Spring adds a JSESSIONID despite stateless session management


Question

I am using a working JWT authentication of my web application with the following configuration:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
      .csrf().disable()
      // Tell Spring Security never to create or use an HttpSession itself
      .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
      .and()
      .exceptionHandling()
      .authenticationEntryPoint(
          (req, rsp, e) -> rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED))
      .and()
      // Issues the JWT on POST to the login URI
      .addFilter(new UsernamePasswordAuthenticationFilter(authenticationManager(),
          jwtConfig))
      // Validates the JWT on every other request
      .addFilterAfter(new JwtTokenAuthenticationFilter(jwtConfig),
          UsernamePasswordAuthenticationFilter.class)
      .authorizeRequests()
      .antMatchers(HttpMethod.POST, jwtConfig.getUri()).permitAll()
      .anyRequest().authenticated();
}

As of SessionCreationPolicy.STATELESS I am expecting that Spring will not create a session itself. However, if I access any other resource than /login, I still see the following entry in the response header:

set-cookie: JSESSIONID=...; Path=/; HttpOnly

Can someone explain where this is coming from (maybe not from Spring) and, if it does still come from Spring, what needs to be changed?

Testing in my controller, the session is still injected, as indicated by the above token being present. I still have no clue where this is coming from.

@PostMapping
@ResponseStatus(HttpStatus.CREATED)
public void create(HttpSession session) {
    if (session != null) {
        System.out.println("Session is existing"); // executes
    }
}

Answer

Your current configuration (sessionCreationPolicy(SessionCreationPolicy.STATELESS)) ensures that Spring-Security (and only Spring-Security)

  • will not create a session
  • will not rely on a session to provide authentication details (for example, to provide the Principal).

Any other component of your application (for example, if you would use Spring-Session) is still free to create the session.
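One way to find out which component is actually creating the session, as an added example that is not part of the original question or answer: register an HttpSessionListener that prints a stack trace at creation time, and have the controller ask for the session with getSession(false) so that the check itself cannot create one. It assumes a Spring Boot application on the javax.servlet API (matching the antMatchers-era configuration above); the controller path /things is a placeholder.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

// Spring Boot registers an HttpSessionListener bean with the embedded
// servlet container, so this fires for every session the container creates,
// whoever asked for it (Spring Security, Spring Session, a JSP, a controller...).
@Component
public class SessionCreationTracer implements HttpSessionListener {

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // The frames above request.getSession() in this trace name the caller
        // that triggered the Set-Cookie: JSESSIONID response header.
        new Exception("HTTP session " + se.getSession().getId() + " created by:")
            .printStackTrace();
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Nothing to do; only creation is of interest here.
    }
}

// Hypothetical controller illustrating the non-creating form of the check.
@RestController
class CreateController {

    @PostMapping("/things") // placeholder path, not from the original page
    @ResponseStatus(HttpStatus.CREATED)
    public void create(HttpServletRequest request) {
        // Declaring an HttpSession handler argument makes Spring MVC call
        // request.getSession(), which creates a session when none exists.
        // getSession(false) only returns an existing session and never creates one.
        HttpSession session = request.getSession(false);
        if (session != null) {
            System.out.println("Session already exists: " + session.getId());
        } else {
            System.out.println("No session, and none was created by this check");
        }
    }
}
```

With the listener in place, the first stack trace printed after a request to a protected resource identifies the creator of the session; if it points at the controller's own HttpSession argument, switching to getSession(false) as shown removes the cookie.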
