Add secure flag to JSESSIONID cookie in spring automatically


Problem description

I have a tomcat application server that is behind an nginx. SSL terminates on the nginx. The Spring web-mvc application that is deployed on the tomcat should set the secure flag on the JSESSIONID. It would be cool if spring had some automatic detection for this, so I don't get bothered during development, because I don't have SSL there.

Is there a way to tell spring to set the flag automatically?

I use JavaConfig to set up the application and use Maven to create a deployable war file.

I have checked this already, but it looks somehow ugly and static: set 'secure' flag to JSESSION id cookie

Recommended answer

When you use spring-session, e.g. to persist your session in redis, this is indeed done automatically. The cookie is then created by org.springframework.session.web.http.CookieHttpSessionStrategy, which in CookieHttpSessionStrategy#createSessionCookie checks whether the request came via HTTPS and sets secure accordingly:

sessionCookie.setSecure(request.isSecure());

If you do not use spring-session, you can configure secure cookies using a ServletContextInitializer. Use an application property to set it to true/false depending on the profile.

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
// Spring Boot 2.x package; in Boot 1.x the same interface lives in
// org.springframework.boot.context.embedded.ServletContextInitializer
import org.springframework.boot.web.servlet.ServletContextInitializer;

// Runs once at startup and flags the container's session cookie (JSESSIONID)
// as Secure when the "secure.cookie" property is true for the active profile.
@Bean
public ServletContextInitializer servletContextInitializer(@Value("${secure.cookie}") boolean secure) {
    return new ServletContextInitializer() {

        @Override
        public void onStartup(ServletContext servletContext) throws ServletException {
            servletContext.getSessionCookieConfig().setSecure(secure);
        }
    };
}

application.properties (used in dev when profile 'prod' is not active):

secure.cookie=false

application-prod.properties (only used when profile 'prod' is active, overrides the value in application.properties):

secure.cookie=true

Start your application on the prod server with:

--spring.profiles.active=prod

It sounds like some effort if you have not worked with profiles so far, but you will most likely need a profile for the prod environment anyway, so it is really worth it.
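The answer's spring-session path relies on request.isSecure(), and that is exactly what breaks in the setup from the question: TLS terminates on nginx, Tomcat only ever sees plain HTTP, so request.isSecure() is false and the cookie would be created without Secure. The following configuration is an added example (not code from the question, the answer, or the Spring project). It assumes Spring Boot 2.x on embedded Tomcat; the package name, the property keys secure.cookie and proxy.internal-addresses, and the nginx address are my own choices. It combines the static profile-driven flag from the answer (extended with HttpOnly) with Tomcat's RemoteIpValve, which makes request.isSecure() honour X-Forwarded-Proto from a trusted proxy, so both Tomcat's own JSESSIONID handling and spring-session's createSessionCookie see the request as HTTPS.

```java
// Added example, not part of the original answer. Assumes Spring Boot 2.x with
// embedded Tomcat; the package and property names are hypothetical.
package example.session;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;

import org.apache.catalina.valves.RemoteIpValve;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SessionCookieConfiguration {

    /**
     * Static approach: Secure comes from the "secure.cookie" property, which is
     * false in application.properties (dev) and true in application-prod.properties.
     * HttpOnly is always on, so page scripts cannot read the session id.
     */
    @Bean
    public ServletContextInitializer sessionCookieInitializer(
            @Value("${secure.cookie}") boolean secure) {
        return new ServletContextInitializer() {
            @Override
            public void onStartup(ServletContext servletContext) throws ServletException {
                SessionCookieConfig cookie = servletContext.getSessionCookieConfig();
                cookie.setSecure(secure);
                cookie.setHttpOnly(true);
            }
        };
    }

    /**
     * Proxy-aware approach: TLS ends at nginx, so Tomcat sees http:// and
     * request.isSecure() is false. RemoteIpValve rewrites the scheme and the
     * secure flag from X-Forwarded-Proto, but only for connections coming from
     * an address matching internalProxies; a client that reaches Tomcat
     * directly cannot spoof the header. nginx must send
     *     proxy_set_header X-Forwarded-Proto $scheme;
     * The default below trusts only a proxy on localhost (regex, hypothetical).
     */
    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> remoteIpValveCustomizer(
            @Value("${proxy.internal-addresses:127\\.0\\.0\\.1}") String internalProxies) {
        return factory -> {
            RemoteIpValve valve = new RemoteIpValve();
            valve.setRemoteIpHeader("X-Forwarded-For");
            valve.setProtocolHeader("X-Forwarded-Proto");
            valve.setInternalProxies(internalProxies);
            factory.addEngineValves(valve);
        };
    }
}
```

With the valve in place the automatic detection the question asks for works without a profile switch for the cookie itself: requests arriving through nginx over HTTPS get a Secure JSESSIONID, plain local requests in development do not. Keep the internalProxies pattern as narrow as the real proxy address; trusting every source turns X-Forwarded-Proto into a client-controlled value. Spring Boot 2.2 and later can register the same valve for you with server.forward-headers-strategy=native. To verify, request the application through nginx with curl -sI https://your-host/ and confirm the Set-Cookie header for JSESSIONID carries both Secure and HttpOnly.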
