【发布时间】:2015-01-30 12:12:09
【问题描述】:
我们在 Tomcat 7 上部署的 webapp 遇到了问题。即使系统没有负载,用户也会被踢出系统。当我们在 eclipse 中本地运行应用程序时也会发生这种情况。
应用程序使用 Spring Security 3.2.5 对用户进行身份验证。成功登录后,应用程序会间歇性地将用户抛出到登录页面。
日志反复显示消息
2014-12-11 13:05:56 DEBUG ExceptionTranslationFilter:115 - Chain processed normally
2014-12-11 13:05:56 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-12-11 13:06:06 DEBUG HttpSessionSecurityContextRepository:152 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2014-12-11 13:06:06 DEBUG HttpSessionSecurityContextRepository:91 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@13f57a03. A new one will be created.
这是否意味着安全上下文突然被清除,这将使会话无效? 稍后,当它尝试重新创建会话时,它会以匿名用户的身份进行,然后抛出拒绝访问异常。请参阅下面的详细日志
我曾尝试使用here 列出的解决方案,但没有奏效。 任何有关这方面的帮助都会很棒。
谢谢,
达南杰
这里是详细的日志:
2014-12-11 13:05:56 DEBUG ExceptionTranslationFilter:115 - Chain processed normally
2014-12-11 13:05:56 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-12-11 13:06:06 DEBUG HttpSessionSecurityContextRepository:152 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2014-12-11 13:06:06 DEBUG HttpSessionSecurityContextRepository:91 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@13f57a03. A new one will be created.
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 2 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2014-12-11 13:06:06 DEBUG DefaultSavedRequest:331 - pathInfo: arg1=/productsearch/clearSessionProducts; arg2=/productsearch/landingpage (property not equals)
2014-12-11 13:06:06 DEBUG HttpSessionRequestCache:75 - saved request doesn't match
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2014-12-11 13:06:06 DEBUG AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa3d44: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 0EBEF4FC60DFCD59AB3086A0B8185FE6; Granted Authorities: ROLE_ANONYMOUS'
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2014-12-11 13:06:06 DEBUG FilterChainProxy:337 - /productsearch/landingpage at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/login/view'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/login/forgotpassword'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/login/welcome'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/login/contactus'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/login/getstarted'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/login/getimage'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/login/getfooter'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/login/resetpassword'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/bgx_resources/foundation/js/login/**'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/bgx_resources/foundation/css/**'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/extjs-3.4/**'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/resources/**'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/layout/**'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/images/**'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/files/**'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/home/termsofuse'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/home/privacypolicy'
2014-12-11 13:06:06 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/productsearch/landingpage'; against '/custom-javascript-files/b2b/scroller/**'
2014-12-11 13:06:06 DEBUG FilterSecurityInterceptor:194 - Secure object: FilterInvocation: URL: /productsearch/landingpage; Attributes: [hasRole('ROLE_USER')]
2014-12-11 13:06:06 DEBUG FilterSecurityInterceptor:310 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faa3d44: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 0EBEF4FC60DFCD59AB3086A0B8185FE6; Granted Authorities: ROLE_ANONYMOUS
2014-12-11 13:06:06 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@144c61b3, returned: -1
2014-12-11 13:06:06 DEBUG ExceptionTranslationFilter:165 - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
这里是安全配置:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<bean id="authenticationEntryPoint" class="com.myapp.security.CustomAuthEntryPoint">
<property name="loginFormUrl" value="/login/view" />
<property name="redirectURL" value="/login/view" />
</bean>
<security:http auto-config="true" entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true" use-expressions="true">
<!-- All Login Page related resources , Allow all to access this -->
<security:intercept-url pattern="/login/**" access="permitAll"/>
<security:intercept-url pattern="/myapp_resources/foundation/js/login/**" access="permitAll"/>
<security:intercept-url pattern="/myapp_resources/foundation/css/**" access="permitAll"/>
<security:intercept-url pattern="/extjs-3.4/**" access="permitAll"/>
<security:intercept-url pattern="/resources/**" access="permitAll"/>
<security:intercept-url pattern="/layout/**" access="permitAll"/>
<security:intercept-url pattern="/images/**" access="permitAll"/>
<!-- Application protected area -->
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<security:form-login login-page="/login/view" default-target-url="/myapp/v13" always-use-default-target="true"
authentication-failure-url="/login/view"/>
<security:logout logout-success-url="/logout"/>
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
ref="authenticationProvider"></security:authentication-provider>
</security:authentication-manager>
<bean id="authenticationProvider" class="com.myapp.security.CustomAuthenticationProvider">
</bean>
2014 年 12 月 17 日更新:当我们将应用程序部署到 Jboss6 时出现相同的错误,因此这可能不是 Tomcat 特定的
【问题讨论】:
-
不活动 x 分钟后会话超时?
-
它没有超时。用户在浏览时被踢出应用程序并被重定向到登录页面。
-
似乎很难破解,但安全配置可能是相关的。
-
@holmis83 我已经添加了我正在使用的安全配置。
-
我怀疑您在应用程序切换到新线程时丢失了身份验证。您可以通过将线程 ID 添加到日志记录输出来检查这一点。例如,使用 log4j,您可以将 "%t 添加到您的 ConversionPattern。
标签: java spring spring-security tomcat7 spring-4