Spring Security session JSESSIONID


Problem description


I am currently developing a REST API with Spring Boot for an Angular2 frontend app.


I use Spring Security to manage user authentication, but I need to store some information in the browser session. The problem is that a new JSESSIONID is created at each request.

Example:

  1. Authentication POST: it returns Set-Cookie: JSESSIONID=C367245309E4E80606066FDCFBE0EE43 in the response header. A new session is created with the user's information.

  2. Protected REST resource GET: the session is empty and the JSESSIONID cookie is not in the request header. It returns Set-Cookie: JSESSIONID=163B28B7AC2042F9EFF1046F9E14A600


My Spring Security configuration is:

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {

    // Allow framing only from the same origin (X-Frame-Options: SAMEORIGIN)
    httpSecurity.headers().frameOptions().sameOrigin();

    /*
     * The secret key used to sign the JWT token is known exclusively by
     * the server. With the Nimbus JOSE implementation, it must be at least 256
     * characters long.
     */
    String secret = IOUtils.toString(getClass().getClassLoader().getResourceAsStream("secret.key"),
            Charset.defaultCharset());

    httpSecurity.addFilterAfter(jwtTokenAuthenticationFilter("/**", secret), ExceptionTranslationFilter.class)
            .addFilterBefore(new SimpleCORSFilter(), CorsFilter.class)
            /*
             * Exception management is handled by the
             * authenticationEntryPoint (for exceptions related to
             * authentication) and by the AccessDeniedHandler (for
             * exceptions related to access rights)
             */
            .exceptionHandling().authenticationEntryPoint(new SecurityAuthenticationEntryPoint())
            .accessDeniedHandler(new RestAccessDeniedHandler()).and()

            /*
             * anonymous() considers no authentication as being anonymous
             * instead of null in the security context.
             */
            .anonymous().and()
            /* No Http session is used to get the security context */
            .sessionManagement().maximumSessions(1).and().sessionFixation().none()
            .sessionCreationPolicy(SessionCreationPolicy.ALWAYS).and().authorizeRequests()
            /*
             * All access to the authentication service is permitted
             * without authentication (actually as anonymous)
             */
            .antMatchers("/auth/**").permitAll().antMatchers("/css/**").permitAll().antMatchers("/js/**")
            .permitAll().antMatchers("/accueil").permitAll()
            // .antMatchers("/**").permitAll()
            /*
             * All the other requests need an authentication. Role access is
             * done on methods using annotations like @PreAuthorize
             */
            .anyRequest().authenticated().and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class).csrf()
            .csrfTokenRepository(csrfTokenRepository()).disable();
}


Can you help me to fix my session issue please?

Recommended answer


It seems to be an Angular2 issue which doesn't send the cookie; I set this code in my constructor before calling my REST API:

constructor(private _http: Http) {
    // Wrap the XHR factory so every request carries cookies (withCredentials)
    let _build = (<any>_http)._backend._browserXHR.build;
    (<any>_http)._backend._browserXHR.build = () => {
        let _xhr = _build();
        _xhr.withCredentials = true;
        return _xhr;
    };
}


And now my JSESSIONID is sent with every request.
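The behaviour behind the question, as an added example that is not part of the question or the answer and is not Spring Security code: a servlet container mints a fresh session id for every request that arrives without the session cookie, and reuses the session as soon as the browser sends the cookie back. The second function shows the server-side counterpart of the answer's `withCredentials` fix: once the client sends cookies cross-origin, the browser only accepts the response if the CORS headers echo the exact origin and allow credentials (a wildcard origin is rejected for credentialed requests). Session ids, origins and header values below are constructed for illustration.

```python
"""Model of the JSESSIONID symptom and of the CORS headers a credentialed
client needs. Added example; not code from the question, the answer, or
Spring Security. All ids and origins are constructed."""
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Minimal server-side session store keyed by JSESSIONID."""

    def __init__(self):
        self.sessions = {}

    def handle_request(self, headers):
        """Return (session_id, created, set_cookie_header_or_None).

        `headers` is a dict of request headers. A request carrying a
        JSESSIONID the store knows reuses that session; anything else (no
        Cookie header, or an unknown id) gets a new session plus a Set-Cookie
        header, which is exactly what the question observed on every GET.
        """
        cookie = SimpleCookie()
        cookie.load(headers.get("Cookie", ""))
        morsel = cookie.get("JSESSIONID")
        if morsel is not None and morsel.value in self.sessions:
            return morsel.value, False, None
        sid = secrets.token_hex(16).upper()  # constructed id format
        self.sessions[sid] = {}
        # HttpOnly keeps the id away from page scripts, Secure restricts it to
        # TLS, SameSite controls whether a cross-site page can make the
        # browser attach it.
        set_cookie = f"JSESSIONID={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
        return sid, True, set_cookie


def simulate_client(send_cookie):
    """Drive a login POST and a protected GET through the store.

    Returns ([first_sid, second_sid], second_request_created_new_session), so
    the caller can see whether the second request reused the first session.
    """
    store = SessionStore()
    sid1, _, set_cookie = store.handle_request({})  # authentication POST
    headers = {}
    if send_cookie:
        # A browser echoes only the name=value pair from Set-Cookie.
        headers["Cookie"] = set_cookie.split(";", 1)[0]
    sid2, created2, _ = store.handle_request(headers)  # protected GET
    return [sid1, sid2], created2


def cors_headers(request_origin, allowed_origins):
    """Response headers for a credentialed cross-origin request.

    With XHR withCredentials (or fetch credentials: 'include') the browser
    discards the response unless Access-Control-Allow-Credentials is "true"
    and Access-Control-Allow-Origin is the exact requesting origin; "*" is
    not accepted. Unknown origins get no CORS headers at all.
    """
    if request_origin not in allowed_origins:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    ids, created = simulate_client(send_cookie=False)
    print("without cookie: new session on GET?", created, ids)
    ids, created = simulate_client(send_cookie=True)
    print("with cookie:    new session on GET?", created, ids)
    print(cors_headers("https://app.example", {"https://app.example"}))
```

Run without the cookie, the two ids differ and the GET creates a second session, which is the question's symptom; with the cookie echoed back, the session is reused. The CORS helper is the check to pair with the answer: the client-side `withCredentials` only works if the server's CORS filter allows credentials and names the origin explicitly.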
