Spring: Failed to create a session, as response has been committed. Unable to store SecurityContext

We have configured the filter chain in the applicationContext.xml file as shown below:

<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
        <sec:filter-chain-map path-type="ant" >
            <sec:filter-chain pattern="/**" filters="requestContextFilter,securityContextFilter,exceptionTranslationFilter,userRoleProcessingFilter" />
        </sec:filter-chain-map>
    </bean>

    <bean id="requestContextFilter" class="org.springframework.web.filter.RequestContextFilter"/>

    <bean id="securityContextFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
         <property name="securityContextRepository">
                <bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"></bean>
         </property>
         <property name="forceEagerSessionCreation" value="false"/>
    </bean>

    <bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter" >
        <property name="authenticationEntryPoint">
            <bean class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
        </property>
    </bean>
     <bean id="userRoleProcessingFilter"
                class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
                <property name="principalRequestHeader" value="CC_USER" />
                <property name="credentialsRequestHeader" value="CC_CRED" />
                <property name="authenticationManager" ref="authenticationManager" />
                <property name="continueFilterChainOnUnsuccessfulAuthentication" value="false" />
                <property name="exceptionIfHeaderMissing" value="false"></property>
                <property name="checkForPrincipalChanges" value="true"></property>
        </bean>
 <bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager" >
        <property name="providers" >
            <list>
                <ref local="authenticationProvider" />
            </list>
        </property>
    </bean>
<bean id="authenticationProvider" class="com.powerup.common.authorization.spring.xxx.AuthenticationProvider" >
        <property name="preAuthenticatedUserDetailsService">
            <bean class="com.powerup.common.authorization.spring.xxx.UserDetailsService">
            </bean>
        </property>
    </bean>

The web.xml configuration is as follows:

<web-app>
<!-- ... -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetBeanName</param-name>
            <param-value>springSecurityFilterChain</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/remoting/*</url-pattern>
    </filter-mapping>
</web-app>

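Actual behaviour: Spring Security should persist the session when there is a successful authentication request, but in our case it sometimes fails to persist the session (this behaviour is not consistent), which results in a new session being created and eventually causes my application to perform the actual authentication again. Please note that this behaviour is not consistent.

I see the following messages in the Spring Security log file: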

2016-05-10 09:41:22042调试[org.springframework.security.web.FilterChainProxy]/remoting/ViewService,位于附加过滤器链的第1/4位;正在启动筛选器:“RequestContextFilter”
2016-05-10 09:41:22042调试[org.springframework.security.web.FilterChainProxy]/remoting/ViewService,位于附加过滤器链的第2/4位;正在启动筛选器:“SecurityContextPersistenceFilter”
2016-05-10 09:41:22042调试[org.springframework.security.web.context.HttpSessionSecurityContextRepository]当前不存在HttpSession
2016-05-10 09:41:22042调试[org.springframework.security.web.context.HttpSessionSecurityContextRepository]HttpSession中没有可用的SecurityContext:null。将创建一个新的。
2016-05-10 09:41:22042调试[org.springframework.security.web.FilterChainProxy]/remoting/ViewService,位于附加过滤器链的第3/4位;正在启动筛选器:“ExceptionTranslationFilter”
2016-05-10 09:41:22042调试[org.springframework.security.web.FilterChainProxy]/remoting/ViewService,位于附加过滤器链的第4位(共4位);正在启动筛选器:“RequestHeaderAuthenticationFilter”
2016-05-10 09:41:22042调试[org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter]检查安全上下文令牌:null
2016-05-10 09:41:22042调试[org.springframework.security.web.authentication.preauthentic.RequestHeaderAuthenticationFilter]PreAuthenticationdPrincipal=snme,正在尝试进行身份验证
2016-05-10 09:41:22064调试[org.springframework.security.web.authentication.preauthentication.preauthenticationdauthenticationprovider]预验证身份验证请求:org.springframework.security.web.authentication.preauthentication。PreAuthenticatedAuthenticationToken@6bc667b:校长:snme;凭据:[受保护];认证:假;详细信息:org.springframework.security.web.authentication。WebAuthenticationDetails@7798:RemoteIP地址:144.5.156.254;SessionId:null;没有授予任何权限
2016-05-10 09:41:22068调试[org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter]验证成功:org.springframework.security.web.authentication.preauthentication。PreAuthenticatedAuthenticationToken@e031ed5f:Principal:org.springframework.security.core.userdetails。User@35f133:用户名:snme;密码:[受保护];启用:真;AccountNoExpired:正确;无需证明的凭证:真实;AccountNonLocked:true;授予的权限:UIM用户;凭据:[受保护];认证:正确;详细信息:org.springframework.security.web.authentication。WebAuthenticationDetails@7798:RemoteIP地址:144.5.156.254;SessionId:null;授予的权限:UIM用户
2016-05-10 09:41:22068调试[org.springframework.security.web.FilterChainProxy]/remoting/ViewService到达附加过滤链的末尾;继续使用原始链
2016-05-10 09:41:22342调试[org.springframework.security.web.context.HttpSessionSecurityContextRepository]创建为SecurityContext的HttpSession是非默认的
2016-05-10 09:41:22342警告[org.springframework.security.web.context.HttpSessionSecurityContextRepository]无法创建会话,因为已提交响应。无法存储SecurityContext。
2016-05-10 09:41:22342调试[org.springframework.security.web.context.HttpSessionSecurityContextRepository]创建为SecurityContext的HttpSession是非默认的
2016-05-10 09:41:22342警告[org.springframework.security.web.context.HttpSessionSecurityContextRepository]无法创建会话,因为已提交响应。无法存储SecurityContext。
2016-05-10 09:41:22342调试[org.springframework.security.web.context.HttpSessionSecurityContextRepository]创建为SecurityContext的HttpSession是非默认的
2016-05-10 09:41:22342警告[org.springframework.security.web.context.HttpSessionSecurityContextRepository]无法创建会话,因为已提交响应。无法存储SecurityContext。
2016-05-10 09:41:22343调试[org.springframework.security.web.access.ExceptionTranslationFilter]链处理正常
2016-05-10 09:41:22343调试[org.springframework.security.web.context.SecurityContextPersistenceFilter]随着请求处理完成,SecurityContextHolder现在已清除
2016-05-10 09:41:23254调试[org.springframework.security.web.FilterChainProxy]/remoting/LockingService,位于附加过滤器链的第1/4位;正在启动筛选器:“RequestContextFilter”
2016-05-10 09:41:23254调试[org.springframework.security.web.FilterChainProxy]/remoting/LockingService,位于附加过滤器链的第2/4位;点火线圈
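
One way to measure how often the intermittent failure described above occurs, and on which endpoints, as an added example that is not part of the original post: the script groups Spring Security debug lines into requests and counts those where authentication succeeded but the SecurityContext was never stored. The sample log is constructed (shortened logger names, English message wording), and the grouping assumes requests are not interleaved in the log, so filter by thread first if they are.

```python
import re

# Constructed sample, not the poster's log: three requests, two of which lose the context.
SAMPLE_LOG = """\
09:41:22,042 DEBUG [FilterChainProxy] /remoting/ViewService at position 1 of 4 in additional filter chain; firing Filter: 'RequestContextFilter'
09:41:22,068 DEBUG [RequestHeaderAuthenticationFilter] Authentication success: (token details elided)
09:41:22,342 WARN  [HttpSessionSecurityContextRepository] Failed to create a session, as response has been committed. Unable to store SecurityContext.
09:41:22,342 WARN  [HttpSessionSecurityContextRepository] Failed to create a session, as response has been committed. Unable to store SecurityContext.
09:41:22,343 DEBUG [SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed
09:41:23,254 DEBUG [FilterChainProxy] /remoting/LockingService at position 1 of 4 in additional filter chain; firing Filter: 'RequestContextFilter'
09:41:23,260 DEBUG [RequestHeaderAuthenticationFilter] Authentication success: (token details elided)
09:41:23,300 DEBUG [SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed
09:41:24,100 DEBUG [FilterChainProxy] /remoting/ViewService at position 1 of 4 in additional filter chain; firing Filter: 'RequestContextFilter'
09:41:24,120 DEBUG [RequestHeaderAuthenticationFilter] Authentication success: (token details elided)
09:41:24,400 WARN  [HttpSessionSecurityContextRepository] Failed to create a session, as response has been committed. Unable to store SecurityContext.
09:41:24,401 DEBUG [SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed
"""

# The first filter of the chain marks the start of a request and carries its URL.
START = re.compile(r"\] (\S+) at position 1 of \d+ in additional filter chain")
AUTH_OK = "Authentication success"
NOT_STORED = "Unable to store SecurityContext"
END = "SecurityContextHolder now cleared"


def lost_contexts(log_text):
    """Map each URL to (requests whose context was not stored, authenticated requests)."""
    lost, total = {}, {}
    url, authed, failed = None, False, False
    for line in log_text.splitlines():
        start = START.search(line)
        if start:                       # a new request begins
            url, authed, failed = start.group(1), False, False
        elif url is None:
            continue                    # line outside any request
        elif AUTH_OK in line:
            authed = True
        elif NOT_STORED in line:
            failed = True               # repeated warnings count once per request
        elif END in line:               # request finished: record its outcome
            if authed:
                total[url] = total.get(url, 0) + 1
                lost[url] = lost.get(url, 0) + int(failed)
            url = None
    return {u: (lost[u], total[u]) for u in total}


if __name__ == "__main__":
    for endpoint, (n_lost, n_auth) in lost_contexts(SAMPLE_LOG).items():
        print(f"{endpoint}: {n_lost} of {n_auth} authenticated requests lost the context")
```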