1.问题描述:
在weblogic8下,siteminder sso agent(Servlet) 如果用户没用权限会跳转到wls_http_bridge_not_authorized.jsp页面,而在weblogic10下却直接跳转到403页面?
2.问题定位:
首先说明一下Assert Provider的作用:
.认证cookie的有效性;
.调用authentication provider.authorize()的获取角色。
核心代码在com.netegrity.wlsextensions.Servlet.java
从sso登陆的日志分析:
//1.先登陆某个系统A后,跳转系统B的weclome页面
Target from ServletAuthentication.getTargetURLForFormAuthentication is http://xxxxxx:80/index.screen>
//2.因为没有登陆过系统B,容器跳转到login page url (/login), 进入Servlet的service(HttpServletRequest req, HttpServletResponse response),带着cookie
Found SMSESSION cookie ap311F3+FKgWA1m/PuVr7GHe3E1fhirjMy1HNrt0XSKwE…>
//3.没有登陆过系统B,所以request.getPrincipal为null
Principal from request is null>
//4.根据cookie 认证合法性,并获取角色列表
User [YANGJUN, r_xxxx, ……..] authenticated.>
//5.重定向到原始url,因为容器判断该用户没有此url的权限,weblogic8重定向到login page(/login),weblogic10 却跳转到403页面而不是login page(/login)
Redirecting to Target with http://xxxxxx:80/index.screen>
以下只有 weblogic8才有效
//6.重新进入Servlet的service(HttpServletRequest req, HttpServletResponse response)
Target from ServletAuthentication.getTargetURLForFormAuthentication is http://xxxx:80/index.screen>
Found SMSESSION cookie ap311F3+FKgWA1m/PuVr7GHe3E1fhirjMy1HNrt0XSKwE….>
//7.判断isSamePrincipal,发现用户名重复,如果有重复,说明原先登陆过,而且是因为没有权限重定向的
Authorization failure>
Principals from SMSESSION cookie is [YANGJUN, r_xxxxxx, …….>
YANGJUN equals YANGJUN>
//8.跳转到没有权限的页面wls_http_bridge_not_authorized.jsp
weblogic10与weblogic8跳转代码差异:
Weblogic8
weblogic.servlet.security.internal. FormSecurityModule.java
boolean checkUserPerm()
if(webAppSecurity.isFullSecurityDelegationRequired())
{
ServletRequestImpl servletrequestimpl = WebAppServletContext.getOriginalRequest(httpservletrequest);
if(checkPerm(servletrequestimpl, resourceconstraint, null))
return true;
}
stuffSession(httpservletrequest, httpservletresponse);
try
{
webAppSecurity.sendLoginPage(httpservletrequest, httpservletresponse); //跳转到login page
}
catch(ServletException servletexception) { }
return false;
Weblogic10
weblogic.servlet.security.internal. FormSecurityModule.java
boolean checkUserPerm(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse, SessionInternal sessioninternal, ResourceConstraint resourceconstraint, AuthenticatedSubject authenticatedsubject, boolean flag)
throws IOException, ServletException
{
if(httpservletrequest.getRequestURI().endsWith("j_security_check"))
return processJSecurityCheck(httpservletrequest, httpservletresponse, sessioninternal);
if(authenticatedsubject != null)
return processLoggedInUser(httpservletrequest, httpservletresponse, authenticatedsubject);
if(webAppSecurity.isFullSecurityDelegationRequired() && webAppSecurity.hasPermission(httpservletrequest, httpservletresponse, null, resourceconstraint))
return true;
if(flag && webAppSecurity.hasAuthFilters())
{
invokeAuthFilterChain(httpservletrequest, httpservletresponse);
return false;
}
if(isForbidden(resourceconstraint)) //直接跳转到403
sendForbiddenResponse(httpservletrequest, httpservletresponse);
else //首次登陆跳转到login
sendLoginPage(httpservletrequest, httpservletresponse);
return false;
}
3.结论:
SiteMinder sso agent Servlet for weblgoic10 的代码可以简化,删除判断没有权限判断的代码。