stackoom
  简体   繁体   中英

Using Spring Security and Spring Redis Session on multiple servers

 原文  2015-06-16 16:47:03       java/ spring/ session/ spring-security/ spring-session

Question

I have a spring project, and have just added spring session with a redis data store to save session objects. It already used sring security for page permissions and suchlike. Imports are updated to be using using spring 4.1.6. and security 4.0.1.

It is currently using the xml based configuration. I have set up so the spring session filter is before the spring security filter 

<!-- Spring session filters -->
<filter>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- security filters -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Upon going to the login page there is one cookie, as expected. A new 'session' cookie, that correlates to the cookie within redis. However upon login, there is the original JSESSIONID cookie created, this is not persisted within the redis database. This cookie is required, as if i set it to 'stateless' then the system does not log-in.

This means upon multiple instances of the UI, there will be different security sessions across the servers, rendering the redis datastore redundant.

I am currently unsure of the need of JSESSIONID, as upon login most fields are placed within the SESSION. When retrieving the user and suchlike the correct SESSION cookie is used, and the same cookie is used for saving information. Is anybody able to explain the need for it, apart from for security reasons.

Is there a way to either persist the JSESSIONID within the database aswell, or additionall save the information in the security session within the normal SESSION cookie.

1 answers

solution1
 0  2015-06-29 16:20:27

The issue is the request context was set before the spring session filter was added. The solution was to explicitly set when the requestContext was set, so it was after spring sessions. 

<!-- Spring session filters -->
<filter>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Request context filter - has to be after session so replaces the jsessionid with correct session -->
<filter>
    <filter-name>requestContextFilter</filter-name>
    <filter-class>org.springframework.web.filter.RequestContextFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>requestContextFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

This needed to be added in the web.xml of the WEB-INF

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Setting up Spring Session and Redis via XML with existing Spring Security How can I make Spring Security store the HTTP Session in a database to use the web app on multiple servers? Session Attributes using spring security Session management using spring security methods of storing session in redis using spring Spring Session + Redis + JSF Spring data redis - multiple schema - change schema in session (getting the connection) VS. using multiple connection pools session create using spring security registration CAS logout on session timeout using spring security Spring Security session without using cookies
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM