security shiro obtains the data of the previous user
1, Phenomenon
1. User 1 logs in, makes some other business requests, and exits
2. User 2 logs in and finds that the data returned is the data of user 1
2, Guess
1. The client uses keepalive and shiro ThreadLocal on the server, which may cause user 1 to log in and user 2 to log in. A client tcp link used for two http requests is connected to the same thread on the server, and shiro saves user information based on ThreadLocal. Therefore, the above phenomenon occurs
2. Due to the use of cookies on the client and session s on the server, user 1 may log in and save the cookie of user 1, and user 2 brings the cookie of user 1 when logging in, so the information of user 1 is read
3, Positioning problem
There are keepalive on the client side and shiro ThreadLocal on the server side
1. The client is keepalive. The client needs to support joint debugging
2. The server prints the data in threadId, ThreadLocal and shiro subject
3. The test found that user 1 and user 2 log in using two different threads, but the data of shiro subject is the same, so the threadLocal problem in the same thread of the server can be temporarily eliminated. After local debug ging, it is found that there may be a server session with high possibility
4. Conclusion, exclude this possibility
The client uses cookie s and the server has session problems
1. Local debugging requires that idea enable the debug mode and can support more than two requests to facilitate the simulation of user 1 login request and user 2 login request. The key settings are: set the debug configuration, allow Leave enabled, and debug with F9
2. Because it is suspected that the client has cookies, print all the parameters in the http header and find that there are cookies, as shown below
Set-Cookie: JSESSIONID=76CD05659A8AFC4A5E025D9213FFADEC; Path=/; HttpOnly Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 23-Nov-2021 06:58:19 GMT; SameSite=lax
3. In the local test, the cookie data returned by the login of user 1 is obtained, and the cookie data is brought on the login request of user 2. Use F9 to debug step by step, see the debugging stack space formed by idea, and locate step by step when to process the cookie and turn it into a server session.
4. In a word, a global session CurrentHashmap stores the session, obtains the session through JSESSIONID (that is, sessionId), and obtains the principal data of the subject through the attribute of the session, which stores the user information.
5. In addition, shiro also supports rememberMe. As shown in the cookie above, it is implemented based on cookies. However, we do not use this function at present. Therefore, set Cookie: rememberMe = deleteme
Locate the following key codes
DefaultSecurityManager.java
public Subject createSubject(SubjectContext subjectContext) {
//create a copy so we don't modify the argument's backing map:
SubjectContext context = copy(subjectContext);
//ensure that the context has a SecurityManager instance, and if not, add one:
context = ensureSecurityManager(context);
//Resolve an associated Session (usually based on a referenced session ID), and place it in the context before
//sending to the SubjectFactory. The SubjectFactory should not need to know how to acquire sessions as the
//process is often environment specific - better to shield the SF from these details:
context = resolveSession(context);
//Similarly, the SubjectFactory should not require any concept of RememberMe - translate that here first
//if possible before handing off to the SubjectFactory:
context = resolvePrincipals(context);
Subject subject = doCreateSubject(context);
//save this subject for future reference if necessary:
//(this is needed here in case rememberMe principals were resolved and they need to be stored in the
//session, so we don't constantly rehydrate the rememberMe PrincipalCollection on every operation).
//Added in 1.2:
save(subject);
return subject;
}
Request.java
protected Session doGetSession(boolean create) {
// There cannot be a session if no context has been assigned yet
Context context = getContext();
if (context == null) {
return null;
}
// Return the current session if it exists and is valid
if ((session != null) && !session.isValid()) {
session = null;
}
if (session != null) {
return session;
}
// Return the requested session if it exists and is valid
Manager manager = context.getManager();
if (manager == null) {
return null; // Sessions are not supported
}
if (requestedSessionId != null) {
try {
session = manager.findSession(requestedSessionId);
} catch (IOException e) {
session = null;
}
if ((session != null) && !session.isValid()) {
session = null;
}
if (session != null) {
session.access();
return session;
}
}
// Create a new session if requested and the response is not committed
if (!create) {
return null;
}
boolean trackModesIncludesCookie =
context.getServletContext().getEffectiveSessionTrackingModes().contains(SessionTrackingMode.COOKIE);
if (trackModesIncludesCookie && response.getResponse().isCommitted()) {
throw new IllegalStateException(sm.getString("coyoteRequest.sessionCreateCommitted"));
}
// Re-use session IDs provided by the client in very limited
// circumstances.
String sessionId = getRequestedSessionId();
if (requestedSessionSSL) {
// If the session ID has been obtained from the SSL handshake then
// use it.
} else if (("/".equals(context.getSessionCookiePath())
&& isRequestedSessionIdFromCookie())) {
/* This is the common(ish) use case: using the same session ID with
* multiple web applications on the same host. Typically this is
* used by Portlet implementations. It only works if sessions are
* tracked via cookies. The cookie must have a path of "/" else it
* won't be provided for requests to all web applications.
*
* Any session ID provided by the client should be for a session
* that already exists somewhere on the host. Check if the context
* is configured for this to be confirmed.
*/
if (context.getValidateClientProvidedNewSessionId()) {
boolean found = false;
for (Container container : getHost().findChildren()) {
Manager m = ((Context) container).getManager();
if (m != null) {
try {
if (m.findSession(sessionId) != null) {
found = true;
break;
}
} catch (IOException e) {
// Ignore. Problems with this manager will be
// handled elsewhere.
}
}
}
if (!found) {
sessionId = null;
}
}
} else {
sessionId = null;
}
session = manager.createSession(sessionId);
// Creating a new session cookie based on that session
if (session != null && trackModesIncludesCookie) {
Cookie cookie = ApplicationSessionCookieConfig.createSessionCookie(
context, session.getIdInternal(), isSecure());
response.addSessionCookieInternal(cookie);
}
if (session == null) {
return null;
}
session.access();
return session;
}
public PrincipalCollection resolvePrincipals() {
PrincipalCollection principals = getPrincipals();
if (isEmpty(principals)) {
//check to see if they were just authenticated:
AuthenticationInfo info = getAuthenticationInfo();
if (info != null) {
principals = info.getPrincipals();
}
}
if (isEmpty(principals)) {
Subject subject = getSubject();
if (subject != null) {
principals = subject.getPrincipals();
}
}
if (isEmpty(principals)) {
//try the session:
Session session = resolveSession();
if (session != null) {
principals = (PrincipalCollection) session.getAttribute(PRINCIPALS_SESSION_KEY);
}
}
return principals;
}
CookieRememberMeManager :
protected byte[] getRememberedSerializedIdentity(SubjectContext subjectContext) {
if (!WebUtils.isHttp(subjectContext)) {
if (log.isDebugEnabled()) {
String msg = "SubjectContext argument is not an HTTP-aware instance. This is required to obtain a " +
"servlet request and response in order to retrieve the rememberMe cookie. Returning " +
"immediately and ignoring rememberMe operation.";
log.debug(msg);
}
return null;
}
WebSubjectContext wsc = (WebSubjectContext) subjectContext;
if (isIdentityRemoved(wsc)) {
return null;
}
HttpServletRequest request = WebUtils.getHttpRequest(wsc);
HttpServletResponse response = WebUtils.getHttpResponse(wsc);
String base64 = getCookie().readValue(request, response);
// Browsers do not always remove cookies immediately (SHIRO-183)
// ignore cookies that are scheduled for removal
if (Cookie.DELETED_COOKIE_VALUE.equals(base64)) return null;
if (base64 != null) {
base64 = ensurePadding(base64);
if (log.isTraceEnabled()) {
log.trace("Acquired Base64 encoded identity [" + base64 + "]");
}
byte[] decoded;
try {
decoded = Base64.decode(base64);
} catch (RuntimeException rtEx) {
/*
* https://issues.apache.org/jira/browse/SHIRO-766:
* If the base64 string cannot be decoded, just assume there is no valid cookie value.
* */
getCookie().removeFrom(request, response);
log.warn("Unable to decode existing base64 encoded entity: [" + base64 + "].", rtEx);
return null;
}
if (log.isTraceEnabled()) {
log.trace("Base64 decoded byte array length: " + decoded.length + " bytes.");
}
return decoded;
} else {
//no cookie set - new site visitor?
return null;
}
}
4, Solution
1. The main configuration does not create session: context.setSessionCreationEnabled(false), etc. As follows:
@Bean
protected ShiroFilterFactoryBean shiroFilterFactoryBean(ShiroFilterChainDefinition shiroFilterChainDefinition, SecurityManager securityManager) {
ShiroFilterFactoryBean filterFactoryBean = new ShiroFilterFactoryBean();
DefaultWebSecurityManager webSecurityManager = (DefaultWebSecurityManager) securityManager;
DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
DefaultSessionStorageEvaluator defaultSessionStorageEvaluator = new DefaultSessionStorageEvaluator();
//Set not to store session
defaultSessionStorageEvaluator.setSessionStorageEnabled(false);
subjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator);
webSecurityManager.setSubjectDAO(subjectDAO);
//Set subjectContext that does not generate session
webSecurityManager.setSubjectFactory(subjectFactory());
//Set the session manager to close the polling verification session, because the session also has a validity period and needs additional overhead to maintain
webSecurityManager.setSessionManager(sessionManager());
filterFactoryBean.setSecurityManager(securityManager);
filterFactoryBean.setFilterChainDefinitionMap(shiroFilterChainDefinition.getFilterChainMap());
Map<String, Filter> filterMap = new HashMap<>();
//custom interceptor
filterMap.put("auth", new AuthFilter());
filterFactoryBean.setFilters(filterMap);
return filterFactoryBean;
}
public DefaultSubjectFactory subjectFactory() {
return new StatelessSubjectFactory();
}
public SessionManager sessionManager() {
DefaultSessionManager sessionManager = new DefaultSessionManager();
// Turn off session verification polling
sessionManager.setSessionValidationSchedulerEnabled(false);
return sessionManager;
}
public class StatelessSubjectFactory extends DefaultWebSubjectFactory {
@Override
public Subject createSubject(SubjectContext context) {
//Do not create session
context.setSessionCreationEnabled(false);
return super.createSubject(context);
}
}