如何让 Spring Boot 从不发出会话 cookie? [英] How to make spring boot never issue session cookie?

问题描述

我正在使用 Spring Boot 开发 Restful API 服务器.我将我的项目配置为使用基本身份验证，如下所示.

I'm developing Restful API server by using spring boot. I configured my project to use basic authentication as below.

@ComponentScan
@EnableAutoConfiguration
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    ...
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER).and()
            .csrf().disable()
            .authorizeRequests().anyRequest().hasRole("USER").and()
            .httpBasic();
    }
    ...
}

但是当我通过 Chrome-Postman-Plugin 测试 API 时，在第一次调用后，服务器从不需要用户凭据.我注意到创建了JSESSIONID"cookie.

But when I tested the API by Chrome-Postman-Plugin, after first call, server never require user credential. And I noticed that 'JSESSIONID' cookie was created.

我的项目中没有其他安全配置.我想知道为什么会发生这种情况...

There are no other security configurations in my project. I wonder why this happens...

推荐答案

您是否尝试过使用 SessionCreationPolicy.STATELESS.spring 文档:

Have you tried using SessionCreationPolicy.STATELESS. There is a subtle difference between STATELESS and NEVER in the spring docs:

STATELESS:Spring Security 永远不会创建 HttpSession 并且永远不会使用它来获取 SecurityContext.

STATELESS: Spring Security will never create an HttpSession and it will never use it to obtain the SecurityContext.

NEVER:Spring Security 永远不会创建 HttpSession，但会使用已经存在的 HttpSession.

NEVER: Spring Security will never create an HttpSession, but will use the HttpSession if it already exists.

所以我建议您清除所有 cookie，将其切换到 STATELESS 并重试.可能是您在切换到 NEVER 时已经有了 HttpSession.

So I would suggest that you clear all your cookies, switch it to STATELESS and try again. It could be that you had already an HttpSession when you switched to NEVER.

这篇关于如何让 Spring Boot 从不发出会话 cookie?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！