Request Headers Referer security check problem encountered during SSO between ODM teamserver and a custom portal

Linking from the portal to IBM ODM teamserver via SSO is convenient for business users and is an important part of integrating the business systems developed by the team (Caifu, Huijin, Huicheng and others) with middleware such as ODM and FileNet. However, after logging out from the portal through ibm_security_check, following the portal SSO link to teamserver again returns 400 Bad Request, while entering the ODM teamserver application address directly in the browser address bar works. Comparing the two HTTP requests carefully shows that in the first one the Referer attribute of the Request Headers is set to the portal address.

Locate teamserver's web.xml in the WAS installation directory. Several filters deserve attention: sessionFilter, accessFilter and securityCheckPointFilter. They are a good reference for securing applications with strict requirements.
<!-- sessionFilter: static resources, logout and error pages are excluded from session handling -->
<filter>
    <filter-name>sessionFilter</filter-name>
    <filter-class>ilog.rules.teamserver.web.servlets.filter.IlrSessionFilter</filter-class>
    <init-param>
        <param-name>exclusion-pattern</param-name>
        <param-value>.*?(?:\.js|\.css|\.ico|\.gif|\.png|\.jpg|\.rpc|\.html|/unauthenticatedLogout|/logout|/error403.jsp|/error403b.jsp|/error408.jsp)$</param-value>
    </init-param>
</filter>
<!-- accessFilter: only the views listed here may be opened directly -->
<filter>
    <filter-name>accessFilter</filter-name>
    <filter-class>ilog.rules.teamserver.web.servlets.filter.IlrAccessFilter</filter-class>
    <init-param>
        <description>
            List of views that are directly accessible. Accessing a view not listed here will always prompt the user to the
            Home page
        </description>
        <param-name>accessibleViews</param-name>
        <param-value>
            /login.jsp, /loginError.jsp, /error408.jsp, /home.jsp, /action.jsp,
            /explore/explore.jsp, /compose/compose.jsp, /query/query.jsp, /configure/configure.jsp
        </param-value>
    </init-param>
</filter>
<!-- securityCheckPointFilter: Referer check, cookie check and form/URL checks -->
<filter>
    <filter-name>securityCheckPointFilter</filter-name>
    <filter-class>ilog.rules.teamserver.web.security.SecurityCheckPointFilter</filter-class>
    <!-- switch for validating the Referer request header -->
    <init-param>
        <param-name>ilog.rules.teamserver.check-referer</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- request URL patterns exempted from the Referer check (empty by default) -->
    <init-param>
        <param-name>ilog.rules.teamserver.referer-check-url-exclusion-patterns</param-name>
        <param-value/>
    </init-param>
    <init-param>
        <param-name>ilog.rules.teamserver.check-cookie</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>ilog.rules.teamserver.url-form-check-inclusion-patterns</param-name>
        <param-value>/action.jsp,/remoting/session</param-value>
    </init-param>
    <init-param>
        <param-name>ilog.rules.teamserver.url-form-check-exclusion-patterns</param-name>
        <param-value>/gwt*</param-value>
    </init-param>
    <!-- URLs exempted from every security check: static resources and GWT calls -->
    <init-param>
        <param-name>ilog.rules.teamserver.security-check-exclusion-patterns</param-name>
        <param-value>^https?:\/\/(.*)\/(.*)(\.js|\.css|\.ico|\.gif|\.png|\.jpg|\.rpc|\.html)$,^https?:\/\/(.*)\/(gwt)\/.*</param-value>
    </init-param>
</filter>

The 400 Bad Request problem described at the beginning is caused precisely by securityCheckPointFilter. Looking closely, it has a parameter ilog.rules.teamserver.check-referer, which is the switch that decides whether the Referer attribute of the HTTP request header is validated. Setting its value to false resolves the problem.
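To make the decision path of this filter concrete, here is an added Python model of the Referer check, written for this page and not taken from the teamserver code or from IBM. It reuses the three securityCheckPointFilter parameters and the two security-check-exclusion-patterns regexes from the web.xml above, and models the Referer rule as a same-origin comparison; that rule, the assumption that referer-check-url-exclusion-patterns is matched against the request path, and the hostnames odm.example.internal and portal.example.internal are all assumptions, not facts from the post. It reproduces the symptom (direct access passes, the portal link gets 400) and contrasts the two ways of clearing it: flipping check-referer to false, which turns the check off for every URL including /action.jsp, versus exempting only the SSO landing page through referer-check-url-exclusion-patterns, which keeps the check on the rest of the application.

```python
import re
from urllib.parse import urlsplit

# securityCheckPointFilter init-params copied from the teamserver web.xml above.
# Only the three parameters that take part in the Referer decision are modelled.
DEFAULT_CONFIG = {
    "ilog.rules.teamserver.check-referer": True,
    "ilog.rules.teamserver.referer-check-url-exclusion-patterns": [],
    "ilog.rules.teamserver.security-check-exclusion-patterns": [
        r"^https?:\/\/(.*)\/(.*)(\.js|\.css|\.ico|\.gif|\.png|\.jpg|\.rpc|\.html)$",
        r"^https?:\/\/(.*)\/(gwt)\/.*",
    ],
}

# Constructed sample hosts for the two applications; not from the original post.
TEAMSERVER = "https://odm.example.internal"
PORTAL = "https://portal.example.internal"


def _matches_any(patterns, value):
    """True if any configured regex matches the value (the patterns are ^-anchored)."""
    return any(re.search(p, value) for p in patterns)


def _origin(url):
    """scheme://host[:port] of a URL, lower-cased, for a same-origin comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def referer_check(request_url, headers, config=DEFAULT_CONFIG):
    """Model of the filter's Referer decision: returns (http_status, reason).

    200 means the request passes; 400 means it is rejected, which is the
    '400 Bad Request' seen when following the portal link. The same-origin rule
    is an assumption about the real filter, not its decompiled logic.
    """
    # Static resources and GWT calls are exempt from every security check.
    if _matches_any(config["ilog.rules.teamserver.security-check-exclusion-patterns"], request_url):
        return 200, "URL matches security-check-exclusion-patterns"
    # The switch the post sets to false: disables the Referer check for all URLs.
    if not config["ilog.rules.teamserver.check-referer"]:
        return 200, "check-referer is false"
    # Narrower option: exempt specific request paths only (assumed to match the path).
    path = urlsplit(request_url).path
    if _matches_any(config["ilog.rules.teamserver.referer-check-url-exclusion-patterns"], path):
        return 200, "path matches referer-check-url-exclusion-patterns"
    referer = headers.get("Referer")
    if referer is None:
        return 200, "no Referer header (address typed into the browser)"
    if _origin(referer) == _origin(request_url):
        return 200, "Referer is same-origin"
    return 400, f"Referer origin {_origin(referer)} is not the teamserver origin"


def with_overrides(**overrides):
    """Copy of DEFAULT_CONFIG with some parameters changed (dashes written as underscores)."""
    cfg = dict(DEFAULT_CONFIG)
    for key, value in overrides.items():
        cfg["ilog.rules.teamserver." + key.replace("_", "-")] = value
    return cfg


if __name__ == "__main__":
    home = f"{TEAMSERVER}/teamserver/home.jsp"
    action = f"{TEAMSERVER}/teamserver/action.jsp"
    from_portal = {"Referer": f"{PORTAL}/portal/odm-link"}  # constructed portal link
    narrow = with_overrides(referer_check_url_exclusion_patterns=[r"^/teamserver/home\.jsp$"])
    scenarios = [
        ("direct address-bar access", home, {}, DEFAULT_CONFIG),
        ("portal SSO link, default config", home, from_portal, DEFAULT_CONFIG),
        ("portal SSO link, check-referer=false", home, from_portal, with_overrides(check_referer=False)),
        ("portal SSO link, only home.jsp exempted", home, from_portal, narrow),
        ("action.jsp with the same narrow exemption", action, from_portal, narrow),
        ("static script requested with portal Referer", f"{TEAMSERVER}/teamserver/js/app.js", from_portal, DEFAULT_CONFIG),
    ]
    for name, url, hdrs, cfg in scenarios:
        status, reason = referer_check(url, hdrs, cfg)
        print(f"{status}  {name}: {reason}")
```

Running the script prints one line per scenario; the two that matter for the post are the portal link under the default configuration (400) and the same link with check-referer set to false (200). The narrow exemption lets the landing page through while /action.jsp, which the url-form-check-inclusion-patterns parameter also singles out, still rejects a cross-origin Referer.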

The implementation of the filters above can be studied further by decompiling teamserver-web-core-8.8.0.0.jar from the ODM teamserver application. The SSO between the two applications relies entirely on the LTPA mechanism of WAS.
