search

Home  >  Q&A  >  body text

java - Spring Session, Spring Security How to not automatically create a session on a URL that is intercepted without permission?

I made an API server for mobile calls, used Spring Session to connect Redis to share sessions with multiple tomcats, used security to intercept API permissions, and used x-auth-token, which is the header. Token verification. Now I am encountering a problem. Some APIs are not authorized for verification. However, when accessing these APIs, spring will create a session for each request and return a new x-auth-token. This may lead to too many sessions. Please tell me. How to configure it so that this situation does not require creating a session? Create-session="never" has been configured, but it doesn't work. The following is the security configuration

<http realm="Protected API" use-expressions="true" auto-config="false"
        create-session="never" entry-point-ref="customAuthenticationEntryPoint">
        <intercept-url pattern="/auth/login/phone" access="permitAll()" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <access-denied-handler ref="customAccessDeniedHandler" />
    </http>

spring session

<!-- 在HTTP的header中使用x-auth-token:來實現session -->
    <bean class="org.springframework.session.web.http.HeaderHttpSessionStrategy" />

<!-- This is essential to make sure that the Spring Security session registry
        is notified when the session is destroyed. -->
    <bean
        class="org.springframework.security.web.session.HttpSessionEventPublisher" />

    <bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration" scope="singleton">
        <!-- session为60分钟过期 -->
        <property name="maxInactiveIntervalInSeconds" value="${session.maxInactiveIntervalInSeconds}"></property>
    </bean>

...
省略redis pool配置
typechotypecho2707 days ago1189

reply all(1)I'll reply

  • 漂亮男人

    漂亮男人2017-06-28 09:25:34

    I found the reason. First open the trace of the log, and then trace org.springframework. At this time, you can see that there will be a log every time a new session is created, and spring will print the session creation stack

    java.lang.RuntimeException: For debugging purposes only (not an error)
        at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:368)
        at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:390)
        at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:217)
        at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:238)
        at xxx.xxxxxxxx.LogFilter.doFilterInternal(LogFilter.java:52)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:167)
        at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:80)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)

    You can find the line xxx.xxxx in it. Check the code in LogFilter line 52 and find that req.getSession() is called. Although create-session is configured with never, if there is code that calls req.getSession(), spring will still create a new one. session. Try not to call req.getSession() in global interceptors such as filters, otherwise a new session will be created at any time

    reply
    0
  • Cancelreply