我想弄清楚为什么春季会议不设置会话头,仍然设置JSESSIONID
。此外,我试图确定为什么我的测试没有得到浏览器所做的JSESSIONID
。我不是在尝试使用redis,只是在内存存储。
@RestController
@SpringBootApplication
public class Application {
@RequestMapping( "/" )
public String greeting() {
return "hello";
}
@Configuration
@Order( SecurityProperties.ACCESS_OVERRIDE_ORDER )
protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Bean
static SessionRepository<? extends ExpiringSession> repository() {
return new MapSessionRepository( );
}
@Bean
static HttpSessionStrategy httpSessionStrategy() {
return new HeaderHttpSessionStrategy();
}
@Autowired
void globalUserDetails( final AuthenticationManagerBuilder auth ) throws Exception {
auth.inMemoryAuthentication().withUser( "admin" ).password( "admin" ).roles( "USER", "ADMIN" );
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic()
.and()
.authorizeRequests()
.anyRequest().authenticated();
}
}
public static void main( final String[] args ) {
SpringApplication app = new SpringApplication( Application.class );
app.setShowBanner( false );
app.run( args );
}
}
和一个测试类
@RunWith( SpringJUnit4ClassRunner.class )
@WebAppConfiguration
@SpringApplicationConfiguration( classes = { MockServletContext.class, Application.class } )
public class ApplicationTest {
private MockMvc mockMvc = null;
private MockHttpServletRequestBuilder requestBuilder;
@Autowired private WebApplicationContext context;
@Autowired private FilterChainProxy springSecurityFilterChain;
@Before
public void setup() {
mockMvc = MockMvcBuilders.webAppContextSetup( context )
.addFilter( springSecurityFilterChain )
.build();
requestBuilder = get( "/" )
.header( "Authorization", "Basic " + Base64.getEncoder().encodeToString( "admin:admin".getBytes() ) );
}
@Test
public void getSessionToken() throws Exception {
this.mockMvc.perform( requestBuilder )
.andExpect( status().is2xxSuccessful() )
.andExpect( header().string( "X-Auth-Token", notNullValue() ) );
}
@Test
public void getJessionId() throws Exception {
// response does not agree with an actual browser request which has a JSESSIONID
this.mockMvc.perform( requestBuilder )
.andExpect( status().is2xxSuccessful() )
.andExpect( cookie().doesNotExist( "JSESSIONID" ) );
}
}
这些是响应头铬有当我登录在/
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=6D7E2CB0AAFDD3B5DB53BA77C0725750; Path=/; HttpOnly
Content-Type: text/html;charset=UTF-8
Content-Length: 5
Date: Fri, 29 May 2015 01:16:33 GMT
最后是pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.xenoterracide</groupId>
<artifactId>spring-session-test-case</artifactId>
<version>1.0-SNAPSHOT</version>
<properties>
<!-- use UTF-8 for everything -->
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
</properties>
<parent>
<groupId>io.spring.platform</groupId>
<artifactId>platform-bom</artifactId>
<version>1.1.2.RELEASE</version>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
</project>
为什么我没有得到X-Auth-Token
头而不是JESSIONID
Cookie?为什么我的测试没有说我得到了JSESSIONID
饼干?
您需要添加配置类,做以下三件事:
- 启用
SessionRepositoryFilter
(这是由@EnableSpringHttpSession
注释完成) - 提供bean实现
HttpSessionIdResolver
接口-在您的情况下headerhttpessionidresolver - 因为
@EnableSpringHttpSession
需要提供SessionRepository
-它需要提供一个bean来实现这个接口(MapSessionRepository
在下面的例子中使用)
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.MapSessionRepository;
import org.springframework.session.config.annotation.web.http.EnableSpringHttpSession;
import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
import org.springframework.session.web.http.HttpSessionIdResolver;
import java.util.concurrent.ConcurrentHashMap;
@Configuration
@EnableSpringHttpSession
public class HttpSessionConfig {
@Bean
MapSessionRepository sessionRepository() {
return new MapSessionRepository(new ConcurrentHashMap<>());
}
@Bean
public HttpSessionIdResolver httpSessionIdResolver() {
return HeaderHttpSessionIdResolver.xAuthToken();
}
}
您所需要的只是定义适当的httpessionidresolver实现。spring-session默认使用cookiehttpessionidresolver。
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
import org.springframework.session.web.http.HttpSessionIdResolver;
@Configuration
public class SessionConfig {
@Bean
public HttpSessionIdResolver httpSessionIdResolver() {
return HeaderHttpSessionIdResolver.xAuthToken();
}
}
至少它可以在Spring Boot 2.2.5.RELEASE中使用