Change in session id availability in WebAuthenticationDetails between Spring Boot 2.4.4 and 2.5.2

bf1o4zei, posted 2021-09-29 in Java

We are updating our Spring Boot application from 2.4.4 to 2.5.2 and have run into an issue where .getSessionId() on the WebAuthenticationDetails object returns null in the newer version. However, the session id from RequestContextHolder.currentRequestAttributes().getSessionId() is returned in both cases.
We have a front-end SSO, so we are using RequestHeaderAuthenticationFilter.
We have looked through the documentation but could not find the source of the change.
What changed, and what do we need to do to make sure the session id is present?

Possibly relevant dependencies

Running with Spring Boot v2.4.4 and Spring v5.3.5 (session id present)

+--- org.springframework.boot:spring-boot-starter-security -> 2.4.4
|    +--- org.springframework.boot:spring-boot-starter:2.4.4 (*)
|    +--- org.springframework:spring-aop:5.3.5 (*)
|    +--- org.springframework.security:spring-security-config:5.4.5
|    |    +--- org.springframework.security:spring-security-core:5.4.5
|    |    |    +--- org.springframework:spring-aop:5.2.13.RELEASE -> 5.3.5 (*)
|    |    |    +--- org.springframework:spring-beans:5.2.13.RELEASE -> 5.3.5 (*)
|    |    |    +--- org.springframework:spring-context:5.2.13.RELEASE -> 5.3.5 (*)
|    |    |    +--- org.springframework:spring-core:5.2.13.RELEASE -> 5.3.5 (*)
|    |    |    \--- org.springframework:spring-expression:5.2.13.RELEASE -> 5.3.5 (*)
|    |    +--- org.springframework:spring-aop:5.2.13.RELEASE -> 5.3.5 (*)
|    |    +--- org.springframework:spring-beans:5.2.13.RELEASE -> 5.3.5 (*)
|    |    +--- org.springframework:spring-context:5.2.13.RELEASE -> 5.3.5 (*)
|    |    \--- org.springframework:spring-core:5.2.13.RELEASE -> 5.3.5 (*)
|    \--- org.springframework.security:spring-security-web:5.4.5
|         +--- org.springframework.security:spring-security-core:5.4.5 (*)
|         +--- org.springframework:spring-aop:5.2.13.RELEASE -> 5.3.5 (*)
|         +--- org.springframework:spring-beans:5.2.13.RELEASE -> 5.3.5 (*)
|         +--- org.springframework:spring-context:5.2.13.RELEASE -> 5.3.5 (*)
|         +--- org.springframework:spring-core:5.2.13.RELEASE -> 5.3.5 (*)
|         +--- org.springframework:spring-expression:5.2.13.RELEASE -> 5.3.5 (*)
|         \--- org.springframework:spring-web:5.2.13.RELEASE -> 5.3.5 (*)

Running with Spring Boot v2.5.2 and Spring v5.3.8 (session id missing)

+--- org.springframework.boot:spring-boot-starter-security -> 2.5.2
|    +--- org.springframework.boot:spring-boot-starter:2.5.2 (*)
|    +--- org.springframework:spring-aop:5.3.8 (*)
|    +--- org.springframework.security:spring-security-config:5.5.1
|    |    +--- org.springframework.security:spring-security-core:5.5.1
|    |    |    +--- org.springframework.security:spring-security-crypto:5.5.1
|    |    |    +--- org.springframework:spring-aop:5.3.8 (*)
|    |    |    +--- org.springframework:spring-beans:5.3.8 (*)
|    |    |    +--- org.springframework:spring-context:5.3.8 (*)
|    |    |    +--- org.springframework:spring-core:5.3.8 (*)
|    |    |    \--- org.springframework:spring-expression:5.3.8 (*)
|    |    +--- org.springframework:spring-aop:5.3.8 (*)
|    |    +--- org.springframework:spring-beans:5.3.8 (*)
|    |    +--- org.springframework:spring-context:5.3.8 (*)
|    |    \--- org.springframework:spring-core:5.3.8 (*)
|    \--- org.springframework.security:spring-security-web:5.5.1
|         +--- org.springframework.security:spring-security-core:5.5.1 (*)
|         +--- org.springframework:spring-core:5.3.8 (*)
|         +--- org.springframework:spring-aop:5.3.8 (*)
|         +--- org.springframework:spring-beans:5.3.8 (*)
|         +--- org.springframework:spring-context:5.3.8 (*)
|         +--- org.springframework:spring-expression:5.3.8 (*)
|         \--- org.springframework:spring-web:5.3.8 (*)

Security configuration

import java.util.ArrayList;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
  // getPersistanceFilter(), getSecAwareFilter() and userDetailsServiceWrapper()
  // are defined elsewhere in the application and were not included in the post.

  @Override
  protected void configure(HttpSecurity http) throws Exception
  {
    // Pre-authentication via the SSO header, then the application's own filters
    // placed after the SecurityContextPersistenceFilter.
    http.addFilterAfter(httpdAuthFilter(),
        RequestHeaderAuthenticationFilter.class)
        .addFilterAfter(getPersistanceFilter(),
            SecurityContextPersistenceFilter.class)
        .addFilterAfter(getSecAwareFilter(),
            SecurityContextPersistenceFilter.class)
        .authorizeRequests()
        .antMatchers("/")
        .permitAll()
        .anyRequest()
        .authenticated()
        ;

    // Sessions are created on demand; concurrent sessions per user are unlimited
    // and tracked in the SessionRegistry below.
    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
        .maximumSessions(-1)
        .sessionRegistry(sessionRegistry());
  }

  @Bean
  public HttpSessionEventPublisher httpSessionEventPublisher()
  {
    return new HttpSessionEventPublisher();
  }

  @Bean
  public SessionRegistry sessionRegistry()
  {
    return new SessionRegistryImpl();
  }

  @Bean
  @Override
  protected AuthenticationManager authenticationManager()
  {
    final List<AuthenticationProvider> providers = new ArrayList<>();
    providers.add(preauthAuthProvider());
    return new ProviderManager(providers);
  }

  @Bean(name = "preAuthProvider")
  /* package */ PreAuthenticatedAuthenticationProvider preauthAuthProvider()
  {
    PreAuthenticatedAuthenticationProvider provider =
        new PreAuthenticatedAuthenticationProvider();
    provider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper());

    return provider;
  }

  @Bean(name = "httpdAuthFilter")
  public RequestHeaderAuthenticationFilter httpdAuthFilter()
  {
    // Trusts the principal header set by the front-end SSO (httpd).
    RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter =
        new RequestHeaderAuthenticationFilter();
    requestHeaderAuthenticationFilter
        .setAuthenticationManager(authenticationManager());
    return requestHeaderAuthenticationFilter;
  }
}

Application initializer

import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.WebApplicationInitializer;

@Configuration
public class ApplicationInitializer implements WebApplicationInitializer
{
  /**
   * @see org.springframework.web.WebApplicationInitializer#onStartup(javax.servlet.ServletContext)
   */
  @Override
  public void onStartup(ServletContext servletContext) throws ServletException
  {
    // Track sessions by cookie only (no URL rewriting), and harden the cookie.
    servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

    servletContext.getSessionCookieConfig().setHttpOnly(true);
    servletContext.getSessionCookieConfig().setSecure(true);
  }
}

Getting WebAuthenticationDetails

(Note: null checks removed)

// Session id as captured by Spring Security when the authentication was created.
SecurityContext secureContext = SecurityContextHolder.getContext();
Authentication auth = secureContext.getAuthentication();
WebAuthenticationDetails webAuthDetails = (WebAuthenticationDetails)auth.getDetails();

String sessionId = webAuthDetails.getSessionId();

RequestContextHolder

// Session id of the current request, read from the request attributes.
String rchSessionId =
        RequestContextHolder.currentRequestAttributes().getSessionId();

The session id from webAuthDetails is null in 2.5.2 but is the correct session id in 2.4.4. The session id from RequestContextHolder is correct in either version.
We look up some information based on the session id.
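A null-safe way to resolve the session id the lookup needs, written as an added example rather than the poster's code: it prefers the value from WebAuthenticationDetails and falls back to the request attributes, which the post says still return the id in both versions, and it reports when the two disagree. The class and method names are assumptions.

```java
import java.util.Optional;
import java.util.logging.Logger;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;

/** Hypothetical helper, not part of the post. */
public final class SessionIdResolver
{
  private static final Logger LOG = Logger.getLogger(SessionIdResolver.class.getName());

  private SessionIdResolver() {}

  /**
   * Returns the session id for the current request, or empty when there is none.
   * The id recorded in WebAuthenticationDetails is preferred; if it is null (as the
   * post reports for Spring Boot 2.5.2) the id is read from the request attributes.
   */
  public static Optional<String> currentSessionId()
  {
    String fromDetails = null;
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null && auth.getDetails() instanceof WebAuthenticationDetails)
    {
      fromDetails = ((WebAuthenticationDetails) auth.getDetails()).getSessionId();
    }

    // getRequestAttributes() returns null outside a request instead of throwing,
    // unlike currentRequestAttributes() used in the post.
    String fromRequest = null;
    RequestAttributes attrs = RequestContextHolder.getRequestAttributes();
    if (attrs != null)
    {
      fromRequest = attrs.getSessionId();
    }

    if (fromDetails != null && fromRequest != null && !fromDetails.equals(fromRequest))
    {
      // The id captured at authentication time can differ from the current one,
      // e.g. after session fixation protection rotated the id; do not silently
      // key data on a stale id.
      LOG.warning("Session id in authentication details differs from current request");
    }

    return Optional.ofNullable(fromDetails != null ? fromDetails : fromRequest);
  }
}
```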
