Copyright notice: this is an original article by the blogger and may not be reposted without the blogger's permission. https://blog.csdn.net/zhangminemail/article/details/83686803
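1. Configure the security.sessions policy
# Security configuration
security:
  sessions: stateless
  basic:
    enabled: true      # enable Spring Security's security configuration
  user:
    name: wendy        # username for authentication
    password: wendy1   # password for authentication
    role:              # authorization
      - USER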
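2. The security.sessions policies are as follows:
always: keeps session state (state is saved for every session, which may lead to memory exhaustion) [Always create an {@link HttpSession}]
never: does not create an HttpSession, but uses an HttpSession that already exists [Spring Security will never create an {@link HttpSession}]
if_required: creates an HttpSession only when it is needed [Spring Security will only create an {@link HttpSession} if required]
stateless: does not keep session state [Spring Security will never create an {@link HttpSession} and it will never use it to obtain the {@link SecurityContext}]
Note: the stateless policy is the recommended one, and it is also the default configuration.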
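3. For details, see the configuration item in the source code of SecurityProperties.java:
/**
 * Session creation policy (always, never, if_required, stateless).
 */
private SessionCreationPolicy sessions = SessionCreationPolicy.STATELESS;

Source of the SessionCreationPolicy enum it refers to: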
/*
* Copyright 2002-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.http;

import javax.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContext;

/**
 * Specifies the various session creation policies for Spring Security.
 *
 * @author Luke Taylor
 * @since 3.1
 */
public enum SessionCreationPolicy {
    /** Always create an {@link HttpSession} */
    ALWAYS,

    /**
     * Spring Security will never create an {@link HttpSession}, but will use the
     * {@link HttpSession} if it already exists
     */
    NEVER,

    /** Spring Security will only create an {@link HttpSession} if required */
    IF_REQUIRED,

    /**
     * Spring Security will never create an {@link HttpSession} and it will never use it
     * to obtain the {@link SecurityContext}
     */
    STATELESS
}
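One way to check that the stateless policy from sections 1 and 2 is actually in effect is an integration test. This is an added example, not code from the original article or from Spring. It assumes Spring Boot 1.4+ with spring-security-test on the test classpath, the YAML from section 1, and a hypothetical GET /hello endpoint that returns 200 and does not touch the session itself.

```java
// Added example (not from the original article). Assumptions: Spring Boot 1.4+,
// spring-security-test on the test classpath, the YAML from section 1, and a
// hypothetical GET /hello endpoint that returns 200 and never touches the session.
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;

import static org.junit.Assert.assertNull;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class StatelessSessionPolicyTest {

    @Autowired
    private MockMvc mvc;

    // STATELESS: a successful Basic login must not create an HttpSession.
    @Test
    public void authenticatedRequestCreatesNoSession() throws Exception {
        MvcResult result = mvc.perform(get("/hello").with(httpBasic("wendy", "wendy1")))
                .andExpect(status().isOk())
                .andReturn();
        assertNull(result.getRequest().getSession(false));
    }

    // STATELESS: an existing session is never used to restore the SecurityContext,
    // so reusing the same session without credentials must be rejected.
    @Test
    public void existingSessionDoesNotCarryAuthentication() throws Exception {
        MockHttpSession session = new MockHttpSession();
        mvc.perform(get("/hello").session(session).with(httpBasic("wendy", "wendy1")))
                .andExpect(status().isOk());
        mvc.perform(get("/hello").session(session))
                .andExpect(status().isUnauthorized());
    }
}
```

With always, never or if_required, the second test fails, because the SecurityContext is stored in the existing session and the follow-up request is treated as authenticated.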