我可以关闭 web.xml 中的 HttpSession 吗? [英] Can I turn off the HttpSession in web.xml?
问题描述
我想完全消除 HttpSession - 我可以在 web.xml 中这样做吗?我确信有容器特定的方法可以做到这一点(当我进行 Google 搜索时,这就是搜索结果拥挤的原因).
附言这是一个坏主意吗?我更喜欢在我真正需要它们之前完全禁用它们.
我想彻底消除HttpSession
您不能完全禁用它.您需要做的就是不要通过request.getSession()
或request.getSession(true)
来处理它Web 应用程序代码中的任何位置,并通过设置 <%@page session="false"%>
来确保您的 JSP 不会隐式执行此操作.
如果您主要关心的是禁用在 HttpSession
幕后使用的 cookie,那么您可以在 Java EE 5/Servlet 2.5 中仅在特定于服务器的 webapp 配置中这样做.例如,在 Tomcat 中,您可以在
元素中将 cookies
属性设置为 false
.
另请参阅此 Tomcat 特定文档.这样,会话将不会保留在未重写 URL 的后续请求中——仅当您出于某种原因从请求中获取它时.毕竟,如果你不需要它,只是不要抢它,那么它根本不会被创建/保留.
或者,如果您已经使用 Java EE 6/Servlet 3.0 或更新版本,并且真的想通过 web.xml
来实现,那么您可以使用新的 <cookie
元素,如下所示将最大年龄归零:web.xml
中的 -config>
<会话超时>1</会话超时><cookie-config><max-age>0</max-age></cookie-config></session-config>
如果您想在 Web 应用程序中进行硬编码,以便 getSession()
永远不会返回 HttpSession
(或空"HttpSession
),那么你需要创建一个过滤器来监听 /*
的 url-pattern
用 HttpServletRequestWrapper
实现,它返回所有 getSession()
方法 null
,或者一个虚拟的自定义 HttpSession
实现,它什么都不做,甚至抛出 UnsupportedOperationException
.>
@Overridepublic void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) 抛出 IOException, ServletException {chain.doFilter(新的 HttpServletRequestWrapper((HttpServletRequest)请求){@覆盖公共 HttpSession getSession() {返回空;}@覆盖公共 HttpSession getSession(布尔创建){返回空;}}, 回复);}
<小时><块引用>
P.S.这是一个坏主意吗?我更喜欢在我真正需要它们之前完全禁用它们.
如果你不需要它们,就不要使用它们.就这样.真的:)
I would like to eliminate the HttpSession completely - can I do this in web.xml? I'm sure there are container specific ways to do it (which is what crowds the search results when I do a Google search).
P.S. Is this a bad idea? I prefer to completely disable things until I actually need them.
I would like to eliminate the HttpSession completely
You can't entirely disable it. All you need to do is to just not to get a handle of it by either request.getSession()
or request.getSession(true)
anywhere in your webapplication's code and making sure that your JSPs don't implicitly do that by setting <%@page session="false"%>
.
If your main concern is actually disabling the cookie which is been used behind the scenes of HttpSession
, then you can in Java EE 5 / Servlet 2.5 only do so in the server-specific webapp configuration. In for example Tomcat you can set the cookies
attribute to false
in <Context>
element.
<Context cookies="false">
Also see this Tomcat specific documentation. This way the session won't be retained in the subsequent requests which aren't URL-rewritten --only whenever you grab it from the request for some reason. After all, if you don't need it, just don't grab it, then it won't be created/retained at all.
Or, if you're already on Java EE 6 / Servlet 3.0 or newer, and really want to do it via web.xml
, then you can use the new <cookie-config>
element in web.xml
as follows to zero-out the max age:
<session-config>
<session-timeout>1</session-timeout>
<cookie-config>
<max-age>0</max-age>
</cookie-config>
</session-config>
If you want to hardcode in your webapplication so that getSession()
never returns a HttpSession
(or an "empty" HttpSession
), then you'll need to create a filter listening on an url-pattern
of /*
which replaces the HttpServletRequest
with a HttpServletRequestWrapper
implementation which returns on all getSession()
methods null
, or a dummy custom HttpSession
implementation which does nothing, or even throws UnsupportedOperationException
.
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
chain.doFilter(new HttpServletRequestWrapper((HttpServletRequest) request) {
@Override
public HttpSession getSession() {
return null;
}
@Override
public HttpSession getSession(boolean create) {
return null;
}
}, response);
}
P.S. Is this a bad idea? I prefer to completely disable things until I actually need them.
If you don't need them, just don't use them. That's all. Really :)
这篇关于我可以关闭 web.xml 中的 HttpSession 吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!