse);
return false;
}
if(isForbidden(resourceconstraint)) //直接跳轉到403
sendForbiddenResponse(httpservletrequest, httpservletresponse);
else //首次登陸跳轉到login
sendLoginPage(httpservletrequest, httpservletresponse);
return false;
}
3.結論:
SiteMinder sso agent Servlet for weblgoic10 的代碼可以簡化,刪除判斷沒有權限判斷的代碼。