
Spring Security session without using cookies

I am using SpringMVC to receive HTTP requests from a machine we are trying to interface to. XML data from the machine is written in the HTTP request body. Basically,

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Foo version="2.0" xmlns="http://www.example.com/ns">
    <Bar sessionId="2" />
    <Baz quux="Monitor" seq="123">
       ...
    </Baz>
</Foo>

The machine does not, and cannot, keep cookies. So I am unable to use session data over JSESSIONID. All I have is the sessionId found in Bar. This sessionId should be granted by my system on the first request. That is,

Step 1: Machine sends a session request to me

Step 2: The web app creates a session and then sends a Session type response to the machine, which the machine then saves and uses in subsequent requests.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Foo version="2.0" xmlns="http://www.example.com/ns">
    <Bar sessionId="2" />
    <Session quux="Monitor" seq="123">
       ...
    </Session>
</Foo>

Step 3: Communication between the machine and the web app now uses sessionId.

Questions:

  1. Is it possible in Spring Security to assign a session to a connection based on a sessionId? In this case, the sessionId in the XML is acting like the cookie JSESSIONID. Can I configure Spring Security such that it retrieves the sessionId from the XML rather than from the HTTP header or through the URL?
  2. I wish to know if other systems have this kind of issue and what I can google to research more on this kind of problem.

What you are looking for is certainly possible. The HTTP Session is simply a container for storing the Spring Security authentication token in between requests. What you are looking for is a place to store the token in between requests and a way to reliably retrieve the token for every request.

The component that holds the token in between requests is an implementation of org.springframework.security.web.context.SecurityContextRepository. One of the out-of-box implementations provided by Spring Security uses the HTTP Session as the storage area for tokens.

Similarly, the component that checks the token on every request is an implementation of org.springframework.security.authentication.AuthenticationProvider. At a bare minimum you need implementations of these two in order to enforce your custom strategy for storing and checking authentication tokens on every request, outside of the HTTP Session.

You can take a look at my sample app for a working example of this strategy for a REST based application. I would recommend that you pass the session information in HTTP headers instead of the request body. It will reduce your implementation effort and simplify the solution significantly.
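The following is an added example, not code from the question, the answer or the linked sample app, of the header-based variant the answer recommends: a custom SecurityContextRepository that keeps the SecurityContext between requests keyed by an opaque token carried in an X-Session-Id header (an assumed header name) instead of a JSESSIONID cookie. It assumes Spring Security 5.x with the javax.servlet API; on Spring Security 6.x the servlet imports become jakarta.servlet and saveContext must be called explicitly, because SecurityContextHolderFilter no longer saves the context automatically at the end of the request. The initial verification of the machine's credentials is left to whatever AuthenticationProvider the application already uses, since the page does not say how the machine first authenticates.

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;

/**
 * Added example (not from the original post): a SecurityContextRepository that
 * replaces the HTTP session with an in-memory map keyed by a random token.
 * The client echoes the token back in the X-Session-Id header on every request,
 * playing the role JSESSIONID normally plays.
 */
public class HeaderTokenSecurityContextRepository implements SecurityContextRepository {

    /** Assumed header name; choose whatever the machine can be configured to send. */
    public static final String HEADER = "X-Session-Id";

    private static final class Entry {
        final SecurityContext context;
        volatile long lastSeenMillis;
        Entry(SecurityContext context, long now) { this.context = context; this.lastSeenMillis = now; }
    }

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Entry> store = new ConcurrentHashMap<>();
    private final Clock clock;
    private final long idleTimeoutMillis;

    public HeaderTokenSecurityContextRepository(Clock clock, long idleTimeoutMillis) {
        this.clock = clock;
        this.idleTimeoutMillis = idleTimeoutMillis;
    }

    /** Called at the start of each request: look the token up, expiring stale entries. */
    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        String token = holder.getRequest().getHeader(HEADER);
        Entry entry = token == null ? null : store.get(token);
        if (entry == null) {
            return SecurityContextHolder.createEmptyContext();
        }
        long now = clock.millis();
        if (now - entry.lastSeenMillis > idleTimeoutMillis) {
            store.remove(token);            // idle too long: treat as unauthenticated
            return SecurityContextHolder.createEmptyContext();
        }
        entry.lastSeenMillis = now;
        return entry.context;
    }

    /** Called at the end of the request (automatically on 5.x, explicitly on 6.x). */
    @Override
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
        String presented = request.getHeader(HEADER);
        Authentication auth = context.getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            if (presented != null) {
                store.remove(presented);    // logout or failed auth: drop the token
            }
            return;
        }
        String token = presented != null && store.containsKey(presented) ? presented : newToken();
        store.put(token, new Entry(context, clock.millis()));
        // On the first authenticated request the client learns its token from the response header.
        response.setHeader(HEADER, token);
    }

    @Override
    public boolean containsContext(HttpServletRequest request) {
        String token = request.getHeader(HEADER);
        return token != null && store.containsKey(token);
    }

    /** 256 bits from SecureRandom: unlike the sequential "2" in the question, not guessable. */
    private String newToken() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }
}
```

Wire it in with `http.securityContext().securityContextRepository(new HeaderTokenSecurityContextRepository(Clock.systemUTC(), 15 * 60 * 1000L))` and set the session creation policy so the container stops issuing JSESSIONID. Two points matter for security regardless of where the identifier travels: the value must be unguessable (the sessionId="2" in the question is effectively a counter, so anyone who can reach the endpoint could impersonate another machine by trying small integers), and it must be bound to an idle or absolute lifetime so a captured token does not remain valid forever. If the token really has to ride inside the XML body, as the question originally wanted, the same repository works, but loadContext would then need to read and cache the request body before the XML is parsed downstream, which is the extra effort the answer is warning about.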
