没有cookie的Spring安全会话 [英] Spring Security Sessions without cookies
问题描述
我正在尝试在不使用Cookie的情况下管理Spring Security中的会话。原因是 - 我们的应用程序显示在另一个域的iframe中,我们需要在我们的应用程序中管理会话,并且Safari限制了跨域cookie的创建。 (上下文:domainA.com在iframe中显示domainB.com.domainB.com正在设置一个JSESSIONID cookie以在domainB.com上使用,但由于用户的浏览器显示domainA.com - Safari限制domainB.com创建cookie) 。
I'm trying to manage sessions in Spring Security without leveraging cookies. The reasoning is - our application is displayed within an iframe from another domain, we need to manage sessions in our application, and Safari restricts cross-domain cookie creation. (context : domainA.com displays domainB.com in an iframe. domainB.com is setting a JSESSIONID cookie to leverage on domainB.com, but since the user's browser is showing domainA.com - Safari restricts domainB.com from creating the cookie).
我认为实现这一目标的唯一方法(针对OWASP安全建议) - 将URL中的JSESSIONID作为GET参数包含在内。我不想这样做,但我想不出另一种选择。
The only way I can think to achieve this (against OWASP security recommendations) - is to include the JSESSIONID in the URL as a GET parameter. I don't WANT to do this, but I can't think of an alternative.
所以这个问题都是关于:
So this question is both about :
- 是否有更好的替代解决方案这个问题?
- 如果没有 - 我怎么能用Spring Security实现这个目标
回顾Spring的关于此的文档,使用 enableSessionUrlRewriting 应该允许这个
Reviewing Spring's Documentation around this, using enableSessionUrlRewriting should allow for this
所以我这样做了:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
.enableSessionUrlRewriting(true)
这不是不要将JSESSIONID添加到URL,但现在应该允许它。然后,我利用在此问题中找到的一些代码来设置跟踪模式到URL
This didn't add the JSESSIONID to the URL, but it should be allowed now. I then leveraged some code found in this question to set the "tracking mode" to URL
@SpringBootApplication
public class MyApplication extends SpringBootServletInitializer {
@Override
public void onStartup(ServletContext servletContext) throws ServletException {
super.onStartup(servletContext);
servletContext
.setSessionTrackingModes(
Collections.singleton(SessionTrackingMode.URL)
);
即使在此之后 - 应用程序仍然将JSESSIONID添加为cookie而不是URL。
Even after this - the application still adds the JSESSIONID as a cookie and not in the URL.
有人可以帮我指点正确的方向吗?
Can someone help point me in the right direction here?
推荐答案
你看过 Spring Session:HttpSession& RestfulAPI 使用HTTP标头而不是cookie。请参阅 REST示例中的REST示例项目。
Have you looked at Spring Session: HttpSession & RestfulAPI which uses HTTP headers instead of cookies. See the REST sample projects in REST Sample.
这篇关于没有cookie的Spring安全会话的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!