0

Currently I'm trying to make simple application that using spring session(with spring security on spring boot)

it almost works well. but I'm stuck at one point

spring session's guide said "Spring Session will automatically include the session alias in any URL"

but in my jsp , it doesn't works .

so I have to write including alias code by hand

<c:url value="/index" var="indexUrl" >
    <c:if test="${param._s != null }">
        <c:param name="_s" value="${param._s}" />
    </c:if> 
</c:url>
<a id="indexLink" href="${indexUrl}">To Index</a>

in the my IDE(spring tool suite),multi users sample code working well same as a guide, and I'm using a same version of jstl at my app

well ... perhaps I have to write more information about my question

sorry but I can't guess which component to affect this problem maybe some part of function of spring session or boot

anybody can advise me which component blocking "Automatic Session Alias Inclusion" or need some setting for use ?

4

1 回答 1

0

这是 Spring Security 和 Spring Session 之间的冲突。Spring Security 正在防止 URL 被编码以防止 JSESSIONID 意外暴露。要允许编码,您可以使用:

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .enableSessionUrlRewriting(true)
                .and()
            // ...
    }
}
于 2015-12-08T14:52:13.920 回答