Spring security session timeout for spring reactive

Problem description

I have a Reactive Application with Spring Security integrated; it was created by spring initializer with mainly three packages (spring boot, spring security and webflux).

I was trying to configure the session timeout by following configuration in application.properties:

    spring.session.timeout=1m

After starting the application with mvn spring-boot:run, it can be accessed by http://localhost:8080 and it asked me to log in (by default security setting). I can use the username user and the password generated on the console to log in.

Per my configuration, I expected that after 1 minute of idle time, when I refresh the page http://localhost:8080 again, it would ask me to re-login. But in fact it didn't, until 30 minutes later.

So I suspect the above configuration is not working

Did I use the wrong configuration?

The reproduction repo can be found here: https://github.com/ZhuBicen/ReactiveSpringSecurity.git

Recommended answer

Spring should probably allow an auto-configuration for your case above for the reactive stack as it does for servlet.

However, "session" is state and that state won't scale unless there is some persistent storage backing it. You can use the Spring Session abstraction with an in-memory ReactiveSessionRepository even if you don't (yet) have a backing store like Redis or something. When you do get a proper supported backing store and add the corresponding dependencies, you can delete your in-memory ReactiveSessionRepository as spring boot will auto-configure your ReactiveSessionRepository for you.

First, add the spring session dependency

    <dependency>
      <groupId>org.springframework.session</groupId>
      <artifactId>spring-session-core</artifactId>
    </dependency>

Second, manually create your ReactiveSessionRepository bean. (Note: this can be auto-configured for you if you're using Redis instead of in-memory, etc.)

    import lombok.RequiredArgsConstructor;
    import lombok.extern.slf4j.Slf4j;
    import org.springframework.boot.autoconfigure.session.SessionProperties;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.session.ReactiveMapSessionRepository;
    import org.springframework.session.ReactiveSessionRepository;
    import org.springframework.session.config.annotation.web.server.EnableSpringWebSession;

    import java.util.concurrent.ConcurrentHashMap;

    /**
     * This ReactiveSessionRepository isn't auto-configured so we need to create it and manually set the timeout on it.
     * Later, ReactiveRedisSessionRepository will be auto-configured so we can delete this
     */
    // https://www.baeldung.com/spring-session-reactive#in-memory-configuration
    @Configuration
    @EnableSpringWebSession
    @RequiredArgsConstructor // if lombok
    @Slf4j // if lombok
    public class SessionConfig {

        private final SessionProperties sessionProperties;

        @Bean
        public ReactiveSessionRepository reactiveSessionRepository() {
            ReactiveMapSessionRepository sessionRepository = new ReactiveMapSessionRepository(new ConcurrentHashMap<>());
            int defaultMaxInactiveInterval = (int) sessionProperties.getTimeout().toSeconds();
            sessionRepository.setDefaultMaxInactiveInterval(defaultMaxInactiveInterval);
            log.info("Set in-memory session defaultMaxInactiveInterval to {} seconds.", defaultMaxInactiveInterval);
            return sessionRepository;
        }
    }

Third, set the spring.session.timeout=3600 property.
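
A check that the idle timeout is actually enforced by the repository, since the question shows a timeout property being silently ignored. This is an added example, not part of the original answer; the class name `SessionTimeoutCheck` is hypothetical, and it assumes the Spring Session 2.x API used above (`setDefaultMaxInactiveInterval(int)`) with spring-session-core and reactor-core on the classpath.

```java
import org.springframework.session.MapSession;
import org.springframework.session.ReactiveMapSessionRepository;

import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.ConcurrentHashMap;

// Added example (hypothetical class name), assuming the Spring Session 2.x API used in the answer.
public class SessionTimeoutCheck {

    /** True if a session left idle for {@code idle} is no longer returned by the repository. */
    static boolean isRejectedAfterIdle(ReactiveMapSessionRepository repo, Duration idle) {
        MapSession session = repo.createSession().block();
        // Simulate idle time by backdating the last access instead of sleeping.
        session.setLastAccessedTime(Instant.now().minus(idle));
        repo.save(session).block();
        // findById() filters out expired sessions, so an empty result means "log in again".
        return repo.findById(session.getId()).block() == null;
    }

    public static void main(String[] args) {
        Duration idle = Duration.ofMinutes(2);

        // No timeout set: sessions keep MapSession's default of 30 minutes.
        ReactiveMapSessionRepository unconfigured =
                new ReactiveMapSessionRepository(new ConcurrentHashMap<>());

        // Timeout applied as in SessionConfig above, with the question's 1m value.
        ReactiveMapSessionRepository configured =
                new ReactiveMapSessionRepository(new ConcurrentHashMap<>());
        configured.setDefaultMaxInactiveInterval(60);

        boolean unconfiguredRejects = isRejectedAfterIdle(unconfigured, idle);
        boolean configuredRejects = isRejectedAfterIdle(configured, idle);
        System.out.println("unconfigured repository rejects 2-minute-idle session: " + unconfiguredRejects);
        System.out.println("configured repository rejects 2-minute-idle session:   " + configuredRejects);

        if (unconfiguredRejects || !configuredRejects) {
            throw new IllegalStateException("session idle timeout is not being enforced as configured");
        }
    }
}
```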
