Spring 无法创建会话,因为已提交响应。无法存储SecurityContext 总结
我们已经在applicationContext.xml文件中配置了filterchain,如下所述Spring 无法创建会话,因为已提交响应。无法存储SecurityContext 总结,spring,spring-security,Spring,Spring Security,我们已经在applicationContext.xml文件中配置了filterchain,如下所述 <bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy"> <sec:filter-chain-map path-type="ant" > <sec:filter-chain pattern="/*
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
<sec:filter-chain-map path-type="ant" >
<sec:filter-chain pattern="/**" filters="requestContextFilter,securityContextFilter,exceptionTranslationFilter,userRoleProcessingFilter" />
</sec:filter-chain-map>
</bean>
<bean id="requestContextFilter" class="org.springframework.web.filter.RequestContextFilter"/>
<bean id="securityContextFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<property name="securityContextRepository">
<bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"></bean>
</property>
<property name="forceEagerSessionCreation" value="false"/>
</bean>
<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter" >
<property name="authenticationEntryPoint">
<bean class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
</property>
</bean>
<bean id="userRoleProcessingFilter"
class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="CC_USER" />
<property name="credentialsRequestHeader" value="CC_CRED" />
<property name="authenticationManager" ref="authenticationManager" />
<property name="continueFilterChainOnUnsuccessfulAuthentication" value="false" />
<property name="exceptionIfHeaderMissing" value="false"></property>
<property name="checkForPrincipalChanges" value="true"></property>
</bean>
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager" >
<property name="providers" >
<list>
<ref local="authenticationProvider" />
</list>
</property>
</bean>
<bean id="authenticationProvider" class="com.powerup.common.authorization.spring.xxx.AuthenticationProvider" >
<property name="preAuthenticatedUserDetailsService">
<bean class="com.powerup.common.authorization.spring.xxx.UserDetailsService">
</bean>
</property>
</bean>
web.xml的配置如下所示
<web-app>
<!------->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetBeanName</param-name>
<param-value>springSecurityFilterChain</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/remoting/*</url-pattern>
</filter-mapping>
</web-app>
springSecurityFilterChain
org.springframework.web.filter.DelegatingFilterProxy
塔吉特比纳姆
springSecurityFilterChain
springSecurityFilterChain
/远程处理/*
实际行为
Spring security应该在有成功的身份验证请求时持久化会话,但在我们的例子中,它有时无法持久化会话(此行为不一致),并导致创建新会话,最终导致我的应用程序再次进行实际身份验证。请注意,此行为不一致
我在spring安全日志文件中看到以下消息
2016-05-10 09:41:22042调试[org.springframework.security.web.FilterChainProxy]/remoting/ViewService,位于附加过滤器链的第1/4位;正在启动筛选器:“RequestContextFilter”
2016-05-10 09:41:22042调试[org.springframework.security.web.FilterChainProxy]/remoting/ViewService,位于附加过滤器链的第2/4位;正在启动筛选器:“SecurityContextPersistenceFilter”
2016-05-10 09:41:22042调试[org.springframework.security.web.context.HttpSessionSecurityContextRepository]当前不存在HttpSession
2016-05-10 09:41:22042调试[org.springframework.security.web.context.HttpSessionSecurityContextRepository]HttpSession中没有可用的SecurityContext:null。将创建一个新的。
2016-05-10 09:41:22042调试[org.springframework.security.web.FilterChainProxy]/remoting/ViewService,位于附加过滤器链的第3/4位;正在启动筛选器:“ExceptionTranslationFilter”
2016-05-10 09:41:22042调试[org.springframework.security.web.FilterChainProxy]/remoting/ViewService,位于附加过滤器链的第4位(共4位);正在启动筛选器:“RequestHeaderAuthenticationFilter”
2016-05-10 09:41:22042调试[org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter]检查安全上下文令牌:null
2016-05-10 09:41:22042调试[org.springframework.security.web.authentication.preauthentic.RequestHeaderAuthenticationFilter]PreAuthenticationdPrincipal=snme,正在尝试进行身份验证
2016-05-10 09:41:22064调试[org.springframework.security.web.authentication.preauthentication.preauthenticationdauthenticationprovider]预验证身份验证请求:org.springframework.security.web.authentication.preauthentication。PreAuthenticatedAuthenticationToken@6bc667b:校长:snme;凭据:[受保护];认证:假;详细信息:org.springframework.security.web.authentication。WebAuthenticationDetails@7798:RemoteIP地址:144.5.156.254;SessionId:null;没有授予任何权限
2016-05-10 09:41:22068调试[org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter]验证成功:org.springframework.security.web.authentication.preauthentication。PreAuthenticatedAuthenticationToken@e031ed5f:Principal:org.springframework.security.core.userdetails。User@35f133:用户名:snme;密码:[受保护];启用:真;AccountNoExpired:正确;无需证明的凭证:真实;AccountNonLocked:true;授予的权限:UIM用户;凭据:[受保护];认证:正确;详细信息:org.springframework.security.web.authentication。WebAuthenticationDetails@7798:RemoteIP地址:144.5.156.254;SessionId:null;授予的权限:UIM用户
2016-05-10 09:41:22068调试[org.springframework.security.web.FilterChainProxy]/remoting/ViewService到达附加过滤链的末尾;继续使用原始链
2016-05-10 09:41:22342调试[org.springframework.security.web.context.HttpSessionSecurityContextRepository]创建为SecurityContext的HttpSession是非默认的
2016-05-10 09:41:22342警告[org.springframework.security.web.context.HttpSessionSecurityContextRepository]无法创建会话,因为已提交响应。无法存储SecurityContext。
2016-05-10 09:41:22342调试[org.springframework.security.web.context.HttpSessionSecurityContextRepository]创建为SecurityContext的HttpSession是非默认的
2016-05-10 09:41:22342警告[org.springframework.security.web.context.HttpSessionSecurityContextRepository]无法创建会话,因为已提交响应。无法存储SecurityContext。
2016-05-10 09:41:22342调试[org.springframework.security.web.context.HttpSessionSecurityContextRepository]创建为SecurityContext的HttpSession是非默认的
2016-05-10 09:41:22342警告[org.springframework.security.web.context.HttpSessionSecurityContextRepository]无法创建会话,因为已提交响应。无法存储SecurityContext。
2016-05-10 09:41:22343调试[org.springframework.security.web.access.ExceptionTranslationFilter]链处理正常
2016-05-10 09:41:22343调试[org.springframework.security.web.context.SecurityContextPersistenceFilter]随着请求处理完成,SecurityContextHolder现在已清除
2016-05-10 09:41:23254调试[org.springframework.security.web.FilterChainProxy]/remoting/LockingService,位于附加过滤器链的第1/4位;正在启动筛选器:“RequestContextFilter”
2016-05-10 09:41:23254调试[org.springframework.security.web.FilterChainProxy]/remoting/LockingService,位于附加过滤器链的第2/4位;点火线圈