Spring security session timeout for spring reactive
Problem description
I have a Reactive Application with Spring Security integrated; it was created by Spring Initializr with mainly three packages (spring boot, spring security and webflux).
I was trying to configure the session timeout with the following configuration in application.properties:
spring.session.timeout=1m
After starting the application with mvn spring-boot:run, it can be accessed at http://localhost:8080 and it asked me to log in (by default security setting). I can use the username user and the password generated on the console to log in.
Per my configuration, I expected that after 1 minute of idle time, when I refresh the page http://localhost:8080 again, it would ask me to log in again. But in fact it didn't, until 30 minutes later.
So I suspect the above configuration is not working.
Did I use the wrong configuration?
The reproduction repo can be found here: https://github.com/ZhuBicen/ReactiveSpringSecurity.git
Recommended answer
Spring should probably allow an auto-configuration for your case above for the reactive stack as it does for servlet.
However, "session" is state and that state won't scale unless there is some persistent storage backing it. You can use the Spring Session abstraction with an in-memory ReactiveSessionRepository even if you don't (yet) have a backing store like Redis or something. When you do get a proper supported backing store and add the corresponding dependencies, you can delete your in-memory ReactiveSessionRepository as Spring Boot will auto-configure your ReactiveSessionRepository for you.
First, add the spring session dependency:
<dependency>
    <groupId>org.springframework.session</groupId>
    <artifactId>spring-session-core</artifactId>
</dependency>
Second, manually create your ReactiveSessionRepository bean. (Note: this can be auto-configured for you if you're using Redis instead of in-memory, etc.)
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.boot.autoconfigure.session.SessionProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.ReactiveMapSessionRepository;
import org.springframework.session.ReactiveSessionRepository;
import org.springframework.session.config.annotation.web.server.EnableSpringWebSession;

import java.util.concurrent.ConcurrentHashMap;

/**
 * This ReactiveSessionRepository isn't auto-configured so we need to create it and manually set the timeout on it.
 * Later, ReactiveRedisSessionRepository will be auto-configured so we can delete this
 */
// https://www.baeldung.com/spring-session-reactive#in-memory-configuration
@Configuration
@EnableSpringWebSession
@RequiredArgsConstructor // if lombok
@Slf4j // if lombok
public class SessionConfig {

    private final SessionProperties sessionProperties;

    @Bean
    public ReactiveSessionRepository reactiveSessionRepository() {
        ReactiveMapSessionRepository sessionRepository = new ReactiveMapSessionRepository(new ConcurrentHashMap<>());
        int defaultMaxInactiveInterval = (int) sessionProperties.getTimeout().toSeconds();
        sessionRepository.setDefaultMaxInactiveInterval(defaultMaxInactiveInterval);
        log.info("Set in-memory session defaultMaxInactiveInterval to {} seconds.", defaultMaxInactiveInterval);
        return sessionRepository;
    }
}
Third, set the spring.session.timeout=3600 property.
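One way to confirm that the idle timeout set on the in-memory repository is actually enforced, as an added example that is not part of the original answer or the linked repository. It assumes Spring Session 2.x, where setDefaultMaxInactiveInterval takes seconds as an int as in the answer's code, plus reactor-core on the classpath; the class name SessionTimeoutCheck and the 60-second value are hypothetical.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.session.MapSession;
import org.springframework.session.ReactiveMapSessionRepository;
import org.springframework.session.Session;

// Added example (hypothetical class name): checks that the in-memory
// repository enforces the idle timeout configured on it.
public class SessionTimeoutCheck {

    public static void main(String[] args) {
        int timeoutSeconds = 60; // constructed value, stands in for a 1-minute timeout

        Map<String, Session> store = new ConcurrentHashMap<>();
        ReactiveMapSessionRepository repository = new ReactiveMapSessionRepository(store);
        repository.setDefaultMaxInactiveInterval(timeoutSeconds);

        // A new session must carry the configured interval, not MapSession's 30-minute default.
        MapSession session = repository.createSession().block();
        require(session.getMaxInactiveInterval().equals(Duration.ofSeconds(timeoutSeconds)),
                "new session did not pick up the configured timeout");
        repository.save(session).block();
        require(repository.findById(session.getId()).block() != null,
                "fresh session should be returned");

        // Simulate idleness just past the limit by back-dating the last access.
        session.setLastAccessedTime(Instant.now().minusSeconds(timeoutSeconds + 1));
        repository.save(session).block();

        // findById filters out expired sessions and removes them from the backing map.
        require(repository.findById(session.getId()).block() == null,
                "expired session was still returned");
        require(!store.containsKey(session.getId()),
                "expired session was not evicted from the backing map");

        System.out.println("Idle timeout of " + timeoutSeconds + "s is enforced.");
    }

    private static void require(boolean condition, String message) {
        if (!condition) {
            throw new IllegalStateException(message);
        }
    }
}
```

The in-memory repository only drops an expired session when it is looked up, so an idle session stays in the map until the next request that presents its id.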