【问题标题】:Tomcat 7 sessions end unexpectedly Spring Security with message: HttpSession returned null object for SPRING_SECURITY_CONTEXTTomcat 7 会话意外结束 Spring Security 并显示消息:HttpSession 返回了 SPRING_SECURITY_CONTEXT 的空对象
【发布时间】:2015-01-30 12:12:09
【问题描述】:

我们在 Tomcat 7 上部署的 webapp 遇到了问题。即使系统没有负载,用户也会被踢出系统。当我们在 eclipse 中本地运行应用程序时也会发生这种情况。

应用程序使用 Spring Security 3.2.5 对用户进行身份验证。成功登录后,应用程序会间歇性地将用户抛出到登录页面。

日志反复显示消息

2014-12-11 13:05:56 DEBUG ExceptionTranslationFilter:115 - Chain processed normally
2014-12-11 13:05:56 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-12-11 13:06:06 DEBUG HttpSessionSecurityContextRepository:152 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2014-12-11 13:06:06 DEBUG HttpSessionSecurityContextRepository:91 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@13f57a03. A new one will be created.

这是否意味着安全上下文突然被清除,这将使会话无效? 稍后,当它尝试重新创建会话时,它会以匿名用户的身份进行,然后抛出拒绝访问异常。请参阅下面的详细日志

我曾尝试使用here 列出的解决方案,但没有奏效。 任何有关这方面的帮助都会很棒。

谢谢,
达南杰

这里是详细的日志:

2014-12-11 13:05:56 DEBUG ExceptionTranslationFilter:115 - Chain processed normally
2014-12-11 13:05:56 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-12-11 13:06:06 DEBUG HttpSessionSecurityContextRepository:152 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2014-12-11 13:06:06 DEBUG HttpSessionSecurityContextRepository:91 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@13f57a03. A new one will be created.
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 2 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2014-12-11 13:06:06 DEBUG DefaultSavedRequest:331 - pathInfo: arg1=/productsearch/clearSessionProducts; arg2=/productsearch/landingpage (property not equals)
2014-12-11 13:06:06 DEBUG HttpSessionRequestCache:75 - saved request doesn't match
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2014-12-11 13:06:06 DEBUG AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa3d44: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 0EBEF4FC60DFCD59AB3086A0B8185FE6; Granted Authorities: ROLE_ANONYMOUS'
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/login/view'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/login/forgotpassword'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/login/welcome'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/login/contactus'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/login/getstarted'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/login/getimage'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/login/getfooter'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/login/resetpassword'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/bgx_resources/foundation/js/login/**'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/bgx_resources/foundation/css/**'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/extjs-3.4/**'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/resources/**'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/layout/**'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/images/**'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/files/**'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/home/termsofuse'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/home/privacypolicy'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/custom-javascript-files/b2b/scroller/**'
2014-12-11 13:06:06 DEBUG FilterSecurityInterceptor:194 - Secure object: FilterInvocation: URL: /productsearch/landingpage; Attributes: [hasRole('ROLE_USER')]
2014-12-11 13:06:06 DEBUG FilterSecurityInterceptor:310 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faa3d44: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 0EBEF4FC60DFCD59AB3086A0B8185FE6; Granted Authorities: ROLE_ANONYMOUS
2014-12-11 13:06:06 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@144c61b3, returned: -1
2014-12-11 13:06:06 DEBUG ExceptionTranslationFilter:165 - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

这里是安全配置:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="
            http://www.springframework.org/schema/beans 
            http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.2.xsd">        
        <bean id="authenticationEntryPoint" class="com.myapp.security.CustomAuthEntryPoint">
            <property name="loginFormUrl" value="/login/view" />
            <property name="redirectURL" value="/login/view" />
        </bean>
    <security:http auto-config="true" entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true" use-expressions="true">
        <!-- All Login Page related resources , Allow all to access this -->
        <security:intercept-url pattern="/login/**" access="permitAll"/>
        <security:intercept-url pattern="/myapp_resources/foundation/js/login/**" access="permitAll"/>
        <security:intercept-url pattern="/myapp_resources/foundation/css/**" access="permitAll"/>
        <security:intercept-url pattern="/extjs-3.4/**" access="permitAll"/>
        <security:intercept-url pattern="/resources/**" access="permitAll"/>
        <security:intercept-url pattern="/layout/**" access="permitAll"/>
        <security:intercept-url pattern="/images/**" access="permitAll"/>

        <!-- Application protected area -->
        <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

        <security:form-login login-page="/login/view" default-target-url="/myapp/v13" always-use-default-target="true"
            authentication-failure-url="/login/view"/>
        <security:logout logout-success-url="/logout"/>
    </security:http>


    <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider
   ref="authenticationProvider"></security:authentication-provider>
 </security:authentication-manager>

 <bean id="authenticationProvider" class="com.myapp.security.CustomAuthenticationProvider">
 </bean>

2014 年 12 月 17 日更新:当我们将应用程序部署到 Jboss6 时出现相同的错误,因此这可能不是 Tomcat 特定的

【问题讨论】:

  • 不活动 x 分钟后会话超时?
  • 它没有超时。用户在浏览时被踢出应用程序并被重定向到登录页面。
  • 似乎很难破解,但安全配置可能是相关的。
  • @holmis83 我已经添加了我正在使用的安全配置。
  • 我怀疑您在应用程序切换到新线程时丢失了身份验证。您可以通过将线程 ID 添加到日志记录输出来检查这一点。例如,使用 log4j,您可以将 "%t 添加到您的 ConversionPattern。

标签: java spring spring-security tomcat7 spring-4


【解决方案1】:

看来它必须对我们在同一个应用程序中创建的批处理作业做一些事情。 (Using Quartz Scheduler)。禁用作业解决了这个问题。

Quartz 调度程序似乎正在创建新线程,这使应用程序切换到新创建的线程。

【讨论】:

    猜你喜欢
    • 2012-09-22
    • 2014-04-21
    • 2016-07-27
    • 2013-01-28
    • 2019-01-30
    • 2013-11-20
    • 1970-01-01
    • 2016-03-10
    • 2021-08-13
    相关资源
    最近更新 更多