
Spring SAML: access denied after one minute


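I have implemented SAML2 authentication in a web application. Everything works fine. The user logs in and can use the application, but after one minute he gets a 401 and a full page reload.

What could be the cause? Is it connected to the SAML ticket's NotOnOrAfter attribute? How can I fix this and disable this reload and re-authentication?

In the logs I can see: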


1 Answer

  • 0

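    This showed me the way. The reason is that the SAML token has a 'NotOnOrAfter' attribute. In 'SAMLAuthenticationProvider', the 'authenticate' method creates an 'ExpiringUsernameAuthenticationToken' whose validity is based on 'NotOnOrAfter'. What I did was override the 'getExpirationDate' method and extend the token validity to the expected time.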
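
An added example, not code from the original post: one way to override 'getExpirationDate' as the answer describes, extending a too-short expiry while still capping the local session instead of removing the expiry altogether. The class name, constructor and minute values are assumptions made for illustration.

```java
import java.util.Date;
import java.util.concurrent.TimeUnit;

import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.saml.SAMLCredential;

// Hypothetical class name and policy values; only getExpirationDate and
// SAMLAuthenticationProvider come from the answer above.
public class BoundedExpirySamlAuthenticationProvider extends SAMLAuthenticationProvider {

    private final long minSessionMillis; // shortest local session we accept
    private final long maxSessionMillis; // hard cap, even if the IdP sets no limit

    public BoundedExpirySamlAuthenticationProvider(long minSessionMinutes, long maxSessionMinutes) {
        if (minSessionMinutes <= 0 || maxSessionMinutes < minSessionMinutes) {
            throw new IllegalArgumentException("need 0 < min <= max");
        }
        this.minSessionMillis = TimeUnit.MINUTES.toMillis(minSessionMinutes);
        this.maxSessionMillis = TimeUnit.MINUTES.toMillis(maxSessionMinutes);
    }

    @Override
    protected Date getExpirationDate(SAMLCredential credential) {
        // Expiry the library derived from the assertion; null when the IdP set none.
        Date fromIdp = super.getExpirationDate(credential);
        return clamp(fromIdp, System.currentTimeMillis());
    }

    // Package-private so the policy can be unit-tested without a SAML assertion.
    Date clamp(Date fromIdp, long nowMillis) {
        long floor = nowMillis + minSessionMillis;
        long ceiling = nowMillis + maxSessionMillis;
        // A missing IdP limit falls back to the cap rather than an unlimited token.
        long requested = (fromIdp == null) ? ceiling : fromIdp.getTime();
        return new Date(Math.max(floor, Math.min(requested, ceiling)));
    }
}
```

Register this bean in place of the stock 'SAMLAuthenticationProvider', for example with a 30-minute floor and a 480-minute cap. Any floor above the IdP's own limit lets the local session outlive what the IdP intended, so keep it as small as the application tolerates.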
