我可以关闭web.xml中的HttpSession吗? [英] Can I turn off the HttpSession in web.xml?
问题描述
我想完全消除HttpSession - 我可以在web.xml中这样做吗?我确信有一些特定于容器的方法(当我进行Google搜索时,搜索结果会出现这种情况)。
P.S。这是一个坏主意吗?我更喜欢完全禁用它,直到我真正需要它们。
我想要完全消除HttpSession
你无法完全禁用它。您需要做的就是不通过 request.getSession()或请求获取它的句柄.getSession(true)在您的webapplication代码中的任何位置,并通过设置<%@ page session =false%>确保您的JSP不会隐式执行此操作。
如果您的主要问题实际上是禁用在 HttpSession ,那么你可以在Java EE 5 / Servlet 2.5中只在特定于服务器的webapp配置中这样做。在例如Tomcat中,您可以在< Context> <中将 cookies 属性设置为 false / code>元素。
< Context cookies =false>
另见 Tomcat特定文档。这样,会话将不会保留在后续的URL重写请求中 - 只要您出于某种原因从请求中获取它时。毕竟,如果你不需要它,只是不抓住它,那么根本不会创建/保留它。
<或者,如果您已经使用Java EE 6 / Servlet 3.0或更高版本,并且真的想通过
web.xml 进行,那么您可以使用新的< cookie-config> web.xml 中的元素,如下所示,以清除最大年龄: < session-config>
< session-timeout> 1< / session-timeout>
< cookie-config>
< max-age> 0< / max-age>
< / cookie-config>
< / session-config>
如果你想在webapplication中进行硬编码,那么 getSession()永远不会返回 HttpSession (或空 HttpSession ),那么你需要创建一个过滤器,监听 url-pattern 的 / * ,它取代 HttpServletRequest HttpServletRequestWrapper 实现,它返回所有 getSession()方法 null ,或者虚拟自定义 HttpSession 实现,它什么都不做,甚至抛出 UnsupportedOperationException 。
@Override
public void doFilter(ServletRequest请求,ServletResponse响应,FilterChain链)抛出IOException,ServletException {
chain.doFilter(new HttpServletRequestWrapper(( HttpServletRequest)请求){
@Override
public HttpSession getSession(){
return null;
}
@Override
public HttpSession getSession(boolean create){
return null;
}
},响应);
}
PS这是一个坏主意吗?我宁愿完全禁用它,直到我真正需要它们。
如果你不需要它们,只需要'使用它们。就这样。真的:)
I would like to eliminate the HttpSession completely - can I do this in web.xml? I'm sure there are container specific ways to do it (which is what crowds the search results when I do a Google search).
P.S. Is this a bad idea? I prefer to completely disable things until I actually need them.
I would like to eliminate the HttpSession completely
You can't entirely disable it. All you need to do is to just not to get a handle of it by either request.getSession() or request.getSession(true) anywhere in your webapplication's code and making sure that your JSPs don't implicitly do that by setting <%@page session="false"%>.
If your main concern is actually disabling the cookie which is been used behind the scenes of HttpSession, then you can in Java EE 5 / Servlet 2.5 only do so in the server-specific webapp configuration. In for example Tomcat you can set the cookies attribute to false in <Context> element.
<Context cookies="false">
Also see this Tomcat specific documentation. This way the session won't be retained in the subsequent requests which aren't URL-rewritten --only whenever you grab it from the request for some reason. After all, if you don't need it, just don't grab it, then it won't be created/retained at all.
Or, if you're already on Java EE 6 / Servlet 3.0 or newer, and really want to do it via web.xml, then you can use the new <cookie-config> element in web.xml as follows to zero-out the max age:
<session-config>
<session-timeout>1</session-timeout>
<cookie-config>
<max-age>0</max-age>
</cookie-config>
</session-config>
If you want to hardcode in your webapplication so that getSession() never returns a HttpSession (or an "empty" HttpSession), then you'll need to create a filter listening on an url-pattern of /* which replaces the HttpServletRequest with a HttpServletRequestWrapper implementation which returns on all getSession() methods null, or a dummy custom HttpSession implementation which does nothing, or even throws UnsupportedOperationException.
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
chain.doFilter(new HttpServletRequestWrapper((HttpServletRequest) request) {
@Override
public HttpSession getSession() {
return null;
}
@Override
public HttpSession getSession(boolean create) {
return null;
}
}, response);
}
P.S. Is this a bad idea? I prefer to completely disable things until I actually need them.
If you don't need them, just don't use them. That's all. Really :)
这篇关于我可以关闭web.xml中的HttpSession吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
