[Posted]: 2020-10-12 00:26:44
[Question]:
We have a Spring MVC application, and I think there is some misconfiguration in session or cookie management. Basically we have configuration for resources, session configuration and security.
XML configuration:
<security:http auto-config="false" use-expressions="true"
               disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint"
               create-session="ifRequired">
    <security:headers>
        <security:frame-options policy="SAMEORIGIN"/>
    </security:headers>
    <security:csrf disabled="true"/>
    <security:custom-filter ref="sessionFilter" before="SESSION_MANAGEMENT_FILTER" />
    <security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter" />
    <security:intercept-url pattern="/resources/**" access="permitAll()"/>
    ...
</security:http>
Session filter:
import java.io.IOException;
import java.util.Arrays;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SessionFilter implements Filter {

    private boolean httpOnly = false;
    private boolean secure = false;

    public SessionFilter(boolean httpOnly, boolean secure) {
        this.httpOnly = httpOnly;
        this.secure = secure;
    }

    public SessionFilter() {
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Skip the health-check client; for every other request look for the
        // JSESSIONID cookie the browser sent and echo it back with the flags set.
        Cookie[] allCookies = req.getCookies();
        if (allCookies != null && !"self-health-check".equals(req.getHeader("User-Agent"))) {
            Cookie session = Arrays.stream(allCookies)
                    .filter(x -> x.getName().equals("JSESSIONID"))
                    .findFirst()
                    .orElse(null);
            if (session != null) {
                session.setHttpOnly(httpOnly);
                session.setSecure(secure);
                res.addCookie(session);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
The customer is asking this question: why are there so many session endpoints? I don't know whether this is normal or not. Please help!
[Discussion]:
Tags: spring spring-mvc session cookies resources
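The filter above re-sends a cookie that was parsed from the request. A browser only transmits the cookie's name and value, so the `Cookie` object obtained from `getCookies()` has no Path, Domain or Max-Age; when it is passed to `addCookie`, the resulting `Set-Cookie` header carries no Path either, and the browser then scopes that copy to the directory of the current request (the RFC 6265 default path). The servlet container has already issued its own `JSESSIONID` with the context path when the session was created, so a client can end up holding several `JSESSIONID` cookies with different paths. The standard way to get HttpOnly and Secure on the session cookie is to configure the container once, so every session cookie it issues already has those attributes and no filter needs to re-add anything. The listener below is an added example written for this answer, not code from the questioner's application; the class name `SessionCookieHardeningListener` is hypothetical, and it uses only the Servlet 3.0 `SessionCookieConfig` API.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Configures the container's session cookie at start-up so that every
 * JSESSIONID it issues carries HttpOnly and Secure and a single, explicit
 * path. Hypothetical class, not part of the application in the question.
 */
@WebListener
public class SessionCookieHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cookieConfig = ctx.getSessionCookieConfig();

        // Not readable from document.cookie, so an XSS payload cannot exfiltrate it.
        cookieConfig.setHttpOnly(true);
        // Only transmitted over TLS; never leaks on a plain-HTTP request.
        cookieConfig.setSecure(true);
        // One explicit path for the whole application, so the browser keeps
        // exactly one JSESSIONID rather than one per request directory.
        String contextPath = ctx.getContextPath();
        cookieConfig.setPath(contextPath.isEmpty() ? "/" : contextPath);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }
}
```

The same settings can be declared in `web.xml` instead of code, under `<session-config><cookie-config>` with `<http-only>true</http-only>` and `<secure>true</secure>`. With either approach in place, the `sessionFilter` entry in the `<security:http>` configuration can be dropped; a quick check in the browser's developer tools (one `JSESSIONID` per origin, flagged HttpOnly and Secure, with the context path) confirms the cookie is being issued only once.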