Spring HttpSession现在为null,但在请求开始时不是null;会话已无效,因此不要创建新会话
重置用户密码后,应将用户重定向到安全问题页面(/PP/enduser/securityQuestions.do?clear=true),而用户将获得AccessDeniedException,因为会话无效,并且用户将获得匿名用户身份验证。我尝试了其他类似问题的解决方案,但该解决方案对我不起作用Spring HttpSession现在为null,但在请求开始时不是null;会话已无效,因此不要创建新会话,spring,spring-mvc,spring-security,Spring,Spring Mvc,Spring Security,重置用户密码后,应将用户重定向到安全问题页面(/PP/enduser/securityQuestions.do?clear=true),而用户将获得AccessDeniedException,因为会话无效,并且用户将获得匿名用户身份验证。我尝试了其他类似问题的解决方案,但该解决方案对我不起作用 <!-- As the default value of roleVoter is "ROLE_", overriding the value to empty string --> <
<!-- As the default value of roleVoter is "ROLE_", overriding the value to empty string -->
<beans:bean id="roleVoter" class="o.s.s.access.vote.RoleVoter">
<beans:property name="rolePrefix" value="" />
</beans:bean>
<beans:bean id="loginUrlAuthenticationEntryPoint"
class="o.s.s.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:constructor-arg type="java.lang.String" value="/index.do"></beans:constructor-arg>
</beans:bean>
<beans:bean id="http403ForbiddenEntryPoint"
class="o.s.s.web.authentication.Http403ForbiddenEntryPoint">
</beans:bean>
<beans:bean id="saltSource" class="o.s.s.authentication.dao.SystemWideSaltSource">
<beans:property name="systemWideSalt" value="dcRules!"/>
</beans:bean>
<beans:bean id="passwordEncoder" class="o.s.s.authentication.encoding.ShaPasswordEncoder"/>
<beans:bean id="daoAuthenticationProvider"
class="o.s.s.authentication.dao.DaoAuthenticationProvider">
<beans:property name="saltSource" ref="saltSource"/>
<beans:property name="passwordEncoder" ref="passwordEncoder"/>
<beans:property name="userDetailsService" ref="userDetailsService"/>
<beans:property name="preAuthenticationChecks" ref="DCPreAuthenticationChecks" />
<beans:property name="postAuthenticationChecks" ref="DCPostAuthenticationChecks" />
</beans:bean>
<beans:bean id="userInfo" class="com.dc.core.security.model.impl.User" scope="session">
<aop:scoped-proxy/>
</beans:bean>
<beans:bean id="userDetailsService" class="com.dc.core.security.authentication.impl.DCUserDetailsService">
</beans:bean>
<beans:bean id="securityLoggerListener" class="o.s.s.access.event.LoggerListener"></beans:bean>
<!-- JMX Mbeans:beans configuration -->
<beans:bean id="registry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
<beans:property name="port" value="${security.jmx.remote.port}" />
</beans:bean>
<beans:bean id="exporter" class="org.springframework.jmx.export.MBeanExporter">
<beans:property name="assembler" ref="assembler" />
<beans:property name="namingStrategy" ref="namingStrategy" />
<beans:property name="autodetect" value="true" />
</beans:bean>
<beans:bean id="jmxAttributeSource"
class="org.springframework.jmx.export.annotation.AnnotationJmxAttributeSource" />
<beans:bean id="assembler"
class="org.springframework.jmx.export.assembler.MetadataMBeanInfoAssembler">
<beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>
<beans:bean id="namingStrategy"
class="org.springframework.jmx.export.naming.MetadataNamingStrategy">
<beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>
<beans:bean id="serverConnector"
class="org.springframework.jmx.support.ConnectorServerFactoryBean">
<beans:property name="objectName" value="connector:name=rmi" />
<beans:property name="serviceUrl"
value="${security.jmx.remote.url}" />
</beans:bean>
<beans:bean id="clientConnector"
class="org.springframework.jmx.support.MBeanServerConnectionFactoryBean">
<beans:property name="serviceUrl"
value="${security.jmx.remote.url}" />
</beans:bean>
AM使用jdk7、spring-security-web-3.1.4.RELEASE、spring-security-core-3.1.4.RELEASE和tomcat7
下面是我的身份验证成功处理程序
@Component
@Primary
public class CPAuthenticationSuccessHandler extends DCAuthenticationSuccessHandler {
@Autowired
private CollaborationSecurityService collabSecurityService;
@Autowired
private AuthenticationFilterConfiguration authenticationConfiguration;
@Autowired
private FailedLoginsLock failedLoginsLock;
private static final String SECURITY_QUESTIONS_URL = "/enduser/securityQuestions.do?clear=true";
private static final Logger LOGGER = Logger.getInstance("dc.auth");
@Override
public void onApplicationEvent(ApplicationEvent event) {
if (event instanceof AuthenticationSuccessEvent)
try {
AuthenticationSuccessEvent authenticationSuccessEvent = (AuthenticationSuccessEvent) event;
SecurityContext ctx = SecurityContextHolder.createEmptyContext();
SecurityContextHolder.setContext(ctx);
ctx.setAuthentication(authenticationSuccessEvent.getAuthentication());
} finally {
SecurityContextHolder.clearContext();
}
super.onApplicationEvent(event);
}
@Override
public void onAuthenticationSuccess(final HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
new DefaultRedirectStrategy().sendRedirect(request, response,
this.onCPAuthenticationSuccessUrl(request, response, authentication));
}
public String onCPAuthenticationSuccessUrl(final HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
LOGGER.log(Level.INFO, "Successful Authentication Principal--> " + authentication.getPrincipal());
boolean isNewSession = false;
Session session = null;
try {
if (!sessionHandler.sessionAlreadyBound(sessionFactory)) {
session = sessionHandler.initiateSession(sessionFactory);
sessionHandler.beginTransaction(session);
isNewSession = true;
}
if (!SecurityHelper.isCurrentUserAnonymous()
&& collabSecurityService.needSecurityQuestionSetup(authentication.getName()))
return SECURITY_QUESTIONS_URL;
else
return super.onAuthenticationSuccessUrl(request, response, authentication);
} finally {
if (isNewSession) {
sessionHandler.endTransaction(false, sessionFactory);
}
}
}
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
super.setApplicationContext(applicationContext);
}
<!-- As the default value of roleVoter is "ROLE_", overriding the value to empty string -->
<beans:bean id="roleVoter" class="o.s.s.access.vote.RoleVoter">
<beans:property name="rolePrefix" value="" />
</beans:bean>
<beans:bean id="loginUrlAuthenticationEntryPoint"
class="o.s.s.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:constructor-arg type="java.lang.String" value="/index.do"></beans:constructor-arg>
</beans:bean>
<beans:bean id="http403ForbiddenEntryPoint"
class="o.s.s.web.authentication.Http403ForbiddenEntryPoint">
</beans:bean>
<beans:bean id="saltSource" class="o.s.s.authentication.dao.SystemWideSaltSource">
<beans:property name="systemWideSalt" value="dcRules!"/>
</beans:bean>
<beans:bean id="passwordEncoder" class="o.s.s.authentication.encoding.ShaPasswordEncoder"/>
<beans:bean id="daoAuthenticationProvider"
class="o.s.s.authentication.dao.DaoAuthenticationProvider">
<beans:property name="saltSource" ref="saltSource"/>
<beans:property name="passwordEncoder" ref="passwordEncoder"/>
<beans:property name="userDetailsService" ref="userDetailsService"/>
<beans:property name="preAuthenticationChecks" ref="DCPreAuthenticationChecks" />
<beans:property name="postAuthenticationChecks" ref="DCPostAuthenticationChecks" />
</beans:bean>
<beans:bean id="userInfo" class="com.dc.core.security.model.impl.User" scope="session">
<aop:scoped-proxy/>
</beans:bean>
<beans:bean id="userDetailsService" class="com.dc.core.security.authentication.impl.DCUserDetailsService">
</beans:bean>
<beans:bean id="securityLoggerListener" class="o.s.s.access.event.LoggerListener"></beans:bean>
<!-- JMX Mbeans:beans configuration -->
<beans:bean id="registry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
<beans:property name="port" value="${security.jmx.remote.port}" />
</beans:bean>
<beans:bean id="exporter" class="org.springframework.jmx.export.MBeanExporter">
<beans:property name="assembler" ref="assembler" />
<beans:property name="namingStrategy" ref="namingStrategy" />
<beans:property name="autodetect" value="true" />
</beans:bean>
<beans:bean id="jmxAttributeSource"
class="org.springframework.jmx.export.annotation.AnnotationJmxAttributeSource" />
<beans:bean id="assembler"
class="org.springframework.jmx.export.assembler.MetadataMBeanInfoAssembler">
<beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>
<beans:bean id="namingStrategy"
class="org.springframework.jmx.export.naming.MetadataNamingStrategy">
<beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>
<beans:bean id="serverConnector"
class="org.springframework.jmx.support.ConnectorServerFactoryBean">
<beans:property name="objectName" value="connector:name=rmi" />
<beans:property name="serviceUrl"
value="${security.jmx.remote.url}" />
</beans:bean>
<beans:bean id="clientConnector"
class="org.springframework.jmx.support.MBeanServerConnectionFactoryBean">
<beans:property name="serviceUrl"
value="${security.jmx.remote.url}" />
</beans:bean>
}
<!-- As the default value of roleVoter is "ROLE_", overriding the value to empty string -->
<beans:bean id="roleVoter" class="o.s.s.access.vote.RoleVoter">
<beans:property name="rolePrefix" value="" />
</beans:bean>
<beans:bean id="loginUrlAuthenticationEntryPoint"
class="o.s.s.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:constructor-arg type="java.lang.String" value="/index.do"></beans:constructor-arg>
</beans:bean>
<beans:bean id="http403ForbiddenEntryPoint"
class="o.s.s.web.authentication.Http403ForbiddenEntryPoint">
</beans:bean>
<beans:bean id="saltSource" class="o.s.s.authentication.dao.SystemWideSaltSource">
<beans:property name="systemWideSalt" value="dcRules!"/>
</beans:bean>
<beans:bean id="passwordEncoder" class="o.s.s.authentication.encoding.ShaPasswordEncoder"/>
<beans:bean id="daoAuthenticationProvider"
class="o.s.s.authentication.dao.DaoAuthenticationProvider">
<beans:property name="saltSource" ref="saltSource"/>
<beans:property name="passwordEncoder" ref="passwordEncoder"/>
<beans:property name="userDetailsService" ref="userDetailsService"/>
<beans:property name="preAuthenticationChecks" ref="DCPreAuthenticationChecks" />
<beans:property name="postAuthenticationChecks" ref="DCPostAuthenticationChecks" />
</beans:bean>
<beans:bean id="userInfo" class="com.dc.core.security.model.impl.User" scope="session">
<aop:scoped-proxy/>
</beans:bean>
<beans:bean id="userDetailsService" class="com.dc.core.security.authentication.impl.DCUserDetailsService">
</beans:bean>
<beans:bean id="securityLoggerListener" class="o.s.s.access.event.LoggerListener"></beans:bean>
<!-- JMX Mbeans:beans configuration -->
<beans:bean id="registry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
<beans:property name="port" value="${security.jmx.remote.port}" />
</beans:bean>
<beans:bean id="exporter" class="org.springframework.jmx.export.MBeanExporter">
<beans:property name="assembler" ref="assembler" />
<beans:property name="namingStrategy" ref="namingStrategy" />
<beans:property name="autodetect" value="true" />
</beans:bean>
<beans:bean id="jmxAttributeSource"
class="org.springframework.jmx.export.annotation.AnnotationJmxAttributeSource" />
<beans:bean id="assembler"
class="org.springframework.jmx.export.assembler.MetadataMBeanInfoAssembler">
<beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>
<beans:bean id="namingStrategy"
class="org.springframework.jmx.export.naming.MetadataNamingStrategy">
<beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>
<beans:bean id="serverConnector"
class="org.springframework.jmx.support.ConnectorServerFactoryBean">
<beans:property name="objectName" value="connector:name=rmi" />
<beans:property name="serviceUrl"
value="${security.jmx.remote.url}" />
</beans:bean>
<beans:bean id="clientConnector"
class="org.springframework.jmx.support.MBeanServerConnectionFactoryBean">
<beans:property name="serviceUrl"
value="${security.jmx.remote.url}" />
</beans:bean>
security-applicationContext.xml
<!-- As the default value of roleVoter is "ROLE_", overriding the value to empty string -->
<beans:bean id="roleVoter" class="o.s.s.access.vote.RoleVoter">
<beans:property name="rolePrefix" value="" />
</beans:bean>
<beans:bean id="loginUrlAuthenticationEntryPoint"
class="o.s.s.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:constructor-arg type="java.lang.String" value="/index.do"></beans:constructor-arg>
</beans:bean>
<beans:bean id="http403ForbiddenEntryPoint"
class="o.s.s.web.authentication.Http403ForbiddenEntryPoint">
</beans:bean>
<beans:bean id="saltSource" class="o.s.s.authentication.dao.SystemWideSaltSource">
<beans:property name="systemWideSalt" value="dcRules!"/>
</beans:bean>
<beans:bean id="passwordEncoder" class="o.s.s.authentication.encoding.ShaPasswordEncoder"/>
<beans:bean id="daoAuthenticationProvider"
class="o.s.s.authentication.dao.DaoAuthenticationProvider">
<beans:property name="saltSource" ref="saltSource"/>
<beans:property name="passwordEncoder" ref="passwordEncoder"/>
<beans:property name="userDetailsService" ref="userDetailsService"/>
<beans:property name="preAuthenticationChecks" ref="DCPreAuthenticationChecks" />
<beans:property name="postAuthenticationChecks" ref="DCPostAuthenticationChecks" />
</beans:bean>
<beans:bean id="userInfo" class="com.dc.core.security.model.impl.User" scope="session">
<aop:scoped-proxy/>
</beans:bean>
<beans:bean id="userDetailsService" class="com.dc.core.security.authentication.impl.DCUserDetailsService">
</beans:bean>
<beans:bean id="securityLoggerListener" class="o.s.s.access.event.LoggerListener"></beans:bean>
<!-- JMX Mbeans:beans configuration -->
<beans:bean id="registry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
<beans:property name="port" value="${security.jmx.remote.port}" />
</beans:bean>
<beans:bean id="exporter" class="org.springframework.jmx.export.MBeanExporter">
<beans:property name="assembler" ref="assembler" />
<beans:property name="namingStrategy" ref="namingStrategy" />
<beans:property name="autodetect" value="true" />
</beans:bean>
<beans:bean id="jmxAttributeSource"
class="org.springframework.jmx.export.annotation.AnnotationJmxAttributeSource" />
<beans:bean id="assembler"
class="org.springframework.jmx.export.assembler.MetadataMBeanInfoAssembler">
<beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>
<beans:bean id="namingStrategy"
class="org.springframework.jmx.export.naming.MetadataNamingStrategy">
<beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>
<beans:bean id="serverConnector"
class="org.springframework.jmx.support.ConnectorServerFactoryBean">
<beans:property name="objectName" value="connector:name=rmi" />
<beans:property name="serviceUrl"
value="${security.jmx.remote.url}" />
</beans:bean>
<beans:bean id="clientConnector"
class="org.springframework.jmx.support.MBeanServerConnectionFactoryBean">
<beans:property name="serviceUrl"
value="${security.jmx.remote.url}" />
</beans:bean>
持续尝试几分钟后,用户被重定向到securityQuestion页面,下面是成功从index.do重定向到securityquestions.do的日志
<!-- As the default value of roleVoter is "ROLE_", overriding the value to empty string -->
<beans:bean id="roleVoter" class="o.s.s.access.vote.RoleVoter">
<beans:property name="rolePrefix" value="" />
</beans:bean>
<beans:bean id="loginUrlAuthenticationEntryPoint"
class="o.s.s.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:constructor-arg type="java.lang.String" value="/index.do"></beans:constructor-arg>
</beans:bean>
<beans:bean id="http403ForbiddenEntryPoint"
class="o.s.s.web.authentication.Http403ForbiddenEntryPoint">
</beans:bean>
<beans:bean id="saltSource" class="o.s.s.authentication.dao.SystemWideSaltSource">
<beans:property name="systemWideSalt" value="dcRules!"/>
</beans:bean>
<beans:bean id="passwordEncoder" class="o.s.s.authentication.encoding.ShaPasswordEncoder"/>
<beans:bean id="daoAuthenticationProvider"
class="o.s.s.authentication.dao.DaoAuthenticationProvider">
<beans:property name="saltSource" ref="saltSource"/>
<beans:property name="passwordEncoder" ref="passwordEncoder"/>
<beans:property name="userDetailsService" ref="userDetailsService"/>
<beans:property name="preAuthenticationChecks" ref="DCPreAuthenticationChecks" />
<beans:property name="postAuthenticationChecks" ref="DCPostAuthenticationChecks" />
</beans:bean>
<beans:bean id="userInfo" class="com.dc.core.security.model.impl.User" scope="session">
<aop:scoped-proxy/>
</beans:bean>
<beans:bean id="userDetailsService" class="com.dc.core.security.authentication.impl.DCUserDetailsService">
</beans:bean>
<beans:bean id="securityLoggerListener" class="o.s.s.access.event.LoggerListener"></beans:bean>
<!-- JMX Mbeans:beans configuration -->
<beans:bean id="registry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
<beans:property name="port" value="${security.jmx.remote.port}" />
</beans:bean>
<beans:bean id="exporter" class="org.springframework.jmx.export.MBeanExporter">
<beans:property name="assembler" ref="assembler" />
<beans:property name="namingStrategy" ref="namingStrategy" />
<beans:property name="autodetect" value="true" />
</beans:bean>
<beans:bean id="jmxAttributeSource"
class="org.springframework.jmx.export.annotation.AnnotationJmxAttributeSource" />
<beans:bean id="assembler"
class="org.springframework.jmx.export.assembler.MetadataMBeanInfoAssembler">
<beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>
<beans:bean id="namingStrategy"
class="org.springframework.jmx.export.naming.MetadataNamingStrategy">
<beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>
<beans:bean id="serverConnector"
class="org.springframework.jmx.support.ConnectorServerFactoryBean">
<beans:property name="objectName" value="connector:name=rmi" />
<beans:property name="serviceUrl"
value="${security.jmx.remote.url}" />
</beans:bean>
<beans:bean id="clientConnector"
class="org.springframework.jmx.support.MBeanServerConnectionFactoryBean">
<beans:property name="serviceUrl"
value="${security.jmx.remote.url}" />
</beans:bean>
2014-09-09 22:29:32,006 DEBUG | o.s.s.w.FilterChainProxy | | cPZ5kp4XKw3e | /j_spring_security_check at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2014-09-09 22:29:32,007 DEBUG | o.s.s.w.authentication.UsernamePasswordAuthenticationFilter | | cPZ5kp4XKw3e | Request is to process authentication
2014-09-09 22:29:32,007 DEBUG | o.s.s.authentication.ProviderManager | | cPZ5kp4XKw3e | Authentication attempt using com.dc.apps.collaborationportal.security.service.CPDaoAuthenticationProvider
2014-09-09 22:29:32,078 DEBUG | o.s.s.w.authentication.UsernamePasswordAuthenticationFilter | | cPZ5kp4XKw3e | Authentication success. Updating SecurityContextHolder to contain: o.s.s.authentication.UsernamePasswordAuthenticationToken@79692524: Principal: o.s.s.core.userdetails.User@49520377: Username: test1@dc.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.w.authentication.WebAuthenticationDetails@12afc: SessionId: 8822A6A448B6B75C997DF69C9B474DE6; Not granted any authorities
2014-09-09 22:29:32,296 DEBUG | o.s.s.w.DefaultRedirectStrategy | test1@dc.com | cPZ5kp4XKw3e | Redirecting to '/PP/enduser/securityQuestions.do?clear=true'
2014-09-09 22:29:32,297 DEBUG | o.s.s.w.context.HttpSessionSecurityContextRepository | test1@dc.com | cPZ5kp4XKw3e | SecurityContext stored to HttpSession: 'o.s.s.core.context.SecurityContextImpl@79692524: Authentication: o.s.s.authentication.UsernamePasswordAuthenticationToken@79692524: Principal: o.s.s.core.userdetails.User@49520377: Username: test1@dc.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.w.authentication.WebAuthenticationDetails@12afc: SessionId: 8822A6A448B6B75C997DF69C9B474DE6; Not granted any authorities'
2014-09-09 22:29:32,298 DEBUG | o.s.s.w.context.SecurityContextPersistenceFilter | | cPZ5kp4XKw3e | SecurityContextHolder now cleared, as request processing completed
2014-09-09 22:29:33,309 DEBUG | o.s.s.w.FilterChainProxy | | 91U89hqS96LB | /enduser/securityQuestions.do?clear=true at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-09-09 22:29:33,309 DEBUG | o.s.s.w.context.HttpSessionSecurityContextRepository | | 91U89hqS96LB | Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'o.s.s.core.context.SecurityContextImpl@79692524: Authentication: o.s.s.authentication.UsernamePasswordAuthenticationToken@79692524: Principal: o.s.s.core.userdetails.User@49520377: Username: test1@dc.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.w.authentication.WebAuthenticationDetails@12afc: SessionId: 8822A6A448B6B75C997DF69C9B474DE6; Not granted any authorities'
2014-09-09 22:29:33,310 DEBUG | o.s.s.w.FilterChainProxy | test1@dc.com | 91U89hqS96LB | /enduser/securityQuestions.do?clear=true at position 2 of 12 in additional filter chain; firing Filter: 'WelcomePageRedirectFilter'
创建了一个新过滤器,如下所示,该过滤器覆盖默认的Tomcat JSESSIONID行为
<!-- As the default value of roleVoter is "ROLE_", overriding the value to empty string -->
<beans:bean id="roleVoter" class="o.s.s.access.vote.RoleVoter">
<beans:property name="rolePrefix" value="" />
</beans:bean>
<beans:bean id="loginUrlAuthenticationEntryPoint"
class="o.s.s.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:constructor-arg type="java.lang.String" value="/index.do"></beans:constructor-arg>
</beans:bean>
<beans:bean id="http403ForbiddenEntryPoint"
class="o.s.s.web.authentication.Http403ForbiddenEntryPoint">
</beans:bean>
<beans:bean id="saltSource" class="o.s.s.authentication.dao.SystemWideSaltSource">
<beans:property name="systemWideSalt" value="dcRules!"/>
</beans:bean>
<beans:bean id="passwordEncoder" class="o.s.s.authentication.encoding.ShaPasswordEncoder"/>
<beans:bean id="daoAuthenticationProvider"
class="o.s.s.authentication.dao.DaoAuthenticationProvider">
<beans:property name="saltSource" ref="saltSource"/>
<beans:property name="passwordEncoder" ref="passwordEncoder"/>
<beans:property name="userDetailsService" ref="userDetailsService"/>
<beans:property name="preAuthenticationChecks" ref="DCPreAuthenticationChecks" />
<beans:property name="postAuthenticationChecks" ref="DCPostAuthenticationChecks" />
</beans:bean>
<beans:bean id="userInfo" class="com.dc.core.security.model.impl.User" scope="session">
<aop:scoped-proxy/>
</beans:bean>
<beans:bean id="userDetailsService" class="com.dc.core.security.authentication.impl.DCUserDetailsService">
</beans:bean>
<beans:bean id="securityLoggerListener" class="o.s.s.access.event.LoggerListener"></beans:bean>
<!-- JMX Mbeans:beans configuration -->
<beans:bean id="registry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
<beans:property name="port" value="${security.jmx.remote.port}" />
</beans:bean>
<beans:bean id="exporter" class="org.springframework.jmx.export.MBeanExporter">
<beans:property name="assembler" ref="assembler" />
<beans:property name="namingStrategy" ref="namingStrategy" />
<beans:property name="autodetect" value="true" />
</beans:bean>
<beans:bean id="jmxAttributeSource"
class="org.springframework.jmx.export.annotation.AnnotationJmxAttributeSource" />
<beans:bean id="assembler"
class="org.springframework.jmx.export.assembler.MetadataMBeanInfoAssembler">
<beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>
<beans:bean id="namingStrategy"
class="org.springframework.jmx.export.naming.MetadataNamingStrategy">
<beans:property name="attributeSource" ref="jmxAttributeSource" />
</beans:bean>
<beans:bean id="serverConnector"
class="org.springframework.jmx.support.ConnectorServerFactoryBean">
<beans:property name="objectName" value="connector:name=rmi" />
<beans:property name="serviceUrl"
value="${security.jmx.remote.url}" />
</beans:bean>
<beans:bean id="clientConnector"
class="org.springframework.jmx.support.MBeanServerConnectionFactoryBean">
<beans:property name="serviceUrl"
value="${security.jmx.remote.url}" />
</beans:bean>
public class HttpsCookieFilter implements Filter {
private static final Logger LOGGER = Logger.getInstance(HttpsCookieFilter.class);
@Override
public void destroy() {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
ServletException {
final HttpServletRequest httpRequest = (HttpServletRequest) request;
final HttpServletResponse httpResponse = (HttpServletResponse) response;
final HttpSession session = httpRequest.getSession(false);
if (session != null) {
final Cookie sessionCookie = new Cookie("JSESSIONID", session.getId());
sessionCookie.setMaxAge(readCookieTimeoutfromProperties());
sessionCookie.setSecure(false);
sessionCookie.setPath(httpRequest.getContextPath());
httpResponse.addCookie(sessionCookie);
LOGGER.log(Level.DEBUG, "Session not null and setting SessionCookie --> " + sessionCookie.getValue()
+ "; SessionCookie Age --> " + sessionCookie.getMaxAge());
}
chain.doFilter(request, response);
}
@Override
public void init(FilterConfig arg0) throws ServletException {
}
private int readCookieTimeoutfromProperties() {
ResourceBundleMessageSource bean = new ResourceBundleMessageSource();
bean.setBasename("application-messages");
String tmeout = bean.getMessage("security.cookie.timeout", null, Locale.getDefault());
return Integer.parseInt(tmeout);
}
}
并在web.xml中的springSecurityFilterChain之前调用此筛选器
我认为
super.onApplicationEvent(事件)
应该在ctx.setAuthentication(authenticationSuccessEvent.getAuthentication())之后的try块中代码>这就是super方法在ApplicationEvent(ApplicationEvent事件)上@Override public void{if(GroovyBeanAddedEvent的事件实例){GroovyBeanAddedEvent=(GroovyBeanAddedEvent)事件;addedBeans.add(groovyEvent.getBeanName();}}我不认为super.onApplicationEvent是(事件);是一个问题可能您可以解释问题是什么以及为什么会修复它?同时将cookie设置为非安全是一个坏主意,因为如果您正在进行身份验证,它应该通过HTTPS使用。它还应该避免脚本访问。