时间戳

首页 > 解决方案 > Spring Security 重新创建 HttpSession

java - Spring Security 重新创建 HttpSession

问题描述

我尝试配置 Spring Security,但我遇到了一个问题。

这是我的 SessionAuthenticationFilter:

public class SessionAuthenticationFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {

        HttpSession session = request.getSession();
        User user = (User) session.getAttribute("user");

        if (nonNull(user)) {
            SimpleGrantedAuthority authority = new SimpleGrantedAuthority(user.getRole());
            Authentication authentication = new UsernamePasswordAuthenticationToken(user.getName(), null, singletonList(authority));

            SecurityContextHolder.getContext().setAuthentication(authentication);
        }

        filterChain.doFilter(request, response);
    }

}

这是我的安全配置:

@Configuration
@EnableWebSecurity
@EnableJdbcHttpSession
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public SessionAuthenticationFilter sessionFilter() {
        return new SessionAuthenticationFilter();
    }

    @Bean
    public HttpSessionIdResolver httpSessionIdResolver() {
        return HeaderHttpSessionIdResolver.xAuthToken();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
                .csrf().disable()
                .formLogin().disable()
                .cors()
                .and()
                .httpBasic()
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .addFilterBefore(sessionFilter(), SessionManagementFilter.class)
                .authorizeRequests()
                .antMatchers(
                        "/login"
                )
                .permitAll()
                .anyRequest()
                .authenticated();
    }

}

这是我的索引控制器:

@RestController
public class IndexController {

    @RequestMapping(value = "/index", method = RequestMethod.GET)
    public ResponseEntity<?> index(HttpSession session) {

        System.out.println(session.getId());

        return new ResponseEntity<>(HttpStatus.OK);
    }

}

里面的 SessionAuthenticationFilter HttpSession 是正确的,但是当我尝试获取这个会话时,我会得到其他会话。为什么?我知道这是由 Spring Security 创建的。它是如何固定的?

标签: javaspringspring-securityspring-session

解决方案

您的问题可能与此有关:.sessionCreationPolicy(SessionCreationPolicy.STATELESS)

因此,在 Spring Security Docs 中,Spring Security 永远不会创建HttpSession并且永远不会使用它来获取SecurityContext会话创建策略设置为的时间STATELESS

尝试将政策更改为SessionCreationPolicy.ALWAYS

请参阅 枚举 SessionCreationPolicy

推荐阅读