小贝子编程

如何防止匿名用户会话的 Redis 写入



我有这个示例应用程序:

package com.example.session;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@SpringBootApplication
public class DemoRedisDataSessionApplication {
    @Configuration
    @EnableWebSecurity
    @EnableRedisHttpSession(redisNamespace = "demo-redis-data-session")
    public static class AppConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication().withUser("user").password("0000").roles("USER");
        }
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.formLogin().and()
                    .authorizeRequests().antMatchers("/ping").permitAll().and()
                    .authorizeRequests().anyRequest().fullyAuthenticated();
        }
    }
    @RestController
    public static class AppController {
        @GetMapping("/ping")
        public String ping() {
            return "pong";
        }
        @GetMapping("/secured")
        public String secured() {
            return "secured";
        }
    }
    public static void main(String[] args) {
        SpringApplication.run(DemoRedisDataSessionApplication.class, args);
    }
}

当我点击/secured时,我被 302 重定向到/login表单,如果我没有登录,这就是我所期望的,但我在 Redis 中得到了一些不需要的条目:

127.0.0.1:6379> keys * 1) "spring:session:demo-redis-data-session:sessions:expires:dbb124b9-c37d-454c-8d67-409f28cb88a6" 2) "spring:session:demo-redis-data-session:expirations:1515426060000" 3) "spring:session:demo-redis-data-session:sessions:dbb124b9-c37d-454c-8d67-409f28cb88a6"

我不想为每个匿名用户(读取爬虫(创建此数据,那么有没有办法在与匿名用户一起访问安全端点/页面时防止这些 Redis 条目?

用于此示例项目的其他数据

docker-compose.yml

version: "2" services: redis: image: redis ports: - "6379:6379"

弹簧启动版本

1.5.9.RELEASE

这不是最佳解决方案,因为它只为所有爬虫创建一个会话,但至少我没有让 Redis 充满不需要的会话。

import lombok.extern.log4j.Log4j;
import org.springframework.session.Session;
import org.springframework.session.SessionRepository;
import org.springframework.session.web.http.CookieHttpSessionStrategy;
import org.springframework.session.web.http.MultiHttpSessionStrategy;
import org.springframework.stereotype.Component;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@Log4j
@Component
public class CrawlerManagerSessionStrategyWrapper implements MultiHttpSessionStrategy {
    private CookieHttpSessionStrategy delegate;
    private volatile String crawlerSessionId;
    public CrawlerManagerSessionStrategyWrapper() {
        this.delegate = new CookieHttpSessionStrategy();
    }
    public String getRequestedSessionId(HttpServletRequest request) {
        String sessionId = getSessionIdForCrawler(request);
        if (sessionId != null)
            return sessionId;
        else {
            return delegate.getRequestedSessionId(request);
        }
    }
    public void onNewSession(Session session, HttpServletRequest request, HttpServletResponse response) {
        delegate.onNewSession(session, request, response);
        if (isCrawler(request)) {
            crawlerSessionId = session.getId();
        }
    }
    public void onInvalidateSession(HttpServletRequest request, HttpServletResponse response) {
        delegate.onInvalidateSession(request, response);
    }
    public HttpServletRequest wrapRequest(HttpServletRequest request, HttpServletResponse response) {
        return request;
    }
    public HttpServletResponse wrapResponse(HttpServletRequest request, HttpServletResponse response) {
        return response;
    }
    private String getSessionIdForCrawler(HttpServletRequest request) {
        if (isCrawler(request)) {
            SessionRepository<Session> repo = (SessionRepository<Session>) request.getAttribute(SessionRepository.class.getName());
            if (crawlerSessionId != null && repo != null) {
                Session session = repo.getSession(crawlerSessionId);
                if (session != null) {
                    return crawlerSessionId;
                }
            }
        }
        return null;
    }
    private boolean isCrawler(HttpServletRequest request) {
        // Here goes the logic to understand if the request comes from a crawler, for example by checking the user agent.
        return true;
    }
}

唯一要实现的是isCrawler方法来声明请求是否来自爬网程序。

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium