I am running into a problem where the HttpSession becomes null after the user is authenticated. Whenever a user's password is reset, the user is taken to the securityQuestions page and then on to our application's home page. So the user is authenticated when redirected to the securityQuestion page, but once the user answers the securityQuestion, the HttpSession becomes null and Spring creates an anonymous user authentication.
Below are my Spring debug logs:
2014-09-03 22:49:55,809 DEBUG | org.springframework.security.authentication.ProviderManager | | NFKqVO7EwF17 | Authentication attempt using com.dc.apps.cp.security.service.CPDaoAuthenticationProvider
2014-09-03 22:49:55,887 DEBUG | org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter | | NFKqVO7EwF17 | Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@8696305e: Principal: org.springframework.security.core.userdetails.User@49520377: Username: test1@dc.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 00.11.22.33; SessionId: C4956AA8D8DD5685E6595D3A941052B2; Not granted any authorities
2014-09-03 22:49:55,902 DEBUG | org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter | | NFKqVO7EwF17 | Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@8696305e: Principal: org.springframework.security.core.userdetails.User@49520377: Username: test1@dc.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 00.11.22.33; SessionId: C4956AA8D8DD5685E6595D3A941052B2; Not granted any authorities
2014-09-03 22:49:56,123 DEBUG | org.springframework.security.web.DefaultRedirectStrategy | test1@dc.com | NFKqVO7EwF17 | Redirecting to '/Passport/securityQuestions.do?clear=true'
2014-09-03 22:49:56,126 DEBUG | org.springframework.security.web.DefaultRedirectStrategy | test1@dc.com | NFKqVO7EwF17 | Redirecting to '/Passport/securityQuestions.do?clear=true'
2014-09-03 22:49:56,126 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository | test1@dc.com | NFKqVO7EwF17 | HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session
2014-09-03 22:49:56,128 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository | test1@dc.com | NFKqVO7EwF17 | SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@8696305e: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@8696305e: Principal: org.springframework.security.core.userdetails.User@49520377: Username: test1@dc.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 00.11.22.33; SessionId: C4956AA8D8DD5685E6595D3A941052B2; Not granted any authorities'
2014-09-03 22:49:56,129 DEBUG | org.springframework.security.web.context.SecurityContextPersistenceFilter | | NFKqVO7EwF17 | SecurityContextHolder now cleared, as request processing completed
2014-09-03 22:49:56,129 DEBUG | org.springframework.security.web.context.SecurityContextPersistenceFilter | | NFKqVO7EwF17 | SecurityContextHolder now cleared, as request processing completed
2014-09-03 22:49:57,212 DEBUG | org.springframework.security.web.FilterChainProxy | | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-09-03 22:49:57,213 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository | | NFKqVO7EwF17 | No HttpSession currently exists
2014-09-03 22:49:57,213 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository | | NFKqVO7EwF17 | No SecurityContext was available from the HttpSession: null. A new one will be created.
2014-09-03 22:49:57,214 DEBUG | org.springframework.security.web.FilterChainProxy | | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 2 of 12 in additional filter chain; firing Filter: 'WelcomePageRedirectFilter'
2014-09-03 22:49:57,214 DEBUG | org.springframework.security.web.FilterChainProxy | | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 3 of 12 in additional filter chain; firing Filter: 'InternalAuthenticationFilter'
2014-09-03 22:49:57,215 DEBUG | org.springframework.security.web.FilterChainProxy | | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2014-09-03 22:49:57,215 DEBUG | org.springframework.security.web.FilterChainProxy | | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2014-09-03 22:49:57,216 DEBUG | org.springframework.security.web.FilterChainProxy | | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 6 of 12 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2014-09-03 22:49:57,216 DEBUG | org.springframework.security.web.FilterChainProxy | | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2014-09-03 22:49:57,217 DEBUG | org.springframework.security.web.FilterChainProxy | | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2014-09-03 22:49:57,218 DEBUG | org.springframework.security.web.FilterChainProxy | | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2014-09-03 22:49:57,218 DEBUG | org.springframework.security.web.authentication.AnonymousAuthenticationFilter | anonymousUser | NFKqVO7EwF17 | Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 00.11.22.33; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2014-09-03 22:49:57,219 DEBUG | org.springframework.security.web.FilterChainProxy | anonymousUser | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2014-09-03 22:49:57,220 DEBUG | org.springframework.security.web.session.SessionManagementFilter | anonymousUser | NFKqVO7EwF17 | Requested session ID C4956AA8D8DD5685E6595D3A941052B2 is invalid.
Security applicationContext.xml:
<beans:bean id="trustedAuthenticationFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    <beans:property name="principalRequestHeader" value="X-Remote-Authenticate"/>
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="exceptionIfHeaderMissing" value="false" />
    <beans:property name="checkForPrincipalChanges" value="true" />
    <beans:property name="invalidateSessionOnPrincipalChange" value="true" />
</beans:bean>

<!-- LOCAL LOGIN CONFIGURATION -->
<http use-expressions="true" auto-config="false" disable-url-rewriting="true" entry-point-ref="loginUrlAuthenticationEntryPoint"
      request-matcher-ref="localAuthRequestMatcher">
    <intercept-url pattern="/admin/**" access="hasRole('ADMIN_PERMISSION')" />
    <intercept-url pattern="/system/upgrade.do" access="permitAll" />
    <intercept-url pattern="/system/upgradeStatus.do" access="isAnonymous()" />
    <intercept-url pattern="/enduser/ajax/upgradeCounts.do" access="permitAll" />
    <intercept-url pattern="/system/**" access="hasRole('ADMIN_PERMISSION')" />
    <intercept-url pattern="/enduser/**" access="isAuthenticated()" />
    <intercept-url pattern="/changePassword.do" access="permitAll"/>
    <intercept-url pattern="/index.do" access="isAnonymous()" />
    <custom-filter after="SECURITY_CONTEXT_FILTER" ref="welcomePageRedirectFilter" />
    <custom-filter before="LOGOUT_FILTER" ref="internalAuthenticationFilter" />
    <form-login login-page="/index.do" authentication-failure-handler-ref="DCAuthenticationFailureHandler" authentication-success-handler-ref="DCAuthenticationSuccessHandler" />
    <http-basic />
    <anonymous />
    <session-management session-authentication-strategy-ref="customSessionFixationProtectionStrategy" />
    <logout success-handler-ref="localLogoutSuccessHandler" />
</http>
We only see this problem in production and staging, not in the development environment, so it is hard for me to debug because it is not reproducible locally. I would really appreciate any help with this.
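The log line "HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session" is HttpSessionSecurityContextRepository declining to persist the freshly authenticated context: something invalidated the session during the login request and nothing created a replacement, so the redirected request arrives with no session and falls through to AnonymousAuthenticationFilter, exactly as the log shows. As an added example that is not part of the question (the poster's customSessionFixationProtectionStrategy is not shown), here is a Spring Security 3.x SessionAuthenticationStrategy, with a hypothetical class name, that performs the invalidate-and-recreate migration inside one request; Spring's own SessionFixationProtectionStrategy follows the same pattern.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

// Hypothetical strategy (added example, not the question's customSessionFixationProtectionStrategy).
// It invalidates the pre-login session and creates its replacement within the same request,
// so HttpSessionSecurityContextRepository still has a live session to store the context in.
public class MigratingSessionFixationStrategy implements SessionAuthenticationStrategy {

    @Override
    public void onAuthentication(Authentication authentication,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        HttpSession oldSession = request.getSession(false);
        if (oldSession == null) {
            // No session to fixate; the persistence filter creates one when saving the context.
            return;
        }

        // Copy attributes first: they are unreachable once the session is invalidated.
        Map<String, Object> attributes = new HashMap<String, Object>();
        Enumeration<String> names = oldSession.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            attributes.put(name, oldSession.getAttribute(name));
        }

        // Retire the pre-authentication session id so a fixated id is useless...
        oldSession.invalidate();

        // ...and create the replacement immediately. Invalidating without this step is
        // exactly the state behind "HttpSession is now null, but was not null at start
        // of request; session was invalidated, so do not create a new session": the
        // authenticated context is never persisted and the next request is anonymous.
        HttpSession newSession = request.getSession(true);
        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            newSession.setAttribute(entry.getKey(), entry.getValue());
        }
    }
}
```

It would be wired as the bean referenced by `session-authentication-strategy-ref` in the `<session-management>` element above; whatever strategy actually runs there must leave a live session behind before the response is committed.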