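I am working with a Spring Boot 1.5 application that runs on embedded Tomcat with SSL enabled. It has a session-scoped proxy bean that works fine. However, when I change Tomcat from SSL to plain HTTP, the session-scoped bean does not retain its values. Does anyone have any ideas about this?
It looks like this: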
@Component("userSessionMap")
@Scope(value=WebApplicationContext.SCOPE_SESSION, proxyMode=ScopedProxyMode.TARGET_CLASS)
public class UserSessionMap extends HashMap<Object, Object> implements Serializable, HttpSessionBindingListener {
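Spring Security is also used here, and it looks like Spring Security is changing the session-scoped bean. After further analysis, I found that if we use Spring Security together with a session-scoped bean, the session-scoped bean does not retain its values.
I checked the logs, and when we run the application with an SSL certificate, Spring Security retains the sessionId: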
o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 46D13CFB4E2F394705C428FFEA9BEC74; Granted Authorities: ROLE_ANONYMOUS'
If we use plain HTTP, there is no session ID:
o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'