Question
I have a J2EE REST-based app using Spring Security 4.0.1.RELEASE. Needless to say, Spring documentation on sessionCreationPolicy and sessionFixation is sparse, aside from targeted questions here on StackOverflow.
I'm using a Java-based config for Spring Security like this:
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, jsr250Enabled = true, order = 1)
public class DefaultSecurityBeansConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement()
            // create an HttpSession only when Spring Security needs one
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            // on login, copy the session attributes into a fresh session
            .sessionFixation().migrateSession()
            .and(); // additional config omitted for brevity
    }
}
```
I'd really just like to know what behavior to expect from Spring, as it relates to JSESSIONID, given all possible combinations of sessionCreationPolicy and sessionFixation.
Possible values in the SessionCreationPolicy enum are ALWAYS, NEVER, IF_REQUIRED, and STATELESS.
Possible values for session fixation are newSession, migrateSession, changeSessionId, and none.
Thank you.
NOTE: What prompted this question is that I am not seeing a new JSESSIONID on every request when I have sessionCreationPolicy set to IF_REQUIRED and sessionFixation set to changeSessionId. A JSESSIONID is correctly created, but is maintained across requests thereafter. I generalized my question about all combinations to hopefully help others in a similar situation with slightly different settings.
Answer 1:
It's important to keep in mind that Spring Security doesn't always have full control of the HttpSession. It can create one itself, but it can also be provided a Session object by the container.
For SessionCreationPolicy.IF_REQUIRED, the docs state:
"Spring Security will only create an HttpSession if required"
In your particular case, you're not seeing a new JSESSIONID for every request for at least 2 possible reasons:
1. With your current configuration, Spring has the option of creating a Session if it needs one.
2. SessionCreationPolicy.IF_REQUIRED also appears to allow Spring Security to use the Session it is provided with. Your container might be providing this object if this is the case, and so the session is maintained across multiple requests (as is expected if you're in a session).
If you want to disable #1, use SessionCreationPolicy.NEVER:
"Spring Security will never create an HttpSession, but will use the HttpSession if it already exists"
The only SessionCreationPolicy that will ensure that Spring Security uses NO SESSIONS is SessionCreationPolicy.STATELESS.
As regards SessionFixation, it only comes into play when you have multiple sessions for one user, after authentication. At this point, the SessionCreationPolicy is somewhat irrelevant.
SessionCreationPolicy: used to decide when (if ever) to create a new session
SessionFixation: once you have a session for a user, what to do with the session if the user logs in again
Hope this helps!
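The answer's closing point is that STATELESS is the only policy under which Spring Security is guaranteed to neither create nor reuse an HttpSession. The following is an added example, not code from the question or the answer above: a Spring Security 4.0.x Java config for a credential-per-request REST API, together with a MockMvc test that checks no session is left behind after an authenticated request. The user "alice"/"password" and the path /api/ping are constructed for the example; spring-security-config, spring-security-test, spring-test, spring-web and JUnit 4 are assumed to be on the classpath. Note the CSRF caveat in the comments: the default HttpSessionCsrfTokenRepository stores the token in the HttpSession, so with CSRF left enabled a session appears on the first request even under STATELESS.

```java
// Added example (not from the question or answer above). Assumed: Spring Security 4.0.x,
// spring-security-test, spring-test, spring-web, JUnit 4. User and path are constructed.
import static org.junit.Assert.assertNull;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(classes = StatelessSessionTest.RestSecurityConfig.class)
@WebAppConfiguration
public class StatelessSessionTest {

    // Security config for an API that authenticates every request on its own.
    @Configuration
    @EnableWebSecurity
    static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // constructed test user; Spring Security 4.0 accepts plain-text in-memory passwords
            auth.inMemoryAuthentication().withUser("alice").password("password").roles("USER");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // STATELESS: Spring Security neither creates nor reads an HttpSession;
                // the SecurityContext is rebuilt from the credentials on every request.
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                // The default CSRF token repository keeps the token in the HttpSession and
                // therefore creates one on the first request, which would defeat STATELESS.
                // Disabled here because the API takes a credential on every request.
                .csrf().disable()
                .httpBasic()
                .and()
                .authorizeRequests().anyRequest().authenticated();
        }
    }

    @Autowired
    private WebApplicationContext context;
    private MockMvc mockMvc;

    @Before
    public void setUp() {
        // springSecurity() puts the springSecurityFilterChain in front of MockMvc
        mockMvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }

    @Test
    public void authenticatedRequestDoesNotCreateSession() throws Exception {
        // No controller is mapped to /api/ping, so the dispatcher answers 404, but the
        // security filter chain has already run, and that is what is being checked.
        MvcResult result = mockMvc.perform(get("/api/ping").with(httpBasic("alice", "password")))
                .andReturn();
        // getSession(false) returns null unless some filter called getSession(true)
        assertNull("STATELESS must not leave an HttpSession behind",
                result.getRequest().getSession(false));
    }
}
```

To try the same check against the IF_REQUIRED configuration from the question, point `@ContextConfiguration` at that class instead: the assertion then fails after a form login, because the security context is saved in the session and a JSESSIONID is issued, which is exactly the behaviour described in the question's NOTE.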
Source: https://stackoverflow.com/questions/50840971/how-does-spring-security-handle-jsessionid-with-various-session-creation-and-ses