Hazelcast + spring security + distributed sessions = how to make it work?
Being inspired by http://docs.hazelcast.org/docs/latest/manual/html/websessionreplication.html I decided to give it a try and use it in my Spring MVC + Security application.
First issue I hit is - Hazelcast was complaining it can't find `sessionRegistry` bean. I solved it pretty quickly by adding the following bean to spring-security context:

```xml
<bean id="sessionRegistry"
      class="org.springframework.security.core.session.SessionRegistryImpl" />
```
But I hit the next issue right away and still can't solve it. This is what happens:

- `JSESSIONID` and `REMEMBER_ME_TOKEN` cookies are cleared, but `hazelcast.sessionId` cookie is NOT cleared
- `invalidSessionStrategy` happens
After some debugging I found several facts:

- check inside `SessionManagementFilter#doFilter` for `request.isRequestedSessionIdValid()` returns `false`
- `JSESSIONID` and `hazelcast.sessionId` are different (which is, I assume, by design)
- problem happens because of inconsistency between `request.isRequestedSessionIdValid()` and `request.getSession()` - looks like if the former returns `false`, then the latter is supposed to create a new session - which doesn't happen

What I tried so far (and it didn't help):
- manually clearing `hazelcast.sessionId` cookie using built-in spring security logout handler (no success, cookie appears again with same value)
- `HttpSessionDestroyedEvent` on logout. No effect was noticed
- `JSESSIONID` as session id for hazelcast cookie name (in that case I can open app only once, all subsequent requests result in infinite redirects to `invalid-session`)

So... Apparently it's not that simple as stated in official Hazelcast docs. Any ideas how to make it work?
So it looks like I found how to fix that `infinite redirect to invalid session` issue. I'm not sure if it's a shortcut or it's 100% the right way to do so...

I created custom `InvalidSessionStrategyImpl` with the following code:
```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.session.InvalidSessionStrategy;
import com.hazelcast.web.HazelcastHttpSession;

public class InvalidSessionStrategyImpl implements InvalidSessionStrategy {
    private final DefaultRedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
    private final String redirectTo = "/invalid-session"; // redirect target; "/invalid-session" is the handler URL named in the question

    @Override
    public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // Invalidate the stale Hazelcast-backed session so its cookie is not reused; otherwise create a fresh container session
        if (request.getSession(false) instanceof HazelcastHttpSession) {
            HazelcastHttpSession hazelCastSession = (HazelcastHttpSession) request.getSession(false);
            hazelCastSession.invalidate();
        } else {
            request.getSession();
        }
        redirectStrategy.sendRedirect(request, response, redirectTo);
    }
}
```
ps In case you're curious - right after that I hit another issue: excessive CPU consumption. Hazelcast eats 100% CPU. Completely unacceptable issue (especially for cloud deployment like Jelastic where you pay by resource usage).
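Added wiring example (not part of the question or answer above, and not Hazelcast's or Spring's own sample configuration): two fragments that show where the custom `InvalidSessionStrategyImpl` from the answer and the `sessionRegistry` bean from the question plug in. It assumes the strategy class lives in package `com.example`, that the Hazelcast session map is called `my-sessions`, and that the application uses the plain `com.hazelcast.web.WebFilter` from the linked docs together with the Spring Security XML namespace; all three are assumptions. The `web.xml` part matters for the symptoms discussed on this page: servlet filters run in the order their `<filter-mapping>` elements are declared, so the Hazelcast filter must be mapped before `springSecurityFilterChain` for Spring Security's `SessionManagementFilter` to see the Hazelcast-wrapped request and session rather than the container's.

```xml
<!-- ===== web.xml fragment: Hazelcast session filter mapped BEFORE Spring Security ===== -->
<filter>
  <filter-name>hazelcast-filter</filter-name>
  <filter-class>com.hazelcast.web.WebFilter</filter-class>
  <init-param>
    <param-name>map-name</param-name>
    <param-value>my-sessions</param-value>          <!-- constructed map name -->
  </init-param>
  <init-param>
    <param-name>cookie-name</param-name>
    <param-value>hazelcast.sessionId</param-value>  <!-- the cookie the question discusses -->
  </init-param>
</filter>
<filter-mapping>
  <filter-name>hazelcast-filter</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>INCLUDE</dispatcher>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
<listener>
  <listener-class>com.hazelcast.web.SessionListener</listener-class>
</listener>

<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- ===== spring-security.xml fragment (security namespace as default, beans: prefix) ===== -->
<!-- The registry bean the question had to add so Hazelcast stops complaining -->
<beans:bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" />

<!-- The answer's strategy; package com.example is an assumption -->
<beans:bean id="invalidSessionStrategy"
    class="com.example.InvalidSessionStrategyImpl" />

<http use-expressions="true">
  <!-- The redirect target must stay reachable without a session, or every redirect loops -->
  <intercept-url pattern="/invalid-session" access="permitAll" />
  <intercept-url pattern="/login" access="permitAll" />
  <intercept-url pattern="/**" access="isAuthenticated()" />
  <form-login login-page="/login" />
  <!-- delete-cookies is what the question tried for hazelcast.sessionId; it reports this alone was not enough -->
  <logout logout-url="/logout" invalidate-session="true"
          delete-cookies="JSESSIONID,hazelcast.sessionId" />
  <!-- invalid-session-strategy-ref replaces invalid-session-url; the two are mutually exclusive -->
  <session-management invalid-session-strategy-ref="invalidSessionStrategy">
    <concurrency-control max-sessions="1" session-registry-ref="sessionRegistry" />
  </session-management>
</http>
```

The `permitAll` rule for `/invalid-session` is the part to check first when seeing the infinite redirect from the question: if the strategy redirects to a URL that itself requires a valid session, the next request trips the same invalid-session check and the loop never ends.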