
Spring Boot - how to conditionally enable/disable sessions

I've built a REST API service using Spring where I've enabled sessions using MongoDB:

import java.util.Collections;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.mongodb.core.geo.GeoModule; // assumed: Spring Data MongoDB's Jackson geo module
import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
import org.springframework.session.data.mongo.JacksonMongoSessionConverter;
import org.springframework.session.data.mongo.config.annotation.web.http.EnableMongoHttpSession;

@Configuration
@EnableMongoHttpSession(maxInactiveIntervalInSeconds = Globals.SESSION_MAX_INTERVAL) // Globals: application constant, not shown
public class SessionConfig {

    // Store sessions as JSON documents in Mongo; the extra module lets geo types round-trip
    @Bean
    public AbstractMongoSessionConverter createSessionConverterBean() {
        return new JacksonMongoSessionConverter(Collections.singletonList(new GeoModule()));
    }
}

I would, however, like to have control over which connections should be issued a session. Currently, every HTTP request has a session generated for it, but there are scenarios where the session is not needed, and I'd prefer not to clutter up the session storage with session objects that will never be used.

One such scenario is a standalone desktop application that acts as a content management system. This application has no need for HTTP sessions because authentication is done on the application side via a custom authorization header. This application also only accesses endpoints from a certain root route mapping:

Public traffic routes to api.domain.com/pub and the CMS traffic routes through api.domain.com/cpi.

It would be nice to be able to tell Spring that it does not need to create a session for any requests coming to /cpi. The desktop application also provides a unique Origin that I can match as well, if that is more easily done.

My Web security looks like this:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter { // enclosing class name assumed

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest()
                .permitAll()   // authorization is done by the application, not by Spring Security
                .and()
                .cors()
                .and()
                .httpBasic();
        http.csrf().disable(); // Self-implemented
    }
}

I've searched all over and haven't found a thing. Can anyone point me in the right direction?

Thanks!

You could add multiple security configurations in the following scheme, where one explicitly matches all /cpi requests and the other one handles the remaining requests.

You could also configure different authentication methods this way.

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig { // enclosing class name assumed

    // Evaluated first: only requests under /cpi/** are handled by this chain
    @Order(1)
    @Configuration
    public static class Custom1WebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/cpi/**")
                .authorizeRequests()
                    // ... your authorization rules for /cpi/** (the question uses anyRequest().permitAll())
                    .anyRequest().permitAll()
                .and()
                .sessionManagement() // don't create a session for this configuration
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }
    }

    // Fallback for every other request; sessions are created as before
    @Order(2)
    @Configuration
    public static class Custom2WebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    // ... your authorization rules for the remaining requests
                    .anyRequest().permitAll();
        }
    }
}
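The answer above selects the stateless chain by path. The question also mentions that the desktop client sends a unique Origin, so the following added example (mine, not the answerer's or the project's code) generalises the same two-chain layout to a RequestMatcher that accepts either the /cpi/** path or that Origin header, and disables session creation for it with SessionCreationPolicy.STATELESS. The Origin value "app://cms-desktop" and the class names are assumptions; the /cpi and /pub paths and the permitAll/cors/httpBasic settings come from the question. Two caveats worth knowing: the Origin header is set by the client, so matching on it only decides which chain handles the request and must never be treated as authentication (the custom authorization header still does that); and STATELESS only stops Spring Security from touching the HttpSession. Spring Session replaces the container's session manager and writes a Mongo document only when something calls request.getSession(), so controllers under /cpi must avoid getSession() and @SessionAttributes for the storage to stay clean.

```java
import java.util.Arrays;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added example for Spring Security 5.x (WebSecurityConfigurerAdapter era, as in the question).
@Configuration
@EnableWebSecurity
public class SessionlessCmsSecurityConfig {

    // Hypothetical Origin value sent by the desktop CMS client (assumption, not from the question).
    static final String CMS_ORIGIN = "app://cms-desktop";

    // Requests that belong to the CMS: anything under /cpi/** OR anything carrying the CMS Origin.
    // The Origin header is client-controlled, so this is routing, not authentication.
    static RequestMatcher cmsRequests() {
        return new OrRequestMatcher(Arrays.asList(
                new AntPathRequestMatcher("/cpi/**"),
                new RequestHeaderRequestMatcher("Origin", CMS_ORIGIN)));
    }

    // Evaluated first: the stateless chain for the CMS client.
    @Order(1)
    @Configuration
    public static class CmsChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatcher(cmsRequests())
                .authorizeRequests()
                    .anyRequest().permitAll()   // authz is done by the custom header, as in the question
                .and()
                .csrf().disable()               // self-implemented in the question
                .sessionManagement()
                    // Spring Security will neither create nor look up an HttpSession on this chain;
                    // it also swaps in NullRequestCache, so nothing is saved to a session here.
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }
    }

    // Fallback for the public API (/pub and everything else): sessions are created as before.
    @Order(2)
    @Configuration
    public static class PublicChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().permitAll()
                .and()
                .cors()
                .and()
                .httpBasic();
            http.csrf().disable();              // self-implemented in the question
        }
    }
}
```

To confirm the effect, send a request to /cpi/anything and check that the response carries no SESSION cookie and that the Mongo sessions collection does not grow; a request to /pub/anything should still set the cookie. If a /cpi endpoint still produces a session document, something in that handler (or a filter ordered before the security chain) is calling getSession().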

You could try the below in the application.yml file.

server:
  servlet:
    session:
      persistent: false
      timeout: 0

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM