How to make spring boot never issue session cookie?

粉色の甜心 2020-12-05 22:59

I'm developing a RESTful API server using Spring Boot. I configured my project to use basic authentication as below.

```java
@ComponentScan
@EnableAutoConfiguration
```
3 answers
  • 2020-12-05 23:17

    I used the following options:

    ```java
    .csrf().disable()
    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
    .formLogin().disable()
    .httpBasic().disable()
    .logout().disable()
    ```

    Getting the error "localhost redirected you too many times".

    I tried after clearing the cookies. But the moment I remove the following option/line, `.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()`, it works well. This is for `oauth2Login()`. Maybe `oauth2Login()` requires this session state. What could be the explanation?

    And when I do not have this `.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()`, then it uses the cookie. I use Google auth, so once I have logged in, it allows subsequent calls without the need to authenticate. All of this behavior sounds reasonable and as expected.

    For security reasons, I was told by an expert, to turn off cookies. I do not know what this means other than turning off the session...

  • 2020-12-05 23:30

    It works for me: "So I would suggest that you clear all your cookies, switch it to STATELESS and try again. It could be that you had already an HttpSession when you switched to NEVER."

    ```java
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .csrf().disable()
                .authorizeRequests()
                .anyRequest()
                .authenticated().and().httpBasic();
    }
    ```
  • 2020-12-05 23:34

    Have you tried using SessionCreationPolicy.STATELESS? There is a subtle difference between STATELESS and NEVER in the Spring docs:

    STATELESS: Spring Security will never create an HttpSession and it will never use it to obtain the SecurityContext.

    NEVER: Spring Security will never create an HttpSession, but will use the HttpSession if it already exists.

    So I would suggest that you clear all your cookies, switch it to STATELESS and try again. It could be that you had already an HttpSession when you switched to NEVER.

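The following is an added example, not code from any of the answers above: a complete `WebSecurityConfigurerAdapter` configuration in the style the second answer uses, with `STATELESS` session policy and HTTP Basic, plus a MockMvc test that verifies no `HttpSession` is created for an authenticated request (in a real container, the equivalent check is that the response carries no `Set-Cookie: JSESSIONID` header). The package name, the `/api/ping` endpoint and the demo user are assumptions made for the example; the test class belongs under `src/test/java` and assumes a `@SpringBootApplication` class exists. Note that `STATELESS` also removes the session that `oauth2Login()` uses by default to keep its pending authorization request, which is consistent with the redirect loop the first answer reports; for a pure API secured by Basic auth or tokens, `STATELESS` is the right choice.

```java
package example.security; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class StatelessApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // STATELESS: Spring Security neither creates nor reads an HttpSession,
            // so no JSESSIONID cookie is issued. NEVER would still reuse a session
            // that already exists, which is why clearing cookies matters there.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            // CSRF protection defends cookie-authenticated browser clients; with no
            // session cookie and a credential sent on every request it is disabled.
            .csrf().disable()
            // Basic auth: credentials are verified on every request, nothing is cached.
            .httpBasic().and()
            .authorizeRequests().anyRequest().authenticated();
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        // Constructed demo credentials for the example; replace with a real user store.
        return new InMemoryUserDetailsManager(
            User.withUsername("api-user").password(encoder.encode("change-me")).roles("USER").build());
    }
}

// Minimal endpoint so the test below has something authenticated to call (assumed, not from the post).
@RestController
class PingController {
    @GetMapping("/api/ping")
    String ping() {
        return "pong";
    }
}

// Lives under src/test/java. Verifies the stateless policy: an authenticated request
// must leave no HttpSession behind, hence no session cookie can be issued.
@org.springframework.boot.test.context.SpringBootTest
@org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc
class StatelessSessionTest {

    @org.springframework.beans.factory.annotation.Autowired
    org.springframework.test.web.servlet.MockMvc mvc;

    @org.junit.jupiter.api.Test
    void authenticatedRequestCreatesNoSession() throws Exception {
        mvc.perform(org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get("/api/ping")
                .with(org.springframework.security.test.web.servlet.request
                        .SecurityMockMvcRequestPostProcessors.httpBasic("api-user", "change-me")))
           .andExpect(org.springframework.test.web.servlet.result.MockMvcResultMatchers.status().isOk())
           // getSession(false) returns null when no session was created during the request.
           .andDo(result -> org.junit.jupiter.api.Assertions.assertNull(
                   result.getRequest().getSession(false), "STATELESS must not create a session"));
    }

    @org.junit.jupiter.api.Test
    void unauthenticatedRequestIsRejected() throws Exception {
        mvc.perform(org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get("/api/ping"))
           .andExpect(org.springframework.test.web.servlet.result.MockMvcResultMatchers.status().isUnauthorized());
    }
}
```

If the test starts failing after a change, the usual culprits are application code calling `request.getSession()` directly, Spring Session on the classpath, or a login feature such as `oauth2Login()` or `formLogin()` that stores state in the session; Spring Security's `STATELESS` setting only governs its own filters.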