java - 身份验证成功后，spring security HttpSession 为 null

Question

我正在使用 spring security 3.0.5.RELEASE。身份验证成功后，用户未经过身份验证，而是在日志中显示此消息

16/10/2014 00:08:17 [http-bio-8080-exec-5] (AbstractAuthenticationProcessingFilter.java:289) DEBUG - Authentication success...

16/10/2014 00:08:17 [http-bio-8080-exec-5] (HttpSessionSecurityContextRepository.java:360) DEBUG - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@57920877: ... 16/10/2014 00:08:17 [http-bio-8080-exec-5] (SecurityContextPersistenceFilter.java:89) DEBUG - SecurityContextHolder now cleared, as request processing completed...

16/10/2014 00:08:18 [http-bio-8080-exec-6] (HttpSessionSecurityContextRepository.java:130) DEBUG - No HttpSession currently exists 16/10/2014 00:08:18 [http-bio-8080-exec-6] (HttpSessionSecurityContextRepository.java:88) DEBUG - No SecurityContext was available from the HttpSession: null. A new one will be created.

这是我的 session web.xml:

<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

安全.xml

<security:http auto-config="true" use-expressions="true" access-denied-page="/denied.htm">
<security:intercept-url pattern="/"  access="permitAll" />
<security:intercept-url pattern="/user/login"  access="permitAll" />
<security:intercept-url pattern="/admin/**"  access="hasRole('ROLE_ADMIN')" />
<security:form-login    login-page="/user/login.htm"  authentication-failure-url="/user/login.htm?error=true"   default-target-url="/" />
<security:logout invalidate-session="true" logout-success-url="/index.htm" logout-url="/logout.htm" />

<security:authentication-manager>
    <security:authentication-provider user-service-ref="userDetailsService">
        <security:password-encoder ref="passwordEncoder" />
    </security:authentication-provider>
</security:authentication-manager>

<!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the 
    database -->
<bean
    class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder" />

<bean id="userDaoService" class="com.example.dao.jdbc.JdbcUserDao">
    <property name="dataSource" ref="dataSource" />
</bean>

<bean id="userDetailsService" class="com.cercle.core.services.impl.UserServiceImpl">
</bean>

<bean id="userDetails" class="com.example.model.User">
</bean>

Answer 1

我发现了问题。 Springconf没问题，但是我的tomcat在apache2后面运行，我忘记通知apache2保存cookie(使用命令ProxyPassReverseCookiePath)