即使在 Spring Security 中禁用了会话,谷歌应用引擎也会检测到会话管理
Posted
技术标签:
【中文标题】即使在 Spring Security 中禁用了会话,谷歌应用引擎也会检测到会话管理【英文标题】:google app engine detects sessionmanagement even if sessions are disables in spring security 【发布时间】:2020-01-10 11:34:33 【问题描述】:我目前无法使用 spring security 对我在 spring boot 中实现的 rest api 进行任何调用。我收到以下消息:
"timestamp": "2019-09-08T10:24:35.020+0000",
"status": 500,
"error": "Internal Server Error",
"message": "Session support is not enabled in appengine-web.xml. To enable sessions, put <sessions-enabled>true</sessions-enabled> in that file. Without it, getSession() is allowed, but manipulation of sessionattributes is not.",
"path": "/login"
我在安全配置中明确声明不使用会话(如*** question 中所述)。我还需要做什么才能在没有会话的情况下使用应用引擎?:
安全配置:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter
@Autowired
WebTokenAuthenticationService webTokenAuthenticationService;
protected void configure(HttpSecurity httpSecurity) throws Exception
httpSecurity.csrf().disable();
httpSecurity.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers(LOGIN_ROUTE).permitAll()
.antMatchers(DATA).hasAnyAuthority(Authority.admin.toString())
.and()
.addFilterBefore(new AuthenticationTokenFilter(webTokenAuthenticationService), UsernamePasswordAuthenticationFilter.class)
;
httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
authentificationTokenFilter
public class AuthenticationTokenFilter extends GenericFilterBean
private WebTokenAuthenticationService webTokenAuthenticationService;
public AuthenticationTokenFilter(WebTokenAuthenticationService webTokenAuthenticationService)
this.webTokenAuthenticationService = webTokenAuthenticationService;
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException
HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
Authentication authentication = webTokenAuthenticationService.authenticate(httpRequest);
SecurityContextHolder.getContext().setAuthentication(authentication);
filterChain.doFilter(servletRequest, servletResponse);
SecurityContextHolder.getContext().setAuthentication(null);
【问题讨论】:
【参考方案1】:我想通了。问题出在 pom.xml 文件中:
<plugin>
<groupId>com.google.cloud.tools</groupId>
<artifactId>appengine-maven-plugin</artifactId>
<version>1.3.2</version>
<configuration>
<!--stage.enableJarClasses>true</stage.enableJarClasses-->
</configuration>
</plugin>
如果您将 enableJarClasses 设置为 true,则会发生错误。如果你不启用 jar 类,它就可以工作。
【讨论】:
以上是关于即使在 Spring Security 中禁用了会话,谷歌应用引擎也会检测到会话管理的主要内容,如果未能解决你的问题,请参考以下文章
在 Spring Boot 中禁用 @WebMvcTest 的 Spring Security 配置类
如何使用xml在spring security中禁用注销确认?
如何在 Spring Web App 中临时禁用 Spring Security