
java - Spring Security fails in a load-balanced (AWS Beanstalk) environment?

Reposted. Author: 搜寻专家. Updated: 2023-11-01 02:44:49

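I am working on existing code that runs fine in an existing environment. The application has a login form that takes the user to a landing page after they log in.

My problem: when I move the application to AWS Beanstalk (with 2 instances), a successful login takes the user back to the login page.

The application is Spring-based (MVC, Security), with the following security configuration: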

<security:http use-expressions="true">
<security:intercept-url pattern="/" access="permitAll" />
<security:intercept-url pattern="/index.html" access="permitAll" />
<security:intercept-url pattern="/login.html" access="permitAll" />

... bunch of other pages ....

<security:intercept-url pattern="/secure/**" access="isAuthenticated()" />


<security:form-login login-page="/login.html"
default-target-url="/secure/landing.html"
authentication-failure-url="/login.html?login_error=1" />

<security:logout logout-url="/logout.html"
logout-success-url="/login.html" />
</security:http>

The application runs fine in a single-node environment. A sample log trace when a user logs in:

1: [http-bio-8080-exec-1 DEBUG DefaultRedirectStrategy - sendRedirect - Redirecting to '/myapp/secure/landing.html'

2: [http-bio-8080-exec-1] DEBUG HttpSessionSecurityContextRepository - saveContext - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@86073c69: /* some details */ Granted Authorities: ROLE_USER'

3: [http-bio-8080-exec-1] DEBUG SecurityContextPersistenceFilter - doFilter - SecurityContextHolder now cleared, as request processing completed

4: [http-bio-8080-exec-1] DEBUG AntPathRequestMatcher - matches - Checking match of request : '/secure/landing.html'; against '/resources/**'

When this application (we take the exact same war file) goes into an AWS Beanstalk environment configured with 2 instances, the following happens:

1: [http-bio-8080-exec-7] DEBUG DefaultRedirectStrategy - sendRedirect - Redirecting to '/secure/landing.html'

2: [http-bio-8080-exec-7] DEBUG HttpSessionSecurityContextRepository - createNewSessionIfAllowed - HttpSession being created as SecurityContext is non-default

3: [http-bio-8080-exec-7] DEBUG HttpSessionSecurityContextRepository - saveContext - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@a3421210: /* some details */ Granted Authorities: ROLE_USER'

4: [http-bio-8080-exec-7] DEBUG SecurityContextPersistenceFilter - doFilter - SecurityContextHolder now cleared, as request processing completed

5: [http-bio-8080-exec-9] DEBUG AntPathRequestMatcher - matches - Checking match of request : '/login.html'; against '/resources/**'

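Comparing line by line:

  • The AWS log has 1 extra line, line 2
  • The AWS log shows on its last line, line 5, that the thread changed from exec-7 to exec-9 (so it lost the original request redirect and replaced it with /login.html instead of /secure/landing.html)

To work around the problem in AWS, reconfiguring Beanstalk to work with only 1 instance seems to hide the problem.

Any idea what is missing from the configuration that makes it fail in a multi-node environment?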

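Best answer

When using a load balancer, you have to remember that each request may end up on a different instance. In that case, any information stored on server 1 will not be available to server 2. In the case of user authentication, there are a few ways to solve this:

  • Use a third party to maintain the authentication information.
  • Use sticky sessions - configure the load balancer to always forward to one server during an HTTP session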
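
The behaviour in the question and both fixes from the answer can be reproduced with a small simulation. This is an added example, not code from the original post or from Spring or AWS: the Node and LoadBalancer classes, the "/login" path, the credentials and the node-loss case are constructed for illustration, and pinning on the session cookie is a simplification of how a real load balancer tracks affinity.

```python
import secrets

class Node:
    """One app instance; sessions live in its own memory unless a shared store is passed."""
    def __init__(self, store=None):
        self.sessions = {} if store is None else store

    def handle(self, path, cookie, credentials):
        # Mirrors the question's rules: form login, then /secure/** needs a session.
        if path == "/login" and credentials == ("user", "pw"):  # constructed values
            cookie = secrets.token_hex(16)
            self.sessions[cookie] = "ROLE_USER"
            return "/secure/landing.html", cookie
        if path.startswith("/secure/") and cookie not in self.sessions:
            return "/login.html", cookie  # this node has never seen the session
        return path, cookie

class LoadBalancer:
    """Round robin by default; sticky=True pins a session cookie to one node."""
    def __init__(self, nodes, sticky=False):
        self.nodes, self.sticky = list(nodes), sticky
        self.turn, self.affinity, self.last = 0, {}, None

    def route(self, path, cookie=None, credentials=None):
        node = self.affinity.get(cookie) if self.sticky else None
        if node not in self.nodes:  # no pin yet, or the pinned node is gone
            node = self.nodes[self.turn % len(self.nodes)]
            self.turn += 1
        self.last = node
        location, cookie = node.handle(path, cookie, credentials)
        if self.sticky and cookie:
            self.affinity[cookie] = node
        return location, cookie

def login_flow(lb, lose_node=False):
    """Submit the login form, follow the redirect, return the page the user ends on."""
    location, cookie = lb.route("/login", credentials=("user", "pw"))
    if lose_node:  # the instance that handled the login is terminated
        lb.nodes.remove(lb.last)
    return lb.route(location, cookie)[0]

def scenarios():
    shared = {}  # stands in for an external session store
    return {
        "local, round robin": login_flow(LoadBalancer([Node(), Node()])),
        "local, sticky": login_flow(LoadBalancer([Node(), Node()], sticky=True)),
        "shared, round robin": login_flow(LoadBalancer([Node(shared), Node(shared)])),
        "local, sticky, node lost": login_flow(LoadBalancer([Node(), Node()], sticky=True), True),
        "shared, node lost": login_flow(LoadBalancer([Node(shared), Node(shared)]), True),
    }
```

Calling scenarios() shows that sticky routing fixes the redirect loop only while the pinned instance stays up, whereas a shared store keeps the login valid on any instance.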

Regarding "java - Spring Security fails in a load-balanced (AWS Beanstalk) environment?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/25162131/
