1. 首页
  2. 问答
  3. Spring为每个POST请求创建会话

Spring为每个POST请求创建会话

2015-10-20 87 views
0

我的目标是创建无状态的API。Spring为每个POST请求创建会话

截至目前,GET请求可以正常工作,但是无论何时发布POST,它都会创建会话。配置有什么问题?部分aplicationContext.xml

部分 web.xml中 
<!-- Spring 4.0 namespaces used. --> 
<security:http realm="Protected API" use-expressions="true" auto-config="false" create-session="stateless" entry-point-ref="authenticationEntryPoint"> 
    <security:custom-filter ref="authenticationFilter" position="PRE_AUTH_FILTER"/> 
    <security:intercept-url pattern="/**"/> 
</security:http> 

<security:authentication-manager alias="authenticationManager" /> 


<!-- Spring configuration loading. --> 
<listener> 
    <listener-class> 
     org.springframework.web.context.ContextLoaderListener 
    </listener-class> 
</listener> 

<!-- Spring request dispatcher. --> 
<servlet> 
    <servlet-name>mvc-dispatcher</servlet-name> 
    <servlet-class> 
     org.springframework.web.servlet.DispatcherServlet 
    </servlet-class> 
    <load-on-startup>1</load-on-startup> 
</servlet> 

<servlet-mapping> 
    <servlet-name>mvc-dispatcher</servlet-name> 
    <url-pattern>/</url-pattern> 
</servlet-mapping> 

<!-- Spring security filters. --> 
<filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
</filter> 

<filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping>

问题是(按评论)去除开机启动更新

终点是否有效或无t,这是我在制作POST请求时获得的堆栈跟踪:

java.lang.RuntimeException: Session support is not enabled in appengine-web.xml. To enable sessions, put <sessions-enabled>true</sessions-enabled> in that file. Without it, getSession() is allowed, but manipulation of sessionattributes is not. 
    at com.google.apphosting.utils.jetty.StubSessionManager$StubSession.throwException(StubSessionManager.java:77) 
    at com.google.apphosting.utils.jetty.StubSessionManager$StubSession.setAttribute(StubSessionManager.java:65) 
    at org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository.saveToken(HttpSessionCsrfTokenRepository.java:65) 
    at org.springframework.security.web.csrf.CsrfFilter$SaveOnAccessCsrfToken.saveTokenIfNecessary(CsrfFilter.java:227) 
    at org.springframework.security.web.csrf.CsrfFilter$SaveOnAccessCsrfToken.getToken(CsrfFilter.java:185) 
    at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:104) 
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) 
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) 
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) 
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) 
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213) 
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176) 
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) 
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) 
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157) 
    at com.google.appengine.api.socket.dev.DevSocketFilter.doFilter(DevSocketFilter.java:74) 
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157) 
    at com.google.appengine.tools.development.ResponseRewriterFilter.doFilter(ResponseRewriterFilter.java:127) 
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157) 
    at com.google.appengine.tools.development.HeaderVerificationFilter.doFilter(HeaderVerificationFilter.java:34) 
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157) 
    at com.google.appengine.api.blobstore.dev.ServeBlobFilter.doFilter(ServeBlobFilter.java:63) 
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157) 
    at com.google.apphosting.utils.servlet.TransactionCleanupFilter.doFilter(TransactionCleanupFilter.java:43) 
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157) 
    at com.google.appengine.tools.development.StaticFileFilter.doFilter(StaticFileFilter.java:125) 
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157) 
    at com.google.appengine.tools.development.DevAppServerModulesFilter.doDirectRequest(DevAppServerModulesFilter.java:366) 
    at com.google.appengine.tools.development.DevAppServerModulesFilter.doDirectModuleRequest(DevAppServerModulesFilter.java:349) 
    at com.google.appengine.tools.development.DevAppServerModulesFilter.doFilter(DevAppServerModulesFilter.java:116) 
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157) 
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388) 
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216) 
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182) 
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765) 
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418) 
    at com.google.appengine.tools.development.DevAppEngineWebAppContext.handle(DevAppEngineWebAppContext.java:98) 
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152) 
    at com.google.appengine.tools.development.JettyContainerService$ApiProxyHandler.handle(JettyContainerService.java:502) 
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152) 
    at org.mortbay.jetty.Server.handle(Server.java:326) 
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542) 
    at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:938) 
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:755) 
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218) 
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404) 
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409) 
    at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)

我不希望应用程序使用会话。我认为create-session="stateless"应该使用NullSecurityContextRepository,但根据堆栈跟踪HttpSessionCsrfTokenRepository代替。

下面是Spring的依赖:

compile "org.springframework:spring-webmvc:4.0.2.RELEASE" 
compile "org.springframework.security:spring-security-web:4.0.2.RELEASE" 
compile "org.springframework.security:spring-security-config:4.0.2.RELEASE"

来源

2015-10-20 Pijusn

+0

关于/ **的截取URL的内容如何?谁可以访问它,你没有指定。 –

+0

初学者停止加载所有内容两次。您正在为'ContextLoaderListener'和'DispatcherServlet'使用相同的xml,导致创建重复的bean,从而导致各种问题。你也使用Spring Boot,然后使用'spring-boot-starter-security'。由于CSFR默认启用的存储库会禁用它。另外我想知道你为什么使用Spring引导,并且仍然有一个web.xml文件,确保你不会干扰Spring Boot启动和你自己的配置。 –

+0

@WeareBorg我希望过滤器对所有路径都有效,但不强制认证。 @ M.Deinum我完全删除了启动启动器,并将'security:http'标记移至'applicationContext.xml'。我做我做的是因为许多教程使用相同的XML。我虽然春天处理。 经过一切修改,问题仍然是一样的。 – Pijusn

回答

1

看起来这是一种尝试建立会话的CSRF保护。对于无状态服务,请将其禁用:

<security:http create-session="stateless" ...> 
    <security:csrf disabled="true"/> 
    <!-- the rest same as before --> 
</security:http>

来源

2015-10-20 12:03:49 holmis83

+0

即使这解决了这个问题,我仍然建议在进行主要帖子的作者(未回答)的进一步任务之前进行清理。 –

+0

这是问题所在。 @ M.Deinum在他的评论中提到了它,但我对Spring真的很陌生,并且没有正确理解它。 – Pijusn

相关问题

 相关问题