spring安全性后,Spring安全性HttpSession为null

时间:2014-10-15 23:35:04

标签: java spring security authentication httpsession

我正在使用spring security 3.0.5.RELEASE。身份验证成功后,用户未经过身份验证我在日志

中有此消息
  

16/10/2014 00:08:17 [http-bio-8080-exec-5]   (AbstractAuthenticationProcessingFilter.java:289)DEBUG -   身份验证成功......

     

16/10/2014 00:08:17 [http-bio-8080-exec-5]   (HttpSessionSecurityContextRepository.java:360)DEBUG -   SecurityContext存储到HttpSession:   “org.springframework.security.core.context.SecurityContextImpl@57920877:   ... 16/10/2014 00:08:17 [http-bio-8080-exec-5]   (SecurityContextPersistenceFilter.java:89)DEBUG -   SecurityContextHolder现已清除,请求处理完成...

     

16/10/2014 00:08:18 [http-bio-8080-exec-6]   (HttpSessionSecurityContextRepository.java:130)DEBUG - 没有HttpSession   目前存在   16/10/2014 00:08:18 [http-bio-8080-exec-6]   (HttpSessionSecurityContextRepository.java:88)DEBUG - 没有   SecurityContext可以从HttpSession获得:null。一个新的   将被创建。

这是我的conf web.xml中:

<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

的security.xml

<security:http auto-config="true" use-expressions="true" access-denied-page="/denied.htm">
<security:intercept-url pattern="/"  access="permitAll" />
<security:intercept-url pattern="/user/login"  access="permitAll" />
<security:intercept-url pattern="/admin/**"  access="hasRole('ROLE_ADMIN')" />
<security:form-login    login-page="/user/login.htm"  authentication-failure-url="/user/login.htm?error=true"   default-target-url="/" />
<security:logout invalidate-session="true" logout-success-url="/index.htm" logout-url="/logout.htm" />

<security:authentication-manager>
    <security:authentication-provider user-service-ref="userDetailsService">
        <security:password-encoder ref="passwordEncoder" />
    </security:authentication-provider>
</security:authentication-manager>

<!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the 
    database -->
<bean
    class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder" />

<bean id="userDaoService" class="com.example.dao.jdbc.JdbcUserDao">
    <property name="dataSource" ref="dataSource" />
</bean>

<bean id="userDetailsService" class="com.cercle.core.services.impl.UserServiceImpl">
</bean>

<bean id="userDetails" class="com.example.model.User">
</bean>

1 个答案:

答案 0 :(得分:1)

我发现了问题。 Spring conf没关系,但我的tomcat在apache2后面运行,我忘了通知apache2保存cookie(使用命令ProxyPassReverseCookiePath)