av一区二区在线观看_亚洲男人的天堂网站_日韩亚洲视频_在线成人免费_欧美日韩精品免费观看视频_久草视

您的位置:首頁技術文章
文章詳情頁

java - Spring Session, Spring Security 如何在無權限攔截的url不自動創(chuàng)建session?

瀏覽:73日期:2023-10-24 09:08:00

問題描述

我做了一個API服務器提供給手機端調(diào)用,用Spring Session連接Redis來做多臺tomcat的session共享,用security來做API的權限攔截,并且使用了x-auth-token也就是header的token驗證。現(xiàn)在遇到一個問題,有一些API是無權限驗證的,但訪問這些API時,spring會為每次request都創(chuàng)建session,返回一個新的x-auth-token,這樣可能會導致session過多,請問如何配置才能讓這種情況無需創(chuàng)建session呢?已經(jīng)配置create-session='never',但不管用。以下是security配置

<http realm='Protected API' use-expressions='true' auto-config='false'create-session='never' entry-point-ref='customAuthenticationEntryPoint'><intercept-url pattern='/auth/login/phone' access='permitAll()' /><intercept-url pattern='/**' access='isAuthenticated()' /><access-denied-handler ref='customAccessDeniedHandler' /> </http>

spring session

<!-- 在HTTP的header中使用x-auth-token:來實現(xiàn)session --> <bean /><!-- This is essential to make sure that the Spring Security session registryis notified when the session is destroyed. --> <bean /> <bean scope='singleton'><!-- session為60分鐘過期 --><property name='maxInactiveIntervalInSeconds' value='${session.maxInactiveIntervalInSeconds}'></property> </bean>...省略redis pool配置

問題解答

回答1:

找到原因了,首先打開log的trace,然后trace org.springframework,這個時候可以看到每次創(chuàng)建新session時都會有日志,spring會打印session的創(chuàng)建棧

java.lang.RuntimeException: For debugging purposes only (not an error) at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:368) at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:390) at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:217) at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:238) at xxx.xxxxxxxx.LogFilter.doFilterInternal(LogFilter.java:52) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:167) at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:80) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745)

其中可以找到xxx.xxxx這行,LogFilter第52行查看代碼發(fā)現(xiàn)調(diào)用了req.getSession(),雖然create-session配置了never,但若有代碼調(diào)用req.getSession(),spring仍然會創(chuàng)建一個全新的session。盡量不要在filter等全局攔截器里調(diào)用req.getSession(),否則會隨時創(chuàng)建一個新的session

標簽: java
主站蜘蛛池模板: 丁香综合 | 7777在线 | 成人一区二区三区 | 久久国产精品无码网站 | 韩国欧洲一级毛片 | 欧美日韩一区二区三区四区 | 国产午夜亚洲精品不卡 | 国产精品国产馆在线真实露脸 | 欧美日韩精品区 | 亚洲高清在线免费观看 | 亚洲高清久久 | 免费观看一级毛片视频 | 国产在线观看不卡一区二区三区 | 一区二区三区免费 | 综合精品在线 | 久久久免费毛片 | 日本免费一区二区三区四区 | 国产中文原创 | 国产在线精品一区二区三区 | 亚洲毛片在线观看 | 狠狠色综合网站久久久久久久 | 一区二区亚洲 | 欧美一级特黄aaa大片在线观看 | 国产精品精品视频一区二区三区 | 久久久成人免费视频 | 国产精品我不卡 | 日韩影音 | 欧美午夜激情在线 | 不卡的av一区 | 午夜午夜精品一区二区三区文 | 国产男女猛烈无遮掩视频免费网站 | 欧美中文字幕 | 国产乱码精品一区二区三区中文 | 99精品在线 | 国产99热| 激情五月婷婷综合 | 国产xxxx搡xxxxx搡麻豆 | 欧美亚洲国产日韩 | 高清久久久 | 精品99在线 | 免费在线观看一区二区三区 |