Java PersistentTokenRepository：还记得我和AJAX吗_Java_Spring_Spring Security

Java PersistentTokenRepository：还记得我和AJAX吗

java spring spring-security

Java PersistentTokenRepository：还记得我和AJAX吗,java,spring,spring-security,Java,Spring,Spring Security,我认为persistentTokenRepository存在问题，检测到“cookie盗窃攻击”，它检测到假阳性事实上，有时我会遇到这样的错误： Etat HTTP 500 - Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack. org.springframework.security.web.authentication.rememberme.CookieTheft

我认为persistentTokenRepository存在问题，检测到“cookie盗窃攻击”，它检测到假阳性

事实上，有时我会遇到这样的错误：

Etat HTTP 500 - Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
 org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.processAutoLoginCookie(PersistentTokenBasedRememberMeServices.java:102)
org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices.autoLogin(AbstractRememberMeServices.java:115)
org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:97)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:57)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)

经过一番调查，我明白了这个问题！我的webapp在第一次加载时使用了大量ajax请求，因此我们可以在同一时间有多个线程尝试获取同一会话的安全令牌，因为完成会话身份验证的第一个线程执行更新，而其他线程无法执行更新，因为原始令牌（这些线程持有）已更新，并启动异常

问题并非每次都会发生，因为RememberAuthenticationFilter会检查是否设置了RememberAuth（doFilter），因此使用异步请求时问题会更频繁

您认为有解决此问题的方法吗？

对此有任何更新吗？我也有同样的问题，但即使没有Ajax，我也有这个问题。很难复制，所以我不知道该怎么做。但人们却在抱怨出错。