SiteMinder SSO在weblogic10的变化

1.问题描述：

      在weblogic8下，siteminder sso agent(Servlet) 如果用户没用权限会跳转到wls_http_bridge_not_authorized.jsp页面，而在weblogic10下却直接跳转到403页面?

 

2.问题定位：

      首先说明一下Assert Provider的作用：

      .认证cookie的有效性;
      .调用authentication provider.authorize()的获取角色。

    
     核心代码在com.netegrity.wlsextensions.Servlet.java

     从sso登陆的日志分析：
   
     //1.先登陆某个系统A后,跳转系统B的weclome页面
     Target from ServletAuthentication.getTargetURLForFormAuthentication is http://xxxxxx:80/index.screen>

     //2.因为没有登陆过系统B，容器跳转到login page url (/login), 进入Servlet的service(HttpServletRequest req, HttpServletResponse response),带着cookie
      Found SMSESSION cookie ap311F3+FKgWA1m/PuVr7GHe3E1fhirjMy1HNrt0XSKwE…>

     //3.没有登陆过系统B，所以request.getPrincipal为null
      Principal from request is null>     

     //4.根据cookie 认证合法性，并获取角色列表
      User [YANGJUN, r_xxxx, ……..] authenticated.>

     //5.重定向到原始url,因为容器判断该用户没有此url的权限，weblogic8重定向到login page(/login),weblogic10 却跳转到403页面而不是login page(/login)
      Redirecting to Target with http://xxxxxx:80/index.screen>

      以下只有 weblogic8才有效
     //6.重新进入Servlet的service(HttpServletRequest req, HttpServletResponse response)
      Target from ServletAuthentication.getTargetURLForFormAuthentication is http://xxxx:80/index.screen>
      Found SMSESSION cookie ap311F3+FKgWA1m/PuVr7GHe3E1fhirjMy1HNrt0XSKwE….>

      //7.判断isSamePrincipal,发现用户名重复,如果有重复，说明原先登陆过，而且是因为没有权限重定向的
        Authorization failure>
        Principals from SMSESSION cookie is [YANGJUN, r_xxxxxx, …….>
        YANGJUN equals YANGJUN>

     //8.跳转到没有权限的页面wls_http_bridge_not_authorized.jsp

      weblogic10与weblogic8跳转代码差异：
   
  

Weblogic8
   weblogic.servlet.security.internal. FormSecurityModule.java

   boolean checkUserPerm()

       if(webAppSecurity.isFullSecurityDelegationRequired())
        {
            ServletRequestImpl servletrequestimpl = WebAppServletContext.getOriginalRequest(httpservletrequest);
            if(checkPerm(servletrequestimpl, resourceconstraint, null))
                return true;
        }
        stuffSession(httpservletrequest, httpservletresponse);
        try
        {
            webAppSecurity.sendLoginPage(httpservletrequest, httpservletresponse);  //跳转到login page
        }
        catch(ServletException servletexception) { }
        return false;

 

Weblogic10
     weblogic.servlet.security.internal. FormSecurityModule.java

     boolean checkUserPerm(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse, SessionInternal sessioninternal, ResourceConstraint resourceconstraint, AuthenticatedSubject authenticatedsubject, boolean flag)
        throws IOException, ServletException
    {
        if(httpservletrequest.getRequestURI().endsWith("j_security_check"))
            return processJSecurityCheck(httpservletrequest, httpservletresponse, sessioninternal);
        if(authenticatedsubject != null)
            return processLoggedInUser(httpservletrequest, httpservletresponse, authenticatedsubject);
        if(webAppSecurity.isFullSecurityDelegationRequired() && webAppSecurity.hasPermission(httpservletrequest, httpservletresponse, null, resourceconstraint))
            return true;
        if(flag && webAppSecurity.hasAuthFilters())
        {
            invokeAuthFilterChain(httpservletrequest, httpservletresponse);
            return false;
        }
        if(isForbidden(resourceconstraint))  //直接跳转到403
            sendForbiddenResponse(httpservletrequest, httpservletresponse);
        else                                                 //首次登陆跳转到login
            sendLoginPage(httpservletrequest, httpservletresponse);
        return false;
    }

 

     

3.结论：

    SiteMinder sso agent Servlet for weblgoic10 的代码可以简化，删除判断没有权限判断的代码。