没有 cookie 的 Spring Security Sessions [英] Spring Security Sessions without cookies

问题描述

我正在尝试在不利用 cookie 的情况下管理 Spring Security 中的会话.原因是 - 我们的应用程序显示在来自另一个域的 iframe 中，我们需要在我们的应用程序中管理会话，和 Safari 限制跨域 cookie 创建.(上下文:domainA.com 在 iframe 中显示 domainB.com.domainB.com 正在设置 JSESSIONID cookie 以利用 domainB.com，但由于用户的浏览器显示 domainA.com - Safari 限制 domainB.com 创建 cookie).

I'm trying to manage sessions in Spring Security without leveraging cookies. The reasoning is - our application is displayed within an iframe from another domain, we need to manage sessions in our application, and Safari restricts cross-domain cookie creation. (context : domainA.com displays domainB.com in an iframe. domainB.com is setting a JSESSIONID cookie to leverage on domainB.com, but since the user's browser is showing domainA.com - Safari restricts domainB.com from creating the cookie).

我认为要实现这一点的唯一方法(违反 OWASP 安全建议) - 是将 JSESSIONID 作为 GET 参数包含在 URL 中.我不想这样做，但我想不出替代方案.

The only way I can think to achieve this (against OWASP security recommendations) - is to include the JSESSIONID in the URL as a GET parameter. I don't WANT to do this, but I can't think of an alternative.

所以这个问题都是关于:

So this question is both about :

• 是否有更好的替代方法来解决这个问题?
• 如果没有 - 我如何使用 Spring Security 实现这一点

使用 enableSessionUrlRewriting 应该允许这样做

Reviewing Spring's Documentation around this, using enableSessionUrlRewriting should allow for this

所以我已经这样做了:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
            .enableSessionUrlRewriting(true)

这并没有将 JSESSIONID 添加到 URL，但现在应该允许它.然后我利用在这个问题中找到的一些代码来设置跟踪模式"到网址

This didn't add the JSESSIONID to the URL, but it should be allowed now. I then leveraged some code found in this question to set the "tracking mode" to URL

@SpringBootApplication
public class MyApplication extends SpringBootServletInitializer {

   @Override
   public void onStartup(ServletContext servletContext) throws ServletException {
      super.onStartup(servletContext);

      servletContext
        .setSessionTrackingModes(
            Collections.singleton(SessionTrackingMode.URL)
      );

即使在此之后 - 应用程序仍将 JSESSIONID 添加为 cookie 而不是在 URL 中.

Even after this - the application still adds the JSESSIONID as a cookie and not in the URL.

有人能帮我指明正确的方向吗?

Can someone help point me in the right direction here?

推荐答案

你看过 Spring 会话:HttpSession &RestfulAPI 使用 HTTP 标头而不是 cookie.请参阅REST 示例中的 REST 示例项目.

Have you looked at Spring Session: HttpSession & RestfulAPI which uses HTTP headers instead of cookies. See the REST sample projects in REST Sample.

这篇关于没有 cookie 的 Spring Security Sessions的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！