java - Spring Session, Spring Security 如何在无权限拦截的url不自动创建session?
本文介绍了java - Spring Session, Spring Security 如何在无权限拦截的url不自动创建session?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
问 题
我做了一个API服务器提供给手机端调用,用Spring Session连接Redis来做多台tomcat的session共享,用security来做API的权限拦截,并且使用了x-auth-token也就是header的token验证。现在遇到一个问题,有一些API是无权限验证的,但访问这些API时,spring会为每次request都创建session,返回一个新的x-auth-token,这样可能会导致session过多,请问如何配置才能让这种情况无需创建session呢?已经配置create-session="never",但不管用。以下是security配置
<http realm="Protected API" use-expressions="true" auto-config="false"
create-session="never" entry-point-ref="customAuthenticationEntryPoint">
<intercept-url pattern="/auth/login/phone" access="permitAll()" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<access-denied-handler ref="customAccessDeniedHandler" />
</http>spring session
<!-- 在HTTP的header中使用x-auth-token:來實現session -->
<bean class="org.springframework.session.web.http.HeaderHttpSessionStrategy" />
<!-- This is essential to make sure that the Spring Security session registry
is notified when the session is destroyed. -->
<bean
class="org.springframework.security.web.session.HttpSessionEventPublisher" />
<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration" scope="singleton">
<!-- session为60分钟过期 -->
<property name="maxInactiveIntervalInSeconds" value="${session.maxInactiveIntervalInSeconds}"></property>
</bean>
...
省略redis pool配置解决方案
找到原因了,首先打开log的trace,然后trace org.springframework,这个时候可以看到每次创建新session时都会有日志,spring会打印session的创建栈
java.lang.RuntimeException: For debugging purposes only (not an error)
at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:368)
at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:390)
at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:217)
at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:238)
at xxx.xxxxxxxx.LogFilter.doFilterInternal(LogFilter.java:52)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:167)
at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:80)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)其中可以找到xxx.xxxx这行,LogFilter第52行查看代码发现调用了req.getSession(),虽然create-session配置了never,但若有代码调用req.getSession(),spring仍然会创建一个全新的session。尽量不要在filter等全局拦截器里调用req.getSession(),否则会随时创建一个新的session
这篇关于java - Spring Session, Spring Security 如何在无权限拦截的url不自动创建session?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
