How can I prevent spring-security from appending ;jsessionid=XXX to login redirects?

Question
When an unauthenticated client requests a URL that requires a non-anonymous access level as defined in security-config.xml, Spring Security sends an HTTP redirect to our login page (e.g. /login). That's fine.
The issue is that, absent an existing session (identified by a cookie provided in the client's request), spring-security issues a redirect that also specifies the client's new session in the URL, e.g. /login;jsessionid=8o7pglapojus.
Many containers support this (apparently it works fine in Tomcat?), but it appears that Jetty (which is what we're using right now) does not: the redirected URL comes through to our URL router completely intact (including the jsessionid "parameter"), and the named session is not associated with the /login request by Jetty/spring-security (i.e. a totally new session ID is provided in the Set-Cookie header of the response to the /login request).
We can work around this by matching /login.* in our routes, but I'm curious if there's any way to prevent the emission of the session id in the authentication redirect to begin with.
Recommended answer

In Spring Security 3.0.0 M1 or newer you could set disable-url-rewriting="true" in the <http> namespace. See if that helps. Also see this feature request.
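The following security-config.xml is an added example illustrating the answer above; it is not the asker's configuration or part of the Spring Security project. It assumes the standard Spring Security 3.x namespace schema, the /login page from the question, a single ROLE_USER role, and a constructed in-memory user with placeholder credentials.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- security-config.xml (added example, not the original poster's file) -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Without disable-url-rewriting (the default in Spring Security 3.x), a client
         that has no session cookie yet is redirected to an encoded URL such as
         /login;jsessionid=8o7pglapojus. With disable-url-rewriting="true"
         (Spring Security 3.0.0 M1 or newer) the redirect is a plain /login and the
         session id travels only in the JSESSIONID cookie. -->
    <http auto-config="true" disable-url-rewriting="true">
        <!-- the login page itself must stay reachable without authentication -->
        <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <!-- everything else requires a logged-in user -->
        <intercept-url pattern="/**" access="ROLE_USER" />
        <form-login login-page="/login" />
    </http>

    <!-- constructed demo user; replace with your real user store -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="demo-user" password="PLACEHOLDER_PASSWORD" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

To check the effect, request a protected URL without sending any cookie (for example with `curl -i`) and inspect the response: the Location header should read /login with no ;jsessionid suffix, and the session id should appear only in the Set-Cookie header. Keeping the session id out of the URL also keeps it out of Referer headers, proxy logs and browser history, which is why the cookie-only form is preferable regardless of which container you run.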