
Why is Spring Security's SessionManagementFilter running when my session creation policy is set to STATELESS?

I have a J2EE REST-based web application that uses Spring Security 4.0.1.RELEASE. I am configuring Spring Security with a Java-based configuration and have set the session creation policy to STATELESS like so:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
// the attribute is spelled securedEnabled (enables @Secured), not secureEnabled
@EnableGlobalMethodSecurity(securedEnabled=true, prePostEnabled=true, jsr250Enabled=true, order=1)
public class DefaultSecurityBeansConfig extends WebSecurityConfigurerAdapter {
    // ...
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Spring Security itself will not create an HttpSession with this policy
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()...; // additional config omitted for brevity
        // ...
    }
    // ...
}

After reading this article about Spring Security session management, I believe that the SessionManagementFilter filter should not be running in Spring Security's filter chain. But it definitely is. I can set a breakpoint in that class's doFilter method, and it is run on every request to the server.

What is going on here? The fact that this filter is running is causing other unexpected behavior in my app that I thought had been configured away.

Thanks.

When using Spring Security, session management is broader than storing the authenticated user in the session (as explained in the Session Management Section of the Spring Security Guide).

HTTP session related functionality is handled by a combination of the SessionManagementFilter and the SessionAuthenticationStrategy interface, which the filter delegates to. Typical usage includes session-fixation protection attack prevention, detection of session timeouts and restrictions on how many sessions an authenticated user may have open concurrently.

Saying sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) doesn't mean that your application is stateless, it means that Spring Security won't create a session. If there is something else in your application still creating a session, Spring Security will try to protect it from a session-fixation attack.

How a session-fixation attack is done depends on the configured strategy; the default is to change the session identifier on each request. In Servlet 3.1 and newer containers, the ChangeSessionIdAuthenticationStrategy is the default if no explicit configuration is done. In Servlet 3.0 and below, the default is migrateSession.

You can disable session-fixation protection by doing sessionFixation().none(); however, you have to question if that is what you really want as that, potentially, makes your application less safe.

Depending on what breaks/fails you might want to fix that instead of making your application less secure.
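As an added example (not code from the question or the answer above), the following Spring Security 4.x Java configuration keeps the STATELESS creation policy, names the session-fixation strategy explicitly instead of relying on the container-dependent default, and registers an HttpSessionListener that records a stack trace whenever any session is actually created. That trace points at the component the answer refers to as "something else in your application still creating a session", so it can be fixed rather than turning the protection off with sessionFixation().none(). The class names, the /api/** path, and the use of HTTP Basic are assumptions made for the example.

```java
// File 1: StatelessApiSecurityConfig.java (example code, not the project's own)
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class StatelessApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                // Spring Security will not create an HttpSession itself ...
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                // ... but SessionManagementFilter still runs, and if another
                // component creates a session it is protected with this strategy.
                // changeSessionId() needs a Servlet 3.1+ container; on Servlet 3.0
                // use migrateSession(). sessionFixation().none() would disable the
                // protection entirely, which is the weaker choice the answer warns about.
                .sessionFixation().changeSessionId()
                .and()
            .authorizeRequests()
                .antMatchers("/api/**").authenticated()   // assumed API path
                .anyRequest().permitAll()
                .and()
            .httpBasic();   // assumed credential mechanism for the example
    }
}

// File 2: SessionCreationTracer.java (example code, not the project's own)
// Discovered by the container through @WebListener (Servlet 3.0+ annotation scanning).
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener
public class SessionCreationTracer implements HttpSessionListener {

    private static final Logger LOG = Logger.getLogger(SessionCreationTracer.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // An application that is meant to be stateless should never reach this point.
        // The Throwable is created only to capture the current stack, which shows
        // which class called HttpServletRequest.getSession(true). The session id is
        // deliberately not logged.
        LOG.log(Level.WARNING,
                "HttpSession created in an application configured as STATELESS",
                new Throwable("session creation site"));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // nothing to do; only creation is of interest here
    }
}
```

Run the application with this listener in place, exercise the requests that show the unexpected behavior, and read the stack trace in the log: the frame just above the container's session code is the caller that creates the session (common candidates include JSP pages, which create a session by default, and frameworks that store state in the session). Once that component is changed to stop creating sessions, the SessionManagementFilter has nothing to protect and the session-fixation strategy never takes effect, without having to weaken the configuration.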
