Fatal编程技术网
  • spring/
  • Spring HttpSession现在为null,但在请求开始时不是null;会话已无效,因此不要创建新会话

Spring HttpSession现在为null,但在请求开始时不是null;会话已无效,因此不要创建新会话

spring spring-mvc spring-security

Spring HttpSession现在为null,但在请求开始时不是null;会话已无效,因此不要创建新会话,spring,spring-mvc,spring-security,Spring,Spring Mvc,Spring Security,重置用户密码后,应将用户重定向到安全问题页面(/PP/enduser/securityQuestions.do?clear=true),而用户将获得AccessDeniedException,因为会话无效,并且用户将获得匿名用户身份验证。我尝试了其他类似问题的解决方案,但该解决方案对我不起作用 <!-- As the default value of roleVoter is "ROLE_", overriding the value to empty string --> <

重置用户密码后,应将用户重定向到安全问题页面(/PP/enduser/securityQuestions.do?clear=true),而用户将获得AccessDeniedException,因为会话无效,并且用户将获得匿名用户身份验证。我尝试了其他类似问题的解决方案,但该解决方案对我不起作用

<!-- As the default value of roleVoter is "ROLE_", overriding the value to empty string -->
<beans:bean id="roleVoter" class="o.s.s.access.vote.RoleVoter">
    <beans:property name="rolePrefix" value="" />
</beans:bean>   

<beans:bean id="loginUrlAuthenticationEntryPoint" 
    class="o.s.s.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:constructor-arg type="java.lang.String" value="/index.do"></beans:constructor-arg>       
</beans:bean>

<beans:bean id="http403ForbiddenEntryPoint" 
    class="o.s.s.web.authentication.Http403ForbiddenEntryPoint">        
</beans:bean>

<beans:bean id="saltSource" class="o.s.s.authentication.dao.SystemWideSaltSource">
    <beans:property name="systemWideSalt" value="dcRules!"/>
</beans:bean>

<beans:bean id="passwordEncoder" class="o.s.s.authentication.encoding.ShaPasswordEncoder"/>

<beans:bean id="daoAuthenticationProvider"
    class="o.s.s.authentication.dao.DaoAuthenticationProvider">     
    <beans:property name="saltSource" ref="saltSource"/>
    <beans:property name="passwordEncoder" ref="passwordEncoder"/>
    <beans:property name="userDetailsService" ref="userDetailsService"/>
    <beans:property name="preAuthenticationChecks" ref="DCPreAuthenticationChecks" />
    <beans:property name="postAuthenticationChecks" ref="DCPostAuthenticationChecks" />
</beans:bean>   

<beans:bean id="userInfo" class="com.dc.core.security.model.impl.User" scope="session">
    <aop:scoped-proxy/>
</beans:bean>

<beans:bean id="userDetailsService" class="com.dc.core.security.authentication.impl.DCUserDetailsService">
</beans:bean>

<beans:bean id="securityLoggerListener" class="o.s.s.access.event.LoggerListener"></beans:bean>

<!-- JMX Mbeans:beans configuration -->

<beans:bean id="registry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
    <beans:property name="port" value="${security.jmx.remote.port}" />
</beans:bean>

<beans:bean id="exporter" class="org.springframework.jmx.export.MBeanExporter">
    <beans:property name="assembler" ref="assembler" />
    <beans:property name="namingStrategy" ref="namingStrategy" />
    <beans:property name="autodetect" value="true" />
</beans:bean>

<beans:bean id="jmxAttributeSource"
    class="org.springframework.jmx.export.annotation.AnnotationJmxAttributeSource" />

<beans:bean id="assembler"
    class="org.springframework.jmx.export.assembler.MetadataMBeanInfoAssembler">
    <beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>

<beans:bean id="namingStrategy"
    class="org.springframework.jmx.export.naming.MetadataNamingStrategy">
    <beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>

<beans:bean id="serverConnector"
    class="org.springframework.jmx.support.ConnectorServerFactoryBean">
    <beans:property name="objectName" value="connector:name=rmi" />
    <beans:property name="serviceUrl"
        value="${security.jmx.remote.url}"  /> 
</beans:bean>

<beans:bean id="clientConnector"
    class="org.springframework.jmx.support.MBeanServerConnectionFactoryBean">
     <beans:property name="serviceUrl"
        value="${security.jmx.remote.url}" /> 
</beans:bean>
AM使用jdk7、spring-security-web-3.1.4.RELEASE、spring-security-core-3.1.4.RELEASE和tomcat7 下面是我的身份验证成功处理程序

@Component
@Primary
public class CPAuthenticationSuccessHandler extends DCAuthenticationSuccessHandler {
@Autowired
private CollaborationSecurityService      collabSecurityService;

@Autowired
private AuthenticationFilterConfiguration authenticationConfiguration;

@Autowired
private FailedLoginsLock                  failedLoginsLock;

private static final String               SECURITY_QUESTIONS_URL = "/enduser/securityQuestions.do?clear=true";

private static final Logger               LOGGER                 = Logger.getInstance("dc.auth");

@Override
public void onApplicationEvent(ApplicationEvent event) {
    if (event instanceof AuthenticationSuccessEvent)
        try {
            AuthenticationSuccessEvent authenticationSuccessEvent = (AuthenticationSuccessEvent) event;
            SecurityContext ctx = SecurityContextHolder.createEmptyContext();
            SecurityContextHolder.setContext(ctx);
            ctx.setAuthentication(authenticationSuccessEvent.getAuthentication());
         } finally {
            SecurityContextHolder.clearContext();
        }
    super.onApplicationEvent(event);
}

@Override
public void onAuthenticationSuccess(final HttpServletRequest request, HttpServletResponse response,
        Authentication authentication) throws IOException, ServletException {
    new DefaultRedirectStrategy().sendRedirect(request, response,
            this.onCPAuthenticationSuccessUrl(request, response, authentication));
}

public String onCPAuthenticationSuccessUrl(final HttpServletRequest request, HttpServletResponse response,
        Authentication authentication) throws IOException, ServletException {
    LOGGER.log(Level.INFO, "Successful Authentication Principal--> " + authentication.getPrincipal());
    boolean isNewSession = false;
    Session session = null;

    try {
        if (!sessionHandler.sessionAlreadyBound(sessionFactory)) {
            session = sessionHandler.initiateSession(sessionFactory);
            sessionHandler.beginTransaction(session);
            isNewSession = true;
        }

        if (!SecurityHelper.isCurrentUserAnonymous()
                && collabSecurityService.needSecurityQuestionSetup(authentication.getName()))
            return SECURITY_QUESTIONS_URL;
        else

        return super.onAuthenticationSuccessUrl(request, response, authentication);

    } finally {
        if (isNewSession) {
            sessionHandler.endTransaction(false, sessionFactory);
        }
    }
}

public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
    super.setApplicationContext(applicationContext);
}

<!-- As the default value of roleVoter is "ROLE_", overriding the value to empty string -->
<beans:bean id="roleVoter" class="o.s.s.access.vote.RoleVoter">
    <beans:property name="rolePrefix" value="" />
</beans:bean>   

<beans:bean id="loginUrlAuthenticationEntryPoint" 
    class="o.s.s.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:constructor-arg type="java.lang.String" value="/index.do"></beans:constructor-arg>       
</beans:bean>

<beans:bean id="http403ForbiddenEntryPoint" 
    class="o.s.s.web.authentication.Http403ForbiddenEntryPoint">        
</beans:bean>

<beans:bean id="saltSource" class="o.s.s.authentication.dao.SystemWideSaltSource">
    <beans:property name="systemWideSalt" value="dcRules!"/>
</beans:bean>

<beans:bean id="passwordEncoder" class="o.s.s.authentication.encoding.ShaPasswordEncoder"/>

<beans:bean id="daoAuthenticationProvider"
    class="o.s.s.authentication.dao.DaoAuthenticationProvider">     
    <beans:property name="saltSource" ref="saltSource"/>
    <beans:property name="passwordEncoder" ref="passwordEncoder"/>
    <beans:property name="userDetailsService" ref="userDetailsService"/>
    <beans:property name="preAuthenticationChecks" ref="DCPreAuthenticationChecks" />
    <beans:property name="postAuthenticationChecks" ref="DCPostAuthenticationChecks" />
</beans:bean>   

<beans:bean id="userInfo" class="com.dc.core.security.model.impl.User" scope="session">
    <aop:scoped-proxy/>
</beans:bean>

<beans:bean id="userDetailsService" class="com.dc.core.security.authentication.impl.DCUserDetailsService">
</beans:bean>

<beans:bean id="securityLoggerListener" class="o.s.s.access.event.LoggerListener"></beans:bean>

<!-- JMX Mbeans:beans configuration -->

<beans:bean id="registry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
    <beans:property name="port" value="${security.jmx.remote.port}" />
</beans:bean>

<beans:bean id="exporter" class="org.springframework.jmx.export.MBeanExporter">
    <beans:property name="assembler" ref="assembler" />
    <beans:property name="namingStrategy" ref="namingStrategy" />
    <beans:property name="autodetect" value="true" />
</beans:bean>

<beans:bean id="jmxAttributeSource"
    class="org.springframework.jmx.export.annotation.AnnotationJmxAttributeSource" />

<beans:bean id="assembler"
    class="org.springframework.jmx.export.assembler.MetadataMBeanInfoAssembler">
    <beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>

<beans:bean id="namingStrategy"
    class="org.springframework.jmx.export.naming.MetadataNamingStrategy">
    <beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>

<beans:bean id="serverConnector"
    class="org.springframework.jmx.support.ConnectorServerFactoryBean">
    <beans:property name="objectName" value="connector:name=rmi" />
    <beans:property name="serviceUrl"
        value="${security.jmx.remote.url}"  /> 
</beans:bean>

<beans:bean id="clientConnector"
    class="org.springframework.jmx.support.MBeanServerConnectionFactoryBean">
     <beans:property name="serviceUrl"
        value="${security.jmx.remote.url}" /> 
</beans:bean>
}

<!-- As the default value of roleVoter is "ROLE_", overriding the value to empty string -->
<beans:bean id="roleVoter" class="o.s.s.access.vote.RoleVoter">
    <beans:property name="rolePrefix" value="" />
</beans:bean>   

<beans:bean id="loginUrlAuthenticationEntryPoint" 
    class="o.s.s.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:constructor-arg type="java.lang.String" value="/index.do"></beans:constructor-arg>       
</beans:bean>

<beans:bean id="http403ForbiddenEntryPoint" 
    class="o.s.s.web.authentication.Http403ForbiddenEntryPoint">        
</beans:bean>

<beans:bean id="saltSource" class="o.s.s.authentication.dao.SystemWideSaltSource">
    <beans:property name="systemWideSalt" value="dcRules!"/>
</beans:bean>

<beans:bean id="passwordEncoder" class="o.s.s.authentication.encoding.ShaPasswordEncoder"/>

<beans:bean id="daoAuthenticationProvider"
    class="o.s.s.authentication.dao.DaoAuthenticationProvider">     
    <beans:property name="saltSource" ref="saltSource"/>
    <beans:property name="passwordEncoder" ref="passwordEncoder"/>
    <beans:property name="userDetailsService" ref="userDetailsService"/>
    <beans:property name="preAuthenticationChecks" ref="DCPreAuthenticationChecks" />
    <beans:property name="postAuthenticationChecks" ref="DCPostAuthenticationChecks" />
</beans:bean>   

<beans:bean id="userInfo" class="com.dc.core.security.model.impl.User" scope="session">
    <aop:scoped-proxy/>
</beans:bean>

<beans:bean id="userDetailsService" class="com.dc.core.security.authentication.impl.DCUserDetailsService">
</beans:bean>

<beans:bean id="securityLoggerListener" class="o.s.s.access.event.LoggerListener"></beans:bean>

<!-- JMX Mbeans:beans configuration -->

<beans:bean id="registry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
    <beans:property name="port" value="${security.jmx.remote.port}" />
</beans:bean>

<beans:bean id="exporter" class="org.springframework.jmx.export.MBeanExporter">
    <beans:property name="assembler" ref="assembler" />
    <beans:property name="namingStrategy" ref="namingStrategy" />
    <beans:property name="autodetect" value="true" />
</beans:bean>

<beans:bean id="jmxAttributeSource"
    class="org.springframework.jmx.export.annotation.AnnotationJmxAttributeSource" />

<beans:bean id="assembler"
    class="org.springframework.jmx.export.assembler.MetadataMBeanInfoAssembler">
    <beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>

<beans:bean id="namingStrategy"
    class="org.springframework.jmx.export.naming.MetadataNamingStrategy">
    <beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>

<beans:bean id="serverConnector"
    class="org.springframework.jmx.support.ConnectorServerFactoryBean">
    <beans:property name="objectName" value="connector:name=rmi" />
    <beans:property name="serviceUrl"
        value="${security.jmx.remote.url}"  /> 
</beans:bean>

<beans:bean id="clientConnector"
    class="org.springframework.jmx.support.MBeanServerConnectionFactoryBean">
     <beans:property name="serviceUrl"
        value="${security.jmx.remote.url}" /> 
</beans:bean>
security-applicationContext.xml 

<!-- As the default value of roleVoter is "ROLE_", overriding the value to empty string -->
<beans:bean id="roleVoter" class="o.s.s.access.vote.RoleVoter">
    <beans:property name="rolePrefix" value="" />
</beans:bean>   

<beans:bean id="loginUrlAuthenticationEntryPoint" 
    class="o.s.s.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:constructor-arg type="java.lang.String" value="/index.do"></beans:constructor-arg>       
</beans:bean>

<beans:bean id="http403ForbiddenEntryPoint" 
    class="o.s.s.web.authentication.Http403ForbiddenEntryPoint">        
</beans:bean>

<beans:bean id="saltSource" class="o.s.s.authentication.dao.SystemWideSaltSource">
    <beans:property name="systemWideSalt" value="dcRules!"/>
</beans:bean>

<beans:bean id="passwordEncoder" class="o.s.s.authentication.encoding.ShaPasswordEncoder"/>

<beans:bean id="daoAuthenticationProvider"
    class="o.s.s.authentication.dao.DaoAuthenticationProvider">     
    <beans:property name="saltSource" ref="saltSource"/>
    <beans:property name="passwordEncoder" ref="passwordEncoder"/>
    <beans:property name="userDetailsService" ref="userDetailsService"/>
    <beans:property name="preAuthenticationChecks" ref="DCPreAuthenticationChecks" />
    <beans:property name="postAuthenticationChecks" ref="DCPostAuthenticationChecks" />
</beans:bean>   

<beans:bean id="userInfo" class="com.dc.core.security.model.impl.User" scope="session">
    <aop:scoped-proxy/>
</beans:bean>

<beans:bean id="userDetailsService" class="com.dc.core.security.authentication.impl.DCUserDetailsService">
</beans:bean>

<beans:bean id="securityLoggerListener" class="o.s.s.access.event.LoggerListener"></beans:bean>

<!-- JMX Mbeans:beans configuration -->

<beans:bean id="registry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
    <beans:property name="port" value="${security.jmx.remote.port}" />
</beans:bean>

<beans:bean id="exporter" class="org.springframework.jmx.export.MBeanExporter">
    <beans:property name="assembler" ref="assembler" />
    <beans:property name="namingStrategy" ref="namingStrategy" />
    <beans:property name="autodetect" value="true" />
</beans:bean>

<beans:bean id="jmxAttributeSource"
    class="org.springframework.jmx.export.annotation.AnnotationJmxAttributeSource" />

<beans:bean id="assembler"
    class="org.springframework.jmx.export.assembler.MetadataMBeanInfoAssembler">
    <beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>

<beans:bean id="namingStrategy"
    class="org.springframework.jmx.export.naming.MetadataNamingStrategy">
    <beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>

<beans:bean id="serverConnector"
    class="org.springframework.jmx.support.ConnectorServerFactoryBean">
    <beans:property name="objectName" value="connector:name=rmi" />
    <beans:property name="serviceUrl"
        value="${security.jmx.remote.url}"  /> 
</beans:bean>

<beans:bean id="clientConnector"
    class="org.springframework.jmx.support.MBeanServerConnectionFactoryBean">
     <beans:property name="serviceUrl"
        value="${security.jmx.remote.url}" /> 
</beans:bean>
持续尝试几分钟后,用户被重定向到securityQuestion页面,下面是成功从index.do重定向到securityquestions.do的日志

<!-- As the default value of roleVoter is "ROLE_", overriding the value to empty string -->
<beans:bean id="roleVoter" class="o.s.s.access.vote.RoleVoter">
    <beans:property name="rolePrefix" value="" />
</beans:bean>   

<beans:bean id="loginUrlAuthenticationEntryPoint" 
    class="o.s.s.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:constructor-arg type="java.lang.String" value="/index.do"></beans:constructor-arg>       
</beans:bean>

<beans:bean id="http403ForbiddenEntryPoint" 
    class="o.s.s.web.authentication.Http403ForbiddenEntryPoint">        
</beans:bean>

<beans:bean id="saltSource" class="o.s.s.authentication.dao.SystemWideSaltSource">
    <beans:property name="systemWideSalt" value="dcRules!"/>
</beans:bean>

<beans:bean id="passwordEncoder" class="o.s.s.authentication.encoding.ShaPasswordEncoder"/>

<beans:bean id="daoAuthenticationProvider"
    class="o.s.s.authentication.dao.DaoAuthenticationProvider">     
    <beans:property name="saltSource" ref="saltSource"/>
    <beans:property name="passwordEncoder" ref="passwordEncoder"/>
    <beans:property name="userDetailsService" ref="userDetailsService"/>
    <beans:property name="preAuthenticationChecks" ref="DCPreAuthenticationChecks" />
    <beans:property name="postAuthenticationChecks" ref="DCPostAuthenticationChecks" />
</beans:bean>   

<beans:bean id="userInfo" class="com.dc.core.security.model.impl.User" scope="session">
    <aop:scoped-proxy/>
</beans:bean>

<beans:bean id="userDetailsService" class="com.dc.core.security.authentication.impl.DCUserDetailsService">
</beans:bean>

<beans:bean id="securityLoggerListener" class="o.s.s.access.event.LoggerListener"></beans:bean>

<!-- JMX Mbeans:beans configuration -->

<beans:bean id="registry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
    <beans:property name="port" value="${security.jmx.remote.port}" />
</beans:bean>

<beans:bean id="exporter" class="org.springframework.jmx.export.MBeanExporter">
    <beans:property name="assembler" ref="assembler" />
    <beans:property name="namingStrategy" ref="namingStrategy" />
    <beans:property name="autodetect" value="true" />
</beans:bean>

<beans:bean id="jmxAttributeSource"
    class="org.springframework.jmx.export.annotation.AnnotationJmxAttributeSource" />

<beans:bean id="assembler"
    class="org.springframework.jmx.export.assembler.MetadataMBeanInfoAssembler">
    <beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>

<beans:bean id="namingStrategy"
    class="org.springframework.jmx.export.naming.MetadataNamingStrategy">
    <beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>

<beans:bean id="serverConnector"
    class="org.springframework.jmx.support.ConnectorServerFactoryBean">
    <beans:property name="objectName" value="connector:name=rmi" />
    <beans:property name="serviceUrl"
        value="${security.jmx.remote.url}"  /> 
</beans:bean>

<beans:bean id="clientConnector"
    class="org.springframework.jmx.support.MBeanServerConnectionFactoryBean">
     <beans:property name="serviceUrl"
        value="${security.jmx.remote.url}" /> 
</beans:bean>

2014-09-09 22:29:32,006 DEBUG | o.s.s.w.FilterChainProxy |  | cPZ5kp4XKw3e | /j_spring_security_check at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2014-09-09 22:29:32,007 DEBUG | o.s.s.w.authentication.UsernamePasswordAuthenticationFilter |  | cPZ5kp4XKw3e | Request is to process authentication
2014-09-09 22:29:32,007 DEBUG | o.s.s.authentication.ProviderManager |  | cPZ5kp4XKw3e | Authentication attempt using com.dc.apps.collaborationportal.security.service.CPDaoAuthenticationProvider
2014-09-09 22:29:32,078 DEBUG | o.s.s.w.authentication.UsernamePasswordAuthenticationFilter |  | cPZ5kp4XKw3e | Authentication success. Updating SecurityContextHolder to contain: o.s.s.authentication.UsernamePasswordAuthenticationToken@79692524: Principal: o.s.s.core.userdetails.User@49520377: Username: test1@dc.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.w.authentication.WebAuthenticationDetails@12afc:  SessionId: 8822A6A448B6B75C997DF69C9B474DE6; Not granted any authorities
2014-09-09 22:29:32,296 DEBUG | o.s.s.w.DefaultRedirectStrategy | test1@dc.com | cPZ5kp4XKw3e | Redirecting to '/PP/enduser/securityQuestions.do?clear=true'
2014-09-09 22:29:32,297 DEBUG | o.s.s.w.context.HttpSessionSecurityContextRepository | test1@dc.com | cPZ5kp4XKw3e | SecurityContext stored to HttpSession: 'o.s.s.core.context.SecurityContextImpl@79692524: Authentication: o.s.s.authentication.UsernamePasswordAuthenticationToken@79692524: Principal: o.s.s.core.userdetails.User@49520377: Username: test1@dc.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.w.authentication.WebAuthenticationDetails@12afc:  SessionId: 8822A6A448B6B75C997DF69C9B474DE6; Not granted any authorities'
2014-09-09 22:29:32,298 DEBUG | o.s.s.w.context.SecurityContextPersistenceFilter |  | cPZ5kp4XKw3e | SecurityContextHolder now cleared, as request processing completed
2014-09-09 22:29:33,309 DEBUG | o.s.s.w.FilterChainProxy |  | 91U89hqS96LB | /enduser/securityQuestions.do?clear=true at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-09-09 22:29:33,309 DEBUG | o.s.s.w.context.HttpSessionSecurityContextRepository |  | 91U89hqS96LB | Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'o.s.s.core.context.SecurityContextImpl@79692524: Authentication: o.s.s.authentication.UsernamePasswordAuthenticationToken@79692524: Principal: o.s.s.core.userdetails.User@49520377: Username: test1@dc.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.w.authentication.WebAuthenticationDetails@12afc:  SessionId: 8822A6A448B6B75C997DF69C9B474DE6; Not granted any authorities'
2014-09-09 22:29:33,310 DEBUG | o.s.s.w.FilterChainProxy | test1@dc.com | 91U89hqS96LB | /enduser/securityQuestions.do?clear=true at position 2 of 12 in additional filter chain; firing Filter: 'WelcomePageRedirectFilter'
创建了一个新过滤器,如下所示,该过滤器覆盖默认的Tomcat JSESSIONID行为

<!-- As the default value of roleVoter is "ROLE_", overriding the value to empty string -->
<beans:bean id="roleVoter" class="o.s.s.access.vote.RoleVoter">
    <beans:property name="rolePrefix" value="" />
</beans:bean>   

<beans:bean id="loginUrlAuthenticationEntryPoint" 
    class="o.s.s.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:constructor-arg type="java.lang.String" value="/index.do"></beans:constructor-arg>       
</beans:bean>

<beans:bean id="http403ForbiddenEntryPoint" 
    class="o.s.s.web.authentication.Http403ForbiddenEntryPoint">        
</beans:bean>

<beans:bean id="saltSource" class="o.s.s.authentication.dao.SystemWideSaltSource">
    <beans:property name="systemWideSalt" value="dcRules!"/>
</beans:bean>

<beans:bean id="passwordEncoder" class="o.s.s.authentication.encoding.ShaPasswordEncoder"/>

<beans:bean id="daoAuthenticationProvider"
    class="o.s.s.authentication.dao.DaoAuthenticationProvider">     
    <beans:property name="saltSource" ref="saltSource"/>
    <beans:property name="passwordEncoder" ref="passwordEncoder"/>
    <beans:property name="userDetailsService" ref="userDetailsService"/>
    <beans:property name="preAuthenticationChecks" ref="DCPreAuthenticationChecks" />
    <beans:property name="postAuthenticationChecks" ref="DCPostAuthenticationChecks" />
</beans:bean>   

<beans:bean id="userInfo" class="com.dc.core.security.model.impl.User" scope="session">
    <aop:scoped-proxy/>
</beans:bean>

<beans:bean id="userDetailsService" class="com.dc.core.security.authentication.impl.DCUserDetailsService">
</beans:bean>

<beans:bean id="securityLoggerListener" class="o.s.s.access.event.LoggerListener"></beans:bean>

<!-- JMX Mbeans:beans configuration -->

<beans:bean id="registry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
    <beans:property name="port" value="${security.jmx.remote.port}" />
</beans:bean>

<beans:bean id="exporter" class="org.springframework.jmx.export.MBeanExporter">
    <beans:property name="assembler" ref="assembler" />
    <beans:property name="namingStrategy" ref="namingStrategy" />
    <beans:property name="autodetect" value="true" />
</beans:bean>

<beans:bean id="jmxAttributeSource"
    class="org.springframework.jmx.export.annotation.AnnotationJmxAttributeSource" />

<beans:bean id="assembler"
    class="org.springframework.jmx.export.assembler.MetadataMBeanInfoAssembler">
    <beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>

<beans:bean id="namingStrategy"
    class="org.springframework.jmx.export.naming.MetadataNamingStrategy">
    <beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>

<beans:bean id="serverConnector"
    class="org.springframework.jmx.support.ConnectorServerFactoryBean">
    <beans:property name="objectName" value="connector:name=rmi" />
    <beans:property name="serviceUrl"
        value="${security.jmx.remote.url}"  /> 
</beans:bean>

<beans:bean id="clientConnector"
    class="org.springframework.jmx.support.MBeanServerConnectionFactoryBean">
     <beans:property name="serviceUrl"
        value="${security.jmx.remote.url}" /> 
</beans:bean>

public class HttpsCookieFilter implements Filter {
private static final Logger LOGGER = Logger.getInstance(HttpsCookieFilter.class);

@Override
public void destroy() {
}

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws  IOException,
         ServletException {

    final HttpServletRequest httpRequest = (HttpServletRequest) request;
    final HttpServletResponse httpResponse = (HttpServletResponse) response;
    final HttpSession session = httpRequest.getSession(false);

    if (session != null) {
        final Cookie sessionCookie = new Cookie("JSESSIONID", session.getId());
        sessionCookie.setMaxAge(readCookieTimeoutfromProperties());
        sessionCookie.setSecure(false);
        sessionCookie.setPath(httpRequest.getContextPath());
        httpResponse.addCookie(sessionCookie);
        LOGGER.log(Level.DEBUG, "Session not null and setting SessionCookie --> " + sessionCookie.getValue()
                + "; SessionCookie Age --> " + sessionCookie.getMaxAge());
    }

    chain.doFilter(request, response);
}

@Override
public void init(FilterConfig arg0) throws ServletException {
}

private int readCookieTimeoutfromProperties() {
    ResourceBundleMessageSource bean = new ResourceBundleMessageSource();
    bean.setBasename("application-messages");
    String tmeout = bean.getMessage("security.cookie.timeout", null, Locale.getDefault());
    return Integer.parseInt(tmeout);
}

}
并在web.xml中的springSecurityFilterChain之前调用此筛选器
我认为
super.onApplicationEvent(事件)
应该在
ctx.setAuthentication(authenticationSuccessEvent.getAuthentication())之后的try块中这就是super方法在ApplicationEvent(ApplicationEvent事件)上@Override public void{if(GroovyBeanAddedEvent的事件实例){GroovyBeanAddedEvent=(GroovyBeanAddedEvent)事件;addedBeans.add(groovyEvent.getBeanName();}}我不认为super.onApplicationEvent是(事件);是一个问题可能您可以解释问题是什么以及为什么会修复它?同时将cookie设置为非安全是一个坏主意,因为如果您正在进行身份验证,它应该通过HTTPS使用。它还应该避免脚本访问。