Java Spring Session not setting X-Auth-Token, JSESSIONID still present


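I'm trying to figure out why Spring Session isn't setting the session header and is still setting JSESSIONID. In addition, I'm trying to determine why my test doesn't get the JSESSIONID that the browser gets. I'm not trying to use Redis, just in-memory storage.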

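import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.session.ExpiringSession;
import org.springframework.session.MapSessionRepository;
import org.springframework.session.SessionRepository;
import org.springframework.session.web.http.HeaderHttpSessionStrategy;
import org.springframework.session.web.http.HttpSessionStrategy;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController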
@SpringBootApplication
public class Application {

    @RequestMapping( "/" )
    public String greeting() {
        return "hello";
    }



    @Configuration
    @Order( SecurityProperties.ACCESS_OVERRIDE_ORDER )
    protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Bean
        static SessionRepository<? extends ExpiringSession> repository() {
            return new MapSessionRepository( );
        }

        @Bean
        static HttpSessionStrategy httpSessionStrategy() {
            return new HeaderHttpSessionStrategy();
        }

        @Autowired
        void globalUserDetails( final AuthenticationManagerBuilder auth ) throws Exception {
            auth.inMemoryAuthentication().withUser( "admin" ).password( "admin" ).roles( "USER", "ADMIN" );
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.httpBasic()
                    .and()
                    .authorizeRequests()
                    .anyRequest().authenticated();
        }
    }

    public static void main( final String[] args ) {
        SpringApplication app = new SpringApplication( Application.class );
        app.setShowBanner( false );
        app.run( args );
    }
}
These are the headers I get at /:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=6D7E2CB0AAFDD3B5DB53BA77C0725750; Path=/; HttpOnly
Content-Type: text/html;charset=UTF-8
Content-Length: 5
Date: Fri, 29 May 2015 01:16:33 GMT
Finally, here is my pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.xenoterracide</groupId>
    <artifactId>spring-session-test-case</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <!-- use UTF-8 for everything -->
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
    </properties>

    <parent>
        <groupId>io.spring.platform</groupId>
        <artifactId>platform-bom</artifactId>
        <version>1.1.2.RELEASE</version>
    </parent>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.session</groupId>
            <artifactId>spring-session</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
</project>


Why am I not getting an X-Auth-Token header instead of the JSESSIONID cookie? Why doesn't my test say I'm getting the JSESSIONID cookie?

All you need is to define the correct HttpSessionIdResolver implementation. By default, Spring Session uses CookieHttpSessionIdResolver.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
import org.springframework.session.web.http.HttpSessionIdResolver;

@Configuration
public class SessionConfig {

    @Bean
    public HttpSessionIdResolver httpSessionIdResolver() {
        return HeaderHttpSessionIdResolver.xAuthToken();
    }
}

At least it works with Spring Boot 2.2.5.RELEASE.

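You need to add a configuration class that does three things:

  • Enable SessionRepositoryFilter (this is done with the @EnableSpringHttpSession annotation)
  • Provide a bean implementing the HttpSessionIdResolver interface, in your case HeaderHttpSessionIdResolver
  • Because @EnableSpringHttpSession requires a SessionRepository, it also needs to provide a bean implementing this interface (MapSessionRepository is used in the example below)

Example configuration: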

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.session.MapSessionRepository;
    import org.springframework.session.config.annotation.web.http.EnableSpringHttpSession;
    import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
    import org.springframework.session.web.http.HttpSessionIdResolver;
    
    import java.util.concurrent.ConcurrentHashMap;
    
    @Configuration
    @EnableSpringHttpSession
    public class HttpSessionConfig {
    
        @Bean
        MapSessionRepository sessionRepository() {
            return new MapSessionRepository(new ConcurrentHashMap<>());
        }
    
        @Bean
        public HttpSessionIdResolver httpSessionIdResolver() {
            return HeaderHttpSessionIdResolver.xAuthToken();
        }
    }
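
One way to check from a test that the session id now travels in the X-Auth-Token header rather than in the JSESSIONID cookie. This is an added example, not code from the question or from either answer; it assumes a Spring Boot 2.x project with JUnit 5 that contains the question's Application (HTTP Basic, user admin/admin, with the password stored in a form Spring Security 5 accepts, such as {noop}admin) together with the HttpSessionConfig above. The class name HeaderSessionIdTest is hypothetical.

```java
import static org.assertj.core.api.Assertions.assertThat;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;

// Assumption: the question's Application and the answer's HttpSessionConfig
// are both part of the tested Spring Boot 2.x application.
@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT)
class HeaderSessionIdTest {

    @Autowired
    private TestRestTemplate rest;

    @Test
    void sessionIdTravelsInHeaderNotCookie() {
        // First request authenticates with HTTP Basic, which creates the session.
        ResponseEntity<String> login =
                rest.withBasicAuth("admin", "admin").getForEntity("/", String.class);
        assertThat(login.getStatusCode()).isEqualTo(HttpStatus.OK);

        // HeaderHttpSessionIdResolver.xAuthToken() writes the id to X-Auth-Token.
        String token = login.getHeaders().getFirst("X-Auth-Token");
        assertThat(token).isNotBlank();
        // With the header resolver active, no session cookie is issued.
        assertThat(login.getHeaders().get(HttpHeaders.SET_COOKIE)).isNull();

        // Second request carries only the token, no credentials and no cookie.
        HttpHeaders headers = new HttpHeaders();
        headers.set("X-Auth-Token", token);
        ResponseEntity<String> again = rest.exchange(
                "/", HttpMethod.GET, new HttpEntity<>(headers), String.class);
        assertThat(again.getStatusCode()).isEqualTo(HttpStatus.OK);
        assertThat(again.getBody()).isEqualTo("hello");

        // Negative control: without the token the same request is rejected.
        assertThat(rest.getForEntity("/", String.class).getStatusCode())
                .isEqualTo(HttpStatus.UNAUTHORIZED);
    }
}
```

If the first assertion on X-Auth-Token fails while a JSESSIONID cookie is present, the SessionRepositoryFilter is not in the filter chain and the container's own session handling is still in effect.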
    
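What version of Spring Security is this?

@chrylis 3.2.7

I know the default behavior changed between 3.2 and 4.0. Maybe you need a .csrf() with ()?

You haven't configured the filter, so basically nothing is happening. Add an additional bean extending AbstractHttpSessionApplicationInitializer, which configures Spring Session. Remove the 2 beans from the other configuration.

@chrylis CSRF shouldn't have anything to do with this; I'm already using it in the more complete version.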