我(仍然)尝试在Grails 2.5.x中使用自定义AuthenticationProvider。我需要获取表单数据,因此我编写了一个PreAuthenticatedProcessingFilter来执行此操作并编写主体。
这两个类都被调用了,所以我至少有一些bean配置正确。问题是信息没有从过滤器中存储,因此AuthenticationProvider没有要进行身份验证的数据。我将显示类中的相关详细信息以及随之而来的日志条目。
preauth过滤器:
class PreAuthenticationRequestParametersFilter extends AbstractPreAuthenticatedProcessingFilter {
protected Map xmlMap
@Override
protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
if (! request.getParameter('SAMLResponse')) {
// no need to process if we don't have a SAML response.
// Remember this will get called on pretty much every request.
return null
}
String samlResponseXml = request.getParameter('SAMLResponse')
log.warn("xmlfoo: ${samlResponseXml?.length()} and sch: ${SecurityContextHolder.getContext().authentication}")
if (! samlResponseXml) return null
xmlMap = decodeXml(samlResponseXml)
log.warn("principal: ${xmlMap.userDetails}")
return xmlMap.userDetails
}
// (not showing decodeXml, shouldn't be necessary)
SAMLAuth:
class SAMLAuthenticationProvider implements AuthenticationProvider {
@Override
Authentication authenticate(Authentication authentication) throws AuthenticationException {
log.warn("hello from samlauthprovider, auth: ${authentication}")
String name = authentication.name
log.warn("name: ${name}")
String principal = authentication.principal
log.warn("principal: ${principal}")
if (name == '' || principal == '') return null // authentication
// code continues, but the failure has already occurred, these are blank in the log below
日志:
WARN myapp.PreAuthenticationRequestParametersFilter - user email: bob@domain.com with user User(id: 4, username: bob, firstName: bob, lastName: b, email: bob@domain.com, enabled: true, accountExpired: false, accountLocked: false, passwordExpired: false)
WARN myapp.PreAuthenticationRequestParametersFilter - issuer: https://saml.domain.com/adfs/services/trust with auth 1
WARN myapp.PreAuthenticationRequestParametersFilter - principal: myapp.MyAppUserDetails@8ee96c84: Username: bob@domain.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER
WARN security.SAMLAuthenticationProvider - hello from samlauthprovider,
auth: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@b37b: Principal: ; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 172.31.2.90; SessionId: null; Not granted any authorities
WARN security.SAMLAuthenticationProvider - name:
WARN security.SAMLAuthenticationProvider - principal:
// next logs are in my "login failed" code, which we shouldn't reach in this case
我很清楚有一个spring-security-saml类。我没有使用它是出于与这个问题相关的原因。
编辑更多日志记录,我看到流程是PreAuthenticated,然后是我的成功处理程序,然后是我的SAMLAuthenticationProvider。在成功处理程序之后,事情似乎迷失了。由于几个原因,这真的很奇怪 - 为什么在AuthenticationProvider之前调用成功处理程序?