我正在使用Spring 4.3.21.RELEASE和Spring Security 4.2.10.RELEASE开发Resource Server,
我已经像这样配置了我的资源服务器
@Configuration
@EnableResourceServer
public class Oauth2ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().hasRole("USER");
}
@Override
public void configure(ResourceServerSecurityConfigurer config) {
config.resourceId("resource_server");
RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
remoteTokenServices.setCheckTokenEndpointUrl("http://my_url_to_validate_token/");
remoteTokenServices.setClientId("cliend_id");
remoteTokenServices.setClientSecret("secred_id");
config.tokenServices(remoteTokenServices);
}
}
调试RemoteTokenServices.loadAuthentication和OAuth2AuthenticationManager.authenticate正常工作并执行正确的验证和身份验证。
但在那之后我收到了这个错误
Jan 04, 2019 4:58:13 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [apiServlet] in context with path [] threw exception [Filtered request failed.] with root cause
org.apache.shiro.session.UnknownSessionException: There is no session with id [0bfdf9b2-7e2b-421c-97d3-e0fef7f5a531]
at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170)
at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236)
at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222)
at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:108)
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:112)
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.setAttribute(AbstractNativeSessionManager.java:216)
at org.apache.shiro.session.mgt.DelegatingSession.setAttribute(DelegatingSession.java:151)
at org.apache.shiro.session.ProxiedSession.setAttribute(ProxiedSession.java:128)
at org.apache.shiro.web.servlet.ShiroHttpSession.setAttribute(ShiroHttpSession.java:202)
配置需要额外的东西吗?
期待您的帮助。非常感谢!
这问题似乎与Spring安全机制有关,以防止会话固定攻击和ShiroFilter,它可能正在创建一个新的会话,春天认为是会话固定攻击。
一种解决方案是禁用spring Security的会话固定,(不是一个好的选择)
http.sessionManagement().sessionFixation().none();
另一个是改变过滤器的顺序,以前我已按此顺序定义
//Shiro Filter
FilterRegistration.Dynamic shiroFilterRegistration = servletContext.addFilter("shiroFilter", new DelegatingFilterProxy("shiroFilter"));
shiroFilterRegistration.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
//Shiro Filter
//Spring security filter
FilterRegistration.Dynamic filterRegistration = servletContext.addFilter(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME, DelegatingFilterProxy.class);
filterRegistration.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/protected_resource");
// Spring security filter
如果我们改变订单
//Spring security filter
FilterRegistration.Dynamic filterRegistration = servletContext.addFilter(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME, DelegatingFilterProxy.class);
filterRegistration.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/protected_resource");
// Spring security filter
//Shiro Filter
FilterRegistration.Dynamic shiroFilterRegistration = servletContext.addFilter("shiroFilter", new DelegatingFilterProxy("shiroFilter"));
shiroFilterRegistration.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
//Shiro Filter
我们摆脱了这个例外