Question
So I have some Spring Boot Security code, and for some reason, although my STATELESS Angular app sends a single GET request, Spring Security seems to get two requests and start processing them in the same millisecond on two threads (then I end up getting a unique user constraint as it tries to add the same user twice to the DB).
Is there something wrong with my Spring Security configuration where double requests are happening? Spring Security should basically check ALL requests coming from the stateless app for the X-AUTH-TOKEN.
http
    .authenticationProvider(authenticationProvider)
    .addFilterBefore(new HeaderAuthenticationFilter(), BasicAuthenticationFilter.class)
    //.addFilterBefore(new CorsFilter(request -> corsConfiguration), HeaderAuthenticationFilter.class)
    .authorizeRequests()
        .antMatchers("/").permitAll()
        .anyRequest()
        .authenticated()
        .and()
    .csrf().disable()
    .exceptionHandling().accessDeniedPage("/error");
Basically HeaderAuthenticationProvider and HeaderAuthenticationFilter are used for checking X-AUTH-TOKEN.
2017-05-17 19:46:41.868 INFO 5 --- [nio-8443-exec-8] o.a.c.util.SessionIdGeneratorBase : Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [13,338] milliseconds.
2017-05-17 19:46:41.868 INFO 5 --- [nio-8443-exec-1] o.a.c.util.SessionIdGeneratorBase : Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [8,315] milliseconds.
2017-05-17 19:46:41.872 INFO 5 --- [nio-8443-exec-8] m.d.f.a.HeaderAuthenticationProvider : Authenticate:: Authorization Token: bf6bbb6f5a850fb7b152b5e143534e5bd13a96abd3250d2
2017-05-17 19:46:41.872 INFO 5 --- [nio-8443-exec-1] m.d.f.a.HeaderAuthenticationProvider : Authenticate:: Authorization Token: bf6bbb6f5a850fb7b152b5e143534e5bd13a96abd3250d2
Answer 1:
Not sure if you still have this issue. I had a similar issue before, and my issue was due to Spring starting two DelegateFilter chains, one default and one customized. Instead, every filter was executed twice. From your log, it looks like you probably have a similar issue. The way I solved it was to have my filter extend OncePerRequestFilter.
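The fix the answer describes, as an added example rather than the asker's or the answerer's code: a HeaderAuthenticationFilter built on OncePerRequestFilter, so its body runs at most once for a given request even if the filter is reached through two chains. The class body is assumed, since the page does not show the original filter; it also assumes that HeaderAuthenticationProvider supports PreAuthenticatedAuthenticationToken and that the application uses the javax.servlet API.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example: the body below is assumed, not the asker's original filter.
public class HeaderAuthenticationFilter extends OncePerRequestFilter {

    // Header name taken from the question.
    private static final String TOKEN_HEADER = "X-AUTH-TOKEN";

    // OncePerRequestFilter marks the request with an "already filtered"
    // attribute before calling this method. If the same request reaches the
    // filter again (for example through a second filter chain), the base
    // class passes it straight down the chain and this body is skipped.
    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        String token = request.getHeader(TOKEN_HEADER);
        Authentication existing =
                SecurityContextHolder.getContext().getAuthentication();

        if (token != null && !token.trim().isEmpty() && existing == null) {
            // The two-argument constructor leaves isAuthenticated() == false,
            // so the security interceptor hands the token to the configured
            // AuthenticationProvider, which validates it exactly once.
            Authentication candidate =
                    new PreAuthenticatedAuthenticationToken(token, "N/A");
            SecurityContextHolder.getContext().setAuthentication(candidate);
        }

        // Requests without a token continue unauthenticated and are rejected
        // by .anyRequest().authenticated() in the configuration above.
        chain.doFilter(request, response);
    }
}
```

The `addFilterBefore(new HeaderAuthenticationFilter(), BasicAuthenticationFilter.class)` registration from the question stays as it is. The guard applies per request object, so it deduplicates repeated filter invocations for one request, not two separate HTTP requests.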
Source: https://stackoverflow.com/questions/44033738/duplicate-session-creation-duplicate-threads-in-authenticationprovider-why