Does spring-security filter get session information from redis?
php editor Zimo is here to answer the question about whether the Spring Security filter obtains session information from Redis. Spring Security is a powerful security framework that provides a complete set of authentication and authorization mechanisms. By default, Spring Security uses HttpSession to manage user session information. However, with configuration, we can store session information in external storage such as Redis. The advantage of this is that it can realize distributed session management and improve the scalability of the system. Therefore, Spring Security filters can obtain session information from Redis.
Question content
I am trying to use spring-boot, spring-security and spring-session to implement the login system, and use redis as the storage of the session.
My configuration:
@enablewebsecurity
@enablemethodsecurity
@configuration
@requiredargsconstructor
public class securityconfig {
private final userdetailsservice detailsservice;
@bean
public passwordencoder passwordencoder() {
return new bcryptpasswordencoder();
}
@bean
public authenticationprovider authenticationprovider(passwordencoder passwordencoder) {
daoauthenticationprovider provider = new daoauthenticationprovider();
provider.setpasswordencoder(passwordencoder);
provider.setuserdetailsservice(this.detailsservice);
return provider;
}
@bean
public authenticationmanager authenticationmanager(authenticationprovider authenticationprovider) {
return new providermanager(authenticationprovider);
}
@bean
public securityfilterchain filterchain(httpsecurity http) throws exception {
return http
.csrf().disable()
.cors(customizer.withdefaults())
.authorizehttprequests(auth -> {
auth.requestmatchers("/api/v1/auth/register/**", "/api/v1/auth/login").permitall();
auth.anyrequest().authenticated();
})
.sessionmanagement(sessionmanagement -> sessionmanagement
.sessioncreationpolicy(if_required) //
.sessionfixation(sessionmanagementconfigurer.sessionfixationconfigurer::newsession) //
.maximumsessions(100000) //
//.sessionregistry(sessionregistry())
)
//.exceptionhandling((ex) -> ex.authenticationentrypoint(this.authentrypoint))
.logout(out -> out
.logouturl("/api/v1/auth/logout")
.invalidatehttpsession(true) // invalidate all sessions after logout
.deletecookies("jsessionid")
.logoutsuccesshandler((request, response, authentication) ->
securitycontextholder.clearcontext()
)
)
.build();
}
@bean
public securitycontextrepository securitycontextrepository() {
return new httpsessionsecuritycontextrepository();
}
}My login controller:
@postmapping("/login")
public void login(@requestbody loginform form, httpservletrequest request, httpservletresponse response) {
string ip = httprequestutil.getip(request);
string device = httprequestutil.getdevice(request);
loginformwrapper loginformwrapper = new loginformwrapper(form.email(), form.password(), ip, device);
authenticationservice.login(loginformwrapper, request, response);
}and authentication service:
@override
public void login(loginformwrapper form, httpservletrequest request, httpservletresponse response) {
authentication authentication = authenticationmanager.authenticate(usernamepasswordauthenticationtoken.unauthenticated(
form.email().trim(), form.password()));
// create a new context
securitycontext context = securitycontextholder.createemptycontext();
context.setauthentication(authentication);
// update securitycontextholder and strategy
this.securitycontextholderstrategy.setcontext(context);
this.securitycontextrepository.savecontext(context, request, response);
}If I understand correctly
this.securitycontextholderstrategy.setcontext(context); Authentication should be kept in the application's memory, e.g. in a threadlocal context
and
`this.securitycontextrepository.savecontext(context, request, response);`
Session information should be saved to redis.
Now when I log in I see the data has been saved to redis:
However, when inspecting what is returned by my login request, I see:
Completely different session id.
My first question is: Why don't these ids match? How does spring know which key to look for?
Another question is: what filter to get data from redis? I try to debug all filters in the filter chain:
[org.springframework.security.web.session.DisableEncodeUrlFilter@2fedae96, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@4945cd1f, org.springframework.security.web.context.SecurityContextHolderFilter@72499396, org.springframework.security.web.header.HeaderWriterFilter@7048d039, org.springframework.web.filter.CorsFilter@2dbfcbe4, org.springframework.security.web.authentication.logout.LogoutFilter@5d5a77de, org.springframework.security.web.session.ConcurrentSessionFilter@1f8e1096, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@651bec9a, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@76d4e1af, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@6f13ed1, org.springframework.security.web.session.SessionManagementFilter@642693c2, org.springframework.security.web.access.ExceptionTranslationFilter@2199e1a4, org.springframework.security.web.access.intercept.AuthorizationFilter@48c584c]
But it seems to read the session information from the httpserletrequest somehow - however, if I remove the key from redis, the authentication fails for the endpoint that requires it.
Did I miss something? Do I retrieve the session information from redis and store it in httpservlerrequest before my fitler starts? Or how does it read redis data?
thanks for your help.
Solution
The value in the session cookie is base64 encoded:
echo '3c048eae-9f73-4df5-a009-bdf802ae37ca' | openssl base64 m2mwndhlywutowy3my00zgy1lwewmdktymrmodayywuzn2nhcg==
echo 'M2MwNDhlYWUtOWY3My00ZGY1LWEwMDktYmRmODAyYWUzN2NhCg==' | openssl base64 -d 3c048eae-9f73-4df5-a009-bdf802ae37ca
So when base64 decoded, the session id of the cookie matches the session id stored in redis.
If you haven't read it yet, I would recommend this document: https://www.php.cn/link/e27c71957d1e6c223e0d48a165da2ee1
Especially the "Understanding Components of Session Management" section: https://www.php.cn/link/e27c71957d1e6c223e0d48a165da2ee1#understanding-session-management-components
You didn't mention which version of spring security you are using, but I'm guessing you are using spring security 6. In this section, there is such a sentence related to sessionauthentication:
The above is the detailed content of Does spring-security filter get session information from redis?. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
Spring Security 6: cors() is deprecated and marked for removal
Feb 10, 2024 pm 11:45 PM
I have the following code: publicSecurityFilterChainsecurityFilterChain(HttpSecurityhttp)throwsException{returnhttp.httpBasic().disable().cors().and().csrf().disable().authorizeHttpRequests().requestMatchers("
How to develop a Spring Security SAML-based single sign-on system using Java
Sep 22, 2023 am 08:49 AM
How to use Java to develop a single sign-on system based on SpringSecuritySAML Introduction: With the rapid development of the Internet, more and more applications are developed. In these applications, user login is one of the most common features. However, for enterprise-level applications, users need to log in in multiple systems, which will lead to a very poor user login experience. In order to solve this problem, the single sign-on system (SingleSign-On, referred to as SSO) came into being. simple
GO authenticate access token (keycloak)
Feb 09, 2024 am 09:30 AM
I'm trying to implement access token validation using GO. But the examples I've seen online seem to just use TOKEN_SECRET to verify it. But I'm used to programming in Javaspring and don't need to use TOKEN_SECRET. I just provide the jwk-set-uri and it checks for validity (auto-security filters etc.) and I know it talks to the oauth server and does this validation. Is there no library in Go to check if the token is valid by making a request to the oauth server? I know I know I can do this manually by making a request to the oauth server's userinfo endpoint: http://localh
Spring Security permission control framework usage guide
Feb 18, 2024 pm 05:00 PM
In back-end management systems, access permission control is usually required to limit different users' ability to access interfaces. If a user lacks specific permissions, he or she cannot access certain interfaces. This article will use the waynboot-mall project as an example to introduce how common back-end management systems introduce the permission control framework SpringSecurity. The outline is as follows: waynboot-mall project address: https://github.com/wayn111/waynboot-mall 1. What is SpringSecurity? SpringSecurity is an open source project based on the Spring framework, aiming to provide powerful and flexible security for Java applications.
How to use Java to develop a single sign-on system based on Spring Security OAuth2
Sep 20, 2023 pm 01:06 PM
How to use Java to develop a single sign-on system based on SpringSecurityOAuth2 Introduction: With the rapid development of the Internet, more and more websites and applications require users to log in, but users do not want to remember for each website or application. An account number and password. The single sign-on system (SingleSign-On, referred to as SSO) can solve this problem, allowing users to access multiple websites and applications without repeated authentication after logging in once. This article will introduce
Spring Security gets user information for authenticated and unauthenticated users in remaining services
Feb 08, 2024 pm 11:00 PM
I have a springrest service and I want to use it for both authenticated and unauthenticated users. If the user is authenticated, I want to get the user information from securitycontextholder.getcontext().getauthentication(). If I use .antmatchers("/app/rest/question/useroperation/list/**").permitall() in the ouath2 configuration as shown below, then I can get the user information of the authenticated user, but not Authenticated users will appear 40
The Java RESTful API cookbook: Building the perfect service for every application
Mar 27, 2024 pm 12:11 PM
Introduction In today's interconnected world, RESTful APIs have become a key mechanism for communication between applications. With Java, a powerful programming language, you can build efficient, scalable, and well-maintained RESTful APIs. Chapter 1: RESTfulAPI Basics Principles and Best Practices of RESTful Architecture Http methods, status codes and response headers Data formats such as JSON and XML Chapter 2: Design and Modeling RESTfulAPI RESTfulAPI Design Principles Resource Modeling and URI Design Version Control and HATEOAS Chapter 3: Using SpringBoot to build RESTful API SpringBoot introduction and getting started building and
Using Spring Security OAuth for secure authorization in Java API development
Jun 18, 2023 am 08:01 AM
A common requirement in JavaAPI development is to implement user authentication and authorization functions. In order to provide more secure and reliable API services, the authorization function has become particularly important. SpringSecurityOAuth is an excellent open source framework that can help us implement authorization functions in Java API. This article will introduce how to use SpringSecurityOAuth for secure authorization. What is SpringSecurity