java - Spring Session, Spring Security 如何在無權限攔截的url不自動建立session?
typecho
typecho 2017-06-28 09:23:34
0
1
1192

我做了一個API伺服器提供給手機端調用,用Spring Session連接Redis來做多台tomcat的session共享,用security來做API的權限攔截,並且使用了x-auth-token也就是header的token驗證。現在遇到一個問題,有些API是無權限驗證的,但當存取這些API時,spring會為每次request都建立session,傳回一個新的x-auth-token,這可能會導致session過多,請問如何配置才能讓這種情況無需創建session呢?已經配置create-session="never",但不管用。以下是security設定

<http realm="Protected API" use-expressions="true" auto-config="false"
        create-session="never" entry-point-ref="customAuthenticationEntryPoint">
        <intercept-url pattern="/auth/login/phone" access="permitAll()" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <access-denied-handler ref="customAccessDeniedHandler" />
    </http>

spring session

<!-- 在HTTP的header中使用x-auth-token:來實現session -->
    <bean class="org.springframework.session.web.http.HeaderHttpSessionStrategy" />

<!-- This is essential to make sure that the Spring Security session registry
        is notified when the session is destroyed. -->
    <bean
        class="org.springframework.security.web.session.HttpSessionEventPublisher" />

    <bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration" scope="singleton">
        <!-- session为60分钟过期 -->
        <property name="maxInactiveIntervalInSeconds" value="${session.maxInactiveIntervalInSeconds}"></property>
    </bean>

...
省略redis pool配置
typecho
typecho

Following the voice in heart.

全部回覆(1)
漂亮男人

找到原因了,首先打開log的trace,然後trace org.springframework,這個時候可以看到每次創建新session時都會有日誌,spring會打印session的創建棧

java.lang.RuntimeException: For debugging purposes only (not an error)
    at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:368)
    at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:390)
    at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:217)
    at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:238)
    at xxx.xxxxxxxx.LogFilter.doFilterInternal(LogFilter.java:52)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:167)
    at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:80)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

其中可以找到xxx.xxxx這行,LogFilter第52行查看程式碼發現呼叫了req.getSession(),雖然create-session配置了never,但若有程式碼呼叫req.getSession(),spring仍然會建立一個全新的session。盡量不要在filter等全域攔截器裡呼叫req.getSession(),否則會隨時建立一個新的session

熱門教學
更多>
最新下載
更多>
網站特效
網站源碼
網站素材
前端模板