Spring Security session JSESSIONID

Time: 2016-10-18 12:17:40

Tags: session angular spring-security jsessionid

I am currently developing a REST API with Spring Boot for an Angular2 front-end application.

I use Spring Security to manage user authentication, but I need to store some information in the browser session. The problem is that a new JSESSIONID is created on every request.

Example:

  1. Auth POST: it returns Set-Cookie: JSESSIONID=C367245309E4E80606066FDCFBE0EE43 in the response header. A new session is created with the user's information. (screenshot: Auth)
  2. Protected REST resource GET: the session is empty and the JSESSIONID cookie is not in the request header. It returns Set-Cookie: JSESSIONID=163B28B7AC2042F9EFF1046F9E14A600 (screenshot: AuthCheck)

My Spring Security configuration is:

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {

        // Enable x-frame-options for same origin
        httpSecurity.headers().frameOptions().sameOrigin();

        /*
         * the secret key used to sign the JWT token is known exclusively by
         * the server. With Nimbus JOSE implementation, it must be at least 256
         * characters long.
         */
        String secret = IOUtils.toString(getClass().getClassLoader().getResourceAsStream("secret.key"),
                Charset.defaultCharset());

        httpSecurity.addFilterAfter(jwtTokenAuthenticationFilter("/**", secret), ExceptionTranslationFilter.class)
                .addFilterBefore(new SimpleCORSFilter(), CorsFilter.class)
                /*
                 * Exception management is handled by the
                 * authenticationEntryPoint (for exceptions related to
                 * authentication) and by the AccessDeniedHandler (for
                 * exceptions related to access rights)
                 */
                .exceptionHandling().authenticationEntryPoint(new SecurityAuthenticationEntryPoint())
                .accessDeniedHandler(new RestAccessDeniedHandler()).and()

                /*
                 * anonymous() considers no authentication as being anonymous
                 * instead of null in the security context.
                 */
                .anonymous().and()
                /* No Http session is used to get the security context */
                //
                .sessionManagement().maximumSessions(1).and().sessionFixation().none()
                .sessionCreationPolicy(SessionCreationPolicy.ALWAYS).and().authorizeRequests()
                /*
                 * All access to the authentication service is permitted
                 * without authentication (actually as anonymous)
                 */
                .antMatchers("/auth/**").permitAll().antMatchers("/css/**").permitAll().antMatchers("/js/**")
                .permitAll().antMatchers("/accueil").permitAll()
                // .antMatchers("/**").permitAll()
                /*
                 * All the other requests need authentication. Role access is
                 * done on methods using annotations like @PreAuthorize
                 */
                .anyRequest().authenticated().and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class).csrf()
                .csrfTokenRepository(csrfTokenRepository()).disable();
    }

Can you help me solve the session problem?
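The configuration in the question mixes two models: it creates an HTTP session on every request (SessionCreationPolicy.ALWAYS) while also carrying a JWT, disables CSRF even though the session cookie is a browser-attached credential, turns off session fixation protection, and relies on a custom CORS filter that must allow credentials for a cross-origin Angular client to send JSESSIONID at all. The class below is an added example, not code from the question or from the answer, showing the cookie-session variant made consistent. It assumes the Spring Security 4.1 / Spring Boot 1.4 APIs of the question's era (WebSecurityConfigurerAdapter, http.cors(), CookieCsrfTokenRepository.withHttpOnlyFalse()), that the question's own SecurityAuthenticationEntryPoint and RestAccessDeniedHandler classes exist, and that the Angular dev server runs on the placeholder origin http://localhost:4200.

```java
import java.util.Arrays;
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Added example (not the question's code): a session-cookie based configuration
// in which CORS, CSRF and session creation agree with each other.
@Configuration
@EnableWebSecurity
public class CookieSessionSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed origin of the Angular dev server; replace with the real front-end origin.
    private static final String FRONTEND_ORIGIN = "http://localhost:4200";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers().frameOptions().sameOrigin().and()
            // Spring's CorsFilter runs ahead of the security filters, so the
            // preflight OPTIONS request is answered without authentication.
            .cors().configurationSource(corsConfigurationSource()).and()
            // The session cookie is the credential and the browser attaches it
            // automatically, so CSRF protection stays on. The token is placed in
            // a readable XSRF-TOKEN cookie that Angular echoes as X-XSRF-TOKEN.
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
            .sessionManagement()
                // Create a session only when something is stored in it. ALWAYS
                // mints a fresh session (and Set-Cookie) for every request that
                // arrives without a cookie, which is what the question observes.
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                // Rotate the session id on login instead of sessionFixation().none().
                .sessionFixation().migrateSession()
                .and()
            .exceptionHandling()
                .authenticationEntryPoint(new SecurityAuthenticationEntryPoint())
                .accessDeniedHandler(new RestAccessDeniedHandler())
                .and()
            .authorizeRequests()
                .antMatchers("/auth/**", "/css/**", "/js/**", "/accueil").permitAll()
                .anyRequest().authenticated();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // With credentials the allowed origin must be explicit: browsers reject
        // Access-Control-Allow-Origin: * on a credentialed response.
        config.setAllowedOrigins(Collections.singletonList(FRONTEND_ORIGIN));
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(Arrays.asList("Content-Type", "X-XSRF-TOKEN"));
        // Emits Access-Control-Allow-Credentials: true; without it the browser
        // neither stores nor sends JSESSIONID on a cross-origin XHR, even when
        // the client sets withCredentials.
        config.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
```

Two things must hold at once for the cookie to round-trip: the server response carries an explicit origin plus Allow-Credentials as above, and the Angular client marks its XHRs with withCredentials. If the API is meant to be authenticated by the JWT alone instead, the consistent alternative is SessionCreationPolicy.STATELESS with the JWT filter; in that model no cookie is a credential, so disabling CSRF is justified and no JSESSIONID is issued at all.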

1 answer:

Answer 0 (score: 1)

It seems to be an angular2 problem where the cookie is not sent; I set this code in the constructor before calling the REST API:

SCHWERWIEGEND: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'customAuthenticationProvider': Unsatisfied dependency expressed through field 'ur'; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean found for dependency [de.applikationschmiede.repository.UserRepository]: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {@org.springframework.beans.factory.annotation.Autowired(required=true)}
    at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:569)
    at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:88)
    at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:349)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1219)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:543)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:482)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:751)
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:861)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:541)
    at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:444)
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:326)
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:107)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4717)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5179)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1403)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1393)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean found for dependency [de.applikationschmiede.repository.UserRepository]: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {@org.springframework.beans.factory.annotation.Autowired(required=true)}
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.raiseNoMatchingBeanFound(DefaultListableBeanFactory.java:1463)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1094)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1056)
    at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:566)
    ... 24 more

Now my JSESSIONID is being sent with every request.