spring: Remove jsessionid from URL

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original URL: http://stackoverflow.com/questions/11327631/

Time: 2020-09-08 05:13:16  Source: igfitidea

Remove jsessionid from URL

spring tomcat6 shiro prettyfaces

Asked by Cijo

I'm working on a project with the following technologies:

  • Spring
  • ShiroFilter
  • PrettyFaces
  • Tomcat server

While I'm deploying it on tomcat server, I'm getting a "JSESSIONID 456jghd787aa" added at the end of the URL.

I was trying to resolve this but I'm not able to do that.

Answered by NimChimpsky

For tomcat 7 add this to web.xml

<session-config>
  <!-- Disables URL-based sessions (no more 'jsessionid' in the URL using Tomcat) -->
  <tracking-mode>COOKIE</tracking-mode>
</session-config>

Answered by veman

The following filter may solve your problem (from http://randomcoder.org/maven/site/randomcoder-website/cobertura/org.randomcoder.security.DisableUrlSessionFilter.html)

package com.companyname.projectname.web.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Servlet filter which disables URL-encoded session identifiers.
 * 
 * <pre>
 * Copyright (c) 2006, Craig Condit. All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 * 
 *   * Redistributions of source code must retain the above copyright notice,
 *     this list of conditions and the following disclaimer.
 *   * Redistributions in binary form must reproduce the above copyright notice,
 *     this list of conditions and the following disclaimer in the documentation
 *     and/or other materials provided with the distribution.
 *     
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 * </pre>
 */
public class DisableUrlSessionFilter implements Filter {

/*    private static Log logger = LogFactory.getLog(DisableUrlSessionFilter.class);
*/
    /**
     * Filters requests to disable URL-based session identifiers.
     */
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // skip non-http requests
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

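        // clear session if session id in URL
        if (httpRequest.isRequestedSessionIdFromURL()) {
            // getSession(false) returns null instead of creating a fresh
            // session when the id taken from the URL is not valid
            HttpSession session = httpRequest.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }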

        // wrap response to remove URL encoding
        HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(
                httpResponse) {
            @Override
            public String encodeRedirectUrl(String url) {
                return url;
            }

            @Override
            public String encodeRedirectURL(String url) {
                return url;
            }

            @Override
            public String encodeUrl(String url) {
                return url;
            }

            @Override
            public String encodeURL(String url) {
                return url;
            }
        };

        // process next request in chain
        chain.doFilter(request, wrappedResponse);
    }

    /**
     * Unused.
     */
    public void init(FilterConfig config) throws ServletException {
    }

    /**
     * Unused.
     */
    public void destroy() {
    }
}

Answered by Pras

  • Tomcat 6, add disableURLRewriting="true" in your context.xml

  • Tomcat 7 and ServletFilter have already been discussed

  • Or programmatically:

servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
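
An added example (not from any of the answers on this page) showing where the programmatic call has to live: `setSessionTrackingModes` only works while the context is initializing, so it belongs in a `ServletContextListener`. It assumes a Servlet 3.0 container (Tomcat 7 or later) and an HTTPS-only site; the class name `CookieOnlySessionListener` is hypothetical.

```java
import java.util.EnumSet;
import java.util.Set;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/** Hypothetical listener: forces cookie-only session tracking at startup. */
@WebListener
public class CookieOnlySessionListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext ctx = event.getServletContext();

        // Must run during context initialization; once the context is up
        // the container rejects the call with IllegalStateException.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // The cookie is now the only carrier of the session id, so restrict it.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // not readable from page scripts
        cookie.setSecure(true);   // assumption: the site is served over HTTPS only

        // Fail the deployment loudly if URL tracking is still in effect.
        Set<SessionTrackingMode> effective = ctx.getEffectiveSessionTrackingModes();
        if (effective.contains(SessionTrackingMode.URL)) {
            throw new IllegalStateException(
                    "URL session tracking still enabled: " + effective);
        }
        ctx.log("Session tracking modes: " + effective);
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // nothing to release
    }
}
```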

Answered by kamaci

You can add that setting into your http tag as follows:

<http auto-config="false" disable-url-rewriting="true">

Answered by Stephen M -on strike-

You'll want to take it out of Tomcat, as others have suggested, but you'll still have problems with Shiro appending it to the end on redirects if you don't have a cookie set yet. There are two open tickets on the problem:

https://issues.apache.org/jira/browse/SHIRO-360

https://issues.apache.org/jira/browse/SHIRO-361

I tried to get Tuckey's URL Re-write to work and had partial success after a while. The problem is Shiro doesn't call response.encodeURL() and therefore trip the outbound rules. I was able to redirect inbound requests to remove the session id with these two rules:

<rule>
    <note>Remove jsessionid from embedded urls - for urls WITH query parameters</note>
    <from>^/(.*);JSESSIONID=.*[?](.*)$</from>
    <!-- $1 = path before the session id, $2 = query string -->
    <to type="redirect">/$1?$2</to>
</rule>

<rule>
    <note>Remove jsessionid from embedded urls - for urls WITHOUT query parameters</note>
    <from>^/(.*);JSESSIONID=.*[^?]$</from>
    <!-- $1 = path before the session id -->
    <to type="redirect">/$1</to>
</rule>

That at least makes it not show up in the browser, but it doesn't completely solve the problem, because the session ID was sent on the URL and then redirected to the location without it. It would be better if it never showed up at all.

UPDATE:

SHIRO-360 and SHIRO-361 have been fixed and the fixes are in Shiro 1.3.0. According to Brian Demers in SHIRO-361:

Set sessionManager.sessionIdUrlRewritingEnabled = false to disable appending JSESSIONID to the URL.

NOTE: if a user has disabled cookies, they will NOT be able to log in if this is disabled.
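
The Shiro setting quoted above, wired in Java for a Spring application, as an added example that is not part of the original answer or of Shiro's own code. It assumes Shiro 1.3.0 or later, Shiro-native sessions through `DefaultWebSessionManager`, and a `Realm` bean defined elsewhere; the class name `ShiroSessionConfig` is hypothetical.

```java
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroSessionConfig { // hypothetical class name

    @Bean
    public DefaultWebSessionManager sessionManager() {
        DefaultWebSessionManager sm = new DefaultWebSessionManager();
        // Java equivalent of sessionManager.sessionIdUrlRewritingEnabled = false:
        // Shiro stops appending ;JSESSIONID=... to the URLs it redirects to.
        sm.setSessionIdUrlRewritingEnabled(false);
        // The session id now travels only in the cookie, so the cookie must
        // stay enabled; clients that refuse cookies cannot log in.
        sm.setSessionIdCookieEnabled(true);
        return sm;
    }

    @Bean
    public SecurityManager securityManager(Realm realm) {
        // Assumption: a Realm bean is defined elsewhere in the application.
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager(realm);
        manager.setSessionManager(sessionManager());
        return manager;
    }
}
```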

Answered by ThomasRS

Jetty WebappContext:

Set<SessionTrackingMode> trackingModes = new HashSet<>();
trackingModes.add(SessionTrackingMode.COOKIE);
context.getSessionHandler().getSessionManager().setSessionTrackingModes(trackingModes);

Answered by Lincoln

If you are not using Servlet 3.0, you can also achieve this using a PrettyFaces Rewrite Rule: http://ocpsoft.org/support/topic/url-rewrite-removing-the-jsessionid-from-the-url#post-410
