How to stop Spring Boot from adding session cookies?


Problem description

I have a Spring Boot web application that I'm trying to make stateless. In my WebSecurityConfigurerAdapter I have set

    http
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)

But the application (which uses Thymeleaf templates) keeps rewriting URLs for images and scripts by appending ";jsessionid=<some_session_id>" to the file name. In addition to giving me a cookie I don't want, it also has the annoying side effect that Spring Security blocks the request because it has a semicolon in the URL!

Thymeleaf says this is the intended and desired behavior and says it's not their fault: Thymeleaf merely asks the "Servlet API" to rewrite the URL, and that we should "configure the application at the Tomcat context level" to solve the problem.

So, how do I do that? I have a custom JWT cookie for authorization so I don't want or need the session cookie at all, certainly not in rewritten URLs.

Recommended answer

The jsessionid behavior has nothing to do with STATELESS.

Initially, the servlet container does not know whether the client (browser) supports cookies or not.

Therefore, on the first request to the page (typically an HTTP GET):

  1. The servlet container will append the ;jsessionid=... to all URLs.
  2. The servlet container will (try) to set a cookie with the jsessionid.

When clicking on a link or submitting a form (HTTP GET/POST), the browser will send the cookie back to the server IF AND ONLY IF the browser accepted the cookie set in the first place. Now the servlet container can identify whether the jsessionid came from the cookie (transmitted via the HTTP request header) or from the URL.

If the jsessionid originated from the cookie, the servlet container will stop appending the ;jsessionid=... to the URLs. If the jsessionid originated from the URL you clicked, it will continue appending the ;jsessionid= to all URLs.

This has nothing to do with STATELESS or any other configuration of the SessionCreationPolicy.

Take a look at the Spring Security documentation for the SessionCreationPolicy:

    /** Always create an {@link HttpSession} */
    ALWAYS,
    /**
     * Spring Security will never create an {@link HttpSession}, but will use the
     * {@link HttpSession} if it already exists
     */
    NEVER,
    /** Spring Security will only create an {@link HttpSession} if required */
    IF_REQUIRED,
    /**
     * Spring Security will never create an {@link HttpSession} and it will never use it
     * to obtain the {@link SecurityContext}
     */
    STATELESS

Update:

To disable the tracking mode via URL, set the following property:

    server.servlet.session.tracking-modes: COOKIE

See: https://docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html
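As an added example (not code from the question or the answer), the same setting applied at the servlet-context level, which is the "Tomcat context level" configuration Thymeleaf points to, followed by a test that checks the effect on a cookie-less first request against the embedded container. It assumes Spring Boot 2.x with JUnit 5 and AssertJ on the test classpath, an `@SpringBootApplication` class in the same package tree, and that `/` renders a Thymeleaf page reachable without authentication; class and file names are hypothetical.

```java
// File 1 (hypothetical name): SessionTrackingConfig.java
// Programmatic equivalent of server.servlet.session.tracking-modes=COOKIE.
// javax.servlet matches the Boot 2.x era of the question; Boot 3.x uses jakarta.servlet.
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.SessionTrackingMode;
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SessionTrackingConfig implements ServletContextInitializer {
    @Override
    public void onStartup(ServletContext servletContext) {
        // COOKIE only: the container stops appending ";jsessionid=..." in
        // response.encodeURL(), which is what Thymeleaf calls for @{...} links.
        servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }
}

// File 2 (hypothetical name): NoSessionCookieTest.java
// Runs against the embedded container, so URL rewriting is real (MockMvc would not show it).
import static org.assertj.core.api.Assertions.assertThat;
import java.util.List;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseEntity;

@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
class NoSessionCookieTest {
    @Autowired
    TestRestTemplate rest;

    @Test
    void firstRequestNeitherRewritesUrlsNorSetsSessionCookie() {
        // Fresh client without cookies: the "first request" the answer describes.
        ResponseEntity<String> response = rest.getForEntity("/", String.class);

        // Tracking mode COOKIE: no rendered link carries ";jsessionid=".
        assertThat(response.getBody()).doesNotContain(";jsessionid=");

        // No JSESSIONID cookie either. This part only holds when nothing calls
        // request.getSession(true); a failure here points at whatever still creates a session.
        List<String> setCookie = response.getHeaders().getOrEmpty(HttpHeaders.SET_COOKIE);
        assertThat(setCookie).noneMatch(c -> c.startsWith("JSESSIONID="));
    }
}
```

Restricting the tracking mode removes the URL rewriting that trips Spring Security's semicolon check; the cookie itself only goes away once no filter, view or controller creates a session, which the second assertion is there to catch.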
