Spring Security and Tomcat 8 JSessionId response mismatch


I have a webapp which implements Java security to distinguish between users and admins. On the front end I use Wicket to implement the different actions and views of my pages. The whole login system works fine, except for one thing. If I deploy my application to a remote Tomcat (the same version as in my local environment) and try to log in as usual with the same username/password combination, Spring Security redirects me to my login page. I tried checking the logs and, as far as I can see, on the remote Tomcat side my authentication method works properly: Spring successfully recognises my credentials and grants me "ROLE_USER" with the appropriate authorities, but somehow the session ID or object, or something, gets lost, Spring creates a new one with anonymous authorities and then redirects back to login. As I noticed, on my localhost the JSessionID is the same when I request the form submit and then the /user/home page, whereas on the remote host the IDs of the two requests are different. Does this mean that Tomcat or Apache doesn't support some Spring Security feature, or am I missing some configuration tag in my application?

UPDATE

In the Google developer console I realised that first the form submit sends a request to the server. The application successfully authenticates the user and sends back a JSessionID cookie with HTTP status code 302. After that the browser sends a GET request to the correct /user/home URL, but without any cookie in the header, which is why Spring Security creates a new one and then sends back the /login page?

The problem was with the domain request forwarding. My domain, e.g. test.com, forwards my request to test.com/myapp, which then sends back the response with the correct cookie but with path "/myapp". The browser then doesn't recognise it for the requested URL and doesn't send it back to the server. Spring Security doesn't find a matching JSessionID, so it creates a new one that can't be obtained from the SecurityContextHolder. Zildyan's answer was the best approach to the solution, so I will accept it.

My web.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="http://xmlns.jcp.org/xml/ns/javaee"
        xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
        version="3.1">
        <display-name>GAReporter</display-name>
        <session-config>
            <session-timeout>5000</session-timeout>
            <tracking-mode>COOKIE</tracking-mode>
        </session-config>
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
        <listener>
          <listener-class>
            org.springframework.security.web.session.HttpSessionEventPublisher
          </listener-class>
        </listener> 
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/applicationContext.xml,/WEB-INF/spring-security.xml</param-value>
        </context-param>
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>FORWARD</dispatcher>
            <dispatcher>REQUEST</dispatcher>
        </filter-mapping>
        <filter>
            <filter-name>wicket.wicket-spring</filter-name>
            <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
            <init-param>
                <param-name>applicationClassName</param-name>
                <param-value>com.carusselgroup.application.GAApplication</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>wicket.wicket-spring</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>FORWARD</dispatcher>
            <dispatcher>REQUEST</dispatcher>
        </filter-mapping>
    </web-app>

Spring security:

    <?xml version="1.0" encoding="windows-1252"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
            http://www.springframework.org/schema/context
            http://www.springframework.org/schema/context/spring-context-4.1.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-4.1.xsd">

        <http auto-config="true" use-expressions="true" create-session="ifRequired">
            <access-denied-handler error-page="/403" />
            <form-login login-page="/login" login-processing-url="/j_spring_security_check" />
            <intercept-url pattern="/user**" access="hasRole('ROLE_USER')" />
            <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />
            <csrf disabled="true" />
        </http>

        <authentication-manager alias="authenticationManager">
            <authentication-provider>
                <jdbc-user-service data-source-ref="dataSource"
                    users-by-username-query="SELECT username,password ,user_role.enabled
                                              FROM public.user
                                              INNER JOIN user_role
                                              ON public.user.user_id=user_role.user_id
                                              where public.user.username=?"
                    authorities-by-username-query="SELECT username,user_role.role
                                              FROM public.user
                                              INNER JOIN user_role
                                              ON public.user.user_id=user_role.user_id
                                              where public.user.username=?" />
            </authentication-provider>
        </authentication-manager>
    </beans:beans>

LoginPage.java:

package com.carusselgroup.page;

import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.StatelessForm;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.markup.html.panel.FeedbackPanel;
import org.apache.wicket.model.CompoundPropertyModel;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// package of the session class inferred from the "c.c.config" logger name in the log below
import com.carusselgroup.config.SpringWicketWebSession;

public class LoginPage extends WebPage
{

    private static final long serialVersionUID = 6820791987770181938L;

    // bound to the form fields below through the CompoundPropertyModel
    private String username;

    private String password;

    // created for HomePage.class, which is why the log entries below are
    // attributed to com.carusselgroup.page.HomePage
    private static final Logger logger = LoggerFactory.getLogger(HomePage.class);

    @Override
    protected void onInitialize()
    {
        super.onInitialize();
        FeedbackPanel fbPanel = new FeedbackPanel("feedback");
        add(fbPanel);
        // stateless: no Wicket page instance is stored for merely rendering the form
        StatelessForm<Void> form = new StatelessForm<Void>("form")
        {
            private static final long serialVersionUID = -8390180201075042069L;

            @Override
            protected void onSubmit()
            {
                SpringWicketWebSession session = SpringWicketWebSession.getSpringWicketWebSession();
                // writes the submitted password to the log as "user\password"
                // (see the "test\test" entries below); not something to keep in production
                logger.info("Trying to login with: " + username + "\\" + password);
                if (session.signIn(username, password))
                {
                    logger.info("Login username/password authentication success: " + username + "\\" + password);
                    setResponsePage(HomePage.class);
                } else
                {
                    logger.info("Login username/password authentication failed: " + username + "\\" + password);
                    error("Sign in failed, Incorrect username or password");
                }
            }
        };
        form.setDefaultModel(new CompoundPropertyModel<LoginPage>(this));
        form.add(new TextField<String>("username").setRequired(true));
        form.add(new PasswordTextField("password").setRequired(true));
        add(form);
    }
}

The authenticated web session class:

package com.carusselgroup.config;

import javax.servlet.http.HttpSession;

import org.apache.log4j.Logger;
import org.apache.wicket.Session;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.injection.Injector;
import org.apache.wicket.request.Request;
import org.apache.wicket.spring.injection.annot.SpringBean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class SpringWicketWebSession extends AuthenticatedWebSession
{
    private static final long serialVersionUID = 779910029564267643L;

    private static final Logger logger = Logger.getLogger(SpringWicketWebSession.class);

    // resolved from the "authenticationManager" alias in spring-security.xml
    @SpringBean(name = "authenticationManager")
    private AuthenticationManager authenticationManager;

    // not used by this class
    private HttpSession httpSession;

    // kept in the Wicket session so getRoles() can read the granted authorities later
    private Authentication authentication = null;

    public SpringWicketWebSession(Request request)
    {
        super(request);
        Injector.get().inject(this);

        ensureDependenciesNotNull();
    }

    public static SpringWicketWebSession getSpringWicketWebSession()
    {
        return (SpringWicketWebSession) Session.get();
    }

    private void ensureDependenciesNotNull()
    {
        if (authenticationManager == null)
        {
            throw new IllegalStateException("Requires an authentication");
        }
    }

    @Override
    public boolean authenticate(String username, String password)
    {
        logger.info("authentication starting...");
        boolean authenticated = false;
        try
        {
            authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
            // SecurityContextPersistenceFilter stores this context in the HttpSession at the end
            // of the request; the next request must present the matching JSESSIONID to get it back
            SecurityContextHolder.getContext().setAuthentication(authentication);
            authenticated = authentication.isAuthenticated();
        } catch (AuthenticationException e)
        {
            logger.error("Authentication failed with");
            logger.error("Exception: " + e);
            authenticated = false;
        }
        return authenticated;
    }

    @Override
    public Roles getRoles()
    {
        Roles roles = new Roles();
        getRolesIfSignedIn(roles);
        return roles;
    }

    private void getRolesIfSignedIn(Roles roles)
    {
        if (isSignedIn())
        {
            addRolesFromAuthentication(roles, authentication);
        }
    }

    // copies each Spring GrantedAuthority (e.g. ROLE_USER) into the Wicket Roles set
    private void addRolesFromAuthentication(Roles roles, Authentication authentication)
    {
        for (GrantedAuthority authority : authentication.getAuthorities())
        {
            roles.add(authority.getAuthority());
        }
    }
}

And the Tomcat/Spring log:

2016-10-20 15:45:38,352 9380 [http-nio-10467-exec-3] INFO  com.carusselgroup.page.HomePage - Trying to login with: test	est
2016-10-20 15:45:38,352 9380 [http-nio-10467-exec-3] INFO  c.c.config.SpringWicketWebSession - authentication starting...
2016-10-20 15:45:38,352 9380 [http-nio-10467-exec-3] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'org.springframework.security.authenticationManager'
2016-10-20 15:45:38,352 9380 [http-nio-10467-exec-3] DEBUG o.s.s.a.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2016-10-20 15:45:38,358 9386 [http-nio-10467-exec-3] DEBUG o.s.jdbc.core.JdbcTemplate - Executing prepared SQL query
2016-10-20 15:45:38,359 9387 [http-nio-10467-exec-3] DEBUG o.s.jdbc.core.JdbcTemplate - Executing prepared SQL statement [SELECT username,password ,user_role.enabled FROM public.user INNER JOIN user_role ON public.user.user_id=user_role.user_id where public.user.username=?]
2016-10-20 15:45:38,360 9388 [http-nio-10467-exec-3] DEBUG o.s.jdbc.datasource.DataSourceUtils - Fetching JDBC Connection from DataSource
2016-10-20 15:45:38,360 9388 [http-nio-10467-exec-3] DEBUG o.s.j.d.DriverManagerDataSource - Creating new JDBC DriverManager Connection to [jdbc:postgresql://localhost:5432/common__gareporter]
2016-10-20 15:45:38,375 9403 [http-nio-10467-exec-3] DEBUG o.s.jdbc.datasource.DataSourceUtils - Returning JDBC Connection to DataSource
2016-10-20 15:45:38,376 9404 [http-nio-10467-exec-3] DEBUG o.s.jdbc.core.JdbcTemplate - Executing prepared SQL query
2016-10-20 15:45:38,376 9404 [http-nio-10467-exec-3] DEBUG o.s.jdbc.core.JdbcTemplate - Executing prepared SQL statement [SELECT username,user_role.role FROM public.user INNER JOIN user_role ON public.user.user_id=user_role.user_id where public.user.username=?]
2016-10-20 15:45:38,376 9404 [http-nio-10467-exec-3] DEBUG o.s.jdbc.datasource.DataSourceUtils - Fetching JDBC Connection from DataSource
2016-10-20 15:45:38,376 9404 [http-nio-10467-exec-3] DEBUG o.s.j.d.DriverManagerDataSource - Creating new JDBC DriverManager Connection to [jdbc:postgresql://localhost:5432/common__gareporter]
2016-10-20 15:45:38,383 9411 [http-nio-10467-exec-3] DEBUG o.s.jdbc.datasource.DataSourceUtils - Returning JDBC Connection to DataSource
2016-10-20 15:45:38,390 9418 [http-nio-10467-exec-3] INFO  com.carusselgroup.page.HomePage - Login username/password authentication success: test	est
2016-10-20 15:45:38,391 9419 [http-nio-10467-exec-3] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,393 9421 [http-nio-10467-exec-3] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,394 9422 [http-nio-10467-exec-3] DEBUG org.apache.wicket.Page - ending request for page [Page class = com.carusselgroup.page.LoginPage, id = 0, render count = 0], request org.apache.wicket.protocol.http.servlet.ServletWebRequest@4fcc406b
2016-10-20 15:45:38,394 9422 [http-nio-10467-exec-3] DEBUG o.a.w.page.PageAccessSynchronizer - 'http-nio-10467-exec-3' released lock to page with id '0'
2016-10-20 15:45:38,394 9422 [http-nio-10467-exec-3] DEBUG o.a.w.page.PageAccessSynchronizer - 'http-nio-10467-exec-3' notifying blocked threads
2016-10-20 15:45:38,395 9423 [http-nio-10467-exec-3] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,395 9423 [http-nio-10467-exec-3] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,395 9423 [http-nio-10467-exec-3] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,395 9423 [http-nio-10467-exec-3] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,396 9424 [http-nio-10467-exec-3] DEBUG o.s.s.w.h.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@5776b12c
2016-10-20 15:45:38,396 9424 [http-nio-10467-exec-3] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@442b46a2: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@442b46a2: Principal: org.springframework.security.core.userdetails.User@364492: Username: test; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER' stored to HttpSession: 'org.apache.catalina.session.StandardSessionFacade@3af765a
2016-10-20 15:45:38,396 9424 [http-nio-10467-exec-3] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
2016-10-20 15:45:38,397 9425 [http-nio-10467-exec-3] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No HttpSession currently exists
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 2 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/user/home'; against '/logout'
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /user/home' doesn't match 'POST /j_spring_security_check
2016-10-20 15:45:38,407 9435 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 6 of 12 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-10-20 15:45:38,408 9436 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-10-20 15:45:38,408 9436 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa93c2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffffe21a: RemoteIpAddress: 10.1.0.45; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/user/home'; against '/user**'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/user/home'; against '/admin**'
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Public object - authentication not attempted
2016-10-20 15:45:38,412 9440 [http-nio-10467-exec-4] DEBUG o.s.security.web.FilterChainProxy - /user/home reached end of additional filter chain; proceeding with original chain
2016-10-20 15:45:38,413 9441 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,413 9441 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,413 9441 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,413 9441 [http-nio-10467-exec-4] DEBUG o.a.w.r.m.CompoundRequestMapper - One compatible mapper found for URL 'user/home' -> 'Mapper: org.apache.wicket.core.request.mapper.MountedMapper; Score: 4'
2016-10-20 15:45:38,413 9441 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,422 9450 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,423 9451 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,423 9451 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,423 9451 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,423 9451 [http-nio-10467-exec-4] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/user/home'
2016-10-20 15:45:38,424 9452 [http-nio-10467-exec-4] DEBUG o.s.s.w.h.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@5776b12c
2016-10-20 15:45:38,424 9452 [http-nio-10467-exec-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2016-10-20 15:45:38,424 9452 [http-nio-10467-exec-4] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
2016-10-20 15:45:38,424 9452 [http-nio-10467-exec-4] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2016-10-20 15:45:38,440 9468 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-10-20 15:45:38,440 9468 [http-nio-10467-exec-5] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No HttpSession currently exists
2016-10-20 15:45:38,440 9468 [http-nio-10467-exec-5] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 2 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login'; against '/logout'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /login' doesn't match 'POST /j_spring_security_check
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 6 of 12 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa93c2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffffe21a: RemoteIpAddress: 10.1.0.45; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-10-20 15:45:38,441 9469 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login'; against '/user**'
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login'; against '/admin**'
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Public object - authentication not attempted
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.s.security.web.FilterChainProxy - /login reached end of additional filter chain; proceeding with original chain
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,442 9470 [http-nio-10467-exec-5] DEBUG o.a.w.r.m.CompoundRequestMapper - One compatible mapper found for URL 'login' -> 'Mapper: org.apache.wicket.core.request.mapper.MountedMapper; Score: 2'
2016-10-20 15:45:38,443 9471 [http-nio-10467-exec-5] DEBUG o.a.w.p.h.servlet.ServletWebRequest - Calculating context relative path from: context path '/GAReporter-1.0', filterPrefix '', uri '/GAReporter-1.0/login'
2016-10-20 15:45:38,444 9472 [http-nio-10467-exec-5] DEBUG o.a.w.page.PageAccessSynchronizer - 'http-nio-10467-exec-5' attempting to acquire lock to page with id '0'
2016-10-20 15:45:38,444 9472 [http-nio-10467-exec-5] DEBUG o.a.w.page.PageAccessSynchronizer - http-nio-10467-exec-5 acquired lock to page 0
Answers
  • I was facing this problem. The thing was that in my case the cookie could only be sent over https.
  • The next case was when I tried to re-establish the user session after a system restart/redeploy. Tomcat serializes all active user sessions and writes down all their attributes, then deserializes them on system restart and compares the jsessionid with the one in the cookie, but I was missing the secureAuthId because Tomcat doesn't remember it.
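Both the question's UPDATE (a JSESSIONID issued with Path=/myapp is not returned on the forwarded domain's /user/home) and the answer's first point (a Secure cookie is not returned over plain http) come down to the RFC 6265 rules a browser applies before attaching a cookie. The following is an added example, not code from the question, the answer or the GAReporter project; the host test.com, the paths and the cookie values are constructed sample values.

```python
"""RFC 6265 cookie-return check for the JSESSIONID cases described on this page.

Added example, not code from the question, the answer or the GAReporter project.
Host names, paths and cookie values are constructed sample values.
"""
from urllib.parse import urlsplit


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4: cookie path used when Set-Cookie carries no Path attribute."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"                                       # "/login" -> "/"
    return request_path[: request_path.rfind("/")]      # "/myapp/login" -> "/myapp"


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: the three cases in which a cookie is in scope."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # a prefix only counts at a "/" boundary: "/myapp" scopes "/myapp/x", not "/myapplication"
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def parse_set_cookie(header: str, response_url: str) -> dict:
    """Extract name, value and the Path / Domain / Secure attributes of a Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    resp = urlsplit(response_url)
    cookie = {"name": name, "value": value, "path": None, "secure": False,
              "domain": resp.hostname, "host_only": True}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "domain" and val:
            cookie["domain"] = val.lstrip(".").lower()
            cookie["host_only"] = False
        elif key == "secure":
            cookie["secure"] = True
    if cookie["path"] is None:                          # no Path attribute: derive it
        cookie["path"] = default_path(resp.path or "/")
    return cookie


def cookie_sent_on(set_cookie: str, response_url: str, request_url: str) -> bool:
    """Would a browser that received set_cookie from response_url attach it to request_url?"""
    cookie = parse_set_cookie(set_cookie, response_url)
    req = urlsplit(request_url)
    host = req.hostname
    if cookie["host_only"]:
        host_ok = host == cookie["domain"]
    else:
        host_ok = host == cookie["domain"] or host.endswith("." + cookie["domain"])
    if not host_ok:
        return False
    if cookie["secure"] and req.scheme != "https":     # the answer's first point
        return False
    return path_matches(req.path or "/", cookie["path"])


SESSION = "JSESSIONID=0123456789ABCDEF0123456789ABCDEF"  # constructed sample id

# Question's UPDATE: the app answers from under /myapp, so Tomcat scopes the cookie to
# Path=/myapp, but the browser sits on the forwarded domain root and next requests /user/home.
FORWARDED_LOGIN = cookie_sent_on(SESSION + "; Path=/myapp; HttpOnly",
                                 "http://test.com/login", "http://test.com/user/home")  # False

# Same deployment once the session cookie is re-rooted at "/".
REROOTED_LOGIN = cookie_sent_on(SESSION + "; Path=/; HttpOnly",
                                "http://test.com/login", "http://test.com/user/home")  # True

# Without a Path attribute the default path is derived from the response URL instead.
DEFAULT_PATH_LOGIN = cookie_sent_on(SESSION + "; HttpOnly",
                                    "http://test.com/myapp/login", "http://test.com/user/home")  # False

# Answer's first point: a Secure cookie is never returned over plain http.
SECURE_OVER_HTTP = cookie_sent_on(SESSION + "; Path=/; Secure; HttpOnly",
                                  "https://test.com/login", "http://test.com/user/home")  # False
```

Re-rooting the session cookie as in REROOTED_LOGIN is what Tomcat's sessionCookiePath attribute on the <Context> element, or Apache httpd's ProxyPassReverseCookiePath directive, does for a deployment reached through a forward like the one in the question.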
