问题
I am currently developing a REST API with Spring Boot for an Angular2 frontend app.
I use Spring Security to manage user authentification but I need to store some information in browser session. The problem is that a new JSESSIONID is created at each request.
Example:
- Authentification
POSTIt returnsSet-Cookie:JSESSIONID=C367245309E4E80606066FDCFBE0EE43in response header. A new session is created with user's information
- Protected REST resource
GET: Session is empty andJSESSIONIDCookie is not in request header. It returnsSet-Cookie:JSESSIONID=163B28B7AC2042F9EFF1046F9E14A600
My Spring Security configuration is:
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
// Unable x-frame-options from same origin
httpSecurity.headers().frameOptions().sameOrigin();
/*
* the secret key used to signe the JWT token is known exclusively by
* the server. With Nimbus JOSE implementation, it must be at least 256
* characters longs.
*/
String secret = IOUtils.toString(getClass().getClassLoader().getResourceAsStream("secret.key"),
Charset.defaultCharset());
httpSecurity.addFilterAfter(jwtTokenAuthenticationFilter("/**", secret), ExceptionTranslationFilter.class)
.addFilterBefore(new SimpleCORSFilter(), CorsFilter.class)
/*
* Exception management is handled by the
* authenticationEntryPoint (for exceptions related to
* authentications) and by the AccessDeniedHandler (for
* exceptions related to access rights)
*/
.exceptionHandling().authenticationEntryPoint(new SecurityAuthenticationEntryPoint())
.accessDeniedHandler(new RestAccessDeniedHandler()).and()
/*
* anonymous() consider no authentication as being anonymous
* instead of null in the security context.
*/
.anonymous().and()
/* No Http session is used to get the security context */
//
.sessionManagement().maximumSessions(1).and().sessionFixation().none()
.sessionCreationPolicy(SessionCreationPolicy.ALWAYS).and().authorizeRequests()
/*
* All access to the authentication service are permitted
* without authentication (actually as anonymous)
*/
.antMatchers("/auth/**").permitAll().antMatchers("/css/**").permitAll().antMatchers("/js/**")
.permitAll().antMatchers("/accueil").permitAll()
// .antMatchers("/**").permitAll()
/*
* All the other requests need an authentication. Role access is
* done on Methods using annotations like @PreAuthorize
*/
.anyRequest().authenticated().and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class).csrf()
.csrfTokenRepository(csrfTokenRepository()).disable();
}
Can you help me to fix my session issue please?
回答1:
It seems to be an angular2 issue which doesn't send cookie; I set this code in my constructor before calling my REST api :
constructor(private _http: Http) {
let _build = (<any>_http)._backend._browserXHR.build;
(<any>_http)._backend._browserXHR.build = () => {
let _xhr = _build();
_xhr.withCredentials = true;
return _xhr;
};
}
And now my JSESSIONID is sending in every request.
来源:https://stackoverflow.com/questions/40108053/spring-security-session-jsessionid