我将spring-session与hazelcast和spring-security一起使用。我正面临spring security无法从HttpSession加载安全上下文的问题。在身份验证期间,我可以看到以下代码将安全上下文设置为会话:
if (contextChanged(context)|| httpSession.getAttribute(springSecurityContextKey) == null) {
httpSession.setAttribute(springSecurityContextKey, context);
if (logger.isDebugEnabled()) {
logger.debug("SecurityContext '" + context
+ "' stored to HttpSession: '" + httpSession);
}
}
但在spring重定向到目标url时进行身份验证后,它无法从会话中获取安全上下文,代码如下:
Object contextFromSession = httpSession.getAttribute(springSecurityContextKey);
if (contextFromSession == null) {
if (debug) {
logger.debug("HttpSession returned null object for SPRING_SECURITY_CONTEXT");
}
return null;
}
知道这里有什么问题吗?安全调试日志-
w.a.s.SessionFixationProtectionStrategy : Started new session: 2192be54-aee1-4249-98ba-01a65a401830
c.i.i.w.s.LoggingSecurityEventListener : event=SessionFixationProtectionEvent username=cgrant remoteAddress=0:0:0:0:0:0:0:1 sessionId=c7363d39-28ff-44e3-83a9-d463f2f371e5
w.a.UsernamePasswordAuthenticationFilter : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@5e87c6c5: Principal: org.springframework.security.core.userdetails.
c.i.i.w.s.LoggingSecurityEventListener : event=InteractiveAuthenticationSuccessEvent username=cgrant remoteAddress=0:0:0:0:0:0:0:1 sessionId=c7363d39-28ff-44e3-83a9-d463f2f371e5
RequestAwareAuthenticationSuccessHandler : Using default Url: /
o.s.s.web.DefaultRedirectStrategy : Redirecting to '/myapp/'
w.c.HttpSessionSecurityContextRepository : SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@5e87c6c5: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@5e87c6c5: Principal: org.springframework.security.core.userdetails.User@fb03e089: Username: cgrant; .......... stored to HttpSession: 'org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper$HttpSessionWrapper@5d2baa59
s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
o.s.s.w.s.HttpSessionEventPublisher : Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.springframework.session.web.http.ExpiringSessionHttpSession@287a471f]
.....
.....
o.s.security.web.FilterChainProxy : / at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
o.s.security.web.FilterChainProxy : / at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper$HttpSessionWrapper@8d3c315. A new one will be created.
o.s.security.web.FilterChainProxy : / at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@57f4e063
o.s.security.web.FilterChainProxy : / at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/logout'
o.s.security.web.FilterChainProxy : / at position 5 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /' doesn't match 'POST /login/auth
o.s.security.web.FilterChainProxy : / at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
o.s.security.web.FilterChainProxy : / at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
o.s.security.web.FilterChainProxy : / at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa843a8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd3270: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 2192be54-aee1-4249-98ba-01a65a401830; Granted Authorities: ROLE_ANONYMOUS'
o.s.security.web.FilterChainProxy : / at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
o.s.security.web.FilterChainProxy : / at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
o.s.security.web.FilterChainProxy : / at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
.....
.....
o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /; Attributes: [authenticated]
o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa843a8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd3270: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 2192be54-aee1-4249-98ba-01a65a401830; Granted Authorities: ROLE_ANONYMOUS
o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@1023c8f1, returned: -1
o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
我找到了这个问题的真正原因。我使用的是Spring-Session-1.2.2和HazelCast-3.5.4。Spring-session无法在迁移后保存会话。我不知道是hazelcast问题还是spring-session问题。只是出于测试的目的,我使用了MapSessionRepository和@EnablesPringTtpSession,所有工作都很好。在调试spring-session库时,这是一段痛苦的经历,根据我的经验,我建议在使用任何存储进行会话复制之前,首先使用MapSessionRepository进行测试,这将确保您的应用程序配置与spring-session一起工作,然后再使用第三方会话存储库。
在spring security 4中,并发会话不重定向到过期的url,而是重定向到失败的身份验证url。下面是java配置代码片段。 过期url的行为不一致,有时起作用,有时不起作用。会有什么问题?
问题内容: 我有一个使用spring和hibernate的java stuts2 Web应用程序。 我越来越。 SpringBean.xml hibernate.cfg.xml CustomerServiceImpl.java CustomerDaoImpl.java CustomerAction.java 我得到的例外 问题答案: 您在Spring配置中指定了一个事务管理器,但是没有关于何时或何
我正在尝试创建无状态安全性,从而将JWT令牌存储在Cookie而不是SESSION中。 问题是,如果没有会话,就不知道原始请求(在身份验证页面弹出之前)。所以在第77行这里savedRequest是空的。 这看起来很奇怪,我想我做错了什么。如何允许页面重定向到登录无状态会话后请求的原始URL? > 我禁用会话 然后,我创建了一个自定义的AuthenticationSuccessHandler,它扩
问题内容: 如何解决在PHP中重定向后丢失会话的问题? 最近,我遇到了一个非常常见的问题,即在重定向后丢失会话。在搜索该网站后,我仍然找不到任何解决方案(尽管这是最接近的解决方案)。 更新资料 我找到了答案,我想将它发布在这里,以帮助遇到同样问题的任何人。 问题答案: 首先,执行以下常规检查: 确保在任何会话被调用之前被调用。因此,一个安全的选择就是将其放在页面的开头,紧接着在开始声明之后,再放在
我在spring Boot1.2.3 web应用程序中使用spring security 4.0.1(也使用Spring-Session1.0.1,但这与本案无关)。 每当登录的用户会话过期时,Spring就会检测到无效的会话,并将用户重定向到“.invalidsessionURL(”/session/error/invalid“)” 然而,我只想被重定向,如果目标链接在私人区域内,也不是公共区域
我在global.asax中尝试了以下代码,但不起作用,并导致Application_Error(“响应在此上下文中不可用。”)。