DarrenJiang1990 / awesome-gateway-security


Session Stateless with Webflux Security #1

Open DarrenJiang1990 opened 5 years ago

DarrenJiang1990 commented 5 years ago

With Spring Security's formLogin authentication, after a successful login Security caches the requesting browser's session information (WebSessionServerSecurityContextRepository) and returns the session to the client browser via Set-Cookie. The browser then does not actually need to provide authentication credentials again when accessing other interface resources (Security compares the cookie sent by the browser with its own session; if they match, it does not authenticate again, even if httpBasic is configured). So by default, WebFlux Security's formLogin authentication is implemented through cookie and session, i.e. it is stateful.

Unlike HttpSecurity, WebFlux Security does not provide a sessionManagement configuration interface for making authentication stateless.

Solution: .and().securityContextRepository(NoOpServerSecurityContextRepository.getInstance())

Authoritative explanation: The security context in a WebFlux application is stored in a ServerSecurityContextRepository. Its WebSessionServerSecurityContextRepository implementation, which is used by default, stores the context in session. Configuring a NoOpServerSecurityContextRepository instead would make our application stateless. To do so, just add the above lines to the SecurityWebFilterChain configuration.

DarrenJiang1990 commented 5 years ago

Reopen it for guidance

WayneCommand commented 4 years ago

FormLoginSpec has private ServerSecurityContextRepository securityContextRepository = new WebSessionServerSecurityContextRepository();

The proposed solution does not seem to actually solve it.

I think FormLoginSpec needs some modification for this to work.
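The following is an added example, not code from this repository or from the issue authors, showing a stateless SecurityWebFilterChain that covers both points raised in the thread: the top-level securityContextRepository setting from the first comment and the FormLoginSpec-level default that the second comment points out. It assumes Spring Security 5.x WebFlux, where FormLoginSpec exposes its own securityContextRepository(...) setter; the class and path names are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;

// Illustrative configuration class (assumption: Spring Security 5.x WebFlux API).
@Configuration
@EnableWebFluxSecurity
public class StatelessSecurityConfig {

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // NoOp repository: nothing is persisted between requests, so every request
        // must carry its own credentials (here via HTTP Basic).
        NoOpServerSecurityContextRepository stateless =
                NoOpServerSecurityContextRepository.getInstance();

        return http
            .authorizeExchange()
                .pathMatchers("/login").permitAll()   // illustrative path
                .anyExchange().authenticated()
            .and()
            .httpBasic()
            .and()
            .formLogin()
                // FormLoginSpec keeps its own WebSessionServerSecurityContextRepository
                // by default, so the filter it installs would still write the context
                // into the WebSession unless it is overridden here too.
                .securityContextRepository(stateless)
            .and()
            // Top-level repository used by the rest of the chain
            // (the line proposed in the first comment).
            .securityContextRepository(stateless)
            .build();
    }
}
```

With both settings in place a successful form login no longer seeds a session-backed context, so a follow-up request without an Authorization header is rejected; checking for the absence of a SESSION cookie after login is a quick way to confirm the chain is really stateless.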