使用以下代码,每次有人访问我的网站时都会创建一个新的WebSession。 WebSession的状态设置为NEW,不包含任何属性。由于某种原因,此会话永远不会被删除。
@Bean
public SecurityWebFilterChain securityWebFilterChainCatchAll(ServerHttpSecurity http) {
return http
.csrf().disable()
.authorizeExchange()
.pathMatchers("/", "/static/**")
.permitAll()
.anyExchange()
.denyAll()
.and()
.exceptionHandling()
.authenticationEntryPoint(this::returnPage)
.accessDeniedHandler(this::returnPage)
.and()
.formLogin().disable()
.httpBasic().disable()
.build();
}
private Mono<Void> returnPage(ServerWebExchange exchange, RuntimeException denied) {
Resource indexHtml = new ClassPathResource("/static/index.html");
return ok().contentType(MediaType.TEXT_HTML).syncBody(indexHtml).flatMap(d -> d.writeTo(exchange, new HandlerStrategiesResponseContext(HandlerStrategies.withDefaults())));
}
class HandlerStrategiesResponseContext implements ServerResponse.Context
{
private final HandlerStrategies strategies;
HandlerStrategiesResponseContext(HandlerStrategies strategies) {
this.strategies = strategies;
}
@Override
public List<HttpMessageWriter<?>> messageWriters() {
return this.strategies.messageWriters();
}
@Override
public List<ViewResolver> viewResolvers() {
return this.strategies.viewResolvers();
}
}
这是一个包罗万象的ServerHttpSecurity,我的/api端点具有更特定的配置,但是当WebSession设置为STARTED状态且该属性的SPRING_SECURITY_CONTEXT。
对此我有两个问题。
WebSession处于新状态意味着什么,为什么?
未删除,仅删除STARTED状态。