Java Spring Session not setting X-Auth-Token, JSESSIONID still present
I am trying to figure out why Spring Session is not setting the session header and is still setting JSESSIONID. In addition, I am trying to determine why my test does not get the JSESSIONID that the browser gets. I am not trying to use redis, just in-memory storage.
@RestController
@SpringBootApplication
public class Application {

    @RequestMapping( "/" )
    public String greeting() {
        return "hello";
    }

    @Configuration
    @Order( SecurityProperties.ACCESS_OVERRIDE_ORDER )
    protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Bean
        static SessionRepository<? extends ExpiringSession> repository() {
            return new MapSessionRepository( );
        }

        @Bean
        static HttpSessionStrategy httpSessionStrategy() {
            return new HeaderHttpSessionStrategy();
        }

        @Autowired
        void globalUserDetails( final AuthenticationManagerBuilder auth ) throws Exception {
            auth.inMemoryAuthentication().withUser( "admin" ).password( "admin" ).roles( "USER", "ADMIN" );
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.httpBasic()
                .and()
                .authorizeRequests()
                .anyRequest().authenticated();
        }
    }

    public static void main( final String[] args ) {
        SpringApplication app = new SpringApplication( Application.class );
        app.setShowBanner( false );
        app.run( args );
    }
}
These are what I get at /
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=6D7E2CB0AAFDD3B5DB53BA77C0725750; Path=/; HttpOnly
Content-Type: text/html;charset=UTF-8
Content-Length: 5
Date: Fri, 29 May 2015 01:16:33 GMT
And finally, my pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.xenoterracide</groupId>
    <artifactId>spring-session-test-case</artifactId>
    <version>1.0-SNAPSHOT</version>
    <properties>
        <!-- use UTF-8 for everything -->
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
    </properties>
    <parent>
        <groupId>io.spring.platform</groupId>
        <artifactId>platform-bom</artifactId>
        <version>1.1.2.RELEASE</version>
    </parent>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.session</groupId>
            <artifactId>spring-session</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
</project>
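Why am I not getting the X-Auth-Token header instead of the JSESSIONID cookie? Why doesn't my test say that I got the JSESSIONID cookie?

All you need is to define the correct HttpSessionIdResolver implementation. By default, Spring Session uses CookieHttpSessionIdResolver.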
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
import org.springframework.session.web.http.HttpSessionIdResolver;

@Configuration
public class SessionConfig {

    @Bean
    public HttpSessionIdResolver httpSessionIdResolver() {
        return HeaderHttpSessionIdResolver.xAuthToken();
    }
}
At least it works for Spring Boot 2.2.5.RELEASE.

You need to add a configuration class that accomplishes three things:
- SessionRepositoryFilter (this is done via the @EnableSpringHttpSession annotation)
- the HttpSessionIdResolver interface - in your case HeaderHttpSessionIdResolver
- @EnableSpringHttpSession requires a SessionRepository to be provided - it also needs to provide a bean that implements this interface (MapSessionRepository is used in the example below)

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.MapSessionRepository;
import org.springframework.session.config.annotation.web.http.EnableSpringHttpSession;
import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
import org.springframework.session.web.http.HttpSessionIdResolver;

import java.util.concurrent.ConcurrentHashMap;

@Configuration
@EnableSpringHttpSession
public class HttpSessionConfig {

    @Bean
    MapSessionRepository sessionRepository() {
        return new MapSessionRepository(new ConcurrentHashMap<>());
    }

    @Bean
    public HttpSessionIdResolver httpSessionIdResolver() {
        return HeaderHttpSessionIdResolver.xAuthToken();
    }
}
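
What version of Spring Security is this?
@chrylis 3.2.7
I know the default behavior changed between 3.2 and 4.0. Maybe you need a with().csrf()?
You haven't configured the filter, so basically nothing is happening. Add an additional bean that extends AbstractHttpSessionApplicationInitializer, which configures Spring Session. Remove the 2 beans from the other configuration.
@chrylis csrf shouldn't have anything to do with this; I am already using it in a more complete version.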