我正在构建一个Grails应用程序,并使用spring-security-core-3.2.0和spring-security-rest / 2.0.0。一切正常,我可以登录我的网络应用程序,我也可以使用JWT令牌以RESTful方式进行身份验证/通信。但是,通过REST调用,我仍然获得了JSESSIONID令牌。由于REST是无状态的,我不会期待会话。我似乎无法为此找到配置选项。有没有办法禁止为RESTful调用创建会话?
这就是我看到会议的方式:
curl -D headers.txt -H "Content-Type: application/json" -X POST -d '{"username":"xxxxx","password":"xxxxxx"}' http://xxxx:8080/api/login
检查headers.txt,我看到了:
HTTP/1.1 200
Cache-Control: no-store
Pragma: no-cache
Set-Cookie: JSESSIONID=3004A67F66933E639E68D79FA1E1CA88; Path=/; HttpOnly
Content-Type: application/json;charset=UTF-8
Content-Length: 2247
Date: Sun, 12 Nov 2017 16:57:40 GMT
答案 0 :(得分:0)
我在所有地方的文件中找到了答案。 :-)
所有关于过滤器链和哪些url模式应该是无状态的,哪些不是。我在grails.plugin.springsecurity.filterChain.chainMap中将以下地图添加到application.groovy:
[pattern: '/api/**',
filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
]
完整设置:
grails.plugin.springsecurity.filterChain.chainMap = [
[pattern: '/assets/**', filters: 'none'],
[pattern: '/**/js/**', filters: 'none'],
[pattern: '/**/css/**', filters: 'none'],
[pattern: '/**/images/**', filters: 'none'],
[pattern: '/**/favicon.ico', filters: 'none'],
[pattern: '/api/**',
filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
],
[pattern: '/**', filters: 'JOINED_FILTERS']
]