Spring Security Ajax login succeeds, authentication null in following requests
Posted: 2013-05-27 12:18:45
Question:
We have a very strange problem. We have a one-page ajax application (think gmail-like) that uses ajax authentication. Under normal circumstances it works fine. However, we have noticed that if you try to log in while other requests to the server are still open and running, the login attempt succeeds, but when you call the server again for something user-related, the authentication from the session object is null.
Like I said, it always happens when a connection is open and running before the login attempt. If the login is the only request happening, everything works as expected.
Here is the spring-security.xml:
```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"
       default-lazy-init="true">

    <context:component-scan base-package="com.myProject"/> <!-- need this? -->

    <security:global-method-security secured-annotations="enabled" />

    <security:http pattern="/css/**" security="none" />
    <security:http pattern="/js/**" security="none" />
    <security:http pattern="/tmpl/**" security="none" />

    <security:http pattern="/**" use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <security:custom-filter before="FORM_LOGIN_FILTER" ref="legacyAuthenticationProcessingFilter" />
        <security:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationProcessingFilter"/>
        <security:logout logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
        <security:custom-filter before="LOGOUT_FILTER" ref="legacyLogoutFilter" />
        <security:remember-me services-ref="#applicationProperties['security.rememberMeServices']" />
    </security:http>

    <security:authentication-manager alias="authenticationManager" erase-credentials="false">
        <security:authentication-provider ref="activeDirectoryAuthenticationProvider" />
        <security:authentication-provider ref="singleLogonAuthenticationProvider" />
        <security:authentication-provider ref="serviceAuthenticationProvider" />
        <security:authentication-provider ref="rememberMeAuthenticationProvider" />
    </security:authentication-manager>

    <!-- single logon remember me -->
    <bean id="singleLogonRememberMeServices" class="com.myProject.security.singlelogon.SingleLogonRememberMeServices"
          c:userDetailsService-ref="userDao" c:key="#applicationProperties['security.rememberMeServices.key']" p:parameter="rememberMe" />

    <!-- 'regular' remember me -->
    <bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices"
          c:userDetailsService-ref="userDao" c:key="#applicationProperties['security.rememberMeServices.key']" p:parameter="rememberMe" />

    <bean id="activeDirectoryAuthenticationProvider" class="com.myProject.security.activedirectory.ActiveDirectoryAuthenticationProvider" />
    <bean id="singleLogonAuthenticationProvider" class="com.myProject.security.singlelogon.SingleLogonAuthenticationProvider" />
    <bean id="serviceAuthenticationProvider" class="com.myProject.security.ServiceAuthenticationProvider" />
    <bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider"
          p:key="#applicationProperties['security.rememberMeServices.key']" />

    <!-- custom authentication processing filter that accepts json credentials -->
    <bean id="authenticationProcessingFilter" class="com.myProject.security.AuthenticationProcessingFilter">
        <constructor-arg value="/login" />
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="rememberMeServices" ref="#applicationProperties['security.rememberMeServices']" />
        <property name="authenticationSuccessHandler"><bean class="com.myProject.security.AuthenticationSuccessHandler" /></property>
        <property name="authenticationFailureHandler"><bean class="com.myProject.security.AuthenticationFailureHandler" /></property>
    </bean>

    <!-- dummy implementation supplied to satisfy spring-security -->
    <bean id="authenticationEntryPoint" class="com.myProject.security.AuthenticationEntryPoint" />

    <bean id="logoutSuccessHandler" class="com.myProject.security.LogoutSuccessHandler" />

    <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />

    <!-- used by AuthenticationSuccess/FailureHandlers -->
    <bean class="org.codehaus.jackson.map.ObjectMapper" />

    <bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
        <property name="maxUploadSize" value="100000000"/>
    </bean>

    <bean id="legacyAuthenticationProcessingFilter" class="com.myProject.security.LegacyAuthenticationProcessingFilter">
        <constructor-arg value="/j_security_check" />
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="authenticationSuccessHandler"><bean class="com.myProject.security.AuthenticationSuccessHandler" /></property>
        <property name="authenticationFailureHandler"><bean class="com.myProject.security.AuthenticationFailureHandler" /></property>
    </bean>

    <bean id="legacyLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <constructor-arg ref="logoutSuccessHandler" />
        <constructor-arg><bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" /></constructor-arg>
        <property name="filterProcessesUrl" value="/Logout.html"></property>
    </bean>

</beans>
```
Update
The log is attached below as another answer because it was too long to fit here. We call sleep at the start to mimic the behaviour of another ajax request being processed. By issuing this request before triggering the login, we can reproduce this login bug every time. Here is a quick summary of the application flow:
/sleep/15000
/blank - this is a POST request, specifically to trigger the browser to save the password, since it is an ajax request
/login - the actual login script
/isauthenticated - checks whether the user is actually logged in (application specific)
/account/summary - gets the user summary (application specific)
/currentuser - gets the current user (application specific)
/sleep/1500 will then finish and clear the session.
Comments on the question:
What version of Spring Security are you using? I wonder whether you are hitting jira.springsource.org/browse/SEC-1735. If you haven't already, try upgrading to the latest version. If that doesn't help, enable debug logging and post your logs.

We are currently on 3.1.1.RELEASE. Will try to get some logs, but it will have to wait until Monday.

Before trying to get logs, make sure you are using the latest version (3.1.4.RELEASE). Another bug that may be related to your problem has been fixed since then. If that doesn't help, please provide logs from the time the problem occurs, making sure the thread name is included in the log (this will help determine the cause).

Answer 1:
[application start]
[myapp] 04 Jun 2013 16:22:51,474 | INFO [main] SpringSecurityCoreVersion.<clinit>(33) | You are running with Spring Security Core 3.1.4.RELEASE
[myapp] 04 Jun 2013 16:22:51,478 | INFO [main] SecurityNamespaceHandler.<init>(59) | Spring Security 'config' module version is 3.1.4.RELEASE
[/sleep/15000] START
[myapp] 04 Jun 2013 16:27:00,767 | DEBUG [494291573@qtp-1995218271-0] AntPathRequestMatcher.matches(116) | Checking match of request : '/sleep/15000'; against '/css/**'
[myapp] 04 Jun 2013 16:27:00,780 | DEBUG [494291573@qtp-1995218271-0] AntPathRequestMatcher.matches(116) | Checking match of request : '/sleep/15000'; against '/js/**'
[myapp] 04 Jun 2013 16:27:00,781 | DEBUG [494291573@qtp-1995218271-0] AntPathRequestMatcher.matches(116) | Checking match of request : '/sleep/15000'; against '/tmpl/**'
[myapp] 04 Jun 2013 16:27:00,782 | DEBUG [494291573@qtp-1995218271-0] FilterChainProxy.doFilter(337) | /sleep/15000 at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[myapp] 04 Jun 2013 16:27:00,782 | DEBUG [494291573@qtp-1995218271-0] HttpSessionSecurityContextRepository.readSecurityContextFromSession(139) | HttpSession returned null object for SPRING_SECURITY_CONTEXT
[myapp] 04 Jun 2013 16:27:00,783 | DEBUG [494291573@qtp-1995218271-0] HttpSessionSecurityContextRepository.loadContext(85) | No SecurityContext was available from the HttpSession: org.mortbay.jetty.servlet.HashSessionManager$Session:1tqlu01iu4prct7j4tsirpkhx@863190940. A new one will be created.
[myapp] 04 Jun 2013 16:27:00,783 | DEBUG [494291573@qtp-1995218271-0] FilterChainProxy.doFilter(337) | /sleep/150000 at position 2 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
[myapp] 04 Jun 2013 16:27:00,783 | DEBUG [494291573@qtp-1995218271-0] FilterChainProxy.doFilter(337) | /sleep/15000 at position 3 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
[myapp] 04 Jun 2013 16:27:00,783 | DEBUG [494291573@qtp-1995218271-0] FilterChainProxy.doFilter(337) | /sleep/15000 at position 4 of 12 in additional filter chain; firing Filter: 'LegacyAuthenticationProcessingFilter'
[myapp] 04 Jun 2013 16:27:00,784 | DEBUG [494291573@qtp-1995218271-0] FilterChainProxy.doFilter(337) | /sleep/15000 at position 5 of 12 in additional filter chain; firing Filter: 'AuthenticationProcessingFilter'
[myapp] 04 Jun 2013 16:27:00,784 | DEBUG [494291573@qtp-1995218271-0] FilterChainProxy.doFilter(337) | /sleep/15000 at position 6 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[myapp] 04 Jun 2013 16:27:00,784 | DEBUG [494291573@qtp-1995218271-0] FilterChainProxy.doFilter(337) | /sleep/15000 at position 7 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[myapp] 04 Jun 2013 16:27:00,785 | DEBUG [494291573@qtp-1995218271-0] FilterChainProxy.doFilter(337) | /sleep/15000 at position 8 of 12 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
[myapp] 04 Jun 2013 16:27:00,785 | DEBUG [494291573@qtp-1995218271-0] FilterChainProxy.doFilter(337) | /sleep/15000 at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[myapp] 04 Jun 2013 16:27:00,786 | DEBUG [494291573@qtp-1995218271-0] AnonymousAuthenticationFilter.doFilter(102) | Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90545b24: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@12afc: RemoteIpAddress: 127.0.0.1; SessionId: 1tqlu01iu4prct7j4tsirpkhx; Granted Authorities: ROLE_ANONYMOUS'
[myapp] 04 Jun 2013 16:27:00,787 | DEBUG [494291573@qtp-1995218271-0] FilterChainProxy.doFilter(337) | /sleep/15000 at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
[myapp] 04 Jun 2013 16:27:00,787 | DEBUG [494291573@qtp-1995218271-0] FilterChainProxy.doFilter(337) | /sleep/15000 at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[myapp] 04 Jun 2013 16:27:00,787 | DEBUG [494291573@qtp-1995218271-0] FilterChainProxy.doFilter(337) | /sleep/15000 at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[myapp] 04 Jun 2013 16:27:00,788 | DEBUG [494291573@qtp-1995218271-0] FilterSecurityInterceptor.beforeInvocation(185) | Public object - authentication not attempted
[myapp] 04 Jun 2013 16:27:00,788 | DEBUG [494291573@qtp-1995218271-0] FilterChainProxy.doFilter(323) | /sleep/15000 reached end of additional filter chain; proceeding with original chain
[/BLANK] START
[myApp] 04 Jun 2013 16:27:05,937 | DEBUG [319749910@qtp-1995218271-4] AntPathRequestMatcher.matches(116) | Checking match of request : '/blank'; against '/css/**'
[myApp] 04 Jun 2013 16:27:05,937 | DEBUG [319749910@qtp-1995218271-4] AntPathRequestMatcher.matches(116) | Checking match of request : '/blank'; against '/js/**'
[myApp] 04 Jun 2013 16:27:05,938 | DEBUG [319749910@qtp-1995218271-4] AntPathRequestMatcher.matches(116) | Checking match of request : '/blank'; against '/tmpl/**'
[myApp] 04 Jun 2013 16:27:05,938 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /blank at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[myApp] 04 Jun 2013 16:27:05,939 | DEBUG [319749910@qtp-1995218271-4] HttpSessionSecurityContextRepository.readSecurityContextFromSession(139) | HttpSession returned null object for SPRING_SECURITY_CONTEXT
[myApp] 04 Jun 2013 16:27:05,940 | DEBUG [319749910@qtp-1995218271-4] HttpSessionSecurityContextRepository.loadContext(85) | No SecurityContext was available from the HttpSession: org.mortbay.jetty.servlet.HashSessionManager$Session:1tqlu01iu4prct7j4tsirpkhx@863190940. A new one will be created.
[myApp] 04 Jun 2013 16:27:05,941 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /blank at position 2 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
[myApp] 04 Jun 2013 16:27:05,942 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /blank at position 3 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
[myApp] 04 Jun 2013 16:27:05,943 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /blank at position 4 of 12 in additional filter chain; firing Filter: 'LegacyAuthenticationProcessingFilter'
[myApp] 04 Jun 2013 16:27:05,944 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /blank at position 5 of 12 in additional filter chain; firing Filter: 'AuthenticationProcessingFilter'
[myApp] 04 Jun 2013 16:27:05,945 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /blank at position 6 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[myApp] 04 Jun 2013 16:27:05,945 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /blank at position 7 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[myApp] 04 Jun 2013 16:27:05,945 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /blank at position 8 of 12 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
[myApp] 04 Jun 2013 16:27:05,946 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /blank at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[myApp] 04 Jun 2013 16:27:05,946 | DEBUG [319749910@qtp-1995218271-4] AnonymousAuthenticationFilter.doFilter(102) | Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90545b24: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@12afc: RemoteIpAddress: 127.0.0.1; SessionId: 1tqlu01iu4prct7j4tsirpkhx; Granted Authorities: ROLE_ANONYMOUS'
[myApp] 04 Jun 2013 16:27:05,947 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /blank at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
[myApp] 04 Jun 2013 16:27:05,947 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /blank at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[myApp] 04 Jun 2013 16:27:05,947 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /blank at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[myApp] 04 Jun 2013 16:27:05,948 | DEBUG [319749910@qtp-1995218271-4] FilterSecurityInterceptor.beforeInvocation(185) | Public object - authentication not attempted
[myApp] 04 Jun 2013 16:27:05,948 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(323) | /blank reached end of additional filter chain; proceeding with original chain
[myApp] 04 Jun 2013 16:27:06,160 | DEBUG [319749910@qtp-1995218271-4] HttpSessionSecurityContextRepository.saveContext(269) | SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
[myApp] 04 Jun 2013 16:27:06,162 | DEBUG [319749910@qtp-1995218271-4] ExceptionTranslationFilter.doFilter(115) | Chain processed normally
[myApp] 04 Jun 2013 16:27:06,162 | DEBUG [319749910@qtp-1995218271-4] SecurityContextPersistenceFilter.doFilter(97) | SecurityContextHolder now cleared, as request processing completed
[/LOGIN] START
[myApp] 04 Jun 2013 16:27:06,195 | DEBUG [319749910@qtp-1995218271-4] AntPathRequestMatcher.matches(116) | Checking match of request : '/login'; against '/css/**'
[myApp] 04 Jun 2013 16:27:06,196 | DEBUG [319749910@qtp-1995218271-4] AntPathRequestMatcher.matches(116) | Checking match of request : '/login'; against '/js/**'
[myApp] 04 Jun 2013 16:27:06,197 | DEBUG [319749910@qtp-1995218271-4] AntPathRequestMatcher.matches(116) | Checking match of request : '/login'; against '/tmpl/**'
[myApp] 04 Jun 2013 16:27:06,198 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /login?_=1370377626193 at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[myApp] 04 Jun 2013 16:27:06,271 | DEBUG [319749910@qtp-1995218271-4] HttpSessionSecurityContextRepository.readSecurityContextFromSession(139) | HttpSession returned null object for SPRING_SECURITY_CONTEXT
[myApp] 04 Jun 2013 16:27:06,272 | DEBUG [319749910@qtp-1995218271-4] HttpSessionSecurityContextRepository.loadContext(85) | No SecurityContext was available from the HttpSession: org.mortbay.jetty.servlet.HashSessionManager$Session:1tqlu01iu4prct7j4tsirpkhx@863190940. A new one will be created.
[myApp] 04 Jun 2013 16:27:06,272 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /login?_=1370377626193 at position 2 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
[myApp] 04 Jun 2013 16:27:06,272 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /login?_=1370377626193 at position 3 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
[myApp] 04 Jun 2013 16:27:06,273 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /login?_=1370377626193 at position 4 of 12 in additional filter chain; firing Filter: 'LegacyAuthenticationProcessingFilter'
[myApp] 04 Jun 2013 16:27:06,273 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /login?_=1370377626193 at position 5 of 12 in additional filter chain; firing Filter: 'AuthenticationProcessingFilter'
[myApp] 04 Jun 2013 16:27:06,293 | DEBUG [319749910@qtp-1995218271-4] ProviderManager.authenticate(152) | Authentication attempt using com.myproject.security.activedirectory.ActiveDirectoryAuthenticationProvider
[myApp] 04 Jun 2013 16:27:06,323 | DEBUG [319749910@qtp-1995218271-4] DefaultSpringSecurityContextSource.setupEnvironment(76) | Removing pooling flag for user admin@myproject.com
[myApp] 04 Jun 2013 16:27:06,500 | DEBUG [319749910@qtp-1995218271-4] ProviderManager.authenticate(152) | Authentication attempt using com.sun.proxy.$Proxy194
[myApp] 04 Jun 2013 16:27:06,503 | DEBUG [319749910@qtp-1995218271-4] ProviderManager.authenticate(152) | Authentication attempt using com.sun.proxy.$Proxy194
[myApp] 04 Jun 2013 16:27:11,513 | DEBUG [319749910@qtp-1995218271-4] TokenBasedRememberMeServices.rememberMeRequested(296) | Did not send remember-me cookie (principal did not set parameter 'rememberMe')
[myApp] 04 Jun 2013 16:27:11,514 | DEBUG [319749910@qtp-1995218271-4] TokenBasedRememberMeServices.loginSuccess(254) | Remember-me login not requested.
[myApp] 04 Jun 2013 16:27:11,531 | DEBUG [319749910@qtp-1995218271-4] HttpSessionSecurityContextRepository.saveContext(292) | SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@509b64dc: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@509b64dc: Principal: User[username=admin,enabled=true,accountExpired=false,credentialsExpired=false,accountLocked=false,Granted Authorities: Role(name=ROLE_ADMIN), Role(name=ROLE_USER)]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@12afc: RemoteIpAddress: 127.0.0.1; SessionId: 1tqlu01iu4prct7j4tsirpkhx; Granted Authorities: Role(name=ROLE_ADMIN), Role(name=ROLE_USER)'
[myApp] 04 Jun 2013 16:27:11,532 | DEBUG [319749910@qtp-1995218271-4] SecurityContextPersistenceFilter.doFilter(97) | SecurityContextHolder now cleared, as request processing completed
[/isauthenticated] START
[myApp] 04 Jun 2013 16:27:11,539 | DEBUG [319749910@qtp-1995218271-4] AntPathRequestMatcher.matches(116) | Checking match of request : '/isauthenticated'; against '/css/**'
[myApp] 04 Jun 2013 16:27:11,540 | DEBUG [319749910@qtp-1995218271-4] AntPathRequestMatcher.matches(116) | Checking match of request : '/isauthenticated'; against '/js/**'
[myApp] 04 Jun 2013 16:27:11,540 | DEBUG [319749910@qtp-1995218271-4] AntPathRequestMatcher.matches(116) | Checking match of request : '/isauthenticated'; against '/tmpl/**'
[myApp] 04 Jun 2013 16:27:11,540 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /isAuthenticated?_=1370377631538 at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[myApp] 04 Jun 2013 16:27:11,541 | DEBUG [319749910@qtp-1995218271-4] HttpSessionSecurityContextRepository.readSecurityContextFromSession(158) | Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@509b64dc: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@509b64dc: Principal: User[username=admin,enabled=true,accountExpired=false,credentialsExpired=false,accountLocked=false,Granted Authorities: Role(name=ROLE_ADMIN), Role(name=ROLE_USER)]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@12afc: RemoteIpAddress: 127.0.0.1; SessionId: 1tqlu01iu4prct7j4tsirpkhx; Granted Authorities: Role(name=ROLE_ADMIN), Role(name=ROLE_USER)'
[myApp] 04 Jun 2013 16:27:11,541 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /isAuthenticated?_=1370377631538 at position 2 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
[myApp] 04 Jun 2013 16:27:11,542 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /isAuthenticated?_=1370377631538 at position 3 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
[myApp] 04 Jun 2013 16:27:11,542 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /isAuthenticated?_=1370377631538 at position 4 of 12 in additional filter chain; firing Filter: 'LegacyAuthenticationProcessingFilter'
[myApp] 04 Jun 2013 16:27:11,542 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /isAuthenticated?_=1370377631538 at position 5 of 12 in additional filter chain; firing Filter: 'AuthenticationProcessingFilter'
[myApp] 04 Jun 2013 16:27:11,542 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /isAuthenticated?_=1370377631538 at position 6 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[myApp] 04 Jun 2013 16:27:11,543 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /isAuthenticated?_=1370377631538 at position 7 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[myApp] 04 Jun 2013 16:27:11,543 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /isAuthenticated?_=1370377631538 at position 8 of 12 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
[myApp] 04 Jun 2013 16:27:11,543 | DEBUG [319749910@qtp-1995218271-4] RememberMeAuthenticationFilter.doFilter(142) | SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@509b64dc: Principal: User[username=admin,enabled=true,accountExpired=false,credentialsExpired=false,accountLocked=false,Granted Authorities: Role(name=ROLE_ADMIN), Role(name=ROLE_USER)]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@12afc: RemoteIpAddress: 127.0.0.1; SessionId: 1tqlu01iu4prct7j4tsirpkhx; Granted Authorities: Role(name=ROLE_ADMIN), Role(name=ROLE_USER)'
[myApp] 04 Jun 2013 16:27:11,544 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /isAuthenticated?_=1370377631538 at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[myApp] 04 Jun 2013 16:27:11,544 | DEBUG [319749910@qtp-1995218271-4] AnonymousAuthenticationFilter.doFilter(107) | SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@509b64dc: Principal: User[username=admin,enabled=true,accountExpired=false,credentialsExpired=false,accountLocked=false,Granted Authorities: Role(name=ROLE_ADMIN), Role(name=ROLE_USER)]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@12afc: RemoteIpAddress: 127.0.0.1; SessionId: 1tqlu01iu4prct7j4tsirpkhx; Granted Authorities: Role(name=ROLE_ADMIN), Role(name=ROLE_USER)'
[myApp] 04 Jun 2013 16:27:11,545 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /isAuthenticated?_=1370377631538 at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
[myApp] 04 Jun 2013 16:27:11,545 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /isAuthenticated?_=1370377631538 at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[myApp] 04 Jun 2013 16:27:11,545 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /isAuthenticated?_=1370377631538 at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[myApp] 04 Jun 2013 16:27:11,546 | DEBUG [319749910@qtp-1995218271-4] FilterSecurityInterceptor.beforeInvocation(185) | Public object - authentication not attempted
[myApp] 04 Jun 2013 16:27:11,546 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(323) | /isAuthenticated?_=1370377631538 reached end of additional filter chain; proceeding with original chain
[myApp] 04 Jun 2013 16:27:11,573 | DEBUG [319749910@qtp-1995218271-4] ExceptionTranslationFilter.doFilter(115) | Chain processed normally
[myApp] 04 Jun 2013 16:27:11,574 | DEBUG [319749910@qtp-1995218271-4] SecurityContextPersistenceFilter.doFilter(97) | SecurityContextHolder now cleared, as request processing completed
[/account/summary] START
[removing this to save space, its redundant ]
[/currentuser] START
[myApp] 04 Jun 2013 16:27:11,949 | DEBUG [319749910@qtp-1995218271-4] AntPathRequestMatcher.matches(116) | Checking match of request : '/currentuser'; against '/css/**'
[myApp] 04 Jun 2013 16:27:11,950 | DEBUG [319749910@qtp-1995218271-4] AntPathRequestMatcher.matches(116) | Checking match of request : '/currentuser'; against '/js/**'
[myApp] 04 Jun 2013 16:27:11,950 | DEBUG [319749910@qtp-1995218271-4] AntPathRequestMatcher.matches(116) | Checking match of request : '/currentuser'; against '/tmpl/**'
[myApp] 04 Jun 2013 16:27:11,950 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /currentUser?_=1370377631948 at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[myApp] 04 Jun 2013 16:27:11,950 | DEBUG [319749910@qtp-1995218271-4] HttpSessionSecurityContextRepository.readSecurityContextFromSession(158) | Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@509b64dc: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@509b64dc: Principal: User[username=admin,enabled=true,accountExpired=false,credentialsExpired=false,accountLocked=false,Granted Authorities: Role(name=ROLE_ADMIN), Role(name=ROLE_USER)]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@12afc: RemoteIpAddress: 127.0.0.1; SessionId: 1tqlu01iu4prct7j4tsirpkhx; Granted Authorities: Role(name=ROLE_ADMIN), Role(name=ROLE_USER)'
[myApp] 04 Jun 2013 16:27:11,951 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /currentUser?_=1370377631948 at position 2 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
[myApp] 04 Jun 2013 16:27:11,951 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /currentUser?_=1370377631948 at position 3 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
[myApp] 04 Jun 2013 16:27:11,951 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /currentUser?_=1370377631948 at position 4 of 12 in additional filter chain; firing Filter: 'LegacyAuthenticationProcessingFilter'
[myApp] 04 Jun 2013 16:27:11,951 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /currentUser?_=1370377631948 at position 5 of 12 in additional filter chain; firing Filter: 'AuthenticationProcessingFilter'
[myApp] 04 Jun 2013 16:27:11,952 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /currentUser?_=1370377631948 at position 6 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[myApp] 04 Jun 2013 16:27:11,952 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /currentUser?_=1370377631948 at position 7 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[myApp] 04 Jun 2013 16:27:11,952 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /currentUser?_=1370377631948 at position 8 of 12 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
[myApp] 04 Jun 2013 16:27:11,953 | DEBUG [319749910@qtp-1995218271-4] RememberMeAuthenticationFilter.doFilter(142) | SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@509b64dc: Principal: User[username=admin,enabled=true,accountExpired=false,credentialsExpired=false,accountLocked=false,Granted Authorities: Role(name=ROLE_ADMIN), Role(name=ROLE_USER)]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@12afc: RemoteIpAddress: 127.0.0.1; SessionId: 1tqlu01iu4prct7j4tsirpkhx; Granted Authorities: Role(name=ROLE_ADMIN), Role(name=ROLE_USER)'
[myApp] 04 Jun 2013 16:27:11,953 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /currentUser?_=1370377631948 at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[myApp] 04 Jun 2013 16:27:11,953 | DEBUG [319749910@qtp-1995218271-4] AnonymousAuthenticationFilter.doFilter(107) | SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@509b64dc: Principal: User[username=admin,enabled=true,accountExpired=false,credentialsExpired=false,accountLocked=false,Granted Authorities: Role(name=ROLE_ADMIN), Role(name=ROLE_USER)]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@12afc: RemoteIpAddress: 127.0.0.1; SessionId: 1tqlu01iu4prct7j4tsirpkhx; Granted Authorities: Role(name=ROLE_CONFIG_ADMIN_ADMIN), Role(name=ROLE_USER)'
[myApp] 04 Jun 2013 16:27:11,954 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /currentUser?_=1370377631948 at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
[myApp] 04 Jun 2013 16:27:11,954 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /currentUser?_=1370377631948 at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[myApp] 04 Jun 2013 16:27:11,954 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /currentUser?_=1370377631948 at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[myApp] 04 Jun 2013 16:27:11,954 | DEBUG [319749910@qtp-1995218271-4] FilterSecurityInterceptor.beforeInvocation(185) | Public object - authentication not attempted
[myApp] 04 Jun 2013 16:27:11,955 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(323) | /currentUser?_=1370377631948 reached end of additional filter chain; proceeding with original chain
[myApp] 04 Jun 2013 16:27:12,016 | DEBUG [319749910@qtp-1995218271-4] ExceptionTranslationFilter.doFilter(115) | Chain processed normally
[myApp] 04 Jun 2013 16:27:12,018 | DEBUG [319749910@qtp-1995218271-4] SecurityContextPersistenceFilter.doFilter(97) | SecurityContextHolder now cleared, as request processing completed
[myApp] 04 Jun 2013 16:27:15,822 | DEBUG [494291573@qtp-1995218271-0] HttpSessionSecurityContextRepository.saveContext(269) | SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
[myApp] 04 Jun 2013 16:27:15,823 | DEBUG [494291573@qtp-1995218271-0] HttpSessionSecurityContextRepository.saveContext(269) | SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
[myApp] 04 Jun 2013 16:27:15,824 | DEBUG [494291573@qtp-1995218271-0] ExceptionTranslationFilter.doFilter(115) | Chain processed normally
[myApp] 04 Jun 2013 16:27:15,825 | DEBUG [494291573@qtp-1995218271-0] SecurityContextPersistenceFilter.doFilter(97) | SecurityContextHolder now cleared, as request processing completed
Comments on the answer:
Do these logs illustrate the current problem? I ask because the only thread that appears as anonymous is the continuation of a thread that was started before the login attempt. Your description seemed to imply that the user's other calls were also being treated as anonymous.

You will notice that the session is only cleared if the original context was not anonymous: github.com/SpringSource/spring-security/blob/master/web/src/…

That is our problem. In the normal flow of our application we can have some long-running requests, and the user can take an action that prompts them to log in while the original request is still in progress. What happens is that the long-running request completes and then the logged-in user's session is removed.

The logs do not seem to show the session being blown away, because the only anonymous authentication that occurs after the login is on the thread that was started before the login. If this were a problem, you would see a request that started after the login request completed claiming to be anonymous. Could you explain why you think the logs show the session being blown away, or could you update the logs to demonstrate the problem?

I also know that the logs state you are using 3.1.4.RELEASE, but that only checks the spring-security-config jar. Please make sure all of the Spring Security jars are 3.1.4.RELEASE. Also, if you have a project that can demonstrate the problem, please file a JIRA at jira.springsource.org/browse/SEC and attach the project.
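The check the last comments describe (did any request that started after the login completed get saved as anonymous, or did only a pre-login request finish late?) can be run mechanically over the DEBUG log above. This is an added example, not code from the question or from Spring Security; the sample lines are constructed from the log format on this page, and the second sample appends a constructed post-login anonymous save to show what the reported failure would look like in the log.

```python
import re
from datetime import datetime

# One Spring Security DEBUG line as laid out on this page:
# [app] <timestamp> | <level> [<thread>] <Class.method(line)> | <message>
LINE_RE = re.compile(
    r"^\[\w+\] (?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3}) \| "
    r"(?P<level>\w+) +\[(?P<thread>[^\]]+)\] (?P<src>\S+) \| (?P<msg>.*)$"
)
# SecurityContextPersistenceFilter sits at position 1, so this message marks a request start.
START_RE = re.compile(r"^(?P<path>\S+) at position 1 of \d+ in additional filter chain")
MSG_LOGIN_STORED = "SecurityContext stored to HttpSession"
MSG_ANON_SAVE = "SecurityContext is empty or contents are anonymous"
MSG_CLEARED = "SecurityContextHolder now cleared"


def parse_ts(text):
    return datetime.strptime(text, "%d %b %Y %H:%M:%S,%f")


def classify(req, login_done):
    """Verdict for one finished request, given when (if at all) a login was stored."""
    if not req["anon_save"]:
        return "ok"
    if login_done is None:
        return "anonymous_before_login"      # nothing authenticated yet, nothing to lose
    if req["start"] > login_done:
        return "lost_authentication"         # the failure the question reports
    return "pre_login_continuation"          # started anonymous, merely finished late


def triage(log_text):
    """Return (thread, path, verdict) for every request that completed in the log."""
    login_done = None
    in_flight = {}      # thread name -> request currently executing on that thread
    verdicts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue    # section markers such as '[/LOGIN] START' carry no timestamp
        ts, thread, msg = parse_ts(m["ts"]), m["thread"], m["msg"]
        start = START_RE.match(msg)
        if start:
            in_flight[thread] = {"path": start["path"], "start": ts, "anon_save": False}
        elif MSG_LOGIN_STORED in msg:
            login_done = ts
        elif MSG_ANON_SAVE in msg and thread in in_flight:
            in_flight[thread]["anon_save"] = True
        elif MSG_CLEARED in msg and thread in in_flight:
            req = in_flight.pop(thread)
            verdicts.append((thread, req["path"], classify(req, login_done)))
    return verdicts


# Constructed sample: the essential lines of the log posted above (thread -0 is the
# long-running /sleep request, thread -4 handles /blank, /login and /isAuthenticated).
SAMPLE_LOG = """\
[myapp] 04 Jun 2013 16:27:00,782 | DEBUG [494291573@qtp-1995218271-0] FilterChainProxy.doFilter(337) | /sleep/15000 at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[/BLANK] START
[myApp] 04 Jun 2013 16:27:05,938 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /blank at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[myApp] 04 Jun 2013 16:27:06,160 | DEBUG [319749910@qtp-1995218271-4] HttpSessionSecurityContextRepository.saveContext(269) | SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
[myApp] 04 Jun 2013 16:27:06,162 | DEBUG [319749910@qtp-1995218271-4] SecurityContextPersistenceFilter.doFilter(97) | SecurityContextHolder now cleared, as request processing completed
[myApp] 04 Jun 2013 16:27:06,198 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /login?_=1370377626193 at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[myApp] 04 Jun 2013 16:27:11,531 | DEBUG [319749910@qtp-1995218271-4] HttpSessionSecurityContextRepository.saveContext(292) | SecurityContext stored to HttpSession: '...'
[myApp] 04 Jun 2013 16:27:11,532 | DEBUG [319749910@qtp-1995218271-4] SecurityContextPersistenceFilter.doFilter(97) | SecurityContextHolder now cleared, as request processing completed
[myApp] 04 Jun 2013 16:27:11,540 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /isAuthenticated?_=1370377631538 at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[myApp] 04 Jun 2013 16:27:11,574 | DEBUG [319749910@qtp-1995218271-4] SecurityContextPersistenceFilter.doFilter(97) | SecurityContextHolder now cleared, as request processing completed
[myApp] 04 Jun 2013 16:27:15,822 | DEBUG [494291573@qtp-1995218271-0] HttpSessionSecurityContextRepository.saveContext(269) | SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
[myApp] 04 Jun 2013 16:27:15,825 | DEBUG [494291573@qtp-1995218271-0] SecurityContextPersistenceFilter.doFilter(97) | SecurityContextHolder now cleared, as request processing completed
"""

# Constructed failure case: a request that STARTS after the login was stored and is
# nevertheless saved as anonymous. This is what the comments say would prove the bug.
LOST_LOG = SAMPLE_LOG + """\
[myApp] 04 Jun 2013 16:27:20,000 | DEBUG [319749910@qtp-1995218271-4] FilterChainProxy.doFilter(337) | /currentUser?_=1 at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[myApp] 04 Jun 2013 16:27:20,050 | DEBUG [319749910@qtp-1995218271-4] HttpSessionSecurityContextRepository.saveContext(269) | SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
[myApp] 04 Jun 2013 16:27:20,051 | DEBUG [319749910@qtp-1995218271-4] SecurityContextPersistenceFilter.doFilter(97) | SecurityContextHolder now cleared, as request processing completed
"""

if __name__ == "__main__":
    for sample_name, text in (("posted log", SAMPLE_LOG), ("constructed failure", LOST_LOG)):
        print(sample_name)
        for thread, path, verdict in triage(text):
            print(f"  {thread:<28} {path:<36} {verdict}")
```

On the posted log the only anonymous save belongs to /sleep/15000, which started before the login, so the verdict is pre_login_continuation and nothing is reported as lost_authentication.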