Spring security 超过2MB的Spring security Kerberos文件上载失败,连接重置


我有一个带有keytab文件的springsecuritykerberos设置。当文件上传操作完成时,我收到一个连接重置错误。只有当文件大小大于2MB时才会发生这种情况。当spring security关闭时,我可以上传大于2MB的文件

我对基于SPNEGO的授权的理解如下

  • Ajax请求是从浏览器发送的
  • 服务器检查标头中的令牌,如果未找到,则发送401
  • 客户端使用kerberos令牌重新发送请求
  • 服务器使用keytab解密令牌,并乐意允许进一步通信
  • 典型的请求将在协商重定向后在头中发送kerberos身份验证令牌。 这些失败的请求在头中没有令牌,这意味着协商阶段没有开始

    上传文件时是否需要设置或删除其他请求头? 2MB 的限制是在哪里设置的?我看到 JBoss 有一个 max post 参数,但当安全性被移除时,上传工作正常

    环境:Jboss EAP 6.4.16(10台服务器无状态)、JVM 1.7、RHEL 6。前面没有web服务器

    失败请求上的标头-

    Provisional headers are shown
    Accept:application/json, text/javascript, */*; q=0.01
    Content-Type:multipart/form-data; boundary=----WebKitFormBoundaryeb4P029q02XzceLA
    Origin:xxxxx
    Referer:http://xxxxxxxxxxxxxxx.html?xxxxxxxxxxxx
    User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like
    Gecko) Chrome/43.0.2357.130 Safari/537.36
    X-Requested-With:XMLHttpRequest
    ------WebKitFormBoundaryeb4P029q02XzceLA
    Content-Disposition: form-data; name="entry"; filename="test.pdf"
    Content-Type: application/pdf
    ------WebKitFormBoundaryeb4P029q02XzceLA--
    
    代码部分:

    /**
     * Spring Security configuration that authenticates callers with SPNEGO/Kerberos
     * tickets validated against a keytab, with no HTTP session kept between requests.
     *
     * <p>NOTE(review): {@code ignoreSecurity}, {@code servicePrincipal},
     * {@code ticketValidator} and {@code cookieUserDetailsService()} are referenced
     * below but are not declared anywhere in this listing; presumably they live in
     * the part of the class that was trimmed from the post -- confirm before reusing.
     */
    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    
        /** Keytab of the service principal, resolved from the {@code auth.keytab.url} property. */
        @Value("${auth.keytab.url}")
        private Resource keyTabLocation;
    
        /** SpEL access rule applied to every request: fully authenticated and holding SOME_ROLE. */
        private static final String SECURITY_ACCESS_ROLE = "isFullyAuthenticated() and hasRole('SOME_ROLE')";
    
        /**
         * Builds the HTTP filter chain.
         *
         * <p>Every request is challenged with the SPNEGO entry point when it carries no
         * credentials, session creation is STATELESS (so each request is authenticated
         * anew), and the SPNEGO processing filter runs ahead of HTTP Basic.
         *
         * <p>NOTE(review): {@code headers().disable()} switches off <em>all</em> of
         * Spring Security's default response headers (X-Frame-Options, X-Content-Type-Options,
         * Cache-Control, HSTS ...), not only the frame option the comment mentions;
         * {@code http.headers().frameOptions().disable()} is the narrower form.
         * Disabling CSRF removes the synchronizer-token check; since Negotiate credentials
         * are attached by the browser automatically, cross-site requests can still be
         * authenticated, so weigh that against the "non-browser calls" reason given here.
         *
         * @param http the builder provided by Spring Security
         * @throws Exception propagated from the builder API
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Please dont format this section
            // Some eclipse version may not support below formatter off.
            // @formatter:off
            HttpSecurity httpSecurity =
                    //default response headers disabled to aid xframe
                    http.headers().disable().csrf().disable()
                    // csrf disabled to facilitate non-browser calls
                        .httpBasic().authenticationEntryPoint(spnegoEntryPoint())
                    .and()
                        // no HttpSession: every request must present its own ticket
                        .sessionManagement()
                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                        // "/**" matches every path, so the .anyRequest() rule that follows
                        // is never consulted; SECURITY_ACCESS_ROLE is the effective rule
                        .authorizeRequests().antMatchers("/**")
                        .access(SECURITY_ACCESS_ROLE).anyRequest().authenticated()
                    .and();
    
                // SPNEGO ticket extraction must run before the Basic filter so a
                // Negotiate header is consumed by the Kerberos provider
                httpSecurity
                        .addFilterBefore(
                                spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                                BasicAuthenticationFilter.class);
    
            // @formatter:on
            // Please dont format this section
        }
    
        /**
         * Excludes the comma-separated patterns in {@code ignoreSecurity} from the
         * filter chain entirely (no authentication, no security headers on them).
         *
         * @param web the web-security builder
         * @throws Exception propagated from the builder API
         */
        @Override
        public void configure(WebSecurity web) throws Exception {
            // NOTE(review): ignoreSecurity is not declared in this listing
            web.ignoring().antMatchers(ignoreSecurity.split(","));
        }
    
        /**
         * Registers the Kerberos service provider as the only authentication provider.
         *
         * @param auth the authentication-manager builder
         * @throws Exception propagated from the builder API
         */
        @Override
        protected void configure(AuthenticationManagerBuilder auth)
                throws Exception {
            auth.authenticationProvider(kerberosServiceAuthenticationProvider());
        }
    
        /**
         * Exposes the adapter's authentication manager as a bean named
         * {@code authenticationManager} so it can be injected elsewhere.
         *
         * @return the shared {@link AuthenticationManager}
         * @throws Exception propagated from the superclass
         */
        @Bean(name = "authenticationManager")
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }
    
        /**
         * Creates a prototype-scoped ticket validator bound to the service principal
         * and the injected keytab.
         *
         * <p>NOTE(review): {@code setDebug(true)} turns on the validator's JAAS debug
         * output; it is useful while diagnosing the upload failure but is verbose for
         * production. {@code servicePrincipal} is not declared in this listing.
         *
         * @return a new {@link SunJaasKerberosTicketValidator}
         */
        @Bean
        @Scope("prototype")
        public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
            SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
            ticketValidator.setServicePrincipal(servicePrincipal);
            ticketValidator.setKeyTabLocation(keyTabLocation);
            ticketValidator.setDebug(true);
            return ticketValidator;
        }
    
        /**
         * Creates the provider that validates SPNEGO tickets and resolves the principal
         * to a {@code UserDetails} via {@link #kerberosUserDetailsService()}.
         *
         * <p>NOTE(review): this uses a field named {@code ticketValidator}, not the
         * {@link #sunJaasKerberosTicketValidator()} bean defined above; if the field is
         * not wired to that bean, the keytab configured there is never used -- confirm.
         *
         * @return a new {@link KerberosServiceAuthenticationProvider}
         */
        @Bean
        @Scope("prototype")
        public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
            KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
            provider.setTicketValidator(ticketValidator);
            provider.setUserDetailsService(kerberosUserDetailsService());
            return provider;
        }
    
        /**
         * User-details lookup used once a Kerberos principal has been validated.
         *
         * @return a new {@code KerberosUserDetailsService}
         */
        @Bean
        public UserDetailsService kerberosUserDetailsService() {
            return new KerberosUserDetailsService();
        }
    
        /**
         * Wraps a user-details service for pre-authenticated tokens.
         *
         * <p>NOTE(review): {@code cookieUserDetailsService()} is not declared in this
         * listing, and no bean shown here consumes this wrapper.
         *
         * @return a new {@link UserDetailsByNameServiceWrapper}
         */
        @Bean
        public UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> userDetailsByNameServiceWrapper() {
            UserDetailsService userDetailsService = cookieUserDetailsService();
            return new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService);
        }
    
        /**
         * Filter that extracts the {@code Negotiate} token from the Authorization header
         * and hands it to the given manager.
         *
         * @param authenticationManager the manager the filter authenticates against
         * @return a new {@link SpnegoAuthenticationProcessingFilter}
         */
        @Bean
        public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
                AuthenticationManager authenticationManager) {
            SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
            filter.setAuthenticationManager(authenticationManager);
            return filter;
        }
    
        /**
         * Entry point that answers unauthenticated requests with 401 and
         * {@code WWW-Authenticate: Negotiate}.
         *
         * <p>NOTE(review): for a large multipart POST this challenge is issued before
         * the request body has been consumed; whether the container then closes the
         * connection on the unread body (the reset reported in the question) should be
         * confirmed against the JBoss logs rather than assumed.
         *
         * @return a new {@link SpnegoEntryPoint}
         */
        @Bean
        public SpnegoEntryPoint spnegoEntryPoint() {
            return new SpnegoEntryPoint();
        }
    }
    
    @配置
    @启用Web安全性
    @EnableGlobalMethodSecurity(Prespenabled=true)
    公共类安全配置扩展了WebSecurity配置适配器{
    @值(${auth.keytab.url}”)
    私有资源密钥分配;
    private static final String SECURITY_ACCESS_ROLE=“isfullyaauthenticated()和hasRole('SOME_ROLE')”;
    @凌驾
    受保护的无效配置(HttpSecurity http)引发异常{
    //请不要格式化此部分
    //某些eclipse版本可能不支持关闭以下格式化程序。
    //@formatter:off
    HttpSecurity HttpSecurity=
    //禁用默认响应头以帮助xframe
    http.headers().disable().csrf().disable()
    //已禁用csrf以方便非浏览器调用
    .httpBasic().authenticationEntryPoint(spnegoEntryPoint())
    .及()
    .会议管理()
    .sessionCreationPolicy(sessionCreationPolicy.STATELESS)
    .及()
    .authorizeRequests().antMatchers(“/**”)
    .access(安全访问角色).anyRequest().authenticated()
    .及();
    httpSecurity
    .addFilterBefore(
    SPNEGAuthenticationProcessingFilter(authenticationManagerBean()),
    BasicAuthenticationFilter.class);
    //@formatter:on
    //请不要格式化此部分
    }
    @凌驾
    public void configure(WebSecurity web)引发异常{
    忽略()antMatchers(ignoreSecurity.split(“,”);
    }
    @凌驾
    受保护的无效配置(AuthenticationManagerBuilder身份验证)
    抛出异常{
    auth.authenticationProvider(kerberosServiceAuthenticationProvider());
    }
    @Bean(name=“authenticationManager”)
    @凌驾
    公共AuthenticationManager authenticationManagerBean()引发异常{
    返回super.authenticationManagerBean();
    }
    @豆子
    @范围(“原型”)
    公共SunJaasKerberosTicketValidator SunJaasKerberosTicketValidator(){
    SunJaasKerberosTicketValidator ticketValidator=新的SunJaasKerberosTicketValidator();
    ticketValidator.setServicePrincipal(服务负责人);
    ticketValidator.setkeytablelocation(keytablelocation);
    ticketValidator.setDebug(true);
    返回票证校验器;
    }
    @豆子
    @范围(“原型”)
    公共KerberosServiceAuthenticationProvider KerberosServiceAuthenticationProvider(){
    KerberosServiceAuthenticationProvider=新KerberosServiceAuthenticationProvider();
    提供者。设置ticketValidator(ticketValidator);
    setUserDetailsService(kerberosUserDetailsService());
    退货供应商;
    }
    @豆子
    公共用户详细信息服务kerberosUserDetailsService(){
    返回新的KerberosUserDetailsService();
    }
    @豆子
    公共UserDetailsByNameServiceWrapper UserDetailsByNameServiceWrapper(){
    UserDetailsService UserDetailsService=cookieUserDetailsService();
    返回新的UserDetailsByNameServiceWrapper(userDetailsService);
    }
    @豆子
    公共SPNEGAuthenticationProcessingFilter SPNEGAuthenticationProcessingFilter(
    AuthenticationManager(AuthenticationManager){
    SPNEGAuthenticationProcessingFilter=新的SPNEGAuthenticationProcessingFilter();
    filter.setAuthenticationManager(authenticationManager);
    回流过滤器;
    }
    @豆子
    公共SpnegoEntryPoint SpnegoEntryPoint(){
    返回新的SpnegoEntryPoint();
    }
    }
    
    Hi Yasser,复现环境是否仍然可用?