
Spring Session not setting X-Auth-Token, JSESSIONID still present

I'm trying to figure out why Spring Session is not setting the session header and is still setting JSESSIONID. I'm also trying to determine why my test does not get the JSESSIONID that the browser does. I'm not trying to use redis, just in-memory storage.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.session.ExpiringSession;
import org.springframework.session.MapSessionRepository;
import org.springframework.session.SessionRepository;
import org.springframework.session.web.http.HeaderHttpSessionStrategy;
import org.springframework.session.web.http.HttpSessionStrategy;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@SpringBootApplication
public class Application {

    @RequestMapping( "/" )
    public String greeting() {
        return "hello";
    }

    @Configuration
    @Order( SecurityProperties.ACCESS_OVERRIDE_ORDER )
    protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        // in-memory session store (no redis)
        @Bean
        static SessionRepository<? extends ExpiringSession> repository() {
            return new MapSessionRepository( );
        }

        // session id is expected in the X-Auth-Token header instead of a cookie
        @Bean
        static HttpSessionStrategy httpSessionStrategy() {
            return new HeaderHttpSessionStrategy();
        }

        @Autowired
        void globalUserDetails( final AuthenticationManagerBuilder auth ) throws Exception {
            auth.inMemoryAuthentication().withUser( "admin" ).password( "admin" ).roles( "USER", "ADMIN" );
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.httpBasic()
                    .and()
                    .authorizeRequests()
                    .anyRequest().authenticated();
        }
    }

    public static void main( final String[] args ) {
        SpringApplication app = new SpringApplication( Application.class );
        app.setShowBanner( false );
        app.run( args );
    }
}

and a test class

import static org.hamcrest.CoreMatchers.notNullValue;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import java.util.Base64;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.SpringApplicationConfiguration;
import org.springframework.mock.web.MockServletContext;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@RunWith( SpringJUnit4ClassRunner.class )
@WebAppConfiguration
@SpringApplicationConfiguration( classes = { MockServletContext.class, Application.class } )
public class ApplicationTest {

    private MockMvc mockMvc = null;
    private MockHttpServletRequestBuilder requestBuilder;
    @Autowired private WebApplicationContext context;
    @Autowired private FilterChainProxy springSecurityFilterChain;

    @Before
    public void setup() {
        // run the security filter chain in front of the controller
        mockMvc = MockMvcBuilders.webAppContextSetup( context )
                .addFilter( springSecurityFilterChain )
                .build();

        // authenticate with HTTP Basic as admin:admin
        requestBuilder = get( "/" )
                .header( "Authorization", "Basic " + Base64.getEncoder().encodeToString( "admin:admin".getBytes() ) );
    }

    @Test
    public void getSessionToken() throws Exception {
        this.mockMvc.perform( requestBuilder )
                .andExpect( status().is2xxSuccessful() )
                .andExpect( header().string( "X-Auth-Token", notNullValue() ) );
    }

    @Test
    public void getJessionId() throws Exception {
        // response does not agree with an actual browser request which has a JSESSIONID
        this.mockMvc.perform( requestBuilder )
                .andExpect( status().is2xxSuccessful() )
                .andExpect( cookie().doesNotExist( "JSESSIONID" ) );
    }
}

These are the response headers Chrome gets when I log in at /

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=6D7E2CB0AAFDD3B5DB53BA77C0725750; Path=/; HttpOnly
Content-Type: text/html;charset=UTF-8
Content-Length: 5
Date: Fri, 29 May 2015 01:16:33 GMT

Finally, here is my pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.xenoterracide</groupId>
    <artifactId>spring-session-test-case</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <!-- use UTF-8 for everything -->
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
    </properties>

    <parent>
        <groupId>io.spring.platform</groupId>
        <artifactId>platform-bom</artifactId>
        <version>1.1.2.RELEASE</version>
    </parent>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.session</groupId>
            <artifactId>spring-session</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
</project>

Why am I not getting the X-Auth-Token header instead of the JSESSIONID cookie? Why does my test not say I'm getting a JSESSIONID cookie?

All you need is to define the correct HttpSessionIdResolver implementation. By default, spring-session uses CookieHttpSessionIdResolver.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
import org.springframework.session.web.http.HttpSessionIdResolver;

@Configuration
public class SessionConfig {

    @Bean
    public HttpSessionIdResolver httpSessionIdResolver() {
        return HeaderHttpSessionIdResolver.xAuthToken();
    }
}

At least it works with Spring Boot 2.2.5.RELEASE.

You need to add a configuration class that does three things:

  1. Enable the SessionRepositoryFilter (this is done with the @EnableSpringHttpSession annotation)
  2. Provide a bean implementing the HttpSessionIdResolver interface - in your case HeaderHttpSessionIdResolver
  3. Because @EnableSpringHttpSession requires a SessionRepository to be provided - it also needs a bean implementing that interface (MapSessionRepository is used in the example below)

Example configuration:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.MapSessionRepository;
import org.springframework.session.config.annotation.web.http.EnableSpringHttpSession;
import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
import org.springframework.session.web.http.HttpSessionIdResolver;

import java.util.concurrent.ConcurrentHashMap;

@Configuration
@EnableSpringHttpSession
public class HttpSessionConfig {

    @Bean
    MapSessionRepository sessionRepository() {
        return new MapSessionRepository(new ConcurrentHashMap<>());
    }

    @Bean
    public HttpSessionIdResolver httpSessionIdResolver() {
        return HeaderHttpSessionIdResolver.xAuthToken();
    }
}
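The following test is an added example, not code from either answer or from the question. It checks the behaviour both answers describe on a Spring Boot 2.x application: once @EnableSpringHttpSession registers the SessionRepositoryFilter and HeaderHttpSessionIdResolver.xAuthToken() is the resolver, the first authenticated response carries X-Auth-Token and no JSESSIONID, replaying that token resumes the session without credentials, and an unknown token is rejected. It assumes the HttpSessionConfig class from the answer above, an HTTP Basic setup with the in-memory admin/admin user as in the question, and spring-security-test on the test classpath (for the httpBasic() request post-processor); the class and method names are hypothetical. One caveat worth knowing when reading the question's tests: under MockMvc there is no servlet container to emit a JSESSIONID cookie, so the poster's cookie().doesNotExist("JSESSIONID") assertion passed even with the filter missing; the assertion that actually detects the misconfiguration is the one on the X-Auth-Token header, which is why this example treats the header checks as the primary evidence.

```java
import static org.hamcrest.Matchers.notNullValue;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;

// Added example (hypothetical class name). Assumes the HttpSessionConfig bean class
// from the answer above is on the classpath and HTTP Basic with user admin/admin
// (as in the question) protects "/".
@SpringBootTest
@AutoConfigureMockMvc
class HeaderSessionTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void authenticatedRequestIssuesTokenHeaderInsteadOfCookie() throws Exception {
        // 1. Logging in over HTTP Basic creates the session; with the header resolver
        //    the id comes back in X-Auth-Token, and no JSESSIONID cookie is set.
        MvcResult result = mockMvc.perform(get("/").with(httpBasic("admin", "admin")))
                .andExpect(status().isOk())
                .andExpect(header().string("X-Auth-Token", notNullValue()))
                .andExpect(cookie().doesNotExist("JSESSIONID"))
                .andReturn();

        String token = result.getResponse().getHeader("X-Auth-Token");

        // 2. Presenting the token, and nothing else, resumes the authenticated session.
        //    Unlike a cookie, the browser never sends this header on its own, so the
        //    client must attach it explicitly on every request.
        mockMvc.perform(get("/").header("X-Auth-Token", token))
                .andExpect(status().isOk());
    }

    @Test
    void unknownTokenIsNotAccepted() throws Exception {
        // The resolver hands the value to the SessionRepository; an id that is not in
        // the repository yields no session, so the request is unauthenticated and the
        // Basic entry point answers 401. "not-a-real-session-id" is a constructed value.
        mockMvc.perform(get("/").header("X-Auth-Token", "not-a-real-session-id"))
                .andExpect(status().isUnauthorized());
    }
}
```

Run it with the usual Maven or Gradle test task; because the session lives in the MapSessionRepository bean of the test's application context, the token from the first request is valid for the second request within the same test method without any external store.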
