create-session stateless usage
Notice: this page is a translated copy of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must keep the same license, cite the original URL and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/8800855/
Asked by bertie
I was hoping that changing to create-session="stateless" would be the end of it to achieve stateless Spring Security in my webapp, but it is not so.
With that change, Spring Security seems not to be working, since (my assumption) Spring Security doesn't store anything in the session, and cannot do authentication for secured web requests.
How do I make use of this stateless feature?
I cannot seem to find any relevant examples yet on how to achieve stateless Spring Security for a stateless webapp.
Thank you!
Answered by Shaun the Sheep
Donal's answer is basically correct, and for a browser you probably don't want to be using a stateless app.
For reference, create-session="stateless" is a better option if you really do have a stateless app such as a RESTful client. This option was introduced in Spring Security 3.1. It will avoid adding parts of Spring Security's infrastructure which make use of the session (e.g. HttpSessionSecurityContextRepository, SessionManagementFilter, RequestCacheFilter), so you get a leaner setup.
With create-session="never", Spring Security will never create a session itself, but will make use of one if your app does. In practice, many users aren't even aware that they are creating sessions, so if you really don't want a session, ever, then stateless is the best option.
Answered by Donal Fellows
I have a Spring-based webapp which has fully stateless security, and the only way to make it work like that is to disable session creation completely (with create-session="never"). That forces re-authentication with each request, so you'll be wanting to also configure the webapp to use HTTP Basic Auth or Digest Auth (over HTTPS, of course) as those don't require a particularly complex negotiation (by contrast, form-based login and OAuth both require a session because they have a much more complicated process for establishing the authentication context). That means you'll want to put an element like <security:http-basic /> inside your <security:http> element.
(The advantage of doing it this way is that it enables extremely simple client libraries as they don't have to do cookie/session management. The cost is some processing overhead — the establishment of what set of roles the user is participating as will have to be recomputed on each request — and some limitations on which authentication mechanisms you can use.)
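Putting the two answers together, as an added example that is not part of the question or of either answer: a Spring Security 3.1 XML namespace configuration that uses create-session="stateless" with HTTP Basic forced over HTTPS, and, commented out, the create-session="never" variant Donal describes. The /api/** URL pattern, the security namespace prefix and the in-memory user are assumptions made for illustration, not anything from the original thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Stateless API (Spring Security 3.1+). With create-session="stateless" the
         namespace does not wire HttpSessionSecurityContextRepository,
         SessionManagementFilter or RequestCacheFilter, so nothing is remembered
         between requests and every request must carry its own credentials.
         http-basic supplies the entry point that challenges with 401. -->
    <security:http pattern="/api/**" create-session="stateless" use-expressions="true">
        <!-- Basic credentials are only base64-encoded: require TLS so they
             are never sent in clear. (/api/** is an assumed path.) -->
        <security:intercept-url pattern="/api/**" access="isAuthenticated()"
                                requires-channel="https"/>
        <security:http-basic/>
    </security:http>

    <!-- The alternative Donal uses: create-session="never". Spring Security itself
         creates no session, but if any other code calls request.getSession(),
         the SecurityContext is stored in it and reused on later requests. -->
    <!--
    <security:http pattern="/api/**" create-session="never" use-expressions="true">
        <security:intercept-url pattern="/api/**" access="isAuthenticated()"
                                requires-channel="https"/>
        <security:http-basic/>
    </security:http>
    -->

    <!-- In-memory user for illustration only (assumed name and password). -->
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="api-client" password="change-me" authorities="ROLE_API"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
```

A quick check that the setup really is stateless: a request to /api/ with a valid Authorization: Basic header should succeed and return no Set-Cookie: JSESSIONID header, and repeating the same request without the Authorization header should get a 401 challenge rather than a 200, because nothing from the first request was retained server-side.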

