
How do Spring Security sessions work?

How do Spring sessions work when you log in to a form on Spring Security as described in this tutorial? http://static.springsource.org/spring-security/site/tutorial.html

Is it cookie based? I'm not sure what exactly is going on that allows the user to log in and have it remember and keep you logged in for the remainder of the browsing session.

It is cookie based, similar to how the servlet maintains sessions. If cookies are disabled, you would have to resort to URL rewriting. According to the FAQ here:

"All it sees are HTTP requests and it ties those to a particular session according to the value of the JSESSIONID cookie that they contain. When a user authenticates during a session, Spring Security's concurrent session control checks the number of other authenticated sessions that they have. If they are already authenticated with the same session, then re-authenticating will have no effect."

also

"If clients have cookies disabled, and you are not rewriting URLs to include the jsessionid, then the session will be lost. Note that the use of cookies is preferred for security reasons, as it does not expose the session information in the URL."

See here for the single sign-on feature.
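
The following configuration is an added example, not part of the original answer or of the Spring Security tutorial. It shows one way to enforce the two points quoted from the FAQ: track sessions only through the JSESSIONID cookie (no `;jsessionid=` URL rewriting) and enable concurrent session control. It assumes Spring Boot 3 with Spring Security 6 (the `jakarta.servlet` namespace); the class name `SessionConfig` and the bean names are hypothetical.

```java
import java.util.EnumSet;

import jakarta.servlet.SessionTrackingMode;

import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SessionConfig { // hypothetical class name

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // Concurrent session control: at most one authenticated session per user.
            .sessionManagement(session -> session.maximumSessions(1));
        return http.build();
    }

    // Forwards session-destroyed events to Spring Security so that the
    // concurrent session count is decremented when a session ends.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    // Cookie-only tracking: the container never falls back to URL rewriting,
    // so the session id cannot end up in links, logs or Referer headers.
    @Bean
    ServletContextInitializer cookieOnlySessionTracking() {
        return servletContext -> {
            servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
            // The cookie is the session credential: hide it from scripts, send it over HTTPS only.
            servletContext.getSessionCookieConfig().setHttpOnly(true);
            servletContext.getSessionCookieConfig().setSecure(true);
        };
    }
}
```

With this in place, a client that has cookies disabled loses its session on every request, which is the behaviour the FAQ describes when URLs are not rewritten.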

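Notice: the technical posts on this site are published under the CC BY-SA 4.0 license. If you repost them, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.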
