没有 cookie 的 Spring Security Sessions [英] Spring Security Sessions without cookies
问题描述
我正在尝试在不利用 cookie 的情况下管理 Spring Security 中的会话.原因是 - 我们的应用程序显示在来自另一个域的 iframe 中,我们需要在我们的应用程序中管理会话,和 Safari 限制跨域 cookie 创建.(上下文:domainA.com 在 iframe 中显示 domainB.com.domainB.com 正在设置 JSESSIONID cookie 以利用 domainB.com,但由于用户的浏览器显示 domainA.com - Safari 限制 domainB.com 创建 cookie).
I'm trying to manage sessions in Spring Security without leveraging cookies. The reasoning is - our application is displayed within an iframe from another domain, we need to manage sessions in our application, and Safari restricts cross-domain cookie creation. (context : domainA.com displays domainB.com in an iframe. domainB.com is setting a JSESSIONID cookie to leverage on domainB.com, but since the user's browser is showing domainA.com - Safari restricts domainB.com from creating the cookie).
我认为要实现这一点的唯一方法(违反 OWASP 安全建议) - 是将 JSESSIONID 作为 GET 参数包含在 URL 中.我不想这样做,但我想不出替代方案.
The only way I can think to achieve this (against OWASP security recommendations) - is to include the JSESSIONID in the URL as a GET parameter. I don't WANT to do this, but I can't think of an alternative.
所以这个问题都是关于:
So this question is both about :
- 是否有更好的替代方法来解决这个问题?
- 如果没有 - 我如何使用 Spring Security 实现这一点
使用 enableSessionUrlRewriting 应该允许这样做
Reviewing Spring's Documentation around this, using enableSessionUrlRewriting should allow for this
所以我已经这样做了:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
.enableSessionUrlRewriting(true)
这并没有将 JSESSIONID 添加到 URL,但现在应该允许它.然后我利用在这个问题中找到的一些代码来设置跟踪模式"到网址
This didn't add the JSESSIONID to the URL, but it should be allowed now. I then leveraged some code found in this question to set the "tracking mode" to URL
@SpringBootApplication
public class MyApplication extends SpringBootServletInitializer {
@Override
public void onStartup(ServletContext servletContext) throws ServletException {
super.onStartup(servletContext);
servletContext
.setSessionTrackingModes(
Collections.singleton(SessionTrackingMode.URL)
);
即使在此之后 - 应用程序仍将 JSESSIONID 添加为 cookie 而不是在 URL 中.
Even after this - the application still adds the JSESSIONID as a cookie and not in the URL.
有人能帮我指明正确的方向吗?
Can someone help point me in the right direction here?
推荐答案
你看过 Spring 会话:HttpSession &RestfulAPI 使用 HTTP 标头而不是 cookie.请参阅REST 示例中的 REST 示例项目.
Have you looked at Spring Session: HttpSession & RestfulAPI which uses HTTP headers instead of cookies. See the REST sample projects in REST Sample.
这篇关于没有 cookie 的 Spring Security Sessions的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!