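In a Spring Boot application with basic authentication, I am trying to authorize requests that take the sessionID from a URL of the form ";jsessionid=xxx". I know that putting the session in the URI is not good practice, but it is a requirement.

I am using Spring-session-jdbc.

I tried to create a filter called JSessionIDFilter:

    http
        .addFilterBefore(new JSessionIDFilter(), UsernamePasswordAuthenticationFilter.class)

In the filter: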

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        // Get sessionID from URI
        String requestURI = request.getRequestURI();
        String sessionID = "";
        int index = requestURI.indexOf(";jsessionid=");
        if (index >= 0)
        {
            // 12 is the length of ";jsessionid="
            sessionID = requestURI.substring(index+12);
            // If session ID is valid I would like to retrieve the Authentication by sessionid and associate it to the current request
            Authentication authentication = ....
            SecurityContextHolder.getContext().setAuthentication(authentication);
        }
        // Pass the request on to the rest of the filter chain
        filterChain.doFilter(request, response);
    }

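After some research, I found a solution to my problem, which I will share:

I did not use a filter; instead I created a different, custom HttpSessionIdResolver in the Spring Boot configuration:

    @Bean
    public HttpSessionIdResolver httpSessionIdResolver() {
        return new CustomCookieAndHeaderHttpSessionIdResolver();
    }

Here is the new class: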
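
    import java.nio.charset.StandardCharsets;
    import java.util.Base64;
    import java.util.List;
    // Use jakarta.servlet.http.* instead on Spring Boot 3 and later
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.session.web.http.CookieHttpSessionIdResolver;
    import org.springframework.session.web.http.HttpSessionIdResolver;

    public class CustomCookieAndHeaderHttpSessionIdResolver implements HttpSessionIdResolver {
        // Cookie handling is delegated to the standard resolver
        CookieHttpSessionIdResolver cookieHttpSessionIdResolver = new CookieHttpSessionIdResolver();

        @Override
        public List<String> resolveSessionIds(HttpServletRequest request) {
            // The session cookie takes precedence; the URI is only a fallback
            List<String> myList = cookieHttpSessionIdResolver.resolveSessionIds(request);
            String requestURI = request.getRequestURI();
            String sessionFromUri = "";
            if (myList.isEmpty())
            {
                int index = requestURI.indexOf(";jsessionid=");
                if (index >= 0)
                {
                    // 12 is the length of ";jsessionid="
                    sessionFromUri = requestURI.substring(index+12);
                    // The value in the URI is the Base64-encoded session id
                    byte[] decodedBytes = Base64.getDecoder().decode(sessionFromUri);
                    String sessionFromUri_Guid = new String(decodedBytes, StandardCharsets.UTF_8);
                    myList.add(sessionFromUri_Guid);
                }
            }
            return myList;
        }

        @Override
        public void setSessionId(HttpServletRequest request, HttpServletResponse response, String sessionId) {
            this.cookieHttpSessionIdResolver.setSessionId(request, response, sessionId);
        }

        @Override
        public void expireSession(HttpServletRequest request, HttpServletResponse response) {
            this.cookieHttpSessionIdResolver.expireSession(request, response);
        }
    }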
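
A stricter version of the URI parsing done in resolveSessionIds above, as an added example that is not part of the original answer: it stops the value at the next path parameter or segment, rejects malformed Base64 instead of throwing, and only accepts a decoded value that looks like a session id. The class name UriSessionIdParser, the length limit and the assumption that session ids are lowercase UUID strings (suggested by the answer's variable name sessionFromUri_Guid) are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import java.util.regex.Pattern;

// Added example (hypothetical helper): strict extraction of a Base64-encoded
// session id from the ";jsessionid=" path parameter of a request URI.
public class UriSessionIdParser {
    private static final String PARAM = ";jsessionid=";
    // Assumption: session ids are lowercase UUID strings.
    private static final Pattern UUID_FORMAT = Pattern.compile(
            "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}");
    // Base64 of a 36-character UUID is 48 characters; anything much longer is rejected.
    private static final int MAX_ENCODED_LENGTH = 64;

    public static Optional<String> extract(String requestUri) {
        int start = requestUri.indexOf(PARAM);
        if (start < 0) {
            return Optional.empty();
        }
        start += PARAM.length();
        // The value ends at the next path parameter or path segment, not at end of string.
        int end = start;
        while (end < requestUri.length() && ";/".indexOf(requestUri.charAt(end)) < 0) {
            end++;
        }
        String encoded = requestUri.substring(start, end);
        if (encoded.isEmpty() || encoded.length() > MAX_ENCODED_LENGTH) {
            return Optional.empty();
        }
        try {
            String id = new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
            return UUID_FORMAT.matcher(id).matches() ? Optional.of(id) : Optional.empty();
        } catch (IllegalArgumentException malformedBase64) {
            // Treat undecodable input as "no session" rather than an unhandled exception.
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not real session ids.
        String id = "123e4567-e89b-12d3-a456-426614174000";
        String encoded = Base64.getEncoder().encodeToString(id.getBytes(StandardCharsets.UTF_8));
        System.out.println(extract("/app/page;jsessionid=" + encoded));
        System.out.println(extract("/app/page;jsessionid=" + encoded + ";v=1"));
        System.out.println(extract("/app/page;jsessionid=%%%not-base64"));
        System.out.println(extract("/app/page"));
    }
}
```

Inside resolveSessionIds, the returned Optional would replace the substring and decode steps, adding the id to the list only when it is present.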