SiteMinder SSO在weblogic10的变化
1.问题描述:
在weblogic8下,siteminder sso agent(Servlet) 如果用户没用权限会跳转到wls_http_bridge_not_authorized.jsp页面,而在weblogic10下却直接跳转到403页面?
2.问题定位:
首先说明一下Assert Provider的作用:
.认证cookie的有效性;
.调用authentication provider.authorize()的获取角色。
核心代码在com.netegrity.wlsextensions.Servlet.java
从sso登陆的日志分析:
//1.先登陆某个系统A后,跳转系统B的weclome页面
Target from ServletAuthentication.getTargetURLForFormAuthentication is http://xxxxxx:80/index.screen>
//2.因为没有登陆过系统B,容器跳转到login page url (/login), 进入Servlet的service(HttpServletRequest req, HttpServletResponse response),带着cookie
Found SMSESSION cookie ap311F3+FKgWA1m/PuVr7GHe3E1fhirjMy1HNrt0XSKwE…>
//3.没有登陆过系统B,所以request.getPrincipal为null
Principal from request is null>
//4.根据cookie 认证合法性,并获取角色列表
User [YANGJUN, r_xxxx, ……..] authenticated.>
//5.重定向到原始url,因为容器判断该用户没有此url的权限,weblogic8重定向到login page(/login),weblogic10 却跳转到403页面而不是login page(/login)
Redirecting to Target with http://xxxxxx:80/index.screen>
以下只有 weblogic8才有效
//6.重新进入Servlet的service(HttpServletRequest req, HttpServletResponse response)
Target from ServletAuthentication.getTargetURLForFormAuthentication is http://xxxx:80/index.screen>
Found SMSESSION cookie ap311F3+FKgWA1m/PuVr7GHe3E1fhirjMy1HNrt0XSKwE….>
//7.判断isSamePrincipal,发现用户名重复,如果有重复,说明原先登陆过,而且是因为没有权限重定向的
Authorization failure>
Principals from SMSESSION cookie is [YANGJUN, r_xxxxxx, …….>
YANGJUN equals YANGJUN>
//8.跳转到没有权限的页面wls_http_bridge_not_authorized.jsp
weblogic10与weblogic8跳转代码差异:
Weblogic8 weblogic.servlet.security.internal. FormSecurityModule.java boolean checkUserPerm() if(webAppSecurity.isFullSecurityDelegationRequired()) { ServletRequestImpl servletrequestimpl = WebAppServletContext.getOriginalRequest(httpservletrequest); if(checkPerm(servletrequestimpl, resourceconstraint, null)) return true; } stuffSession(httpservletrequest, httpservletresponse); try { webAppSecurity.sendLoginPage(httpservletrequest, httpservletresponse); //跳转到login page } catch(ServletException servletexception) { } return false; Weblogic10 weblogic.servlet.security.internal. FormSecurityModule.java boolean checkUserPerm(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse, SessionInternal sessioninternal, ResourceConstraint resourceconstraint, AuthenticatedSubject authenticatedsubject, boolean flag) throws IOException, ServletException { if(httpservletrequest.getRequestURI().endsWith("j_security_check")) return processJSecurityCheck(httpservletrequest, httpservletresponse, sessioninternal); if(authenticatedsubject != null) return processLoggedInUser(httpservletrequest, httpservletresponse, authenticatedsubject); if(webAppSecurity.isFullSecurityDelegationRequired() && webAppSecurity.hasPermission(httpservletrequest, httpservletresponse, null, resourceconstraint)) return true; if(flag && webAppSecurity.hasAuthFilters()) { invokeAuthFilterChain(httpservletrequest, httpservletresponse); return false; } if(isForbidden(resourceconstraint)) //直接跳转到403 sendForbiddenResponse(httpservletrequest, httpservletresponse); else //首次登陆跳转到login sendLoginPage(httpservletrequest, httpservletresponse); return false; }
3.结论:
SiteMinder sso agent Servlet for weblgoic10 的代码可以简化,删除判断没有权限判断的代码。