身份验证后在 Oauth 资源服务器上有 "UnknownSessionException: There is no session with id"
Having "UnknownSessionException: There is no session with id" on Oauth Resource Server after Authentication
我正在使用 Spring 4.3.21.RELEASE 和 Spring 安全 4.2.10.RELEASE、
开发资源服务器
我已经像这样配置了我的资源服务器
@Configuration
@EnableResourceServer
public class Oauth2ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().hasRole("USER");
}
@Override
public void configure(ResourceServerSecurityConfigurer config) {
config.resourceId("resource_server");
RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
remoteTokenServices.setCheckTokenEndpointUrl("http://my_url_to_validate_token/");
remoteTokenServices.setClientId("cliend_id");
remoteTokenServices.setClientSecret("secred_id");
config.tokenServices(remoteTokenServices);
}
}
调试 RemoteTokenServices.loadAuthentication 和 OAuth2AuthenticationManager.authenticate 工作正常并进行正确的验证和身份验证。
但在那之后我收到了这个错误
Jan 04, 2019 4:58:13 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [apiServlet] in context with path [] threw exception [Filtered request failed.] with root cause
org.apache.shiro.session.UnknownSessionException: There is no session with id [0bfdf9b2-7e2b-421c-97d3-e0fef7f5a531]
at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170)
at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236)
at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222)
at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:108)
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:112)
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.setAttribute(AbstractNativeSessionManager.java:216)
at org.apache.shiro.session.mgt.DelegatingSession.setAttribute(DelegatingSession.java:151)
at org.apache.shiro.session.ProxiedSession.setAttribute(ProxiedSession.java:128)
at org.apache.shiro.web.servlet.ShiroHttpSession.setAttribute(ShiroHttpSession.java:202)
是否需要额外的配置?
期待您的帮助。非常感谢!
这个问题似乎与 spring 防止会话固定攻击的安全机制和可能正在创建新会话的 ShiroFilter 有关,spring 将其视为会话固定攻击。
一个解决方案是禁用 spring 安全性的会话固定,(不是一个好的选择)
http.sessionManagement().sessionFixation().none();
另一个是改变过滤器的顺序,我之前定义的是这个顺序
//Shiro Filter
FilterRegistration.Dynamic shiroFilterRegistration = servletContext.addFilter("shiroFilter", new DelegatingFilterProxy("shiroFilter"));
shiroFilterRegistration.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
//Shiro Filter
//Spring security filter
FilterRegistration.Dynamic filterRegistration = servletContext.addFilter(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME, DelegatingFilterProxy.class);
filterRegistration.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/protected_resource");
// Spring security filter
如果我们改变顺序
//Spring security filter
FilterRegistration.Dynamic filterRegistration = servletContext.addFilter(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME, DelegatingFilterProxy.class);
filterRegistration.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/protected_resource");
// Spring security filter
//Shiro Filter
FilterRegistration.Dynamic shiroFilterRegistration = servletContext.addFilter("shiroFilter", new DelegatingFilterProxy("shiroFilter"));
shiroFilterRegistration.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
//Shiro Filter
我们摆脱了这个异常
我正在使用 Spring 4.3.21.RELEASE 和 Spring 安全 4.2.10.RELEASE、
开发资源服务器我已经像这样配置了我的资源服务器
@Configuration
@EnableResourceServer
public class Oauth2ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().hasRole("USER");
}
@Override
public void configure(ResourceServerSecurityConfigurer config) {
config.resourceId("resource_server");
RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
remoteTokenServices.setCheckTokenEndpointUrl("http://my_url_to_validate_token/");
remoteTokenServices.setClientId("cliend_id");
remoteTokenServices.setClientSecret("secred_id");
config.tokenServices(remoteTokenServices);
}
}
调试 RemoteTokenServices.loadAuthentication 和 OAuth2AuthenticationManager.authenticate 工作正常并进行正确的验证和身份验证。
但在那之后我收到了这个错误
Jan 04, 2019 4:58:13 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [apiServlet] in context with path [] threw exception [Filtered request failed.] with root cause
org.apache.shiro.session.UnknownSessionException: There is no session with id [0bfdf9b2-7e2b-421c-97d3-e0fef7f5a531]
at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170)
at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236)
at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222)
at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:108)
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:112)
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.setAttribute(AbstractNativeSessionManager.java:216)
at org.apache.shiro.session.mgt.DelegatingSession.setAttribute(DelegatingSession.java:151)
at org.apache.shiro.session.ProxiedSession.setAttribute(ProxiedSession.java:128)
at org.apache.shiro.web.servlet.ShiroHttpSession.setAttribute(ShiroHttpSession.java:202)
是否需要额外的配置?
期待您的帮助。非常感谢!
这个问题似乎与 spring 防止会话固定攻击的安全机制和可能正在创建新会话的 ShiroFilter 有关,spring 将其视为会话固定攻击。
一个解决方案是禁用 spring 安全性的会话固定,(不是一个好的选择)
http.sessionManagement().sessionFixation().none();
另一个是改变过滤器的顺序,我之前定义的是这个顺序
//Shiro Filter
FilterRegistration.Dynamic shiroFilterRegistration = servletContext.addFilter("shiroFilter", new DelegatingFilterProxy("shiroFilter"));
shiroFilterRegistration.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
//Shiro Filter
//Spring security filter
FilterRegistration.Dynamic filterRegistration = servletContext.addFilter(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME, DelegatingFilterProxy.class);
filterRegistration.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/protected_resource");
// Spring security filter
如果我们改变顺序
//Spring security filter
FilterRegistration.Dynamic filterRegistration = servletContext.addFilter(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME, DelegatingFilterProxy.class);
filterRegistration.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/protected_resource");
// Spring security filter
//Shiro Filter
FilterRegistration.Dynamic shiroFilterRegistration = servletContext.addFilter("shiroFilter", new DelegatingFilterProxy("shiroFilter"));
shiroFilterRegistration.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
//Shiro Filter
我们摆脱了这个异常