create-session stateless usage


Problem description

I was hoping that changing into create-session="stateless" would be the end of it to achieve stateless spring security in my webapp, but it is not so.

With that change, the spring security seems to be not working, since (my assumption) spring security doesn't store anything in the session, and cannot do authentication to secured web requests.

How do I use this stateless feature?

I cannot seem to find any relevant examples yet on how to achieve stateless spring security for a stateless webapp.

Thanks!

Recommended answer

I have a Spring-based webapp which has fully stateless security, and the only way to make it work like that is to disable session creation completely (with create-session="never"). That forces re-authentication with each request, so you'll be wanting to also configure the webapp to use HTTP Basic Auth or Digest Auth (over HTTPS, of course) as those don't require a particularly complex negotiation (by contrast, form-based login and OAuth both require a session because they have a much more complicated process for establishing the authentication context). That means you'll want to put an element like <security:http-basic /> inside your <security:http> element.

(The advantage of doing it this way is that it enables extremely simple client libraries as they don't have to do cookie/session management. The cost is some processing overhead — the establishment of what set of roles the user is participating as will have to be recomputed on each request — and some limitations on which authentication mechanisms you can use.)
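The configuration the answer describes, written out as an added example (this is not the answerer's own config, and the `/api/**` URL pattern, the `alice` user and the in-memory user service are assumptions made for illustration). Session creation is switched off with create-session="never", HTTPS is required on the protected URLs, and <security:http-basic/> supplies per-request credentials in place of a form login:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- No HttpSession is ever created by Spring Security, so nothing survives
         between requests: each request must carry its own credentials.
         HTTP Basic over HTTPS provides them in a single round trip, which is
         why it fits here where form login (multi-step, session-backed) does not. -->
    <security:http create-session="never" use-expressions="true">
        <!-- Assumed URL layout: everything under /api/ is a protected resource
             and must arrive over TLS so the Basic credentials are not sent in clear. -->
        <security:intercept-url pattern="/api/**"
                                access="hasRole('ROLE_USER')"
                                requires-channel="https"/>
        <security:http-basic/>
    </security:http>

    <!-- Constructed in-memory user for the example only; a real deployment
         would back this with JDBC/LDAP and a password encoder. -->
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="alice" password="s3cret" authorities="ROLE_USER"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
```

With this in place a client authenticates on every call, for example `curl -u alice:s3cret https://example.invalid/api/ping` (host assumed), and no JSESSIONID cookie is issued. The roles for `alice` are re-resolved from the user service on each request, which is the processing cost the answer mentions.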

