您的位置:首页技术文章
文章详情页

java - Spring Session, Spring Security 如何在无权限拦截的url不自动创建session?

浏览:54日期:2023-10-24 09:08:00

问题描述

我做了一个API服务器提供给手机端调用,用Spring Session连接Redis来做多台tomcat的session共享,用security来做API的权限拦截,并且使用了x-auth-token也就是header的token验证。现在遇到一个问题,有一些API是无权限验证的,但访问这些API时,spring会为每次request都创建session,返回一个新的x-auth-token,这样可能会导致session过多,请问如何配置才能让这种情况无需创建session呢?已经配置create-session='never',但不管用。以下是security配置

<http realm='Protected API' use-expressions='true' auto-config='false'create-session='never' entry-point-ref='customAuthenticationEntryPoint'><intercept-url pattern='/auth/login/phone' access='permitAll()' /><intercept-url pattern='/**' access='isAuthenticated()' /><access-denied-handler ref='customAccessDeniedHandler' /> </http>

spring session

<!-- 在HTTP的header中使用x-auth-token:來實現session --> <bean /><!-- This is essential to make sure that the Spring Security session registryis notified when the session is destroyed. --> <bean /> <bean scope='singleton'><!-- session为60分钟过期 --><property name='maxInactiveIntervalInSeconds' value='${session.maxInactiveIntervalInSeconds}'></property> </bean>...省略redis pool配置

问题解答

回答1:

找到原因了,首先打开log的trace,然后trace org.springframework,这个时候可以看到每次创建新session时都会有日志,spring会打印session的创建栈

java.lang.RuntimeException: For debugging purposes only (not an error) at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:368) at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:390) at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:217) at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:238) at xxx.xxxxxxxx.LogFilter.doFilterInternal(LogFilter.java:52) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:167) at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:80) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745)

其中可以找到xxx.xxxx这行,LogFilter第52行查看代码发现调用了req.getSession(),虽然create-session配置了never,但若有代码调用req.getSession(),spring仍然会创建一个全新的session。尽量不要在filter等全局拦截器里调用req.getSession(),否则会随时创建一个新的session

标签: java
上一条:javascript - 网站登录一段时间后,无操作超时退出实现原理,前端和后端分别怎么处理?下一条:java - 使用均值hash算法 生成图像指纹 多次调用 返回的信息居然不一致
排行榜
Docker for Mac 创建的dnsmasq容器连不上/不工作的问题
Docker for Mac 创建的dnsmasq容器连不上/不工作的问题
1. 在windows下安装docker Toolbox 启动Docker Quickstart Terminal 失败!
2. dockerfile - [docker build image失败- npm install]
3. javascript - 前端如何通过ajax和node.js交互?
4. python 字符串匹配问题
5. java如何高效读写10G以上大文件
6. css3 隱藏文本
7. javascript - vue-router怎么不能实现跳转呢
8. 关docker hub上有些镜像的tag被标记““This image has vulnerabilities””
9. docker不显示端口映射呢?
10. dockerfile - 我用docker build的时候出现下边问题 麻烦帮我看一下
热门标签