即使在 Spring Security 中禁用了会话,谷歌应用引擎也会检测到会话管理

Posted

技术标签:

【中文标题】即使在 Spring Security 中禁用了会话,谷歌应用引擎也会检测到会话管理【英文标题】:google app engine detects sessionmanagement even if sessions are disables in spring security 【发布时间】:2020-01-10 11:34:33 【问题描述】:

我目前无法使用 spring security 对我在 spring boot 中实现的 rest api 进行任何调用。我收到以下消息:


    "timestamp": "2019-09-08T10:24:35.020+0000",
    "status": 500,
    "error": "Internal Server Error",
    "message": "Session support is not enabled in appengine-web.xml.  To enable sessions, put <sessions-enabled>true</sessions-enabled> in that file.  Without it, getSession() is allowed, but manipulation of sessionattributes is not.",
    "path": "/login"

我在安全配置中明确声明不使用会话(如*** question 中所述)。我还需要做什么才能在没有会话的情况下使用应用引擎?:

安全配置:

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter 

    @Autowired
    WebTokenAuthenticationService webTokenAuthenticationService;

    protected void configure(HttpSecurity httpSecurity) throws Exception 
        httpSecurity.csrf().disable();
        httpSecurity.authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers(LOGIN_ROUTE).permitAll()
                .antMatchers(DATA).hasAnyAuthority(Authority.admin.toString())
            .and()
                .addFilterBefore(new AuthenticationTokenFilter(webTokenAuthenticationService), UsernamePasswordAuthenticationFilter.class)
        ;  
       httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    


authentificationTokenFilter

public class AuthenticationTokenFilter extends GenericFilterBean 
    private WebTokenAuthenticationService webTokenAuthenticationService;

    public AuthenticationTokenFilter(WebTokenAuthenticationService webTokenAuthenticationService) 
        this.webTokenAuthenticationService = webTokenAuthenticationService;
    

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException 
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        Authentication authentication = webTokenAuthenticationService.authenticate(httpRequest);
        SecurityContextHolder.getContext().setAuthentication(authentication);
        filterChain.doFilter(servletRequest, servletResponse);
        SecurityContextHolder.getContext().setAuthentication(null);
    

【问题讨论】:

【参考方案1】:

我想通了。问题出在 pom.xml 文件中:

<plugin>
  <groupId>com.google.cloud.tools</groupId>
  <artifactId>appengine-maven-plugin</artifactId>
  <version>1.3.2</version>
  <configuration>
    <!--stage.enableJarClasses>true</stage.enableJarClasses-->
  </configuration>
</plugin>

如果您将 enableJarClasses 设置为 true,则会发生错误。如果你不启用 jar 类,它就可以工作。

【讨论】:

以上是关于即使在 Spring Security 中禁用了会话,谷歌应用引擎也会检测到会话管理的主要内容,如果未能解决你的问题,请参考以下文章

在 Spring Boot 中禁用 @WebMvcTest 的 Spring Security 配置类

如何使用xml在spring security中禁用注销确认?

如何在 Spring Web App 中临时禁用 Spring Security

如何通过 XML 配置仅针对特定 URL 模式在 Spring Security 4 中禁用 CSRF?

如何禁用 spring-security 登录屏幕?

如何在 Grails/Spring Security 插件中禁用 /login/auth