Table of Contents
Question content
Solution
Home Java Does spring-security filter get session information from redis?

Does spring-security filter get session information from redis?

Feb 09, 2024 pm 10:30 PM
spring security

php editor Zimo is here to answer the question about whether the Spring Security filter obtains session information from Redis. Spring Security is a powerful security framework that provides a complete set of authentication and authorization mechanisms. By default, Spring Security uses HttpSession to manage user session information. However, with configuration, we can store session information in external storage such as Redis. The advantage of this is that it can realize distributed session management and improve the scalability of the system. Therefore, Spring Security filters can obtain session information from Redis.

Question content

I am trying to use spring-boot, spring-security and spring-session to implement the login system, and use redis as the storage of the session.

My configuration:

@enablewebsecurity
@enablemethodsecurity
@configuration
@requiredargsconstructor
public class securityconfig {


    private final userdetailsservice detailsservice;

    @bean
    public passwordencoder passwordencoder() {
        return new bcryptpasswordencoder();
    }

    @bean
    public authenticationprovider authenticationprovider(passwordencoder passwordencoder) {
        daoauthenticationprovider provider = new daoauthenticationprovider();
        provider.setpasswordencoder(passwordencoder);
        provider.setuserdetailsservice(this.detailsservice);
        return provider;
    }

    @bean
    public authenticationmanager authenticationmanager(authenticationprovider authenticationprovider) {
        return new providermanager(authenticationprovider);
    }

    @bean
    public securityfilterchain filterchain(httpsecurity http) throws exception {
        return http
                .csrf().disable()
                .cors(customizer.withdefaults())
                .authorizehttprequests(auth -> {
                    auth.requestmatchers("/api/v1/auth/register/**", "/api/v1/auth/login").permitall();
                    auth.anyrequest().authenticated();
                })
                .sessionmanagement(sessionmanagement -> sessionmanagement
                        .sessioncreationpolicy(if_required) //
                        .sessionfixation(sessionmanagementconfigurer.sessionfixationconfigurer::newsession) //
                        .maximumsessions(100000) //
                        //.sessionregistry(sessionregistry())
                )
                //.exceptionhandling((ex) -> ex.authenticationentrypoint(this.authentrypoint))
                .logout(out -> out
                        .logouturl("/api/v1/auth/logout")
                        .invalidatehttpsession(true) // invalidate all sessions after logout
                        .deletecookies("jsessionid")
                        .logoutsuccesshandler((request, response, authentication) ->
                                securitycontextholder.clearcontext()
                        )
                )
                .build();
    }

    @bean
    public securitycontextrepository securitycontextrepository() {
        return new httpsessionsecuritycontextrepository();
    }
}
Copy after login

My login controller:

@postmapping("/login")
public void login(@requestbody loginform form, httpservletrequest request, httpservletresponse response) {
    string ip = httprequestutil.getip(request);
    string device = httprequestutil.getdevice(request);

    loginformwrapper loginformwrapper = new loginformwrapper(form.email(), form.password(), ip, device);

    authenticationservice.login(loginformwrapper, request, response);
}
Copy after login

and authentication service:

@override
public void login(loginformwrapper form, httpservletrequest request, httpservletresponse response) {
    authentication authentication = authenticationmanager.authenticate(usernamepasswordauthenticationtoken.unauthenticated(
            form.email().trim(), form.password()));

    // create a new context
    securitycontext context = securitycontextholder.createemptycontext();
    context.setauthentication(authentication);

    // update securitycontextholder and strategy
    this.securitycontextholderstrategy.setcontext(context);
    this.securitycontextrepository.savecontext(context, request, response);
}
Copy after login

If I understand correctly

this.securitycontextholderstrategy.setcontext(context); Authentication should be kept in the application's memory, e.g. in a threadlocal context

and

`this.securitycontextrepository.savecontext(context, request, response);`
Copy after login

Session information should be saved to redis.

Now when I log in I see the data has been saved to redis:

However, when inspecting what is returned by my login request, I see:

Completely different session id.

My first question is: Why don't these ids match? How does spring know which key to look for?

Another question is: what filter to get data from redis? I try to debug all filters in the filter chain:

[org.springframework.security.web.session.DisableEncodeUrlFilter@2fedae96,
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@4945cd1f,
org.springframework.security.web.context.SecurityContextHolderFilter@72499396,
org.springframework.security.web.header.HeaderWriterFilter@7048d039,
org.springframework.web.filter.CorsFilter@2dbfcbe4,
org.springframework.security.web.authentication.logout.LogoutFilter@5d5a77de,
org.springframework.security.web.session.ConcurrentSessionFilter@1f8e1096,
org.springframework.security.web.savedrequest.RequestCacheAwareFilter@651bec9a,
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@76d4e1af,
org.springframework.security.web.authentication.AnonymousAuthenticationFilter@6f13ed1,
org.springframework.security.web.session.SessionManagementFilter@642693c2,
org.springframework.security.web.access.ExceptionTranslationFilter@2199e1a4,
org.springframework.security.web.access.intercept.AuthorizationFilter@48c584c]
Copy after login

But it seems to read the session information from the httpserletrequest somehow - however, if I remove the key from redis, the authentication fails for the endpoint that requires it.

Did I miss something? Do I retrieve the session information from redis and store it in httpservlerrequest before my fitler starts? Or how does it read redis data?

thanks for your help.

Solution

The value in the session cookie is base64 encoded:

echo '3c048eae-9f73-4df5-a009-bdf802ae37ca' | openssl base64
m2mwndhlywutowy3my00zgy1lwewmdktymrmodayywuzn2nhcg==
Copy after login
echo 'M2MwNDhlYWUtOWY3My00ZGY1LWEwMDktYmRmODAyYWUzN2NhCg==' | openssl base64 -d
3c048eae-9f73-4df5-a009-bdf802ae37ca
Copy after login

So when base64 decoded, the session id of the cookie matches the session id stored in redis.

If you haven't read it yet, I would recommend this document: https://www.php.cn/link/e27c71957d1e6c223e0d48a165da2ee1

Especially the "Understanding Components of Session Management" section: https://www.php.cn/link/e27c71957d1e6c223e0d48a165da2ee1#understanding-session-management-components

You didn't mention which version of spring security you are using, but I'm guessing you are using spring security 6. In this section, there is such a sentence related to sessionauthentication:

The above is the detailed content of Does spring-security filter get session information from redis?. For more information, please follow other related articles on the PHP Chinese website!

Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
2 weeks ago By 尊渡假赌尊渡假赌尊渡假赌
Repo: How To Revive Teammates
1 months ago By 尊渡假赌尊渡假赌尊渡假赌
Hello Kitty Island Adventure: How To Get Giant Seeds
4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Spring Security 6: cors() is deprecated and marked for removal Spring Security 6: cors() is deprecated and marked for removal Feb 10, 2024 pm 11:45 PM

I have the following code: publicSecurityFilterChainsecurityFilterChain(HttpSecurityhttp)throwsException{returnhttp.httpBasic().disable().cors().and().csrf().disable().authorizeHttpRequests().requestMatchers("

How to develop a Spring Security SAML-based single sign-on system using Java How to develop a Spring Security SAML-based single sign-on system using Java Sep 22, 2023 am 08:49 AM

How to use Java to develop a single sign-on system based on SpringSecuritySAML Introduction: With the rapid development of the Internet, more and more applications are developed. In these applications, user login is one of the most common features. However, for enterprise-level applications, users need to log in in multiple systems, which will lead to a very poor user login experience. In order to solve this problem, the single sign-on system (SingleSign-On, referred to as SSO) came into being. simple

GO authenticate access token (keycloak) GO authenticate access token (keycloak) Feb 09, 2024 am 09:30 AM

I'm trying to implement access token validation using GO. But the examples I've seen online seem to just use TOKEN_SECRET to verify it. But I'm used to programming in Javaspring and don't need to use TOKEN_SECRET. I just provide the jwk-set-uri and it checks for validity (auto-security filters etc.) and I know it talks to the oauth server and does this validation. Is there no library in Go to check if the token is valid by making a request to the oauth server? I know I know I can do this manually by making a request to the oauth server's userinfo endpoint: http://localh

Spring Security permission control framework usage guide Spring Security permission control framework usage guide Feb 18, 2024 pm 05:00 PM

In back-end management systems, access permission control is usually required to limit different users' ability to access interfaces. If a user lacks specific permissions, he or she cannot access certain interfaces. This article will use the waynboot-mall project as an example to introduce how common back-end management systems introduce the permission control framework SpringSecurity. The outline is as follows: waynboot-mall project address: https://github.com/wayn111/waynboot-mall 1. What is SpringSecurity? SpringSecurity is an open source project based on the Spring framework, aiming to provide powerful and flexible security for Java applications.

How to use Java to develop a single sign-on system based on Spring Security OAuth2 How to use Java to develop a single sign-on system based on Spring Security OAuth2 Sep 20, 2023 pm 01:06 PM

How to use Java to develop a single sign-on system based on SpringSecurityOAuth2 Introduction: With the rapid development of the Internet, more and more websites and applications require users to log in, but users do not want to remember for each website or application. An account number and password. The single sign-on system (SingleSign-On, referred to as SSO) can solve this problem, allowing users to access multiple websites and applications without repeated authentication after logging in once. This article will introduce

Spring Security gets user information for authenticated and unauthenticated users in remaining services Spring Security gets user information for authenticated and unauthenticated users in remaining services Feb 08, 2024 pm 11:00 PM

I have a springrest service and I want to use it for both authenticated and unauthenticated users. If the user is authenticated, I want to get the user information from securitycontextholder.getcontext().getauthentication(). If I use .antmatchers("/app/rest/question/useroperation/list/**").permitall() in the ouath2 configuration as shown below, then I can get the user information of the authenticated user, but not Authenticated users will appear 40

The Java RESTful API cookbook: Building the perfect service for every application The Java RESTful API cookbook: Building the perfect service for every application Mar 27, 2024 pm 12:11 PM

Introduction In today's interconnected world, RESTful APIs have become a key mechanism for communication between applications. With Java, a powerful programming language, you can build efficient, scalable, and well-maintained RESTful APIs. Chapter 1: RESTfulAPI Basics Principles and Best Practices of RESTful Architecture Http methods, status codes and response headers Data formats such as JSON and XML Chapter 2: Design and Modeling RESTfulAPI RESTfulAPI Design Principles Resource Modeling and URI Design Version Control and HATEOAS Chapter 3: Using SpringBoot to build RESTful API SpringBoot introduction and getting started building and

Using Spring Security OAuth for secure authorization in Java API development Using Spring Security OAuth for secure authorization in Java API development Jun 18, 2023 am 08:01 AM

A common requirement in JavaAPI development is to implement user authentication and authorization functions. In order to provide more secure and reliable API services, the authorization function has become particularly important. SpringSecurityOAuth is an excellent open source framework that can help us implement authorization functions in Java API. This article will introduce how to use SpringSecurityOAuth for secure authorization. What is SpringSecurity