如何在没有会话的情况下使用 Spring Security?
我正在使用 Spring Security 构建一个 Web 应用程序,该应用程序将运行在 Amazon EC2 上并使用 Amazon 的弹性负载均衡器.不幸的是,ELB 不支持粘性会话,所以我需要确保我的应用程序在没有会话的情况下正常工作.
I am building a web application with Spring Security that will live on Amazon EC2 and use Amazon's Elastic Load Balancers. Unfortunately, ELB does not support sticky sessions, so I need to ensure my application works properly without sessions.
到目前为止,我已经设置了 RememberMeServices 以通过 cookie 分配令牌,这工作正常,但我希望 cookie 随着浏览器会话而过期(例如,当浏览器关闭时).
So far, I have setup RememberMeServices to assign a token via a cookie, and this works fine, but I want the cookie to expire with the browser session (e.g. when the browser closes).
我必须想象我不是第一个想要在没有会话的情况下使用 Spring Security 的人......有什么建议吗?
I have to imagine I'm not the first one to want to use Spring Security without sessions... any suggestions?
在 Spring Securitiy 3.0 中似乎更容易.如果您使用命名空间配置,您可以简单地执行以下操作:
It seems to be even easier in Spring Securitiy 3.0. If you're using namespace configuration, you can simply do as follows:
<http create-session="never">
<!-- config -->
</http>
或者您可以将 SecurityContextRepository 配置为 null,这样就不会保存任何内容 以及.
Or you could configure the SecurityContextRepository as null, and nothing would ever get saved that way as well.