摘自 : https://www.cnblogs.com/imyjy/p/9187168.html
背景:
Springboot 2.0 (spring-session-data-redis + spring-boot-starter-web)
需求:
通過cookies中取到的 sessionid 獲取到 session
預期效果:
@Autowired
private SessionRepositry sessionRepositry;
…
Session session = sessionRespositry.findById(sessionId);
真實結果: 獲取到的session是null, 然而通過 request.getSession(); 可以獲取到session, 說明 session是存在的.
問題追蹤後發現問題:
cookie中的sessionId 與 session.getId() 不一樣!!!
DEBUG:
1. 先看一看SpringSession是如何從Cookie中獲取sessionid的! (相關類: org.springframework.session.web.http.DefaultCookieSerializer)
2. 再看一看 useBase64Encoding 的值是啥, 首先看默認值
3. 看看這些配置是在哪裏被(賦值)確認的, 一路追蹤到 org.springframework.session.config.annotation.web.http.SpringHttpSessionConfiguration 配置類中
看看 createDefaultCookieSerializer() 是如何實現的
4. 從上面可以得出結論, 我們無法 通過配置文件 中 server.servlet.session.** 來配置 useBase64Encoding. 使 cookie中的 sessionid 與 session.getId() 保持一致
5. 期間發現的另一個問題: 雖然 sessionCookieConfig 有httpOnly相關配置, 但這裏並未將配置設入 cookieSerializer 中, 導致配置文件中的 server.servlet.session.cookie.httpOnly = false 不起作用
解決方案:
第一種方案: 通過配置 自定義的 CookieSerializer 來指定配置信息(如果覺得麻煩請直接看第二種方案), 如下
a) 首先因爲 SessionCookieConfig 接口中並沒有定義 isUseBase64Encoding() 等接口, 導致缺少了部分配置, 所以我 自定義了一個 MySessionCookieConfig 接口繼承了 SessionCookieConfig, 並寫了一個默認實現 MyDefaultSessionCookieConfig
MySessionCookieConfig
package com.cardgame.demo.center.config;
import javax.servlet.SessionCookieConfig;
/**
*
* 補充 SessionCookie 中未定義的配置項
* @author yjy
* 2018-06-15 13:30
*/
public interface MySessionCookieConfig extends SessionCookieConfig {
String getDomainPattern();
void setDomainPattern(String domainPattern);
String getJvmRoute();
void setJvmRoute(String jvmRoute);
boolean isUseBase64Encoding();
void setUseBase64Encoding(boolean useBase64Encoding);
}
MyDefaultSessionCookieConfig
package com.cardgame.demo.center.config;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;
/**
*
* 涵蓋 CookieSerializer 所有配置項
* @author yjy
* 2018-06-15 13:31
*/
@Component
@ConfigurationProperties(prefix = "server.servlet.session.cookie")
public class MyDefaultSessionCookieConfig implements MySessionCookieConfig {
private String name = "SESSION";
private String path;
private String domain;
private String comment;
private int maxAge = -1;
private String domainPattern;
private String jvmRoute;
private boolean httpOnly = true;
private boolean secure = false;
private boolean useBase64Encoding = false;
@Override
public String getDomainPattern() {
return domainPattern;
}
@Override
public void setDomainPattern(String domainPattern) {
this.domainPattern = domainPattern;
}
@Override
public String getJvmRoute() {
return jvmRoute;
}
@Override
public void setJvmRoute(String jvmRoute) {
this.jvmRoute = jvmRoute;
}
@Override
public boolean isUseBase64Encoding() {
return useBase64Encoding;
}
@Override
public void setUseBase64Encoding(boolean useBase64Encoding) {
this.useBase64Encoding = useBase64Encoding;
}
@Override
public String getName() {
return name;
}
@Override
public void setName(String name) {
this.name = name;
}
@Override
public String getPath() {
return path;
}
@Override
public void setPath(String path) {
this.path = path;
}
@Override
public String getDomain() {
return domain;
}
@Override
public void setDomain(String domain) {
this.domain = domain;
}
@Override
public String getComment() {
return comment;
}
@Override
public void setComment(String comment) {
this.comment = comment;
}
@Override
public boolean isHttpOnly() {
return httpOnly;
}
@Override
public void setHttpOnly(boolean httpOnly) {
this.httpOnly = httpOnly;
}
@Override
public boolean isSecure() {
return secure;
}
@Override
public void setSecure(boolean secure) {
this.secure = secure;
}
@Override
public int getMaxAge() {
return maxAge;
}
@Override
public void setMaxAge(int maxAge) {
this.maxAge = maxAge;
}
}
b) 利用 MyDefaultSessionCookieConfig 攜帶的配置, 自定義 CookieSerializer Bean
package com.cardgame.demo.center.config;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.security.web.authentication.SpringSessionRememberMeServices;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;
import org.springframework.util.ClassUtils;
import org.springframework.util.ObjectUtils;
import javax.servlet.ServletContext;
import javax.servlet.SessionCookieConfig;
/**
*
* @author yjy
* 2018-06-08 14:53
*/
@Slf4j
@Configuration
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 3600, redisNamespace = "center")
public class RedisSessionConfig implements ApplicationContextAware {
@Bean
public CookieSerializer cookieSerializer(ServletContext servletContext, MySessionCookieConfig sessionCookieConfig) {
DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
if (servletContext != null) {
if (sessionCookieConfig != null) {
if (sessionCookieConfig.getName() != null)
cookieSerializer.setCookieName(sessionCookieConfig.getName());
if (sessionCookieConfig.getDomain() != null)
cookieSerializer.setDomainName(sessionCookieConfig.getDomain());
if (sessionCookieConfig.getPath() != null)
cookieSerializer.setCookiePath(sessionCookieConfig.getPath());
if (sessionCookieConfig.getMaxAge() != -1)
cookieSerializer.setCookieMaxAge(sessionCookieConfig.getMaxAge());
if (sessionCookieConfig.getDomainPattern() != null)
cookieSerializer.setDomainNamePattern(sessionCookieConfig.getDomainPattern());
if (sessionCookieConfig.getJvmRoute() != null)
cookieSerializer.setJvmRoute(sessionCookieConfig.getJvmRoute());
cookieSerializer.setUseSecureCookie(sessionCookieConfig.isSecure());
cookieSerializer.setUseBase64Encoding(sessionCookieConfig.isUseBase64Encoding());
cookieSerializer.setUseHttpOnlyCookie(sessionCookieConfig.isHttpOnly());
}
}
if (ClassUtils.isPresent(
"org.springframework.security.web.authentication.RememberMeServices",
null)) {
boolean usesSpringSessionRememberMeServices = !ObjectUtils
.isEmpty(this.context
.getBeanNamesForType(SpringSessionRememberMeServices.class));
if (usesSpringSessionRememberMeServices) {
cookieSerializer.setRememberMeRequestAttribute(
SpringSessionRememberMeServices.REMEMBER_ME_LOGIN_ATTR);
}
}
return cookieSerializer;
}
private ApplicationContext context;
@Override
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
this.context = applicationContext;
}
}
c) 修改配置文件配置
d) 配置完成後重新啓動, 再看 SpringHttpSessionConfiguration 加載的時候, 拿到了我們自定義的 CookieSerializer, 我想要的配置都有了!! 打開瀏覽器測試通過!!
第二種方案: 拿到 Cookie 中的 sessionId 後, 手動解碼, 再 通過 sessionRespositry.findById(sessionId); 獲取session
a) 解碼的方案 從 DefaultSerializer 類中 copy 一個 , 如下:
/**
* Decode the value using Base64.
* @param base64Value the Base64 String to decode
* @return the Base64 decoded value
* @since 1.2.2
*/
private String base64Decode(String base64Value) {
try {
byte[] decodedCookieBytes = Base64.getDecoder().decode(base64Value);
return new String(decodedCookieBytes);
}
catch (Exception e) {
return null;
}
}
b) 獲取步驟:
String cookieSessionId = “XXX”;
String sessionId = base64Decode(cookieSessionId);
Session session = sessionRespositry.findById(sessionId);
c) 搞定! (此方案未解決 httpOnly 不起效的問題, 如果要解決 httpOnly = false , 請看方案一)