我目前正在使用 Spring Boot 为 Angular2 前端应用程序开发 REST API。
我使用 Spring Security 来管理用户身份验证,但我需要在浏览器 session 中存储一些信息。问题是在每次请求时都会创建一个新的 JSESSIONID
。
示例:
- 身份验证
POST
它在响应 header 中返回Set-Cookie:JSESSIONID=C367245309E4E80606066FDCFBE0EE43
。 使用用户信息创建一个新 session
- protected REST 资源
GET
: session 为空且JSESSIONID
Cookie 不在请求 header 中。它返回Set-Cookie:JSESSIONID=163B28B7AC2042F9EFF1046F9E14A600
我的 Spring Security 配置是:
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
// Unable x-frame-options from same origin
httpSecurity.headers().frameOptions().sameOrigin();
/*
* the secret key used to signe the JWT token is known exclusively by
* the server. With Nimbus JOSE implementation, it must be at least 256
* characters longs.
*/
String secret = IOUtils.toString(getClass().getClassLoader().getResourceAsStream("secret.key"),
Charset.defaultCharset());
httpSecurity.addFilterAfter(jwtTokenAuthenticationFilter("/**", secret), ExceptionTranslationFilter.class)
.addFilterBefore(new SimpleCORSFilter(), CorsFilter.class)
/*
* Exception management is handled by the
* authenticationEntryPoint (for exceptions related to
* authentications) and by the AccessDeniedHandler (for
* exceptions related to access rights)
*/
.exceptionHandling().authenticationEntryPoint(new SecurityAuthenticationEntryPoint())
.accessDeniedHandler(new RestAccessDeniedHandler()).and()
/*
* anonymous() consider no authentication as being anonymous
* instead of null in the security context.
*/
.anonymous().and()
/* No Http session is used to get the security context */
//
.sessionManagement().maximumSessions(1).and().sessionFixation().none()
.sessionCreationPolicy(SessionCreationPolicy.ALWAYS).and().authorizeRequests()
/*
* All access to the authentication service are permitted
* without authentication (actually as anonymous)
*/
.antMatchers("/auth/**").permitAll().antMatchers("/css/**").permitAll().antMatchers("/js/**")
.permitAll().antMatchers("/accueil").permitAll()
// .antMatchers("/**").permitAll()
/*
* All the other requests need an authentication. Role access is
* done on Methods using annotations like @PreAuthorize
*/
.anyRequest().authenticated().and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class).csrf()
.csrfTokenRepository(csrfTokenRepository()).disable();
}
你能帮我解决我的 session 问题吗?
最佳答案
这似乎是一个不发送 cookie 的 angular2 问题;在调用我的 REST api 之前,我在我的构造函数中设置了这段代码:
constructor(private _http: Http) {
let _build = (<any>_http)._backend._browserXHR.build;
(<any>_http)._backend._browserXHR.build = () => {
let _xhr = _build();
_xhr.withCredentials = true;
return _xhr;
};
}
现在我的 JSESSIONID 正在发送每个请求。
关于session - Spring Security session JSESSIONID,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/40108053/