Spring-Security：忽略服務器名稱的別名並強制重新登錄

Question

我正在使用Spring-Security進行身份驗證和授權的項目。一切似乎都工作正常，只是春季安全忽略了服務器的Alias-name。 因此，例如，如果我用domain-name.com登錄並訪問一些受保護的資源，我沒有問題。但現在當有人給我一個鏈接，如www-domain-name.com/secured/resource，那麼我被迫再次登錄，然後它工作正常。

如何確保在登錄時登錄到domain-name.com和www.domain-name.com。這個問題叫做什麼？

安全的applicationContext.xml：

<security:http create-session="ifRequired" use-expressions="true" auto-config="false" disable-url-rewriting="true"> 
     <security:form-login login-page="/login" username-parameter="j_username" password-parameter="j_password" 
          login-processing-url="/j_spring_security_check" default-target-url="/dashboard" 
          always-use-default-target="true" authentication-failure-url="/denied"/> 
     <security:remember-me key="_spring_security_remember_me" user-service-ref="userDetailsService" 
           token-validity-seconds="1209600" data-source-ref="dataSource"/> 
     <security:logout delete-cookies="JSESSIONID" invalidate-session="true" logout-url="/j_spring_security_logout"/> 
      <!--<security:intercept-url pattern="/**" requires-channel="https"/>--> 
     <security:port-mappings> 
      <security:port-mapping http="8080" https="8443"/> 
     </security:port-mappings> 
     <security:logout logout-url="/logout" logout-success-url="/" success-handler-ref="myLogoutHandler"/> 

     <security:session-management session-fixation-protection="migrateSession"> 
      <security:concurrency-control session-registry-ref="sessionReg" max-sessions="5" expired-url="/login"/> 
     </security:session-management> 
    </security:http> 

    <beans:bean id="sessionReg" class="org.springframework.security.core.session.SessionRegistryImpl"/> 

    <beans:bean id="rememberMeAuthenticationProvider" 
       class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices"> 
     <beans:constructor-arg index="0" value="_spring_security_remember_me"/> 
     <beans:constructor-arg index="1" ref="userDetailsService"/> 
     <beans:constructor-arg index="2" ref="jdbcTokenRepository"/> 
     <property name="alwaysRemember" value="true"/> 
    </beans:bean> 

    <beans:bean id="jdbcTokenRepository" 
       class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl"> 
     <beans:property name="createTableOnStartup" value="false"/> 
     <beans:property name="dataSource" ref="dataSource"/> 
    </beans:bean> 

    <!-- Remember me ends here --> 
    <security:authentication-manager alias="authenticationManager"> 
     <security:authentication-provider user-service-ref="LoginServiceImpl"> 
      <security:password-encoder ref="encoder"/> 
     </security:authentication-provider> 
    </security:authentication-manager> 

    <beans:bean id="encoder" 
       class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"> 
     <beans:constructor-arg name="strength" value="11"/> 
    </beans:bean> 

    <beans:bean id="daoAuthenticationProvider" 
       class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> 
     <beans:property name="userDetailsService" ref="LoginServiceImpl"/> 
     <beans:property name="passwordEncoder" ref="encoder"/> 
    </beans:bean> 
</beans> 

如果需要更多的東西，請讓我知道。謝謝。

更新 我CATALINA_HOME/conf/context.xml加入這兩個Tomcat實例：

<Context sessionCookiePath="/" sessionCookieDomain=".domainname.com" /> 

這查殺服務器，web應用程序不會加載。我無法找到日誌。

Answer 1

我認爲它不是spring-security問題，但它的servlet問題。您可以嘗試子域的cookie共享爲Tomcat：

<Context sessionCookieDomain=".domain-name.com" /> 

使用彈簧啓動：

@Bean 
public ServletContextInitializer servletContextInitializer() { 
    return new ServletContextInitializer() { 

     @Override 
     public void onStartup(ServletContext servletContext) throws ServletException 
     { 
      servletContext.getSessionCookieConfig().setDomain(".domain-name.com"); 
     } 
    }; 

} 

編號：Best way for allowing subdomain session cookies using Tomcat