java - Spring为每个POST请求创建 session

标签 java spring google-app-engine session spring-security

我的目标是创建无状态 API。

到目前为止,GET 请求工作正常,但每当进行 POST 时,它都会创建 session 。配置有什么问题?

问题已更新(根据评论),删除启动启动程序:

aplicationContext.xml 的一部分:

<!-- Spring 4.0 namespaces used. -->
<security:http realm="Protected API" use-expressions="true" auto-config="false" create-session="stateless" entry-point-ref="authenticationEntryPoint">
    <security:custom-filter ref="authenticationFilter" position="PRE_AUTH_FILTER"/>
    <security:intercept-url pattern="/**"/>
</security:http>

<security:authentication-manager alias="authenticationManager" />

web.xml的一部分:

<!-- Spring configuration loading. -->
<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>

<!-- Spring request dispatcher. -->
<servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>
        org.springframework.web.servlet.DispatcherServlet
    </servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<!-- Spring security filters. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

无论端点是否有效,这是我在发出 POST 请求时得到的堆栈跟踪:

java.lang.RuntimeException: Session support is not enabled in appengine-web.xml.  To enable sessions, put <sessions-enabled>true</sessions-enabled> in that file.  Without it, getSession() is allowed, but manipulation of sessionattributes is not.
    at com.google.apphosting.utils.jetty.StubSessionManager$StubSession.throwException(StubSessionManager.java:77)
    at com.google.apphosting.utils.jetty.StubSessionManager$StubSession.setAttribute(StubSessionManager.java:65)
    at org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository.saveToken(HttpSessionCsrfTokenRepository.java:65)
    at org.springframework.security.web.csrf.CsrfFilter$SaveOnAccessCsrfToken.saveTokenIfNecessary(CsrfFilter.java:227)
    at org.springframework.security.web.csrf.CsrfFilter$SaveOnAccessCsrfToken.getToken(CsrfFilter.java:185)
    at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:104)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at com.google.appengine.api.socket.dev.DevSocketFilter.doFilter(DevSocketFilter.java:74)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at com.google.appengine.tools.development.ResponseRewriterFilter.doFilter(ResponseRewriterFilter.java:127)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at com.google.appengine.tools.development.HeaderVerificationFilter.doFilter(HeaderVerificationFilter.java:34)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at com.google.appengine.api.blobstore.dev.ServeBlobFilter.doFilter(ServeBlobFilter.java:63)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at com.google.apphosting.utils.servlet.TransactionCleanupFilter.doFilter(TransactionCleanupFilter.java:43)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at com.google.appengine.tools.development.StaticFileFilter.doFilter(StaticFileFilter.java:125)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at com.google.appengine.tools.development.DevAppServerModulesFilter.doDirectRequest(DevAppServerModulesFilter.java:366)
    at com.google.appengine.tools.development.DevAppServerModulesFilter.doDirectModuleRequest(DevAppServerModulesFilter.java:349)
    at com.google.appengine.tools.development.DevAppServerModulesFilter.doFilter(DevAppServerModulesFilter.java:116)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
    at com.google.appengine.tools.development.DevAppEngineWebAppContext.handle(DevAppEngineWebAppContext.java:98)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at com.google.appengine.tools.development.JettyContainerService$ApiProxyHandler.handle(JettyContainerService.java:502)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.Server.handle(Server.java:326)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
    at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:938)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:755)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
    at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)

我根本不希望应用程序使用 session 。我认为 create-session="stateless" 应该使用 NullSecurityContextRepository 但根据堆栈跟踪 HttpSessionCsrfTokenRepository 被改用。

以下是 Spring 依赖项:

compile "org.springframework:spring-webmvc:4.0.2.RELEASE"
compile "org.springframework.security:spring-security-web:4.0.2.RELEASE"
compile "org.springframework.security:spring-security-config:4.0.2.RELEASE"

最佳答案

看起来是 CSRF 保护尝试创建 session 。对于无状态服务,禁用它:

<security:http create-session="stateless" ...>
  <security:csrf disabled="true"/>
  <!-- the rest same as before -->
</security:http>

关于java - Spring为每个POST请求创建 session ,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/33231620/

上一篇:java - strip 对象元数据字段的使命是什么?

下一篇:java - 用Java创建服务器以进行全局访问

相关文章:

java - Html 表单通过应用程序引擎提交数据存储实体和 blobstore

java - 使用 MockMvc 自定义 RequestMappingHandlerMapping

java - 使用 getter 还是直接访问私有(private)成员更好?

java - 如何在netbeans中打印1到10并打印奇数和偶数?

spring - 在Spring JDBC中通过JNDI获取JDBC连接

java - 如何在使用spring自动布线时传递构造函数参数?

java - 尝试运行 gradle 命令时无法从 '11.0.1' 确定 java 版本

javascript - 如何在 html thymeleaf 中使用变量作为参数

windows - AppEngine SDK for Go with Bash on Ubuntu on Windows

java - 无法部署到 GAE - .jsp 文件无法编译

©2024 IT工具网  联系我们