Cześć,
w mojej pierwszej aplikacji opartej na Spring MVC Security mam dziwny problem, z którym zmagam się już od kilku dni. W logach na poziomie debug dostaję dokładnie co 500 ms coś takiego:
12:15:13.148 DEBUG o.s.security.web.FilterChainProxy - / at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
12:15:13.148 DEBUG o.s.security.web.FilterChainProxy - / at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
12:15:13.148 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No HttpSession currently exists
12:15:13.148 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
12:15:13.148 DEBUG o.s.security.web.FilterChainProxy - / at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
12:15:13.148 DEBUG o.s.s.w.h.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@12a30f53
12:15:13.149 DEBUG o.s.security.web.FilterChainProxy - / at position 4 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
12:15:13.149 DEBUG o.s.security.web.FilterChainProxy - / at position 5 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
12:15:13.149 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/'; against '/loguot'
12:15:13.149 DEBUG o.s.security.web.FilterChainProxy - / at position 6 of 14 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
12:15:13.149 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'HEAD /' doesn't match 'POST /auth/login_check
12:15:13.149 DEBUG o.s.security.web.FilterChainProxy - / at position 7 of 14 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
12:15:13.149 DEBUG o.s.security.web.FilterChainProxy - / at position 8 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
12:15:13.149 DEBUG o.s.security.web.FilterChainProxy - / at position 9 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
12:15:13.149 DEBUG o.s.security.web.FilterChainProxy - / at position 10 of 14 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
12:15:13.149 DEBUG o.s.security.web.FilterChainProxy - / at position 11 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
12:15:13.149 DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
12:15:13.149 DEBUG o.s.security.web.FilterChainProxy - / at position 12 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter'
12:15:13.149 DEBUG o.s.security.web.FilterChainProxy - / at position 13 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
12:15:13.149 DEBUG o.s.security.web.FilterChainProxy - / at position 14 of 14 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
12:15:13.149 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/'; against '/'
12:15:13.149 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /; Attributes: [permitAll]
12:15:13.149 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
12:15:13.149 DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@4fe450b9, returned: 1
12:15:13.149 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Authorization successful
12:15:13.149 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - RunAsManager did not change Authentication object
12:15:13.149 DEBUG o.s.security.web.FilterChainProxy - / reached end of additional filter chain; proceeding with original chain
12:15:13.150 DEBUG o.s.web.servlet.DispatcherServlet - DispatcherServlet with name 'dispatcher' processing HEAD request for [/]
12:15:13.150 DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Looking up handler method for path /
12:15:13.150 DEBUG o.s.w.s.m.m.a.ExceptionHandlerExceptionResolver - Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'HEAD' not supported
12:15:13.150 DEBUG o.s.w.s.m.a.ResponseStatusExceptionResolver - Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'HEAD' not supported
12:15:13.150 DEBUG o.s.w.s.m.s.DefaultHandlerExceptionResolver - Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'HEAD' not supported
12:15:13.150 WARN o.s.web.servlet.PageNotFound - Request method 'HEAD' not supported
12:15:13.150 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
12:15:13.150 DEBUG o.s.web.servlet.DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'dispatcher': assuming HandlerAdapter completed request handling
12:15:13.151 DEBUG o.s.web.servlet.DispatcherServlet - Successfully completed request
12:15:13.151 DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
12:15:13.151 DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
12:15:13.154 DEBUG o.s.security.web.FilterChainProxy - / at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
12:15:13.154 DEBUG o.s.security.web.FilterChainProxy - / at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
12:15:13.154 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No HttpSession currently exists
12:15:13.154 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
12:15:13.154 DEBUG o.s.security.web.FilterChainProxy - / at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
12:15:13.154 DEBUG o.s.s.w.h.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@12a30f53
12:15:13.154 DEBUG o.s.security.web.FilterChainProxy - / at position 4 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
12:15:13.155 DEBUG o.s.security.web.FilterChainProxy - / at position 5 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
12:15:13.155 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/'; against '/loguot'
12:15:13.155 DEBUG o.s.security.web.FilterChainProxy - / at position 6 of 14 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
12:15:13.155 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'HEAD /' doesn't match 'POST /auth/login_check
12:15:13.155 DEBUG o.s.security.web.FilterChainProxy - / at position 7 of 14 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
12:15:13.155 DEBUG o.s.security.web.FilterChainProxy - / at position 8 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
12:15:13.155 DEBUG o.s.security.web.FilterChainProxy - / at position 9 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
12:15:13.155 DEBUG o.s.security.web.FilterChainProxy - / at position 10 of 14 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
12:15:13.155 DEBUG o.s.security.web.FilterChainProxy - / at position 11 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
12:15:13.155 DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
12:15:13.155 DEBUG o.s.security.web.FilterChainProxy - / at position 12 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter'
12:15:13.155 DEBUG o.s.security.web.FilterChainProxy - / at position 13 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
12:15:13.155 DEBUG o.s.security.web.FilterChainProxy - / at position 14 of 14 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
12:15:13.155 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/'; against '/'
12:15:13.155 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /; Attributes: [permitAll]
12:15:13.155 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
12:15:13.155 DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@4fe450b9, returned: 1
12:15:13.155 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Authorization successful
12:15:13.155 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - RunAsManager did not change Authentication object
12:15:13.155 DEBUG o.s.security.web.FilterChainProxy - / reached end of additional filter chain; proceeding with original chain
12:15:13.155 DEBUG o.s.web.servlet.DispatcherServlet - DispatcherServlet with name 'dispatcher' processing HEAD request for [/]
12:15:13.155 DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Looking up handler method for path /
12:15:13.155 DEBUG o.s.w.s.m.m.a.ExceptionHandlerExceptionResolver - Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'HEAD' not supported
12:15:13.155 DEBUG o.s.w.s.m.a.ResponseStatusExceptionResolver - Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'HEAD' not supported
12:15:13.155 DEBUG o.s.w.s.m.s.DefaultHandlerExceptionResolver - Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'HEAD' not supported
12:15:13.155 WARN o.s.web.servlet.PageNotFound - Request method 'HEAD' not supported
12:15:13.155 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
12:15:13.155 DEBUG o.s.web.servlet.DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'dispatcher': assuming HandlerAdapter completed request handling
12:15:13.155 DEBUG o.s.web.servlet.DispatcherServlet - Successfully completed request
12:15:13.155 DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
12:15:13.155 DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
Czy jest to zachowanie poprawne, że tak mnie zasypuje logami? Raczej nie - spada wydajność, a w dodatku aplikacja nigdy nie kończy procesu uruchamiania. Wydaje mi się, że problem leży w konfiguracji Security. Czy widzicie tutaj jakiś błąd, który powodowałby taką sytuację:
SecurityConfig.java
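/**
 * Spring Security setup for the web application: form login, persistent
 * remember-me tokens, logout, CSRF protection and a limit of one concurrent
 * session per user.
 *
 * <p>NOTE(review): nothing in this class rejects {@code HEAD /}. In the debug
 * log posted with this class the request matches {@code permitAll},
 * authorization succeeds, and the "Request method 'HEAD' not supported"
 * warning is raised afterwards by the DispatcherServlet, so the repeated
 * requests are presumably not caused by this configuration.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Backs the JDBC remember-me token store created below. */
    @Autowired
    DataSource dataSource;

    /** Loads user records for authentication; resolved by bean name. */
    @Autowired
    @Qualifier("userDetailsService")
    UserDetailsService userDetailsService;

    /**
     * Registers the user lookup service and the BCrypt encoder used to verify
     * stored password hashes.
     *
     * @param auth builder for the global authentication manager
     * @throws Exception if the builder rejects the configuration
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .userDetailsService(userDetailsService)
            .passwordEncoder(passwordEncoder());
    }

    /**
     * Declares the URL access rules and the login, remember-me, logout, CSRF
     * and session policies.
     *
     * @param http the HTTP security builder supplied by Spring Security
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .exceptionHandling()
                .accessDeniedPage("/403")
                .and()
            .authorizeRequests()
                // Rules are evaluated in declaration order and the first match wins.
                .antMatchers("/").permitAll()
                .antMatchers("/signup**").permitAll()
                .antMatchers("/login**").permitAll()
                // "/admin/**" already covers "/admin/update**"; the separate rule that
                // followed it could never be reached and has been dropped so that a later
                // edit to it cannot give a false impression of taking effect.
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/account", "/account/**").hasRole("USER")
                // Default-deny: anything not listed above requires a logged-in user.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/auth/login_check")
                .defaultSuccessUrl("/account")
                .failureUrl("/login?error")
                .usernameParameter("username")
                .passwordParameter("password")
                .and()
            .rememberMe()
                .tokenRepository(persistentTokenRepository())
                // 1209600 s = 14 days.
                .tokenValiditySeconds(1209600)
                .and()
            .logout()
                // NOTE(review): this matcher carries no HTTP method, so a plain GET to the
                // URL ends the session even though CSRF protection is enabled. Once the views
                // submit logout as a form with the CSRF token, restrict it with
                // new AntPathRequestMatcher("/loguot", "POST").
                // NOTE(review): "/loguot" and "?loguot" look like typos for "logout"; they are
                // kept because the views that link to them are not visible here.
                .logoutRequestMatcher(new AntPathRequestMatcher("/loguot"))
                .logoutSuccessUrl("/login?loguot")
                .deleteCookies("JSESSIONID")
                .invalidateHttpSession(true)
                .and()
            .csrf()
                .and()
            .sessionManagement()
                .invalidSessionUrl("/login?error")
                // NOTE(review): the one-session limit relies on session-destroyed events
                // reaching Spring Security; confirm HttpSessionEventPublisher is registered
                // as a listener, otherwise users can stay locked out after a session expires.
                .maximumSessions(1);
    }

    /**
     * Creates the JDBC-backed store for persistent remember-me tokens.
     *
     * @return token repository bound to {@link #dataSource}
     */
    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        // NOTE(review): assumes the token table already exists in the schema; confirm.
        JdbcTokenRepositoryImpl db = new JdbcTokenRepositoryImpl();
        db.setDataSource(dataSource);
        return db;
    }

    /**
     * Creates a success handler that reads its redirect target from the
     * {@code targetUrl} request parameter.
     *
     * <p>NOTE(review): this bean is not referenced by {@code formLogin()} in
     * this class, which uses {@code defaultSuccessUrl} instead. If it is wired
     * in elsewhere, the redirect target is taken from a client-supplied
     * parameter; restrict it to application-relative paths to avoid an open
     * redirect.
     *
     * @return the configured success handler
     */
    @Bean
    public SavedRequestAwareAuthenticationSuccessHandler savedRequestAwareAuthenticationSuccessHandler() {
        SavedRequestAwareAuthenticationSuccessHandler auth = new SavedRequestAwareAuthenticationSuccessHandler();
        auth.setTargetUrlParameter("targetUrl");
        return auth;
    }

    /**
     * Supplies the password encoder used when verifying credentials.
     *
     * @return a BCrypt encoder with the library's default strength
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}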
MvcConfig.java
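/**
 * Spring MVC configuration: controller scanning, static resources and JSP
 * view resolution.
 */
@EnableWebMvc
@Configuration
@ComponentScan(basePackages = { "pl.sbg.gui.web.controller" })
public class MvcConfig extends WebMvcConfigurerAdapter {

    /**
     * Forwards requests that no Spring handler matches to the container's
     * default servlet.
     *
     * @param configurer default-servlet handling configurer supplied by Spring MVC
     */
    @Override
    public void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) {
        configurer.enable();
    }

    /**
     * Serves static files requested under {@code /resources/**} from the
     * {@code /resources/} directory of the web application.
     *
     * @param registry resource handler registry supplied by Spring MVC
     */
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // The location is a directory, not an Ant pattern: it must end with "/" and carry
        // no wildcards. The previous value "/resources/**" named no real directory, and
        // Spring versions that verify a resolved file lies under its configured location
        // would refuse to serve anything from it.
        registry.addResourceHandler("/resources/**").addResourceLocations("/resources/");
    }

    /**
     * Resolves logical view names to JSP files under {@code /WEB-INF/pages/}.
     *
     * @return the JSTL-aware view resolver
     */
    @Bean
    public InternalResourceViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setViewClass(JstlView.class);
        // Keeping the JSPs under WEB-INF means they are reachable only through a
        // controller, never by direct URL.
        viewResolver.setPrefix("/WEB-INF/pages/");
        viewResolver.setSuffix(".jsp");
        return viewResolver;
    }
}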