Changes in SiteMinder SSO behaviour on WebLogic 10

1. Problem description:


      On WebLogic 8, when a user lacks permission, the SiteMinder SSO agent (Servlet) redirects to the wls_http_bridge_not_authorized.jsp page, but on WebLogic 10 the request goes straight to a 403 page. Why?


2. Problem diagnosis:


      First, a note on what the Assert Provider does:

      . validates the cookie;
      . calls authentication provider.authorize() to obtain the roles.

    
     The core code is in com.netegrity.wlsextensions.Servlet.java

     Analysis of the SSO login log:

     //1. After logging in to system A, the user goes to system B's welcome page
     Target from ServletAuthentication.getTargetURLForFormAuthentication is http://xxxxxx:80/index.screen>

     //2. Because the user has not logged in to system B, the container redirects to the login page URL (/login) and enters the Servlet's service(HttpServletRequest req, HttpServletResponse response), carrying the cookie
      Found SMSESSION cookie ap311F3+FKgWA1m/PuVr7GHe3E1fhirjMy1HNrt0XSKwE…>

     //3. The user has never logged in to system B, so request.getPrincipal is null
      Principal from request is null>

     //4. The cookie is validated and the role list is obtained
      User [YANGJUN, r_xxxx, ……..] authenticated.>

     //5. Redirect to the original URL. Because the container decides that this user has no permission for the URL, WebLogic 8 redirects to the login page (/login) again, whereas WebLogic 10 goes to a 403 page instead of the login page (/login)
      Redirecting to Target with http://xxxxxx:80/index.screen>

      The following happens only on WebLogic 8
     //6. The Servlet's service(HttpServletRequest req, HttpServletResponse response) is entered again
      Target from ServletAuthentication.getTargetURLForFormAuthentication is http://xxxx:80/index.screen>
      Found SMSESSION cookie ap311F3+FKgWA1m/PuVr7GHe3E1fhirjMy1HNrt0XSKwE….>

      //7. isSamePrincipal is checked and the user name is found to repeat; a repeat means the user had already logged in and was redirected back here because of missing permission
        Authorization failure>
        Principals from SMSESSION cookie is [YANGJUN, r_xxxxxx, …….>
        YANGJUN equals YANGJUN>

     //8. Redirect to the no-permission page wls_http_bridge_not_authorized.jsp


      Difference in the redirect code between WebLogic 10 and WebLogic 8:


WebLogic 8
   weblogic.servlet.security.internal.FormSecurityModule.java

   boolean checkUserPerm()   // parameter list omitted in the decompiled excerpt
   {
       if(webAppSecurity.isFullSecurityDelegationRequired())
       {
           ServletRequestImpl servletrequestimpl = WebAppServletContext.getOriginalRequest(httpservletrequest);
           if(checkPerm(servletrequestimpl, resourceconstraint, null))
               return true;
       }
       stuffSession(httpservletrequest, httpservletresponse);
       try
       {
           webAppSecurity.sendLoginPage(httpservletrequest, httpservletresponse);  // redirect to the login page
       }
       catch(ServletException servletexception) { }
       return false;
   }


WebLogic 10
   weblogic.servlet.security.internal.FormSecurityModule.java

   boolean checkUserPerm(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse, SessionInternal sessioninternal, ResourceConstraint resourceconstraint, AuthenticatedSubject authenticatedsubject, boolean flag)
       throws IOException, ServletException
   {
       if(httpservletrequest.getRequestURI().endsWith("j_security_check"))
           return processJSecurityCheck(httpservletrequest, httpservletresponse, sessioninternal);
       if(authenticatedsubject != null)
           return processLoggedInUser(httpservletrequest, httpservletresponse, authenticatedsubject);
       if(webAppSecurity.isFullSecurityDelegationRequired() && webAppSecurity.hasPermission(httpservletrequest, httpservletresponse, null, resourceconstraint))
           return true;
       if(flag && webAppSecurity.hasAuthFilters())
       {
           invokeAuthFilterChain(httpservletrequest, httpservletresponse);
           return false;
       }
       if(isForbidden(resourceconstraint))   // goes straight to 403
           sendForbiddenResponse(httpservletrequest, httpservletresponse);
       else                                  // first login goes to the login page
           sendLoginPage(httpservletrequest, httpservletresponse);
       return false;
   }

3. Conclusion:

    The SiteMinder SSO agent Servlet code for WebLogic 10 can be simplified by removing the branch that checks for a missing permission, since the container now answers with 403 before the agent is re-entered.
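To make the difference concrete, here is an added model (not code from the page, SiteMinder or WebLogic) of the agent's isSamePrincipal logic run against the two container behaviours described above; the Session class, the method names and the role names are assumptions.

```java
import java.util.Arrays;
import java.util.List;
// Hypothetical model of the flow above; not SiteMinder or WebLogic code.
public class SsoAgentFlowModel {
    enum Container { WEBLOGIC8, WEBLOGIC10 }

    // Stand-in for the container session: the principal the agent established, plus its roles.
    static final class Session { String principal; List<String> roles; }

    // Constructed SMSESSION payload; the page masks the real role names, so these are assumed.
    static final String COOKIE_USER = "YANGJUN";
    static final List<String> COOKIE_ROLES = Arrays.asList("r_user");
    static final String TARGET_ROLE = "r_admin";   // role the target URL requires (assumed)

    // The agent's service(): invoked each time the container sends the login page.
    static String agentService(Session session) {
        if (session.principal == null) {              // step 3: "Principal from request is null"
            session.principal = COOKIE_USER;          // step 4: cookie validated, roles obtained
            session.roles = COOKIE_ROLES;
            return "redirect to target";              // step 5
        }
        if (COOKIE_USER.equals(session.principal)) {  // step 7: isSamePrincipal -> we were here already
            return "forward to wls_http_bridge_not_authorized.jsp";   // step 8
        }
        return "redirect to target";
    }

    // The container's checkUserPerm() for a protected URL, in the two variants shown above.
    static String containerRequest(Container container, Session session) {
        if (session.principal == null) {
            return "login page -> agent: " + agentService(session);
        }
        if (session.roles.contains(TARGET_ROLE)) {
            return "serve target";
        }
        if (container == Container.WEBLOGIC10) {
            return "403 Forbidden (sendForbiddenResponse; agent not invoked)";
        }
        return "login page -> agent: " + agentService(session);   // WebLogic 8: sendLoginPage again
    }

    public static void main(String[] args) {
        for (Container c : Container.values()) {
            Session s = new Session();
            String first = containerRequest(c, s);    // unauthenticated request for /index.screen
            String second = containerRequest(c, s);   // the agent's redirect back to the target
            System.out.println(c + ": " + first + " | " + second);
        }
    }
}
```

On WebLogic 8 the second request re-enters the agent and reaches the not-authorized page; on WebLogic 10 it ends in the container's 403 and the isSamePrincipal branch never executes.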
