1、需求
rest客户端访问rest服务端默认状态的配置策略是:无状态的;
假如默认配置策略不是无状态配置,则需要配置为无状态;
若不配置无状态,则rest服务端会爆掉,堆积海量的sessionId;
2、Session状态策略:org.springframework.security.config.http.SessionCreationPolicy
public enum SessionCreationPolicy {
/** Always create an {@link HttpSession} */
ALWAYS,
/**
* Spring Security will never create an {@link HttpSession}, but will use the
* {@link HttpSession} if it already exists
*/
NEVER,
/** Spring Security will only create an {@link HttpSession} if required */
IF_REQUIRED,
/**
* Spring Security will never create an {@link HttpSession} and it will never use it
* to obtain the {@link SecurityContext}
*/
STATELESS
}
3、程序配置如下:
package com.zemel.security.config;
import javax.annotation.Resource;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Resource
public void configGloabl(AuthenticationManagerBuilder auth)throws Exception{
auth.inMemoryAuthentication().withUser("wendy").password("wendy").roles("USER")
.and().withUser("admin").password("hello").roles("USER", "ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// 表示所有的访问都必须认证,认证处理后才可以正常进行
http.httpBasic().and().authorizeRequests().anyRequest().fullyAuthenticated();
// 所有的rest服务一定要设置为无状态,以提升操作效率和性能
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}
4、配置文件配置session策略
security.sessions: stateless