在Spring Boot 2.4.4和2.5.2之间,WebAuthenticationDetails中的session id可用性发生变化。

我们正在把 Spring Boot 应用程序从 2.4.4 升级到 2.5.2,遇到了一个问题:在新版本中,WebAuthenticationDetails 对象的 .getSessionId() 返回空值。然而,RequestContextHolder.currentRequestAttributes().getSessionId() 在两种情况下都能返回会话 ID。

我们前端有一个 SSO,因此使用的是 RequestHeaderAuthenticationFilter()。

我们查阅了文档,但没有找到这一变化的来源。

到底是什么改变了?我们需要做什么才能确保会话 ID 正确存在?

Probably relevant dependencies

Running with Spring Boot v2.4.4, Spring v5.3.5 (session id present)

+--- org.springframework.boot:spring-boot-starter-security -> 2.4.4
|    +--- org.springframework.boot:spring-boot-starter:2.4.4 (*)
|    +--- org.springframework:spring-aop:5.3.5 (*)
|    +--- org.springframework.security:spring-security-config:5.4.5
|    |    +--- org.springframework.security:spring-security-core:5.4.5
|    |    |    +--- org.springframework:spring-aop:5.2.13.RELEASE -> 5.3.5 (*)
|    |    |    +--- org.springframework:spring-beans:5.2.13.RELEASE -> 5.3.5 (*)
|    |    |    +--- org.springframework:spring-context:5.2.13.RELEASE -> 5.3.5 (*)
|    |    |    +--- org.springframework:spring-core:5.2.13.RELEASE -> 5.3.5 (*)
|    |    |    \--- org.springframework:spring-expression:5.2.13.RELEASE -> 5.3.5 (*)
|    |    +--- org.springframework:spring-aop:5.2.13.RELEASE -> 5.3.5 (*)
|    |    +--- org.springframework:spring-beans:5.2.13.RELEASE -> 5.3.5 (*)
|    |    +--- org.springframework:spring-context:5.2.13.RELEASE -> 5.3.5 (*)
|    |    \--- org.springframework:spring-core:5.2.13.RELEASE -> 5.3.5 (*)
|    \--- org.springframework.security:spring-security-web:5.4.5
|         +--- org.springframework.security:spring-security-core:5.4.5 (*)
|         +--- org.springframework:spring-aop:5.2.13.RELEASE -> 5.3.5 (*)
|         +--- org.springframework:spring-beans:5.2.13.RELEASE -> 5.3.5 (*)
|         +--- org.springframework:spring-context:5.2.13.RELEASE -> 5.3.5 (*)
|         +--- org.springframework:spring-core:5.2.13.RELEASE -> 5.3.5 (*)
|         +--- org.springframework:spring-expression:5.2.13.RELEASE -> 5.3.5 (*)
|         \--- org.springframework:spring-web:5.2.13.RELEASE -> 5.3.5 (*)

Running with Spring Boot v2.5.2, Spring v5.3.8 (session id missing)

+--- org.springframework.boot:spring-boot-starter-security -> 2.5.2
|    +--- org.springframework.boot:spring-boot-starter:2.5.2 (*)
|    +--- org.springframework:spring-aop:5.3.8 (*)
|    +--- org.springframework.security:spring-security-config:5.5.1
|    |    +--- org.springframework.security:spring-security-core:5.5.1
|    |    |    +--- org.springframework.security:spring-security-crypto:5.5.1
|    |    |    +--- org.springframework:spring-aop:5.3.8 (*)
|    |    |    +--- org.springframework:spring-beans:5.3.8 (*)
|    |    |    +--- org.springframework:spring-context:5.3.8 (*)
|    |    |    +--- org.springframework:spring-core:5.3.8 (*)
|    |    |    \--- org.springframework:spring-expression:5.3.8 (*)
|    |    +--- org.springframework:spring-aop:5.3.8 (*)
|    |    +--- org.springframework:spring-beans:5.3.8 (*)
|    |    +--- org.springframework:spring-context:5.3.8 (*)
|    |    \--- org.springframework:spring-core:5.3.8 (*)
|    \--- org.springframework.security:spring-security-web:5.5.1
|         +--- org.springframework.security:spring-security-core:5.5.1 (*)
|         +--- org.springframework:spring-core:5.3.8 (*)
|         +--- org.springframework:spring-aop:5.3.8 (*)
|         +--- org.springframework:spring-beans:5.3.8 (*)
|         +--- org.springframework:spring-context:5.3.8 (*)
|         +--- org.springframework:spring-expression:5.3.8 (*)
|         \--- org.springframework:spring-web:5.3.8 (*)

Security Configuration

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
  /**
   * Assembles the filter chain: the header-based pre-authentication filter and
   * two project filters are slotted in after their anchor filters, "/" is open
   * to everyone and every other request needs an authenticated principal.
   * <p>
   * NOTE(review): RequestHeaderAuthenticationFilter trusts whatever principal
   * name the configured request header carries, so the application must only be
   * reachable through the SSO front end that sets it — confirm the network path.
   * NOTE(review): WebAuthenticationDetails captures the session id that exists
   * when the authentication filter builds it (it looks the session up without
   * creating one), so with IF_REQUIRED a request that has no session yet at that
   * point yields a null id regardless of the Spring Security version — verify
   * whether a session exists before the pre-auth filter runs.
   *
   * @param http the builder for this security filter chain
   * @throws Exception propagated from the HttpSecurity builder
   */
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // Ordering matters: each call anchors the filter directly after the named
    // one, in the order the calls are made. addFilterAfter returns the same
    // builder, so the three calls below are equivalent to one chained call.
    http.addFilterAfter(httpdAuthFilter(), RequestHeaderAuthenticationFilter.class);
    http.addFilterAfter(getPersistanceFilter(), SecurityContextPersistenceFilter.class);
    http.addFilterAfter(getSecAwareFilter(), SecurityContextPersistenceFilter.class);

    http.authorizeRequests()
        .antMatchers("/").permitAll()
        .anyRequest().authenticated();

    // IF_REQUIRED: a session is created only when something needs it.
    // -1 is Spring Security's "no limit" for concurrent sessions per principal;
    // the shared registry still lets sessions be enumerated and expired.
    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
        .maximumSessions(-1)
        .sessionRegistry(sessionRegistry());
  }

  /**
   * Forwards servlet session created/destroyed events into the application
   * context; the session registry relies on the destroyed events to drop
   * sessions that have expired or been invalidated.
   *
   * @return the servlet listener bean
   */
  @Bean
  public HttpSessionEventPublisher httpSessionEventPublisher() {
    final HttpSessionEventPublisher publisher = new HttpSessionEventPublisher();
    return publisher;
  }

  /**
   * In-memory registry of active sessions per principal; shared with the
   * concurrency control configured in {@code configure(HttpSecurity)}.
   * NOTE(review): an in-memory registry is per JVM — confirm this is acceptable
   * if the application runs as more than one instance.
   *
   * @return the session registry bean
   */
  @Bean
  public SessionRegistry sessionRegistry() {
    final SessionRegistry registry = new SessionRegistryImpl();
    return registry;
  }

  /**
   * Exposes the authentication manager as a bean so other filters can share it.
   * The manager holds a single provider: the pre-authenticated provider that
   * resolves the principal name taken from the SSO header.
   *
   * @return a {@link ProviderManager} wrapping the pre-authentication provider
   */
  @Bean
  @Override
  protected AuthenticationManager authenticationManager() {
    final AuthenticationProvider preAuth = preauthAuthProvider();
    final List<AuthenticationProvider> chain = new ArrayList<>();
    chain.add(preAuth);
    return new ProviderManager(chain);
  }

  /**
   * Provider that accepts a pre-authenticated principal (the name the SSO
   * front end put in the request header) and loads its user details through
   * {@code userDetailsServiceWrapper()}, which is defined elsewhere in this
   * class. No credential check happens here: the header is the proof of
   * identity, so the details service is where authorisation data comes from.
   *
   * @return the pre-authentication provider, registered as bean "preAuthProvider"
   */
  @Bean(name = "preAuthProvider")
  /* package */ PreAuthenticatedAuthenticationProvider preauthAuthProvider() {
    final PreAuthenticatedAuthenticationProvider preAuth = new PreAuthenticatedAuthenticationProvider();
    preAuth.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper());
    return preAuth;
  }

  /**
   * Filter that reads the SSO-supplied principal name from a request header and
   * hands it to the authentication manager. Only the manager is customised; the
   * header name and the missing-header behaviour keep Spring Security's defaults.
   * <p>
   * NOTE(review): with the defaults, a request without the principal header is
   * rejected by this filter before authorization runs, including on the
   * permitAll "/" path — confirm that is intended.
   * NOTE(review): because this is a {@code @Bean} of a servlet Filter type,
   * Spring Boot is expected to register it with the servlet container as well,
   * outside the security chain, unless a FilterRegistrationBean disables that
   * registration — verify the filter is not running twice per request.
   *
   * @return the header authentication filter, registered as bean "httpdAuthFilter"
   */
  @Bean(name = "httpdAuthFilter")
  public RequestHeaderAuthenticationFilter httpdAuthFilter() {
    final RequestHeaderAuthenticationFilter headerFilter = new RequestHeaderAuthenticationFilter();
    headerFilter.setAuthenticationManager(authenticationManager());
    return headerFilter;
  }

Application Initializer

@Configuration
public class ApplicationInitializer implements WebApplicationInitializer
{
  /**
   * Hardens session tracking before the servlet context starts: sessions are
   * tracked by cookie only (no URL rewriting, so the id cannot end up in URLs,
   * logs or referrers), and the session cookie is marked HttpOnly and Secure.
   * <p>
   * NOTE(review): a WebApplicationInitializer is only invoked when the app is
   * deployed to an external servlet container; with Boot's embedded container
   * the equivalent settings are the server.servlet.session.* properties —
   * confirm which deployment model applies, otherwise these flags are never set.
   *
   * @param servletContext the context being initialised
   * @throws ServletException declared by the interface; nothing here throws it
   * @see org.springframework.web.WebApplicationInitializer#onStartup(javax.servlet.ServletContext)
   */
  @Override
  public void onStartup(ServletContext servletContext) throws ServletException {
    servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

    final javax.servlet.SessionCookieConfig sessionCookie = servletContext.getSessionCookieConfig();
    sessionCookie.setHttpOnly(true);
    sessionCookie.setSecure(true);
  }
