我正在使用Spring 4.3.21RELEASE和Spring Security 4.2.10.RELEASE开发资源服务器
我已经这样配置资源服务器
@Configuration
@EnableResourceServer
public class Oauth2ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().hasRole("USER");
}
@Override
public void configure(ResourceServerSecurityConfigurer config) {
config.resourceId("resource_server");
RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
remoteTokenServices.setCheckTokenEndpointUrl("http://my_url_to_validate_token/");
remoteTokenServices.setClientId("cliend_id");
remoteTokenServices.setClientSecret("secred_id");
config.tokenServices(remoteTokenServices);
}
}
调试 RemoteTokenServices.loadAuthentication 和 OAuth2AuthenticationManager.authenticate 正常运行,并进行正确的验证和认证。
但是在那之后我得到了这个错误
Jan 04, 2019 4:58:13 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [apiServlet] in context with path [] threw exception [Filtered request failed.] with root cause
org.apache.shiro.session.UnknownSessionException: There is no session with id [0bfdf9b2-7e2b-421c-97d3-e0fef7f5a531]
at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170)
at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236)
at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222)
at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:108)
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:112)
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.setAttribute(AbstractNativeSessionManager.java:216)
at org.apache.shiro.session.mgt.DelegatingSession.setAttribute(DelegatingSession.java:151)
at org.apache.shiro.session.ProxiedSession.setAttribute(ProxiedSession.java:128)
at org.apache.shiro.web.servlet.ShiroHttpSession.setAttribute(ShiroHttpSession.java:202)
配置还需要一些额外的东西吗?
期待您的帮助。非常感谢!
答案 0 :(得分:0)
这个问题似乎与防止会话固定攻击的Spring安全机制以及可能正在创建一个新会话的ShiroFilter有关,该弹簧被视为会话固定攻击。
一种解决方案是禁用spring Security的会话固定,(不是一个好的选择)
http.sessionManagement().sessionFixation().none();
另一种方法是更改过滤器的顺序,以前我已经以此顺序定义
//Shiro Filter
FilterRegistration.Dynamic shiroFilterRegistration = servletContext.addFilter("shiroFilter", new DelegatingFilterProxy("shiroFilter"));
shiroFilterRegistration.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
//Shiro Filter
//Spring security filter
FilterRegistration.Dynamic filterRegistration = servletContext.addFilter(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME, DelegatingFilterProxy.class);
filterRegistration.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/protected_resource");
// Spring security filter
如果我们更改订单
//Spring security filter
FilterRegistration.Dynamic filterRegistration = servletContext.addFilter(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME, DelegatingFilterProxy.class);
filterRegistration.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/protected_resource");
// Spring security filter
//Shiro Filter
FilterRegistration.Dynamic shiroFilterRegistration = servletContext.addFilter("shiroFilter", new DelegatingFilterProxy("shiroFilter"));
shiroFilterRegistration.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
//Shiro Filter
我们摆脱了这个例外