Spring Security session JSESSIONID


【Title】Spring Security session JSESSIONID 【Posted】2017-02-27 17:11:18 【Question】:

I am currently developing a REST API with Spring Boot for an Angular2 front-end application.

I use Spring Security to manage user authentication, but I need to store some information in the browser session. The problem is that a new JSESSIONID is created on every request.

Example:

    Authentication POST: it returns Set-Cookie:JSESSIONID=C367245309E4E80606066FDCFBE0EE43 in the response headers. A new session is created with the user information.

    GET on a protected REST resource: the session is null and the JSESSIONID cookie is not in the request headers. It returns Set-Cookie:JSESSIONID=163B28B7AC2042F9EFF1046F9E14A600

My Spring Security configuration is:

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {

    // Allow framing from the same origin (X-Frame-Options: SAMEORIGIN)
    httpSecurity.headers().frameOptions().sameOrigin();

    /*
     * The secret key used to sign the JWT token is known exclusively by
     * the server. With the Nimbus JOSE implementation, it must be at least 256
     * characters long.
     */
    String secret = IOUtils.toString(getClass().getClassLoader().getResourceAsStream("secret.key"),
            Charset.defaultCharset());

    httpSecurity.addFilterAfter(jwtTokenAuthenticationFilter("/**", secret), ExceptionTranslationFilter.class)
            .addFilterBefore(new SimpleCORSFilter(), CorsFilter.class)
            /*
             * Exception management is handled by the
             * authenticationEntryPoint (for exceptions related to
             * authentication) and by the AccessDeniedHandler (for
             * exceptions related to access rights)
             */
            .exceptionHandling().authenticationEntryPoint(new SecurityAuthenticationEntryPoint())
            .accessDeniedHandler(new RestAccessDeniedHandler()).and()

            /*
             * anonymous() treats "no authentication" as an anonymous
             * principal instead of a null security context.
             */
            .anonymous().and()
            /* Session management: one session per user, no session-fixation protection,
             * and a session is always created (SessionCreationPolicy.ALWAYS) */
            .sessionManagement().maximumSessions(1).and().sessionFixation().none()
            .sessionCreationPolicy(SessionCreationPolicy.ALWAYS).and().authorizeRequests()
            /*
             * All access to the authentication service is permitted
             * without authentication (actually as anonymous)
             */
            .antMatchers("/auth/**").permitAll().antMatchers("/css/**").permitAll().antMatchers("/js/**")
            .permitAll().antMatchers("/accueil").permitAll()
            // .antMatchers("/**").permitAll()
            /*
             * All other requests need authentication. Role-based access is
             * enforced on methods using annotations like @PreAuthorize
             */
            .anyRequest().authenticated().and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class).csrf()
            .csrfTokenRepository(csrfTokenRepository()).disable();
}

Can you help me with my session problem?

【Comments on the question】:

【Answer 1】:

This seems to be an Angular2 problem with not sending cookies; before calling my REST API, I put this code in the constructor:

    constructor(private _http: Http) {
        // Wrap the XHR factory so every request carries cookies (withCredentials)
        let _build = (<any>_http)._backend._browserXHR.build;
        (<any>_http)._backend._browserXHR.build = () => {
            let _xhr = _build();
            _xhr.withCredentials = true;
            return _xhr;
        };
    }

Now my JSESSIONID is sent with every request.

【Comments】:

I have the same problem, but your solution does not work for me.... Could you show more of your code? Like the source of the ws call, or your app.module?

Hey, did you add response.setHeader("withCredentials", "true"); and response.setHeader("Access-Control-Allow-Headers","withCredentials"); in your Spring Boot configuration (e.g. in CorsFilter)?

I have the same problem. I added the headers with withCredentials to my spring configuration, but I get this result: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:4200' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

After some effort, your solution worked for me. Thank you very much.
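The server side of the fix discussed in this thread, as an added example that is not part of the original question, answer or comments: once the client sends the JSESSIONID cookie with withCredentials = true, the CORS response must name the page's origin explicitly and allow credentials, which is why the wildcard response in the comment above is rejected by the browser. A small Node.js-style helper that does this from an explicit origin allow-list, plus a check that mirrors the browser's rule; the origin values, header list and function names are assumptions.

```javascript
// Added example (not from the original post). Sample origins are constructed.
const ALLOWED_ORIGINS = new Set(["http://localhost:4200", "https://app.example.com"]);

// Build the CORS response headers for a credentialed request from `origin`.
// Returns null when the origin is not on the allow list, so the caller sends
// no CORS headers at all and the browser blocks the cross-origin read.
function buildCorsHeaders(origin, allowedOrigins = ALLOWED_ORIGINS) {
  if (!allowedOrigins.has(origin)) {
    return null;
  }
  return {
    // Echo the one allowed origin: never "*" and never an unchecked reflection
    // of the request's Origin header, which would let any site use the session.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
    // Assumed header names; X-XSRF-TOKEN is what an Angular client sends for CSRF.
    "Access-Control-Allow-Headers": "Content-Type, X-XSRF-TOKEN",
    // The response differs per origin, so shared caches must key on Origin.
    "Vary": "Origin",
  };
}

// Mirror of the browser's check on a response to a request made with
// credentials mode "include" (withCredentials = true): the allowed origin must
// equal the page's origin exactly and credentials must be explicitly allowed.
function browserAcceptsCredentialed(pageOrigin, headers) {
  if (!headers) return false;
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  const allowCreds = headers["Access-Control-Allow-Credentials"];
  return allowOrigin === pageOrigin && allowOrigin !== "*" && allowCreds === "true";
}

// The response shape that produces the preflight error quoted in the comments.
const wildcardHeaders = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Credentials": "true",
};
```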
