I have a simple web application with a REST API, and I want to protect it with token-based authentication. Here is my security filter:

    public class AuthFilter extends AbstractAuthenticationProcessingFilter {
        private static final String AUTH_HEADER = "Authorization";

        public AuthFilter(RequestMatcher reqMatcher) {
            super(reqMatcher);
        }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            // line 30: the first place in my code where the exception occurred
            this.setAuthenticationSuccessHandler((req1, res1, auth) -> chain.doFilter(req1, res1));
            // line 32: the second place in my code where the exception occurred
            super.doFilter(req, res, chain);
        }

        @Override
        public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
                throws AuthenticationException, IOException, ServletException {
            String token = req.getHeader(AUTH_HEADER);
            if (token == null || token.isEmpty()) {
                throw new BadCredentialsException("Token is not present!");
            }
            AuthToken authToken = new AuthToken(token);
            authToken.setDetails(authenticationDetailsSource.buildDetails(req));
            return this.getAuthenticationManager().authenticate(authToken);
        }
    }
The authentication provider, which looks up the user by token:

    @Component
    public class AuthProvider implements AuthenticationProvider {
        @Autowired private UsersService usersService;
        @Autowired private TokensService tokensService;

        @Override
        public Authentication authenticate(Authentication auth) throws AuthenticationException {
            AuthToken authToken = (AuthToken) auth;
            String t = authToken.getToken();
            try {
                Token token = tokensService.get(t);
                if (token.isAdmin()) {
                    User admin = User.createAdmin();
                    return new AuthToken(t, admin);
                }
                User user = usersService.getBy(token);
                return new AuthToken(t, user);
            } catch (TokenNotFoundException e) {
                throw new BadCredentialsException("Token not found!");
            } catch (UserNotFoundException e) {
                throw new BadCredentialsException("User by token not found!");
            }
        }

        @Override
        public boolean supports(Class<?> auth) {
            return AuthToken.class.isAssignableFrom(auth);
        }
    }
And finally, here is my security configuration:

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                .addFilterBefore(filter(), AnonymousAuthenticationFilter.class)
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }

        protected AbstractAuthenticationProcessingFilter filter() throws Exception {
            AuthFilter filter = new AuthFilter(
                new RegexRequestMatcher("^(\\/rest)(?!(\\/settings)|(\\/security))(\\/?.*)", null));
            filter.setAuthenticationManager(authenticationManagerBean());
            return filter;
        }
    }
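Everything works, but when I send requests to the endpoints, a NullPointerException is thrown from time to time. The exception does not occur on every request; it may appear after 10 or 20 requests, and there is no pattern to when it shows up. Requests to the same endpoint can work fine, and then after several requests a NullPointerException is thrown. The very first request may also throw the exception.
Here is the stack trace: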
2018-04-20 11:14:33.162 ERROR 3868 --- [p-nio-80-exec-9] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
java.lang.NullPointerException: null
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.14.jar:8.5.14]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at ru.asu.edu.studyload.security.AuthFilter.lambda$0(AuthFilter.java:30) ~[bin/:na]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.successfulAuthentication(AbstractAuthenticationProcessingFilter.java:326) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:240) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at ru.asu.edu.studyload.security.AuthFilter.doFilter(AuthFilter.java:32) ~[bin/:na]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.14.jar:8.5.14]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.14.jar:8.5.14]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.14.jar:8.5.14]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.14.jar:8.5.14]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.14.jar:8.5.14]
at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:106) ~[spring-boot-actuator-1.5.3.RELEASE.jar:1.5.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) ~[tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80) [tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799) [tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861) [tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455) [tomcat-embed-core-8.5.14.jar:8.5.14]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.14.jar:8.5.14]
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [na:1.8.0_131]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [na:1.8.0_131]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.14.jar:8.5.14]
at java.lang.Thread.run(Unknown Source) [na:1.8.0_131]
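What am I doing wrong?
Best answer
I just ran into the same problem and noticed that the issue is the call to

    this.setAuthenticationSuccessHandler((req1, res1, auth) -> chain.doFilter(req1, res1));

inside the doFilter method. doFilter is not thread-safe, and we use the chain variable inside the lambda function. When multiple concurrent requests hit this filter, we can run into a race condition.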
[nio-8080-exec-6] => doFilter() with (chain 1285350683)
[nio-8080-exec-7] => doFilter() with (chain 1471502546)
[nio-8080-exec-6] => setAuthenticationSuccessHandler lambda (continue chain 1471502546)
[nio-8080-exec-7] => setAuthenticationSuccessHandler lambda (continue chain 1471502546)
[nio-8080-exec-7] => c.p.gbm.api.rest.RestEndpointsLogger : type=http method=GET endpoint=/test status-code=200
[nio-8080-exec-7] => setAuthenticationSuccessHandler lambda (release chain 1471502546)
2019-05-07 17:23:10.346 ERROR 68613 --- [nio-8080-exec-6] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
java.lang.NullPointerException: null
As we can see above, by the time thread 6 tries to run servlet.service() to handle the request, thread 7 has already released the chain, which set the servlet to null.
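
An added example, not part of the original answer or the asker's project: one way to remove the shared state is to drop the doFilter override and override successfulAuthentication instead, because it receives the current request's FilterChain as a parameter and nothing is stored on the singleton filter. It assumes the question's AuthToken class, Spring Security 4.2.x and the javax.servlet API.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;

// AuthToken is the question's own Authentication class (assumed unchanged).
public class AuthFilter extends AbstractAuthenticationProcessingFilter {
    private static final String AUTH_HEADER = "Authorization";

    public AuthFilter(RequestMatcher reqMatcher) {
        super(reqMatcher);
    }

    // No doFilter override: the filter is one instance shared by all request
    // threads, so it must not write per-request objects into its own fields.

    @Override
    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
            throws AuthenticationException, IOException, ServletException {
        String token = req.getHeader(AUTH_HEADER);
        if (token == null || token.isEmpty()) {
            throw new BadCredentialsException("Token is not present!");
        }
        AuthToken authToken = new AuthToken(token);
        authToken.setDetails(authenticationDetailsSource.buildDetails(req));
        return getAuthenticationManager().authenticate(authToken);
    }

    // Called by the base class's doFilter with this request's own chain.
    @Override
    protected void successfulAuthentication(HttpServletRequest req, HttpServletResponse res,
            FilterChain chain, Authentication authResult) throws IOException, ServletException {
        // Publish the authenticated principal for the rest of this request.
        SecurityContextHolder.getContext().setAuthentication(authResult);
        // Continue on the chain passed in as a parameter, never on a stored one.
        chain.doFilter(req, res);
    }
}
```

This override replaces the base implementation, so the configured success handler, remember-me services and success event are not invoked; for a stateless token API that is usually the intended behaviour.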
Regarding java - Spring Security: sporadic NullPointerException, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/49936273/