We are updating a Spring Boot application from 2.4.4 to 2.5.2 and ran into a problem: `.getSessionId()` on the `WebAuthenticationDetails` object returns null in the new version. However, the session id from `RequestContextHolder.currentRequestAttributes().getSessionId()` is returned (in both cases).

We have a front-end SSO, so we use `RequestHeaderAuthenticationFilter`.

We went through the documentation but did not find the source of the change.

What changed, and what do we need to do to make sure the session id is correctly present?
Possibly relevant dependencies

Running with Spring Boot v2.4.4 and Spring v5.3.5 (session id present):

```
+--- org.springframework.boot:spring-boot-starter-security -> 2.4.4
|    +--- org.springframework.boot:spring-boot-starter:2.4.4 (*)
|    +--- org.springframework:spring-aop:5.3.5 (*)
|    +--- org.springframework.security:spring-security-config:5.4.5
|    |    +--- org.springframework.security:spring-security-core:5.4.5
|    |    |    +--- org.springframework:spring-aop:5.2.13.RELEASE -> 5.3.5 (*)
|    |    |    +--- org.springframework:spring-beans:5.2.13.RELEASE -> 5.3.5 (*)
|    |    |    +--- org.springframework:spring-context:5.2.13.RELEASE -> 5.3.5 (*)
|    |    |    +--- org.springframework:spring-core:5.2.13.RELEASE -> 5.3.5 (*)
|    |    |    \--- org.springframework:spring-expression:5.2.13.RELEASE -> 5.3.5 (*)
|    |    +--- org.springframework:spring-aop:5.2.13.RELEASE -> 5.3.5 (*)
|    |    +--- org.springframework:spring-beans:5.2.13.RELEASE -> 5.3.5 (*)
|    |    +--- org.springframework:spring-context:5.2.13.RELEASE -> 5.3.5 (*)
|    |    \--- org.springframework:spring-core:5.2.13.RELEASE -> 5.3.5 (*)
|    \--- org.springframework.security:spring-security-web:5.4.5
|         +--- org.springframework.security:spring-security-core:5.4.5 (*)
|         +--- org.springframework:spring-aop:5.2.13.RELEASE -> 5.3.5 (*)
|         +--- org.springframework:spring-beans:5.2.13.RELEASE -> 5.3.5 (*)
|         +--- org.springframework:spring-context:5.2.13.RELEASE -> 5.3.5 (*)
|         +--- org.springframework:spring-core:5.2.13.RELEASE -> 5.3.5 (*)
|         +--- org.springframework:spring-expression:5.2.13.RELEASE -> 5.3.5 (*)
|         \--- org.springframework:spring-web:5.2.13.RELEASE -> 5.3.5 (*)
```
Running with Spring Boot v2.5.2 and Spring v5.3.8 (session id missing):

```
+--- org.springframework.boot:spring-boot-starter-security -> 2.5.2
|    +--- org.springframework.boot:spring-boot-starter:2.5.2 (*)
|    +--- org.springframework:spring-aop:5.3.8 (*)
|    +--- org.springframework.security:spring-security-config:5.5.1
|    |    +--- org.springframework.security:spring-security-core:5.5.1
|    |    |    +--- org.springframework.security:spring-security-crypto:5.5.1
|    |    |    +--- org.springframework:spring-aop:5.3.8 (*)
|    |    |    +--- org.springframework:spring-beans:5.3.8 (*)
|    |    |    +--- org.springframework:spring-context:5.3.8 (*)
|    |    |    +--- org.springframework:spring-core:5.3.8 (*)
|    |    |    \--- org.springframework:spring-expression:5.3.8 (*)
|    |    +--- org.springframework:spring-aop:5.3.8 (*)
|    |    +--- org.springframework:spring-beans:5.3.8 (*)
|    |    +--- org.springframework:spring-context:5.3.8 (*)
|    |    \--- org.springframework:spring-core:5.3.8 (*)
|    \--- org.springframework.security:spring-security-web:5.5.1
|         +--- org.springframework.security:spring-security-core:5.5.1 (*)
|         +--- org.springframework:spring-core:5.3.8 (*)
|         +--- org.springframework:spring-aop:5.3.8 (*)
|         +--- org.springframework:spring-beans:5.3.8 (*)
|         +--- org.springframework:spring-context:5.3.8 (*)
|         +--- org.springframework:spring-expression:5.3.8 (*)
|         \--- org.springframework:spring-web:5.3.8 (*)
```
Security configuration

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
    // getPersistanceFilter(), getSecAwareFilter() and userDetailsServiceWrapper()
    // are defined elsewhere in the application and are not shown in the question.
    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http.addFilterAfter(httpdAuthFilter(),
                            RequestHeaderAuthenticationFilter.class)
            .addFilterAfter(getPersistanceFilter(),
                            SecurityContextPersistenceFilter.class)
            .addFilterAfter(getSecAwareFilter(),
                            SecurityContextPersistenceFilter.class)
            .authorizeRequests()
                .antMatchers("/")
                    .permitAll()
                .anyRequest()
                    .authenticated()
            ;

        // Sessions are created only when needed; -1 means no limit on concurrent sessions per user.
        http.sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .maximumSessions(-1)
            .sessionRegistry(sessionRegistry());
    }

    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher()
    {
        return new HttpSessionEventPublisher();
    }

    @Bean
    public SessionRegistry sessionRegistry()
    {
        return new SessionRegistryImpl();
    }

    @Bean
    @Override
    protected AuthenticationManager authenticationManager()
    {
        final List<AuthenticationProvider> providers = new ArrayList<>();
        providers.add(preauthAuthProvider());
        return new ProviderManager(providers);
    }

    @Bean(name = "preAuthProvider")
    /* package */ PreAuthenticatedAuthenticationProvider preauthAuthProvider()
    {
        PreAuthenticatedAuthenticationProvider provider =
                new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper());
        return provider;
    }

    // Pre-authentication filter: the user identity arrives in a request header set by the front-end SSO.
    @Bean(name = "httpdAuthFilter")
    public RequestHeaderAuthenticationFilter httpdAuthFilter()
    {
        RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter =
                new RequestHeaderAuthenticationFilter();
        requestHeaderAuthenticationFilter
                .setAuthenticationManager(authenticationManager());
        return requestHeaderAuthenticationFilter;
    }
}
```
Application initializer

```java
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.WebApplicationInitializer;

@Configuration
public class ApplicationInitializer implements WebApplicationInitializer
{
    /**
     * @see org.springframework.web.WebApplicationInitializer#onStartup(javax.servlet.ServletContext)
     */
    @Override
    public void onStartup(ServletContext servletContext) throws ServletException
    {
        // Track sessions via cookie only (no URL rewriting), and harden the session cookie.
        servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        servletContext.getSessionCookieConfig().setHttpOnly(true);
        servletContext.getSessionCookieConfig().setSecure(true);
    }
}
```
Obtaining WebAuthenticationDetails

(Note: null checks removed for brevity.)

```java
SecurityContext secureContext = SecurityContextHolder.getContext();
Authentication auth = secureContext.getAuthentication();
// Details are populated by the authentication filter when the request was authenticated.
WebAuthenticationDetails webAuthDetails = (WebAuthenticationDetails) auth.getDetails();
String sessionId = webAuthDetails.getSessionId();
```
RequestContextHolder

```java
// Session id taken from the request bound to the current thread.
String rchSessionId =
        RequestContextHolder.currentRequestAttributes().getSessionId();
```
`getSessionId()` from `webAuthDetails` returns null in 2.5.2, but the correct session id in 2.4.4. The session id from the server via `RequestContextHolder` is correct in either version.

We look up some information based on the session id.
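As an added example (not code from the question), one way to make the lookup mentioned above independent of the authentication-time snapshot: `WebAuthenticationDetails` records `request.getSession(false).getId()` once, when the details are built during authentication, whereas the request bound to the current thread can be inspected at lookup time. The `CurrentSessionIdResolver` class and its method names are assumptions, not Spring API; it assumes the lookup only needs the caller's current session id.

```java
import java.util.Optional;

import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/** Hypothetical helper: resolves the id of the caller's current session without dereferencing null. */
public final class CurrentSessionIdResolver {

    private CurrentSessionIdResolver() {
    }

    /**
     * Prefers the live request's existing session and only falls back to the id captured
     * in WebAuthenticationDetails at authentication time. Returns empty when neither source
     * has a session, so the caller decides how to handle "no session" explicitly.
     */
    public static Optional<String> resolve() {
        Optional<String> live = fromCurrentRequest();
        return live.isPresent() ? live : fromAuthenticationDetails();
    }

    /** Session id of the request bound to this thread, if a session already exists. */
    static Optional<String> fromCurrentRequest() {
        return Optional.ofNullable(RequestContextHolder.getRequestAttributes())
                .filter(ServletRequestAttributes.class::isInstance)
                .map(ServletRequestAttributes.class::cast)
                .map(ServletRequestAttributes::getRequest)
                // getSession(false): inspect only, never create a session as a side effect
                .map(request -> request.getSession(false))
                .map(HttpSession::getId);
    }

    /** Session id snapshotted into the authentication's details when they were built. */
    static Optional<String> fromAuthenticationDetails() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return Optional.ofNullable(auth)
                .map(Authentication::getDetails)
                .filter(WebAuthenticationDetails.class::isInstance)
                .map(WebAuthenticationDetails.class::cast)
                .map(WebAuthenticationDetails::getSessionId);
    }
}
```

A caller that receives an empty result should treat it as "no session for this request" rather than proceed with a lookup keyed on a null id.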