问题:
具有Spring会话和安全性的Spring boot。RMI未能通过401
庞安晏
我使用Spring boot和Spring security,以及Spring Session和redis进行身份验证和授权。有两个独立的项目正在运行,我想通过HTTPRMI隧道将它们连接起来。尽管自从第二个服务抛出401之后,我在HttpInvokerProxyFactoryBean中使用了setRemoteInvocationFactory。我收到内部服务器错误。解决办法是什么?
我在头文件中传递会话id为x-auth-Token。我应该通过服务调用程序传递相同的信息吗?
这是密码
@Configuration
@EnableAutoConfiguration
public class ServiceExporter {
@Bean(name = "/rmi")
HttpInvokerServiceExporter accountService(@Autowired rmiimpl rmi) {
HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
exporter.setServiceInterface(rmiinterface.class);
exporter.setService(rmi);
return exporter;
}
}
@Configuration
@EnableAutoConfiguration
public class test {
@Bean
public HttpInvokerProxyFactoryBean invoker() {
HttpInvokerProxyFactoryBean invoker = new HttpInvokerProxyFactoryBean();
String serviceURL = "http://localhost:8081/rmi";
invoker.setServiceUrl(serviceURL);
invoker.setServiceInterface(rmiinterface.class);
invoker.setRemoteInvocationFactory(remoteinvocation());
return invoker;
}
@Bean
RemoteInvocationFactory remoteinvocation() {
return new ContextPropagatingRemoteInvocationFactory();
}
}
@Configuration
@EnableWebSecurity
public class SessionSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public HttpSessionStrategy httpSessionStrategy() {
return new HeaderHttpSessionStrategy();
}
@Override
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("admin").password("adminPass").roles("ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// https://www.baeldung.com/spring-security-session
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
http.csrf().disable().authorizeRequests() //
.antMatchers("/auth/*").fullyAuthenticated() //
.and().requestCache() //
.requestCache(new NullRequestCache()) //
.and().httpBasic();
}
}
java.io.IOException: Did not receive successful HTTP response: status code = 401, status message = [null]
at org.springframework.remoting.httpinvoker.SimpleHttpInvokerRequestExecutor.validateResponse(SimpleHttpInvokerRequestExecutor.java:188) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.remoting.httpinvoker.SimpleHttpInvokerRequestExecutor.doExecuteRequest(SimpleHttpInvokerRequestExecutor.java:92) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.remoting.httpinvoker.AbstractHttpInvokerRequestExecutor.executeRequest(AbstractHttpInvokerRequestExecutor.java:137) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor.executeRequest(HttpInvokerClientInterceptor.java:202) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor.executeRequest(HttpInvokerClientInterceptor.java:184) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor.invoke(HttpInvokerClientInterceptor.java:150) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) ~[spring-aop-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213) ~[spring-aop-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at com.sun.proxy.$Proxy66.rmitext(Unknown Source) ~[na:na]
at com.example.controller.AuthController.test(AuthController.java:27) ~[classes/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_191]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_191]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_191]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_191]
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:97) ~[spring-webmvc-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:854) ~[spring-webmvc-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:765) ~[spring-webmvc-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85) ~[spring-webmvc-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967) ~[spring-webmvc-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901) ~[spring-webmvc-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970) ~[spring-webmvc-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861) ~[spring-webmvc-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:635) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846) ~[spring-webmvc-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) ~[tomcat-embed-websocket-8.5.39.jar:8.5.39]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) ~[spring-security-web-4.2.12.RELEASE.jar:4.2.12.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:171) ~[spring-session-1.3.5.RELEASE.jar:na]
at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:80) ~[spring-session-1.3.5.RELEASE.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.23.RELEASE.jar:4.3.23.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) ~[tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) [tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137) [tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798) [tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806) [tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) [tomcat-embed-core-8.5.39.jar:8.5.39]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.39.jar:8.5.39]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_191]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_191]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.39.jar:8.5.39]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_191]
不知道少了什么。
共有1个答案
佘京
终于想通了。
众所周知,Spring Security默认情况下会从cookie中读取会话Id。在本例中,由于我使用了@Bean public-HttpSessionStrategy,它从headerx-auth-token读取。
每当HttpInvokerProxyFactoryBean尝试连接时,身份验证上下文就会被传播,但是由于它是一个HTTP调用,默认的Spring会话过滤器会尝试读取会话ID并验证相同的上下文。因为这里没有传输会话ID,所以它会抛出401。
为了修复它。我需要在HTTP invoker中设置头。如果使用了cookie,则同样适用。因为HttpInvokerProxyFactoryBean使用SimpleHttpInvokerRequestExecutor。我通过扩展创建了一个新类,并通过重写prepareConnection添加了标题。我在invoker中使用了setHttpInvokerRequestExecutor,设置执行器来调用新类。
这是代码。
@Configuration
@EnableAutoConfiguration
public class test {
@Bean
public HttpInvokerProxyFactoryBean invoker() {
HttpInvokerProxyFactoryBean invoker = new HttpInvokerProxyFactoryBean();
String serviceURL = "http://localhost:8081/rmi";
invoker.setServiceUrl(serviceURL);
invoker.setServiceInterface(rmiinterface.class);
invoker.setHttpInvokerRequestExecutor(httpInvokerRequestExecutor()); //call to the bean
return invoker;
}
@Bean
public SimpleHttpInvokerRequestExecutor httpInvokerRequestExecutor() {
return new CustomHttpInvokerRequestExecutor();
}
}
class CustomHttpInvokerRequestExecutor extends SimpleHttpInvokerRequestExecutor {
@Autowired
HttpSession session;
@Override
protected void prepareConnection(HttpURLConnection connection, int contentLength) throws IOException {
// adding header.
connection.addRequestProperty("x-auth-token", session.getId());
super.prepareConnection(connection, contentLength);
}
}
现在它开始工作了。
类似资料:
-
问题内容: 有没有办法在Jersey中以编程方式获得会话管理或安全性,例如Web应用程序会话管理?还是事务,会话和安全性都由部署Jersey应用程序的容器处理? 问题答案: 会话管理是部署Jersey的容器的权限。在大多数生产情况下,它将部署在执行会话管理的容器中。 下面的代码是jersey资源的简单示例,该资源获取会话对象并在会话中存储值,并在后续调用中检索它们。
-
问题内容: 我正在尝试确定基于ajax的登录表单进行身份验证和设置客户端cookie的最安全方法。 和 http://www.codinghorror.com/blog/archives/001167.html 所以,我想我的核心问题是… 1)使用纯Ajax设置cookie是否安全,如果是,最安全的方法是什么(httpOnly + SSL +加密值等)? 2)纯ajax方法是否涉及设置cookie
-
问题内容: 我正在开发仅需要一些基本安全功能的仅Intranet的Web应用程序(J2EE)。该站点的授权用户将相对较少,但是我仍然需要实现某种安全的会话。 我正在查看的基本流程是访问站点=>登录=>使用站点=>完成后注销(或在关闭浏览器时自动注销)。一点也不花哨,登录时甚至没有“记住我”选项。身份验证的大部分工作已经完成- 该站点只能通过https访问,并且我有一个存储用户名和(加密)密码的数据
-
我没有使用Spring Security性,但它要求我进行身份验证。 URL例外(http://localhost:8080/SpringJob/ExecuteJob): application-dev.xml build.gradle片段 控制器
-
问题内容: 已锁定 。该问题及其答案被锁定,因为该问题是题外话,但具有历史意义。它目前不接受新的答案或互动。 用PHP维护负责的会话安全性有哪些准则?网络上到处都有信息,现在是时候将它们全部集中在一个地方了! 问题答案: 为了确保会话安全,需要执行以下几项操作: 对用户进行身份验证或执行敏感操作时,请使用SSL。 只要安全级别发生更改(例如登录),就重新生成会话ID。如果愿意,您甚至可以为每个请求
-
问题内容: 我有一个登录脚本,可以根据“用户”表中的数据验证用户名/密码。此外,我有一个“角色”表,用于指定给定用户的访问级别。假设我使用的是安全的登录脚本,那么在成功登录后仅对“角色”表执行附加查询以发现用户的授权级别并将其存储到会话变量中,是否存在安全漏洞?这样的想法是,在具有混合权限的任何页面上,我都可以简单地查询会话变量以发现已登录用户的授权级别。 谢谢。 问题答案: 会话比cookie更