Spring Security and Tomcat 8 JSessionId response mismatch

Posted: 2017-03-02 16:26:38

Question:

I have a webapp that implements Java security to distinguish users from administrators. On the front end I use Wicket to implement the different actions and views of my pages. The whole login system works well, except for one thing. If I deploy my application to a remote Tomcat (the same version as in my local environment) and try to log in as usual with the same username/password combination, Spring Security redirects to my login page. I tried checking the logs and, as far as I can see, on the remote Tomcat side my authentication method works fine: Spring successfully recognizes my credentials and authorizes me as "ROLE_USER" with the proper authority, but somehow the session ID or object, or something, gets lost; Spring creates a new one with anonymous authority and then redirects back to login. As I noticed, when I request the form submit and then the /user/home page, the JSessionID on my localhost is the same for both, while on the remote server the IDs of the two requests are different. Does this mean that Tomcat or Apache does not support some feature of Spring Security, or did I miss some configuration tag in my application?

Update

In the Google developer console I noticed that, first, after the form submit a request is sent to the server. The application successfully authenticates the user and sends back a JSessionID cookie with an HTTP 302 status code. After that the browser sends a GET request to the correct /user/home url, but without any cookie in the headers, so is that why Spring Security creates a new one and sends back the /login page?

Solution

The problem was the domain request forwarding. My domain, e.g. test.com, forwarded my request to test.com/myapp, which then sent back the response with the correct cookie but with the path "/myapp". The browser then did not recognize the requested URL and did not send the cookie back to the server. Spring Security did not find a proper JSessionID, created a new one, and could not get it from the SecurityContextHolder. Zildyan's answer is the best way to solve the problem, so I will accept it.
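A check on the diagnosis above (and on the Update, where the browser sent no cookie on the GET to /user/home), added here as an example and not part of the original question: a browser only attaches a cookie when the request path "path-matches" the cookie's Path attribute under RFC 6265 section 5.1.4. The script below implements that rule and applies it to a constructed Set-Cookie line of the kind a container emits for an app deployed under /myapp. The header values, the session id and the paths are made up for the example; the proxy behaviour (test.com/ rewritten to test.com/myapp) is as the question describes it.

```python
"""RFC 6265 path-match check for a session cookie behind a path-rewriting proxy.

Added example, not code from the original question. It replays the diagnosis
from the Solution: the app answers the login POST with a JSESSIONID cookie
scoped to Path=/myapp, but the browser talked to test.com/ (the proxy added
the /myapp prefix on the way in), so its next request is for /user/home and
the cookie never path-matches. Header values, the session id and the paths
are constructed for the example.
"""
from http.cookies import SimpleCookie


def default_path(request_path: str) -> str:
    """RFC 6265 section 5.1.4 default-path, used when Set-Cookie has no Path."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match, as a browser applies it before sending."""
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def session_cookie_path(set_cookie_header: str, login_path: str, name: str = "JSESSIONID") -> str:
    """Cookie-path the browser stores for `name` after the login response."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar[name]
    return morsel["path"] or default_path(login_path)


def cookie_sent(set_cookie_header: str, login_path: str, next_path: str) -> bool:
    """Will the browser attach the session cookie to the follow-up request?"""
    return path_matches(session_cookie_path(set_cookie_header, login_path), next_path)


# Constructed Set-Cookie lines: the first is what a container emits for an app
# deployed under /myapp, the second the same cookie with its path widened to /.
SET_COOKIE_BROKEN = "JSESSIONID=1A2B3C4D5E6F; Path=/myapp; HttpOnly"
SET_COOKIE_FIXED = "JSESSIONID=1A2B3C4D5E6F; Path=/; HttpOnly"

if __name__ == "__main__":
    # Proxy rewrites test.com/ -> test.com/myapp, so browser-side paths carry no /myapp prefix.
    print("Path=/myapp, request /user/home :", cookie_sent(SET_COOKIE_BROKEN, "/login", "/user/home"))
    print("Path=/,      request /user/home :", cookie_sent(SET_COOKIE_FIXED, "/login", "/user/home"))
    # Same cookie when the browser itself sees the context path (no rewrite).
    print("Path=/myapp, request /myapp/user/home :",
          cookie_sent(SET_COOKIE_BROKEN, "/myapp/login", "/myapp/user/home"))
```

With Path=/myapp the cookie is never returned for /user/home, which is the "No HttpSession currently exists" line in the log further down. Zildyan's answer is not reproduced on this page; in general the cookie path has to match what the browser sees, either by letting the proxy preserve the context path or by widening the session cookie path to / (Servlet 3.0's `<cookie-config><path>/</path></cookie-config>` inside `<session-config>`, or Tomcat's `sessionCookiePath` context attribute), while keeping HttpOnly, and Secure when served over HTTPS, on the cookie.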

My web.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="http://xmlns.jcp.org/xml/ns/javaee"
        xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
        version="3.1">
        <display-name>GAReporter</display-name>
        <session-config>
            <session-timeout>5000</session-timeout>
            <tracking-mode>COOKIE</tracking-mode>
        </session-config>
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
        <listener>
          <listener-class>
            org.springframework.security.web.session.HttpSessionEventPublisher
          </listener-class>
        </listener> 
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/applicationContext.xml,/WEB-INF/spring-security.xml</param-value>
        </context-param>
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>FORWARD</dispatcher>
            <dispatcher>REQUEST</dispatcher>
        </filter-mapping>
        <filter>
            <filter-name>wicket.wicket-spring</filter-name>
            <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
            <init-param>
                <param-name>applicationClassName</param-name>
                <param-value>com.carusselgroup.application.GAApplication</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>wicket.wicket-spring</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>FORWARD</dispatcher>
            <dispatcher>REQUEST</dispatcher>
        </filter-mapping>
    </web-app>

Spring Security (spring-security.xml)

    <?xml version="1.0" encoding="windows-1252"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
            http://www.springframework.org/schema/context
            http://www.springframework.org/schema/context/spring-context-4.1.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-4.1.xsd">

        <http auto-config="true" use-expressions="true" create-session="ifRequired">
            <access-denied-handler error-page="/403" />
            <form-login login-page="/login" login-processing-url="/j_spring_security_check" />
            <intercept-url pattern="/user**" access="hasRole('ROLE_USER')" />
            <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />
            <csrf disabled="true" />
        </http>

        <authentication-manager alias="authenticationManager">
            <authentication-provider>
                <jdbc-user-service data-source-ref="dataSource"
                    users-by-username-query="SELECT username,password ,user_role.enabled
                                              FROM public.user
                                              INNER JOIN user_role
                                              ON public.user.user_id=user_role.user_id
                                              where public.user.username=?"
                    authorities-by-username-query="SELECT username,user_role.role
                                              FROM public.user
                                              INNER JOIN user_role
                                              ON public.user.user_id=user_role.user_id
                                              where public.user.username=?" />
            </authentication-provider>
        </authentication-manager>
    </beans:beans>

LoginPage.java:

import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.StatelessForm;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.markup.html.panel.FeedbackPanel;
import org.apache.wicket.model.CompoundPropertyModel;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class LoginPage extends WebPage {

    private static final long serialVersionUID = 6820791987770181938L;

    private String username;

    private String password;

    // The logger is keyed on HomePage.class, which is why the Tomcat log below
    // attributes the login messages to com.carusselgroup.page.HomePage.
    private static final Logger logger = LoggerFactory.getLogger(HomePage.class);

    @Override
    protected void onInitialize() {
        super.onInitialize();
        FeedbackPanel fbPanel = new FeedbackPanel("feedback");
        add(fbPanel);
        StatelessForm<Void> form = new StatelessForm<Void>("form") {
            private static final long serialVersionUID = -8390180201075042069L;

            @Override
            protected void onSubmit() {
                SpringWicketWebSession session = SpringWicketWebSession.getSpringWicketWebSession();
                // Note: these log statements write the submitted password to the log in clear text.
                logger.info("Trying to login with: " + username + "\\" + password);
                if (session.signIn(username, password)) {
                    logger.info("Login username/password authentication success: " + username + "\\" + password);
                    setResponsePage(HomePage.class);
                } else {
                    logger.info("Login username/password authentication failed: " + username + "\\" + password);
                    error("Sign in failed, Incorrect username or password");
                }
            }
        };
        // CompoundPropertyModel binds the "username" and "password" components to the fields above.
        form.setDefaultModel(new CompoundPropertyModel<LoginPage>(this));
        form.add(new TextField<String>("username").setRequired(true));
        form.add(new PasswordTextField("password").setRequired(true));
        add(form);
    }
}

AuthenticatedWebSession class:

import javax.servlet.http.HttpSession;

import org.apache.log4j.Logger;
import org.apache.wicket.Session;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.injection.Injector;
import org.apache.wicket.request.Request;
import org.apache.wicket.spring.injection.annot.SpringBean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class SpringWicketWebSession extends AuthenticatedWebSession {

    private static final long serialVersionUID = 779910029564267643L;

    private static final Logger logger = Logger.getLogger(SpringWicketWebSession.class);

    // Injected from the Spring context; the XML above aliases the manager as "authenticationManager".
    @SpringBean(name = "authenticationManager")
    private AuthenticationManager authenticationManager;

    private HttpSession httpSession;

    Authentication authentication = null;

    public SpringWicketWebSession(Request request) {
        super(request);
        Injector.get().inject(this);
        ensureDependenciesNotNull();
    }

    public static SpringWicketWebSession getSpringWicketWebSession() {
        return (SpringWicketWebSession) Session.get();
    }

    private void ensureDependenciesNotNull() {
        if (authenticationManager == null) {
            throw new IllegalStateException("Requires an authentication");
        }
    }

    @Override
    public boolean authenticate(String username, String password) {
        logger.info("authentication starting...");
        boolean authenticated = false;
        try {
            authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
            // SecurityContextPersistenceFilter saves this context into the HttpSession at the
            // end of the request (the "stored to HttpSession" line in the log below).
            SecurityContextHolder.getContext().setAuthentication(authentication);
            authenticated = authentication.isAuthenticated();
        } catch (AuthenticationException e) {
            logger.error("Authentication failed with");
            logger.error("Exception: " + e);
            authenticated = false;
        }
        return authenticated;
    }

    @Override
    public Roles getRoles() {
        Roles roles = new Roles();
        getRolesIfSignedIn(roles);
        return roles;
    }

    private void getRolesIfSignedIn(Roles roles) {
        if (isSignedIn()) {
            addRolesFromAuthentication(roles, authentication);
        }
    }

    private void addRolesFromAuthentication(Roles roles, Authentication authentication) {
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            roles.add(authority.getAuthority());
        }
    }
}

And the Tomcat/Spring log:

2016-10-20 15:45:38,352 9380 [http-nio-10467-exec-3] INFO  com.carusselgroup.page.HomePage - Trying to login with: test\test
2016-10-20 15:45:38,352 9380 [http-nio-10467-exec-3] INFO  c.c.config.SpringWicketWebSession - authentication starting...
2016-10-20 15:45:38,352 9380 [http-nio-10467-exec-3] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'org.springframework.security.authenticationManager'
2016-10-20 15:45:38,352 9380 [http-nio-10467-exec-3] DEBUG o.s.s.a.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2016-10-20 15:45:38,358 9386 [http-nio-10467-exec-3] DEBUG o.s.jdbc.core.JdbcTemplate - Executing prepared SQL query
2016-10-20 15:45:38,359 9387 [http-nio-10467-exec-3] DEBUG o.s.jdbc.core.JdbcTemplate - Executing prepared SQL statement [SELECT username,password ,user_role.enabled FROM public.user INNER JOIN user_role ON public.user.user_id=user_role.user_id where public.user.username=?]
2016-10-20 15:45:38,360 9388 [http-nio-10467-exec-3] DEBUG o.s.jdbc.datasource.DataSourceUtils - Fetching JDBC Connection from DataSource
2016-10-20 15:45:38,360 9388 [http-nio-10467-exec-3] DEBUG o.s.j.d.DriverManagerDataSource - Creating new JDBC DriverManager Connection to [jdbc:postgresql://localhost:5432/common__gareporter]
2016-10-20 15:45:38,375 9403 [http-nio-10467-exec-3] DEBUG o.s.jdbc.datasource.DataSourceUtils - Returning JDBC Connection to DataSource
2016-10-20 15:45:38,376 9404 [http-nio-10467-exec-3] DEBUG o.s.jdbc.core.JdbcTemplate - Executing prepared SQL query
2016-10-20 15:45:38,376 9404 [http-nio-10467-exec-3] DEBUG o.s.jdbc.core.JdbcTemplate - Executing prepared SQL statement [SELECT username,user_role.role FROM public.user INNER JOIN user_role ON public.user.user_id=user_role.user_id where public.user.username=?]
2016-10-20 15:45:38,376 9404 [http-nio-10467-exec-3] DEBUG o.s.jdbc.datasource.DataSourceUtils - Fetching JDBC Connection from DataSource
2016-10-20 15:45:38,376 9404 [http-nio-10467-exec-3] DEBUG o.s.j.d.DriverManagerDataSource - Creating new JDBC DriverManager Connection to [jdbc:postgresql://localhost:5432/common__gareporter]
2016-10-20 15:45:38,383 9411 [http-nio-10467-exec-3] DEBUG o.s.jdbc.datasource.DataSourceUtils - Returning JDBC Connection to DataSource
2016-10-20 15:45:38,390 9418 [http-nio-10467-exec-3] INFO  com.carusselgroup.page.HomePage - Login username/password authentication success: test\test
2016-10-20 15:45:38,391 9419 [http-nio-10467-exec-3] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,393 9421 [http-nio-10467-exec-3] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,394 9422 [http-nio-10467-exec-3] DEBUG org.apache.wicket.Page - ending request for page [Page class = com.carusselgroup.page.LoginPage, id = 0, render count = 0], request org.apache.wicket.protocol.http.servlet.ServletWebRequest@4fcc406b
2016-10-20 15:45:38,394 9422 [http-nio-10467-exec-3] DEBUG o.a.w.page.PageAccessSynchronizer - 'http-nio-10467-exec-3' released lock to page with id '0'
2016-10-20 15:45:38,394 9422 [http-nio-10467-exec-3] DEBUG o.a.w.page.PageAccessSynchronizer - 'http-nio-10467-exec-3' notifying blocked threads
2016-10-20 15:45:38,395 9423 [http-nio-10467-exec-3] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,395 9423 [http-nio-10467-exec-3] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,395 9423 [http-nio-10467-exec-3] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,395 9423 [http-nio-10467-exec-3] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,396 9424 [http-nio-10467-exec-3] DEBUG o.s.s.w.h.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@5776b12c
2016-10-20 15:45:38,396 9424 [http-nio-10467-exec-3] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@442b46a2: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@442b46a2: Principal: org.springframework.security.core.userdetails.User@364492: Username: test; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER' stored to HttpSession: 'org.apache.catalina.session.StandardSessionFacade@3af765a
2016-10-20 15:45:38,396 9424 [http-nio-10467-exec-3] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
2016-10-20 15:45:38,397 9425 [http-nio-10467-exec-3] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No HttpSession currently exists
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 2 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/user/home'; against '/logout'
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /user/home' doesn't match 'POST /j_spring_security_check
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 6 of 12 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-10-20 15:45:38,408 9436 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-10-20 15:45:38,408 9436 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa93c2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffffe21a: RemoteIpAddress: 10.1.0.45; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/user/home'; against '/user**'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/user/home'; against '/admin**'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Public object - authentication not attempted
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home reached end of additional filter chain; proceeding with original chain
2016-10-20 15:45:38,413 9441 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,413 9441 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,413 9441 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,413 9441 [http-nio-10467-exec-4] DEBUG o.a.w.r.m.CompoundRequestMapper - One compatible mapper found for URL 'user/home' -> 'Mapper: org.apache.wicket.core.request.mapper.MountedMapper; Score: 4'
2016-10-20 15:45:38,413 9441 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,422 9450 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,423 9451 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,423 9451 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,423 9451 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,423 9451 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,424 9452 [http-nio-10467-exec-4] DEBUG o.s.s.w.h.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@5776b12c
2016-10-20 15:45:38,424 9452 [http-nio-10467-exec-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2016-10-20 15:45:38,424 9452 [http-nio-10467-exec-4] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
2016-10-20 15:45:38,424 9452 [http-nio-10467-exec-4] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2016-10-20 15:45:38,440 9468 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-10-20 15:45:38,440 9468 [http-nio-10467-exec-5] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No HttpSession currently exists
2016-10-20 15:45:38,440 9468 [http-nio-10467-exec-5] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 2 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login'; against '/logout'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /login' doesn't match 'POST /j_spring_security_check
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 6 of 12 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa93c2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffffe21a: RemoteIpAddress: 10.1.0.45; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login'; against '/user**'
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login'; against '/admin**'
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Public object - authentication not attempted
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login reached end of additional filter chain; proceeding with original chain
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.a.w.r.m.CompoundRequestMapper - One compatible mapper found for URL 'login' -> 'Mapper: org.apache.wicket.core.request.mapper.MountedMapper; Score: 2'
2016-10-20 15:45:38,443 9471 [http-nio-10467-exec-5] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,444 9472 [http-nio-10467-exec-5] DEBUG o.a.w.page.PageAccessSynchronizer - 'http-nio-10467-exec-5' attempting to acquire lock to page with id '0'
2016-10-20 15:45:38,444 9472 [http-nio-10467-exec-5] DEBUG o.a.w.page.PageAccessSynchronizer - http-nio-10467-exec-5 acquired lock to page 0
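Two things in this log are worth catching automatically, so here is a small log audit, added as an example and not part of the original question. First, the request on thread exec-4 arrives with "No HttpSession currently exists" immediately after thread exec-3 stored an authenticated SecurityContext, which is the lost-cookie symptom the question describes. Second, FilterSecurityInterceptor reports '/user/home' as a "Public object" after checking it against '/user**'; in Ant-style matching a `**` that is not its own path segment only matches within one segment, so '/user**' covers '/userhome' but not '/user/home', and '/user/**' is the pattern that protects the whole subtree. That reading of the pattern is mine, not a statement from the question. The sample lines are copied from the log above, with the long SecurityContext dumps shortened; the protected-prefix list is an assumption for the example.

```python
"""Audit Spring Security DEBUG log lines for lost sessions and unprotected paths.

Added example, not code from the original question. It groups lines by worker
thread, flags requests that arrived with no HttpSession right after a login
stored a SecurityContext, and flags paths under a prefix that should be
protected but that FilterSecurityInterceptor treated as a public object.
SAMPLE_LOG holds lines copied from the question's log, with the long
SecurityContext dumps shortened to '...'.
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ms>\d+) \[(?P<thread>[^\]]+)\] (?P<level>\w+)\s+(?P<logger>\S+) - (?P<msg>.*)$")
PATH_RE = re.compile(r"^(?P<path>/\S*) at position 1 of")
MATCH_RE = re.compile(r"Checking match of request : '[^']*'; against '([^']*)'")


@dataclass
class RequestTrace:
    thread: str
    path: str = "?"
    no_session: bool = False
    anonymous: bool = False
    public_object: bool = False
    context_stored: bool = False
    patterns_checked: list = field(default_factory=list)


def parse_traces(lines):
    """One RequestTrace per worker thread, in order of first appearance."""
    traces = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        t = traces.setdefault(m["thread"], RequestTrace(m["thread"]))
        msg = m["msg"]
        p = PATH_RE.match(msg)
        if p:
            t.path = p["path"]
        t.no_session |= "No HttpSession currently exists" in msg
        t.anonymous |= "Populated SecurityContextHolder with anonymous token" in msg
        t.public_object |= "Public object - authentication not attempted" in msg
        t.context_stored |= "stored to HttpSession" in msg
        pm = MATCH_RE.search(msg)
        if pm:
            t.patterns_checked.append(pm.group(1))
    return list(traces.values())


def audit(lines, protected_prefixes=("/user/", "/admin/")):
    """Return (finding, thread, path) tuples a defender should look at."""
    findings = []
    login_stored = False
    for t in parse_traces(lines):
        if t.context_stored:
            login_stored = True  # a login on this thread wrote an authenticated context
            continue
        if login_stored and t.no_session and t.anonymous:
            findings.append(("SESSION_NOT_PRESENTED", t.thread, t.path))
        if t.public_object and t.path.startswith(protected_prefixes):
            findings.append(("PROTECTED_PATH_TREATED_AS_PUBLIC", t.thread, t.path))
    return findings


SAMPLE_LOG = """\
2016-10-20 15:45:38,396 9424 [http-nio-10467-exec-3] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext '...Username: test; Granted Authorities: ROLE_USER...' stored to HttpSession: 'org.apache.catalina.session.StandardSessionFacade@3af765a
2016-10-20 15:45:38,397 9425 [http-nio-10467-exec-3] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No HttpSession currently exists
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: '...Principal: anonymousUser; ...SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/user/home'; against '/user**'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/user/home'; against '/admin**'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Public object - authentication not attempted
2016-10-20 15:45:38,440 9468 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-10-20 15:45:38,440 9468 [http-nio-10467-exec-5] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No HttpSession currently exists
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: '...Granted Authorities: ROLE_ANONYMOUS'
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Public object - authentication not attempted
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Run against the sample, the audit reports exec-4 both as a request that presented no session after the login on exec-3 and as a request under /user/ that the interceptor let through as public, and exec-5 (/login) only for the missing session, since /login is meant to be public.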

Answer 1:

I ran into this problem. The issue was that my cookies could only be sent over https.

The next case was when I tried to re-establish user sessions after a system restart/redeploy. Tomcat serializes all active user sessions, writes out all their attributes and deserializes them on system restart, and compares the jsessionid with the one in the cookie, but I was missing the secureAuthId because Tomcat did not remember it.
