问题描述
我正在使用 Spring Boot 开发 Restful API 服务器.我将我的项目配置为使用基本身份验证,如下所示.
I'm developing Restful API server by using spring boot. I configured my project to use basic authentication as below.
@ComponentScan
@EnableAutoConfiguration
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
...
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER).and()
.csrf().disable()
.authorizeRequests().anyRequest().hasRole("USER").and()
.httpBasic();
}
...
}
但是当我通过 Chrome-Postman-Plugin 测试 API 时,在第一次调用后,服务器从不需要用户凭据.我注意到创建了JSESSIONID"cookie.
But when I tested the API by Chrome-Postman-Plugin, after first call, server never require user credential. And I noticed that 'JSESSIONID' cookie was created.
我的项目中没有其他安全配置.我想知道为什么会发生这种情况...
There are no other security configurations in my project. I wonder why this happens...
推荐答案
您是否尝试过使用 SessionCreationPolicy.STATELESS
.:
Have you tried using SessionCreationPolicy.STATELESS
. There is a subtle difference between STATELESS
and NEVER
in the spring docs:
STATELESS
:Spring Security 永远不会创建 HttpSession
并且永远不会使用它来获取 SecurityContext
.
STATELESS
: Spring Security will never create an HttpSession
and it will never use it to obtain the SecurityContext
.
NEVER
:Spring Security 永远不会创建 HttpSession
,但会使用已经存在的 HttpSession.
NEVER
: Spring Security will never create an HttpSession
, but will use the HttpSession if it already exists.
所以我建议您清除所有 cookie,将其切换到 STATELESS
并重试.可能是您在切换到 NEVER
时已经有了 HttpSession
.
So I would suggest that you clear all your cookies, switch it to STATELESS
and try again. It could be that you had already an HttpSession
when you switched to NEVER
.
这篇关于如何让 Spring Boot 从不发出会话 cookie?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!