Spring Security still creates a session even though "SessionCreationPolicy.STATELESS" is set

syqv5f0l, posted on 2023-10-20 in Spring
Follow (0) | Answers (1) | Views (375)

Despite "SessionCreationPolicy.STATELESS", an HttpSession is still being created.
Concrete implementation: https://github.com/r-fujiyama/spring-app/blob/master/src/main/java/app/config/WebSecurityConfig.java

@AllArgsConstructor
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

  private final ErrorAuthenticationEntryPoint errorAuthenticationEntryPoint;

  @Bean
  public SecurityFilterChain v2APISsecurityFilterChain(HttpSecurity http,
      APIKeyAuthenticationProvider apiKeyAuthenticationProvider) throws Exception {
    http.securityMatcher("/v2/**")
        .authorizeHttpRequests(authorize -> authorize
            .requestMatchers(HttpMethod.GET, "/v2/user/**").permitAll()
            .anyRequest().authenticated()
        )
        .cors().and()
        .csrf().disable()
        .sessionManagement((session) -> session
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        )
        .apply(new APIKeyAuthenticationFilterConfig()).and()
        .authenticationProvider(apiKeyAuthenticationProvider)
        .exceptionHandling()
        .authenticationEntryPoint(errorAuthenticationEntryPoint);
    return http.build();
  }

}
2023-08-23T01:06:09.169+09:00 INFO  14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] app.filter.LoggingFilter                 : START, GET /api/v2/user/1?userType=Private&firstName=taro&lastName=nihon&age=20, client=0:0:0:0:0:0:0:1, headers=[host:"localhost:8080", connection:"keep-alive", ___internal-request-id:"993d73e7-8f3d-404b-aec2-02d674a31145", sec-ch-ua:""Chromium";v="116", "Not)A;Brand";v="24", "Google Chrome";v="116"", api-key:"*****", sec-ch-ua-mobile:"?0", user-agent:"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36", sec-ch-ua-platform:""Windows"", accept:"*/*", sec-fetch-site:"none", sec-fetch-mode:"cors", sec-fetch-dest:"empty", accept-encoding:"gzip, deflate, br", accept-language:"ja,en-US;q=0.9,en;q=0.8"], body=
2023-08-23T01:06:09.169+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Or [Mvc [pattern='/v1/**']], Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@321ca237, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@4c5a2baf, org.springframework.security.web.context.SecurityContextHolderFilter@45900b64, org.springframework.security.web.header.HeaderWriterFilter@58a2d9f9, org.springframework.web.filter.CorsFilter@1ec22831, org.springframework.security.web.authentication.logout.LogoutFilter@580fd26b, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@4087c7fc, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@79f90a3a, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@91f565d, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@63f855b, org.springframework.security.web.session.SessionManagementFilter@22ad1bae, org.springframework.security.web.access.ExceptionTranslationFilter@32456db0, org.springframework.security.web.access.intercept.AuthorizationFilter@c689973]] (1/2)
2023-08-23T01:06:09.170+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Or [Mvc [pattern='/v2/**']], Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@1e84f3c8, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@5f59ea8c, org.springframework.security.web.context.SecurityContextHolderFilter@57a6a933, org.springframework.security.web.header.HeaderWriterFilter@6f3f0ae, org.springframework.web.filter.CorsFilter@7b2ccba5, org.springframework.security.web.authentication.logout.LogoutFilter@69aa7d76, app.security.APIKeyAuthenticationFilter@64f9f455, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@5b5b59, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1934ad7c, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@5d5a51b1, org.springframework.security.web.session.SessionManagementFilter@6baf25d7, org.springframework.security.web.access.ExceptionTranslationFilter@363c32cc, org.springframework.security.web.access.intercept.AuthorizationFilter@f1266c6]] (2/2)
2023-08-23T01:06:09.170+09:00 DEBUG 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /v2/user/1?userType=Private&firstName=taro&lastName=nihon&age=20
2023-08-23T01:06:09.170+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/13)
2023-08-23T01:06:09.170+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/13)
2023-08-23T01:06:09.170+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderFilter (3/13)
2023-08-23T01:06:09.171+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (4/13)
2023-08-23T01:06:09.171+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking CorsFilter (5/13)
2023-08-23T01:06:09.171+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking LogoutFilter (6/13)
2023-08-23T01:06:09.171+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.s.w.a.logout.LogoutFilter            : Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2023-08-23T01:06:09.171+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking APIKeyAuthenticationFilter (7/13)
2023-08-23T01:06:09.171+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2023-08-23T01:06:09.171+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.s.authentication.ProviderManager     : Authenticating request with APIKeyAuthenticationProvider (1/2)
2023-08-23T01:06:09.171+09:00 DEBUG 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : Created HttpSession as SecurityContext is non-default
2023-08-23T01:06:09.171+09:00 DEBUG 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : Stored SecurityContextImpl [Authentication=PreAuthenticatedAuthenticationToken [Principal=, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[]]] to HttpSession [org.apache.catalina.session.StandardSessionFacade@1dd1a1cc]
2023-08-23T01:06:09.172+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking RequestCacheAwareFilter (8/13)
2023-08-23T01:06:09.172+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderAwareRequestFilter (9/13)
2023-08-23T01:06:09.172+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking AnonymousAuthenticationFilter (10/13)
2023-08-23T01:06:09.172+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking SessionManagementFilter (11/13)
2023-08-23T01:06:09.172+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Did not set SecurityContextHolder since already authenticated PreAuthenticatedAuthenticationToken [Principal=, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[]]
2023-08-23T01:06:09.172+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] s.CompositeSessionAuthenticationStrategy : Preparing session with ChangeSessionIdAuthenticationStrategy (1/1)
2023-08-23T01:06:09.172+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking ExceptionTranslationFilter (12/13)
2023-08-23T01:06:09.172+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking AuthorizationFilter (13/13)
2023-08-23T01:06:09.172+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] estMatcherDelegatingAuthorizationManager : Authorizing SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@9d2e8c]
2023-08-23T01:06:09.173+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] estMatcherDelegatingAuthorizationManager : Checking authorization on SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@9d2e8c] using org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer$$Lambda$742/0x0000000801049308@751529a
2023-08-23T01:06:09.173+09:00 DEBUG 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Secured GET /v2/user/1?userType=Private&firstName=taro&lastName=nihon&age=20
2023-08-23T01:06:09.185+09:00 TRACE 14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match request to [Is Secure]
2023-08-23T01:06:09.185+09:00 INFO  14632 [Trace-ID:1a177cbc-ca12-49f3-9085-1c018c6596e5] [http-nio-8080-exec-1] app.filter.LoggingFilter                 : END, headers=[Vary:Origin, Vary:Origin, Vary:Origin, Set-Cookie:JSESSIONID=D4588822282DB3BE32328A76869F809D; Path=/api; HttpOnly, X-Content-Type-Options:nosniff, X-XSS-Protection:0, Cache-Control:no-cache, no-store, max-age=0, must-revalidate, Pragma:no-cache, Expires:0, X-Frame-Options:DENY], body={"user":{"id":1,"type":"Private","status":"Registered","firstName":"taro","lastName":"nihon","age":20},"status":"Success","errors":[]}

I would like to know the configuration or implementation that stops the HttpSession from being generated.

Answer #1, by wsewodh2

This is caused by implementing a filter that extends AbstractPreAuthenticatedProcessingFilter.
By default, this implementation uses HttpSessionSecurityContextRepository, so an HttpSession is created.
The solution is to set NullSecurityContextRepository or RequestAttributeSecurityContextRepository as the SecurityContextRepository.

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.context.NullSecurityContextRepository;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;

public class AuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {

  public AuthenticationFilter(AuthenticationManager authenticationManager) {
    setAuthenticationManager(authenticationManager);
    // HttpSession will not be created if either
    // of the following SecurityContextRepository is set
    // (only one call is needed; the last call wins).
    setSecurityContextRepository(new RequestAttributeSecurityContextRepository());
    // or
    setSecurityContextRepository(new NullSecurityContextRepository());
  }

...
}
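A complete pre-authentication filter built on the answer above, plus a MockMvc regression check that the `Created HttpSession as SecurityContext is non-default` log line and the `JSESSIONID` cookie from the question can no longer occur. This is an added example, not code from the question's repository; it assumes the filter is registered in the `/v2/**` chain and that an `AuthenticationProvider` accepts the constructed key `test-key`.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;

// Hypothetical API-key filter; the header name "api-key" is taken from the question's request log.
class ApiKeyAuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {
  ApiKeyAuthenticationFilter(AuthenticationManager authenticationManager) {
    setAuthenticationManager(authenticationManager);
    // Keep the SecurityContext in a request attribute instead of the HttpSession,
    // so a successful authentication no longer triggers session creation.
    setSecurityContextRepository(new RequestAttributeSecurityContextRepository());
  }

  @Override
  protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
    // Returning null makes the filter skip this request (it stays anonymous).
    return request.getHeader("api-key");
  }

  @Override
  protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
    return "N/A";
  }
}

// Regression check: an authenticated /v2 call must finish without any HttpSession.
@SpringBootTest
@AutoConfigureMockMvc
class StatelessSessionTest {
  @Autowired MockMvc mockMvc;

  @Test
  void authenticatedRequestCreatesNoHttpSession() throws Exception {
    // "test-key" is a constructed credential for this test only.
    MvcResult result = mockMvc.perform(get("/v2/user/1").header("api-key", "test-key")).andReturn();
    // getSession(false) is null only if no filter created a session during the request.
    assertNull(result.getRequest().getSession(false));
  }
}
```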
