@@ -84,7 +84,7 @@ Spring 使用`Session`的会话最基本的 API 是`SessionRepository`。这个
一些`SessionRepository`实现方式也可以选择实现`FindByIndexNameSessionRepository`。例如, Spring 的 Redis、JDBC 和 Hazelcast 支持库都实现了`FindByIndexNameSessionRepository`。
`FindByIndexNameSessionRepository`提供了一个方法来查找具有给定的索引名和索引值的所有会话。作为所有提供的`FindByIndexNameSessionRepository`实现所支持的通用用例,你可以使用一种方便的方法来查找特定用户的所有会话。这是通过确保将名称为`FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME`的会话属性填充为用户名来完成的。你有责任确保填充该属性,因为 Spring 会话不知道正在使用的身份验证机制。下面的清单中可以看到如何使用该方法的示例:
`FindByIndexNameSessionRepository`提供了一个方法来查找具有给定的索引名和索引值的所有会话。作为所有提供的`FindByIndexNameSessionRepository`实现所支持的通用用例,你可以使用一种方便的方法来查找特定用户的所有会话。这是通过确保将名称为`FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME`的会话属性填充为用户名来完成的。你有责任确保填充该属性,因为 Spring Session 不知道正在使用的身份验证机制。下面的清单中可以看到如何使用该方法的示例:
实现自定义[`SessionRepository`](#API-SessionRepository)API 应该是一项相当简单的任务。将自定义实现与[`@EnableSpringHttpSession`](#api-enablespringhtpsession)支持相耦合,可以重用现有的 Spring 会话配置设施和基础设施。然而,有几个方面值得更仔细地考虑。
实现自定义[`SessionRepository`](#API-SessionRepository)API 应该是一项相当简单的任务。将自定义实现与[`@EnableSpringHttpSession`](#api-enablespringhtpsession)支持相耦合,可以重用现有的 Spring Session 配置设施和基础设施。然而,有几个方面值得更仔细地考虑。
在 HTTP 请求的生命周期中,`HttpSession`通常会两次持久化到`SessionRepository`。第一个持久化操作是确保一旦客户端访问了会话 ID,会话对客户端是可用的,并且还需要在会话提交后写入,因为可能会对会话进行进一步的修改。考虑到这一点,我们通常建议`SessionRepository`实现跟踪更改,以确保只保存增量。这在高度并发的环境中尤其重要,在这种环境中,多个请求在同一个`HttpSession`上运行,因此会导致竞争条件,因为请求会覆盖彼此对会话属性的更改。 Spring 会话提供的所有`SessionRepository`实现都使用所描述的方法来持久化会话更改,并且可以在实现自定义`SessionRepository`时用于指导。
在 HTTP 请求的生命周期中,`HttpSession`通常会两次持久化到`SessionRepository`。第一个持久化操作是确保一旦客户端访问了会话 ID,会话对客户端是可用的,并且还需要在会话提交后写入,因为可能会对会话进行进一步的修改。考虑到这一点,我们通常建议`SessionRepository`实现跟踪更改,以确保只保存增量。这在高度并发的环境中尤其重要,在这种环境中,多个请求在同一个`HttpSession`上运行,因此会导致竞争条件,因为请求会覆盖彼此对会话属性的更改。 Spring Session 提供的所有`SessionRepository`实现都使用所描述的方法来持久化会话更改,并且可以在实现自定义`SessionRepository`时用于指导。
`FindByIndexNameSessionRepository`如果开发人员指示 Spring 会话什么用户与`Session`相关联,则只能通过用户名找到会话。你可以通过确保将名称`FindByUsernameSessionRepository.PRINCIPAL_NAME_INDEX_NAME`的会话属性填充为用户名来做到这一点。
`FindByIndexNameSessionRepository`如果开发人员指示 Spring Session 什么用户与`Session`相关联,则只能通过用户名找到会话。你可以通过确保将名称`FindByUsernameSessionRepository.PRINCIPAL_NAME_INDEX_NAME`的会话属性填充为用户名来做到这一点。
一般来说,你可以在用户进行身份验证后立即使用以下代码来完成此操作:
...
...
@@ -103,7 +103,7 @@ public void doFilterInternal(HttpServletRequest request, HttpServletResponse res
在使用 Spring 会话之前,你必须更新你的依赖关系。我们假设你正在使用一个有效的启动 Web 应用程序。如果使用 Maven,则必须添加以下依赖项:
在使用 Spring Session 之前,你必须更新你的依赖关系。我们假设你正在使用一个有效的启动 Web 应用程序。如果使用 Maven,则必须添加以下依赖项:
POM.xml
...
...
@@ -24,11 +24,11 @@ POM.xml
</dependencies>
```
Spring 启动为 Spring 会话模块提供了依赖管理,因此不需要显式地声明依赖版本。
Spring 启动为 Spring Session 模块提供了依赖管理,因此不需要显式地声明依赖版本。
## [](#httpsession-jdbc-boot-spring-configuration) Spring 引导配置
在添加了所需的依赖项之后,我们就可以创建我们的 Spring 启动配置了。多亏了一流的自动配置支持,在关系数据库支持下设置 Spring 会话就像在`application.properties`中添加一个配置属性一样简单。下面的清单展示了如何做到这一点:
在添加了所需的依赖项之后,我们就可以创建我们的 Spring 启动配置了。多亏了一流的自动配置支持,在关系数据库支持下设置 Spring Session 就像在`application.properties`中添加一个配置属性一样简单。下面的清单展示了如何做到这一点:
SRC/主/资源/应用程序.properties
...
...
@@ -36,9 +36,9 @@ SRC/主/资源/应用程序.properties
spring.session.store-type=jdbc # Session store type.
```
如果在 Classpath 上存在单个 Spring 会话模块,则 Spring 引导将自动使用该存储实现。如果有多个实现,则必须选择要用来存储会话的 StoreType,如上面所示。
如果在 Classpath 上存在单个 Spring Session 模块,则 Spring 引导将自动使用该存储实现。如果有多个实现,则必须选择要用来存储会话的 StoreType,如上面所示。
在这种情况下, Spring boot 应用的配置相当于手动添加`@EnableJdbcHttpSession`注释。这将创建一个名为`springSessionRepositoryFilter`的 Spring Bean。 Bean 实现`Filter`。过滤器负责替换要由 Spring 会话支持的`HttpSession`实现。
在这种情况下, Spring boot 应用的配置相当于手动添加`@EnableJdbcHttpSession`注释。这将创建一个名为`springSessionRepositoryFilter`的 Spring Bean。 Bean 实现`Filter`。过滤器负责替换要由 Spring Session 支持的`HttpSession`实现。
我们的[Spring Boot Configuration](#httpsession-jdbc-boot-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring 会话支持的自定义实现替换`HttpSession`。
我们的[Spring Boot Configuration](#httpsession-jdbc-boot-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring Session 支持的自定义实现替换`HttpSession`。
为了让我们的`Filter`发挥其魔力, Spring 需要加载我们的`Config`类。最后,我们需要确保我们的 Servlet 容器(即 Tomcat)为每个请求使用我们的`springSessionRepositoryFilter`。幸运的是,Boot 为我们解决了这两个步骤。
我们的[Spring Configuration](#boot-mongo-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring 会话支持的自定义实现替换`HttpSession`。
我们的[Spring Configuration](#boot-mongo-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring Session 支持的自定义实现替换`HttpSession`。
为了让我们的`Filter`发挥其魔力, Spring 需要加载我们的`Config`类。最后,我们需要确保我们的 Servlet 容器(即 Tomcat)对每个请求使用我们的`springSessionRepositoryFilter`。幸运的是,Boot 为我们解决了这两个步骤。
## [](#mongo-sample)MongoDB 示例应用程序
MongoDB 示例应用程序演示了如何在使用 Spring 引导时使用 Spring 会话透明地利用 MongoDB 来支持 Web 应用程序的`HttpSession`。
MongoDB 示例应用程序演示了如何在使用 Spring 引导时使用 Spring Session 透明地利用 MongoDB 来支持 Web 应用程序的`HttpSession`。
在使用 Spring 会话之前,你必须确保你的依赖关系。我们假设你正在使用一个有效的启动 Web 应用程序。如果正在使用 Maven,则必须添加以下依赖项:
在使用 Spring Session 之前,你必须确保你的依赖关系。我们假设你正在使用一个有效的启动 Web 应用程序。如果正在使用 Maven,则必须添加以下依赖项:
POM.xml
...
...
@@ -24,11 +24,11 @@ POM.xml
</dependencies>
```
Spring 启动为 Spring 会话模块提供了依赖管理,因此不需要显式声明依赖版本。
Spring 启动为 Spring Session 模块提供了依赖管理,因此不需要显式声明依赖版本。
## [](#boot-spring-configuration) Spring 引导配置
在添加了所需的依赖项之后,我们就可以创建我们的 Spring 启动配置了。多亏了一流的自动配置支持,由 Redis 支持的设置 Spring 会话非常简单,只需向你的`application.properties`添加一个配置属性,如以下清单所示:
在添加了所需的依赖项之后,我们就可以创建我们的 Spring 启动配置了。多亏了一流的自动配置支持,由 Redis 支持的设置 Spring Session 非常简单,只需向你的`application.properties`添加一个配置属性,如以下清单所示:
SRC/主/资源/应用程序.properties
...
...
@@ -36,7 +36,7 @@ SRC/主/资源/应用程序.properties
spring.session.store-type=redis # Session store type.
```
在这种情况下, Spring boot 应用的配置相当于手动添加`@EnableRedisHttpSession`注释。这将创建一个名为`springSessionRepositoryFilter`的 Spring Bean,实现`Filter`。过滤器负责替换要由 Spring 会话支持的`HttpSession`实现。
在这种情况下, Spring boot 应用的配置相当于手动添加`@EnableRedisHttpSession`注释。这将创建一个名为`springSessionRepositoryFilter`的 Spring Bean,实现`Filter`。过滤器负责替换要由 Spring Session 支持的`HttpSession`实现。
使用`application.properties`还可以进行进一步的定制,如以下清单所示:
...
...
@@ -52,7 +52,7 @@ spring.session.redis.namespace=spring:session # Namespace for keys used to store
## [](#boot-redis-configuration)配置 Redis 连接
Spring 启动会自动创建一个`RedisConnectionFactory`,它将 Spring 会话连接到端口 6379(默认端口)上本地主机上的 Redis 服务器。在生产环境中,你需要更新配置以指向 Redis 服务器。例如,你可以在应用程序中包含以下内容:
Spring 启动会自动创建一个`RedisConnectionFactory`,它将 Spring Session 连接到端口 6379(默认端口)上本地主机上的 Redis 服务器。在生产环境中,你需要更新配置以指向 Redis 服务器。例如,你可以在应用程序中包含以下内容:
SRC/主/资源/应用程序.properties
...
...
@@ -66,13 +66,13 @@ spring.redis.port=6379 # Redis server port.
## [](#boot-servlet-configuration) Servlet 容器初始化
我们的[Spring Boot Configuration](#boot-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring 会话支持的自定义实现替换`HttpSession`。
我们的[Spring Boot Configuration](#boot-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring Session 支持的自定义实现替换`HttpSession`。
为了使我们的`Filter`发挥其魔力, Spring 需要加载我们的`Config`类。最后,我们需要确保我们的 Servlet 容器(即 Tomcat)为每个请求使用我们的`springSessionRepositoryFilter`。幸运的是,Boot 为我们解决了这两个步骤。
## [](#boot-sample)引导示例应用程序
引导示例应用程序演示了如何在使用 Spring 引导时使用 Spring 会话透明地利用 Redis 来支持 Web 应用程序的`HttpSession`。
引导示例应用程序演示了如何在使用 Spring 引导时使用 Spring Session 透明地利用 Redis 来支持 Web 应用程序的`HttpSession`。
## [](#webflux-custom-cookie-spring-configuration) Spring 引导配置
一旦设置了 Spring 会话,就可以通过将`WebSessionIdResolver`公开为 Spring Bean 来自定义会话 cookie 的编写方式。 Spring 默认情况下,会话使用`CookieWebSessionIdResolver`。在使用`@EnableRedisHttpSession`之类的配置时,将`WebSessionIdResolver`公开为 Spring Bean 会增强现有的配置。下面的示例展示了如何自定义 Spring 会话的 cookie:
一旦设置了 Spring Session ,就可以通过将`WebSessionIdResolver`公开为 Spring Bean 来自定义会话 cookie 的编写方式。 Spring 默认情况下,会话使用`CookieWebSessionIdResolver`。在使用`@EnableRedisHttpSession`之类的配置时,将`WebSessionIdResolver`公开为 Spring Bean 会增强现有的配置。下面的示例展示了如何自定义 Spring Session 的 cookie:
*`WebSocketConnectHandlerDecoratorFactory`作为`WebSocketHandlerDecoratorFactory`添加到`WebSocketTransportRegistration`。这确保了一个包含`WebSocketSession`的自定义`SessionConnectEvent`被触发。当 Spring 会话结束时,要结束任何仍处于打开状态的 WebSocket 连接,`WebSocketSession`是必需的。
*`WebSocketConnectHandlerDecoratorFactory`作为`WebSocketHandlerDecoratorFactory`添加到`WebSocketTransportRegistration`。这确保了一个包含`WebSocketSession`的自定义`SessionConnectEvent`被触发。当 Spring Session 结束时,要结束任何仍处于打开状态的 WebSocket 连接,`WebSocketSession`是必需的。
|**2**| We create a new `Session` by using our `SessionRepository` and assign it to a variable of type `S`. |
|**3**| We interact with the `Session`. In our example, we demonstrate saving a `User` to the `Session`. |
|**4**|We now save the `Session`. This is why we needed the generic type `S`. The `SessionRepository` only allows saving `Session` instances that were created or retrieved by using the same `SessionRepository`. This allows for the `SessionRepository` to make implementation specific optimizations (that is, writing only attributes that have changed).|
|**5**| We retrieve the `Session` from the `SessionRepository`. |
|**6**| We obtain the persisted `User` from our `Session` without the need for explicitly casting our attribute. |
The `Session` API also provides attributes related to the `Session` instance’s expiration.
Typical usage might look like the following listing:
```
public class ExpiringRepositoryDemo<S extends Session> {
|**2**| We create a new `Session` by using our `SessionRepository` and assign it to a variable of type `S`. |
|**3**| We interact with the `Session`.<br/>In our example, we demonstrate updating the amount of time the `Session` can be inactive before it expires. |
|**4**|We now save the `Session`.<br/>This is why we needed the generic type, `S`.<br/>The `SessionRepository` allows saving only `Session` instances that were created or retrieved using the same `SessionRepository`.<br/>This allows for the `SessionRepository` to make implementation specific optimizations (that is, writing only attributes that have changed).<br/>The last accessed time is automatically updated when the `Session` is saved.|
|**5**| We retrieve the `Session` from the `SessionRepository`.<br/>If the `Session` were expired, the result would be null. |
A `SessionRepository` is in charge of creating, retrieving, and persisting `Session` instances.
If possible, you should not interact directly with a `SessionRepository` or a `Session`.
Instead, developers should prefer interacting with `SessionRepository` and `Session` indirectly through the [`HttpSession`](http-session.html#httpsession) and [WebSocket](web-socket.html#websocket) integration.
Spring Session’s most basic API for using a `Session` is the `SessionRepository`.
This API is intentionally very simple, so that you can easily provide additional implementations with basic functionality.
Some `SessionRepository` implementations may also choose to implement `FindByIndexNameSessionRepository`.
For example, Spring’s Redis, JDBC, and Hazelcast support libraries all implement `FindByIndexNameSessionRepository`.
The `FindByIndexNameSessionRepository` provides a method to look up all the sessions with a given index name and index value.
As a common use case that is supported by all provided `FindByIndexNameSessionRepository` implementations, you can use a convenient method to look up all the sessions for a particular user.
This is done by ensuring that the session attribute with the name of `FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME` is populated with the username.
It is your responsibility to ensure that the attribute is populated, since Spring Session is not aware of the authentication mechanism being used.
An example of how to use this can be seen in the following listing:
| |Some implementations of `FindByIndexNameSessionRepository` provide hooks to automatically index other session attributes.<br/>For example, many implementations automatically ensure that the current Spring Security user name is indexed with the index name of `FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME`.|
A `ReactiveSessionRepository` is in charge of creating, retrieving, and persisting `Session` instances in a non-blocking and reactive manner.
If possible, you should not interact directly with a `ReactiveSessionRepository` or a `Session`.
Instead, you should prefer interacting with `ReactiveSessionRepository` and `Session` indirectly through the [WebSession](web-session.html#websession) integration.
You can add the `@EnableSpringHttpSession` annotation to a `@Configuration` class to expose the `SessionRepositoryFilter` as a bean named `springSessionRepositoryFilter`.
In order to use the annotation, you must provide a single `SessionRepository` bean.
The following example shows how to do so:
```
@EnableSpringHttpSession
@Configuration
public class SpringHttpSessionConfig {
@Bean
public MapSessionRepository sessionRepository() {
return new MapSessionRepository(new ConcurrentHashMap<>());
}
}
```
Note that no infrastructure for session expirations is configured for you.
This is because things such as session expiration are highly implementation-dependent.
This means that, if you need to clean up expired sessions, you are responsible for cleaning up the expired sessions.
You can add the `@EnableSpringWebSession` annotation to a `@Configuration` class to expose the `WebSessionManager` as a bean named `webSessionManager`.
To use the annotation, you must provide a single `ReactiveSessionRepository` bean.
The following example shows how to do so:
```
@EnableSpringWebSession
public class SpringWebSessionConfig {
@Bean
public ReactiveSessionRepository reactiveSessionRepository() {
return new ReactiveMapSessionRepository(new ConcurrentHashMap<>());
}
}
```
Note that no infrastructure for session expirations is configured for you.
This is because things such as session expiration are highly implementation-dependent.
This means that, if you require cleaning up expired sessions, you are responsible for cleaning up the expired sessions.
In a web environment, the simplest way to create a new `RedisIndexedSessionRepository` is to use `@EnableRedisHttpSession`.
You can find complete example usage in the [Samples and Guides (Start Here)](samples.html#samples).
You can use the following attributes to customize the configuration:
***maxInactiveIntervalInSeconds**: The amount of time before the session expires, in seconds.
***redisNamespace**: Allows configuring an application specific namespace for the sessions. Redis keys and channel IDs start with the prefix of `<redisNamespace>:`.
***flushMode**: Allows specifying when data is written to Redis. The default is only when `save` is invoked on `SessionRepository`.
A value of `FlushMode.IMMEDIATE` writes to Redis as soon as possible.
You can customize the serialization by creating a bean named `springSessionDefaultRedisSerializer` that implements `RedisSerializer<Object>`.
### [](#_redis_taskexecutor)Redis `TaskExecutor`
`RedisIndexedSessionRepository` is subscribed to receive events from Redis by using a `RedisMessageListenerContainer`.
You can customize the way those events are dispatched by creating a bean named `springSessionRedisTaskExecutor`, a bean `springSessionRedisSubscriptionExecutor`, or both.
You can find more details on configuring Redis task executors [here](https://docs.spring.io/spring-data-redis/docs/2.6.2/reference/html/#redis:pubsub:subscribe:containers).
Note that the expiration that is set to five minutes after the session actually expires.
This is necessary so that the value of the session can be accessed when the session expires.
An expiration is set on the session itself five minutes after it actually expires to ensure that it is cleaned up, but only after we perform any necessary processing.
| |The `SessionRepository.findById(String)` method ensures that no expired sessions are returned.<br/>This means that you need not check the expiration before using a session.|
Spring Session relies on the delete and expired [keyspace notifications](https://redis.io/topics/notifications) from Redis to fire a [`SessionDeletedEvent`](#api-redisindexedsessionrepository-sessiondestroyedevent) and a [`SessionExpiredEvent`](#api-redisindexedsessionrepository-sessiondestroyedevent), respectively.`SessionDeletedEvent` or `SessionExpiredEvent` ensure that resources associated with the `Session` are cleaned up.
For example, when you use Spring Session’s WebSocket support, the Redis expired or delete event triggers any WebSocket connections associated with the session to be closed.
Expiration is not tracked directly on the session key itself, since this would mean the session data would no longer be available. Instead, a special session expires key is used. In the preceding example, the expires key is as follows:
When a session expires key is deleted or expires, the keyspace notification triggers a lookup of the actual session, and a `SessionDestroyedEvent` is fired.
One problem with relying on Redis expiration exclusively is that, if the key has not been accessed, Redis makes no guarantee of when the expired event is fired.
Specifically, the background task that Redis uses to clean up expired keys is a low-priority task and may not trigger the key expiration.
For additional details, see the [Timing of Expired Events](https://redis.io/topics/notifications) section in the Redis documentation.
To circumvent the fact that expired events are not guaranteed to happen, we can ensure that each key is accessed when it is expected to expire.
This means that, if the TTL is expired on the key, Redis removes the key and fires the expired event when we try to access the key.
For this reason, each session expiration is also tracked to the nearest minute.
This lets a background task access the potentially expired sessions to ensure that Redis expired events are fired in a more deterministic fashion.
The background task then uses these mappings to explicitly request each key.
By accessing the key, rather than deleting it, we ensure that Redis deletes the key for us only if the TTL is expired.
| |We do not explicitly delete the keys, since, in some instances, there may be a race condition that incorrectly identifies a key as expired when it is not.<br/>Short of using distributed locks (which would kill our performance), there is no way to ensure the consistency of the expiration mapping.<br/>By simply accessing the key, we ensure that the key is only removed if the TTL on that key is expired.|
### [](#api-redisindexedsessionrepository-sessiondestroyedevent)`SessionDeletedEvent` and `SessionExpiredEvent`
`SessionDeletedEvent` and `SessionExpiredEvent` are both types of `SessionDestroyedEvent`.
`RedisIndexedSessionRepository` supports firing a `SessionDeletedEvent` when a `Session` is deleted or a `SessionExpiredEvent` when a `Session` expires.
This is necessary to ensure resources associated with the `Session` are properly cleaned up.
For example, when integrating with WebSockets, the `SessionDestroyedEvent` is in charge of closing any active WebSocket connections.
Firing `SessionDeletedEvent` or `SessionExpiredEvent` is made available through the `SessionMessageListener`, which listens to [Redis Keyspace events](https://redis.io/topics/notifications).
In order for this to work, Redis Keyspace events for Generic commands and Expired events needs to be enabled.
The following example shows how to do so:
```
redis-cli config set notify-keyspace-events Egx
```
If you use `@EnableRedisHttpSession`, managing the `SessionMessageListener` and enabling the necessary Redis Keyspace events is done automatically.
However, in a secured Redis enviornment, the config command is disabled.
This means that Spring Session cannot configure Redis Keyspace events for you.
To disable the automatic configuration, add `ConfigureRedisAction.NO_OP` as a bean.
For example, with Java configuration, you can use the following:
When a session is created, an event is sent to Redis with a channel ID of `spring:session:channel:created:33fdd1b6-b496-4b33-9f7d-df96679d32fe`,
where `33fdd1b6-b496-4b33-9f7d-df96679d32fe` is the session ID. The body of the event is the session that was created.
If registered as a `MessageListener` (the default), `RedisIndexedSessionRepository` then translates the Redis message into a `SessionCreatedEvent`.
### [](#api-redisindexedsessionrepository-cli)Viewing the Session in Redis
After [installing redis-cli](https://redis.io/topics/quickstart), you can inspect the values in Redis [using the redis-cli](https://redis.io/commands#hash).
For example, you can enter the following into a terminal:
In a web environment, the simplest way to create a new `ReactiveRedisSessionRepository` is to use `@EnableRedisWebSession`.
You can use the following attributes to customize the configuration:
***maxInactiveIntervalInSeconds**: The amount of time before the session expires, in seconds
***redisNamespace**: Allows configuring an application specific namespace for the sessions. Redis keys and channel IDs start with q prefix of `<redisNamespace>:`.
***flushMode**: Allows specifying when data is written to Redis. The default is only when `save` is invoked on `ReactiveSessionRepository`.
A value of `FlushMode.IMMEDIATE` writes to Redis as soon as possible.
The `Session` instances managed by `ReactiveRedisSessionRepository` keep track of the properties that have changed and updates only those.
This means that, if an attribute is written once and read many times, we need to write that attribute only once.
### [](#api-reactiveredissessionrepository-cli)Viewing the Session in Redis
After [installing redis-cli](https://redis.io/topics/quickstart), you can inspect the values in Redis [using the redis-cli](https://redis.io/commands#hash).
For example, you can enter the following command into a terminal window:
The following example shows how to create a new instance:
```
SessionRepository<? extends Session> repository = new MapSessionRepository(new ConcurrentHashMap<>());
```
### [](#api-mapsessionrepository-hazelcast)Using Spring Session and Hazlecast
The [Hazelcast Sample](samples.html#samples) is a complete application that demonstrates how to use Spring Session with Hazelcast.
To run it, use the following command:
```
./gradlew :samples:hazelcast:tomcatRun
```
The [Hazelcast Spring Sample](samples.html#samples) is a complete application that demonstrates how to use Spring Session with Hazelcast and Spring Security.
It includes example Hazelcast `MapListener` implementations that support firing `SessionCreatedEvent`, `SessionDeletedEvent`, and `SessionExpiredEvent`.
`JdbcIndexedSessionRepository` is a `SessionRepository` implementation that uses Spring’s `JdbcOperations` to store sessions in a relational database.
In a web environment, this is typically used in combination with `SessionRepositoryFilter`.
Note that this implementation does not support publishing of session events.
### [](#api-jdbcindexedsessionrepository-new)Instantiating a `JdbcIndexedSessionRepository`
The following example shows how to create a new instance:
```
JdbcTemplate jdbcTemplate = new JdbcTemplate();
// ... configure jdbcTemplate ...
TransactionTemplate transactionTemplate = new TransactionTemplate();
// ... configure transactionTemplate ...
SessionRepository<? extends Session> repository = new JdbcIndexedSessionRepository(jdbcTemplate,
transactionTemplate);
```
For additional information on how to create and configure `JdbcTemplate` and `PlatformTransactionManager`, see the [Spring Framework Reference Documentation](https://docs.spring.io/spring/docs/5.3.16/spring-framework-reference/data-access.html).
In a web environment, the simplest way to create a new `JdbcIndexedSessionRepository` is to use `@EnableJdbcHttpSession`.
You can find complete example usage in the [Samples and Guides (Start Here)](samples.html#samples)You can use the following attributes to customize the configuration:
***tableName**: The name of database table used by Spring Session to store sessions
***maxInactiveIntervalInSeconds**: The amount of time before the session will expire in seconds
You can customize the default serialization and deserialization of the session by providing a `ConversionService` instance.
When working in a typical Spring environment, the default `ConversionService` bean (named `conversionService`) is automatically picked up and used for serialization and deserialization.
However, you can override the default `ConversionService` by providing a bean named `springSessionConversionService`.
By default, this implementation uses `SPRING_SESSION` and `SPRING_SESSION_ATTRIBUTES` tables to store sessions.
Note that you can customize the table name, as already described. In that case, the table used to store attributes is named by using the provided table name suffixed with `_ATTRIBUTES`.
If further customizations are needed, you can customize the SQL queries used by the repository by using `set*Query` setter methods. In this case, you need to manually configure the `sessionRepository` bean.
Due to the differences between the various database vendors, especially when it comes to storing binary data, make sure to use SQL scripts specific to your database.
Scripts for most major database vendors are packaged as `org/springframework/session/jdbc/schema-*.sql`, where `*` is the target database type.
For example, with PostgreSQL, you can use the following schema script:
All JDBC operations in `JdbcIndexedSessionRepository` are performed in a transactional manner.
Transactions are performed with propagation set to `REQUIRES_NEW` in order to avoid unexpected behavior due to interference with existing transactions (for example, running a `save` operation in a thread that already participates in a read-only transaction).
HazelcastIndexedSessionRepository repository = new HazelcastIndexedSessionRepository(hazelcastInstance);
```
For additional information on how to create and configure Hazelcast instance, see the [Hazelcast documentation](https://docs.hazelcast.org/docs/3.12.12/manual/html-single/index.html#hazelcast-configuration).
To use [Hazelcast](https://hazelcast.org/) as your backing source for the `SessionRepository`, you can add the `@EnableHazelcastHttpSession` annotation to a `@Configuration` class.
Doing so extends the functionality provided by the `@EnableSpringHttpSession` annotation but makes the `SessionRepository` for you in Hazelcast.
You must provide a single `HazelcastInstance` bean for the configuration to work.
You can find a complete configuration example in the [Samples and Guides (Start Here)](samples.html#samples).
Using a `MapListener` to respond to entries being added, evicted, and removed from the distributed `Map` causes these events to trigger publishing of `SessionCreatedEvent`, `SessionExpiredEvent`, and `SessionDeletedEvent` events (respectively) through the `ApplicationEventPublisher`.
Sessions are stored in a distributed `IMap` in Hazelcast.
The `IMap` interface methods are used to `get()` and `put()` Sessions.
Additionally, the `values()` method supports a `FindByIndexNameSessionRepository#findByIndexNameAndIndexValue` operation, together with appropriate `ValueExtractor` (which needs to be registered with Hazelcast). See the [ Hazelcast Spring Sample](samples.html#samples) for more details on this configuration.
The expiration of a session in the `IMap` is handled by Hazelcast’s support for setting the time to live on an entry when it is `put()` into the `IMap`. Entries (sessions) that have been idle longer than the time to live are automatically removed from the `IMap`.
You should not need to configure any settings such as `max-idle-seconds` or `time-to-live-seconds` for the `IMap` within the Hazelcast configuration.
Note that if you use Hazelcast’s `MapStore` to persist your sessions `IMap`, the following limitations apply when reloading the sessions from `MapStore`:
* Reloading triggers `EntryAddedListener` results in `SessionCreatedEvent` being re-published
* Reloading uses default TTL for a given `IMap` results in sessions losing their original TTL
|**2**| We customize the path of the cookie to be `/` (rather than the default of the context root). |
|**3**|We customize the domain name pattern (a regular expression) to be `^.+?\\.(\\w+\\.[a-z]+)$`.<br/>This allows sharing a session across domains and applications.<br/>If the regular expression does not match, no domain is set and the existing domain is used.<br/>If the regular expression matches, the first [grouping](https://docs.oracle.com/javase/tutorial/essential/regex/groups.html) is used as the domain.<br/>This means that a request to [https://child.example.com](https://child.example.com) sets the domain to `example.com`.<br/>However, a request to [http://localhost:8080/](http://localhost:8080/) or [https://192.168.1.100:8080/](https://192.168.1.100:8080/) leaves the cookie unset and, thus, still works in development without any changes being necessary for production.|
| |You should only match on valid domain characters, since the domain name is reflected in the response.<br/>Doing so prevents a malicious user from performing such attacks as [HTTP Response Splitting](https://en.wikipedia.org/wiki/HTTP_response_splitting).|
You can customize how the session cookie is written by using any of the following configuration options on the `DefaultCookieSerializer`.
*`cookieName`: The name of the cookie to use.
Default: `SESSION`.
*`useSecureCookie`: Specifies whether a secure cookie should be used.
Default: Use the value of `HttpServletRequest.isSecure()` at the time of creation.
*`cookiePath`: The path of the cookie.
Default: The context root.
*`cookieMaxAge`: Specifies the max age of the cookie to be set at the time the session is created.
Default: `-1`, which indicates the cookie should be removed when the browser is closed.
*`jvmRoute`: Specifies a suffix to be appended to the session ID and included in the cookie.
Used to identify which JVM to route to for session affinity.
With some implementations (that is, Redis) this option provides no performance benefit.
However, it can help with tracing logs of a particular user.
*`domainName`: Allows specifying a specific domain name to be used for the cookie.
This option is simple to understand but often requires a different configuration between development and production environments.
See `domainNamePattern` as an alternative.
*`domainNamePattern`: A case-insensitive pattern used to extract the domain name from the `HttpServletRequest#getServerName()`.
The pattern should provide a single grouping that is used to extract the value of the cookie domain.
If the regular expression does not match, no domain is set and the existing domain is used.
If the regular expression matches, the first [grouping](https://docs.oracle.com/javase/tutorial/essential/regex/groups.html) is used as the domain.
*`sameSite`: The value for the `SameSite` cookie directive.
To disable the serialization of the `SameSite` cookie directive, you may set this value to `null`.
Default: `Lax`
| |You should only match on valid domain characters, since the domain name is reflected in the response.<br/>Doing so prevents a malicious user from performing such attacks as [HTTP Response Splitting](https://en.wikipedia.org/wiki/HTTP_response_splitting).|
Implementing a custom [`SessionRepository`](#api-sessionrepository) API should be a fairly straightforward task.
Coupling the custom implementation with [`@EnableSpringHttpSession`](#api-enablespringhttpsession) support lets you reuse existing Spring Session configuration facilities and infrastructure.
There are, however, a couple of aspects that deserve closer consideration.
During the lifecycle of an HTTP request, the `HttpSession` is typically persisted to `SessionRepository` twice.
The first persist operation is to ensure that the session is available to the client as soon as the client has access to the session ID, and it is also necessary to write after the session is committed because further modifications to the session might be made.
Having this in mind, we generally recommend that a `SessionRepository` implementation keep track of changes to ensure that only deltas are saved.
This is particularly important in highly concurrent environments, where multiple requests operate on the same `HttpSession` and, therefore, cause race conditions, with requests overriding each other’s changes to session attributes.
All of the `SessionRepository` implementations provided by Spring Session use the described approach to persist session changes and can be used for guidance when you implement custom `SessionRepository`.
Note that the same recommendations apply for implementing a custom [`ReactiveSessionRepository`](#api-reactivesessionrepository) as well.
In this case, you should use the [`@EnableSpringWebSession`](#api-enablespringwebsession).
To look up a user by their username, you must first choose a `SessionRepository` that implements [`FindByIndexNameSessionRepository`](../#api-findbyindexnamesessionrepository).
Our sample application assumes that the Redis support is already set up, so we are ready to go.
## [](#_mapping_the_user_name)Mapping the User Name
`FindByIndexNameSessionRepository` can find a session only by the user name if the developer instructs Spring Session what user is associated with the `Session`.
You can do so by ensuring that the session attribute with the name `FindByUsernameSessionRepository.PRINCIPAL_NAME_INDEX_NAME` is populated with the username.
Generally speaking, you can do so with the following code immediately after the user authenticates:
We obtain the information we want and then set the `SessionDetails` as an attribute in the `Session`.
When we retrieve the `Session` by user name, we can then use the session to access our `SessionDetails` as we would any other session attribute.
| |You might wonder why Spring Session does not provide `SessionDetails` functionality out of the box.<br/>We have two reasons.<br/>The first reason is that it is very trivial for applications to implement this themselves.<br/>The second reason is that the information that is populated in the session (and how frequently that information is updated) is highly application-dependent.|
This section describes how to use the `findbyusername` sample application.
### [](#_running_the_findbyusername_sample_application)Running the `findbyusername` Sample Application
You can run the sample by obtaining the [source code](https://github.com/spring-projects/spring-session/archive/main.zip) and invoking the following command:
| |For the sample to work, you must [install Redis 2.8+](https://redis.io/download) on localhost and run it with the default port (6379).<br/>Alternatively, you can update the `RedisConnectionFactory` to point to a Redis server.<br/>Another option is to use [Docker](https://www.docker.com/) to run Redis on localhost.<br/>See [Docker Redis repository](https://hub.docker.com/_/redis/) for detailed instructions.|
This guide describes how to use Spring Session to transparently leverage a relational database to back a web application’s `HttpSession` when you use Spring Boot.
| |You can find the completed guide in the [httpsession-jdbc-boot sample application](#httpsession-jdbc-boot-sample).|
After adding the required dependencies, we can create our Spring Boot configuration.
Thanks to first-class auto configuration support, setting up Spring Session backed by a relational database is as simple as adding a single configuration property to your `application.properties`.
The following listing shows how to do so:
src/main/resources/application.properties
```
spring.session.store-type=jdbc # Session store type.
```
If a single Spring Session module is present on the classpath, Spring Boot uses that store implementation automatically.
If you have more than one implementation, you must choose the StoreType that you wish to use to store the sessions, as shows above.
Under the hood, Spring Boot applies configuration that is equivalent to manually adding the `@EnableJdbcHttpSession` annotation.
This creates a Spring bean with the name of `springSessionRepositoryFilter`. That bean implements `Filter`.
The filter is in charge of replacing the `HttpSession` implementation to be backed by Spring Session.
You can further customize by using `application.properties`.
The following listing shows how to do so:
src/main/resources/application.properties
```
server.servlet.session.timeout= # Session timeout. If a duration suffix is not specified, seconds are used.
spring.session.jdbc.schema=classpath:org/springframework/session/jdbc/[email protected]@[email protected]@.sql # Path to the SQL file to use to initialize the database schema.
spring.session.jdbc.table-name=SPRING_SESSION # Name of the database table used to store sessions.
```
For more information, see the [Spring Session](https://docs.spring.io/spring-boot/docs/2.5.6/reference/htmlsingle/#boot-features-session) portion of the Spring Boot documentation.
## [](#httpsession-jdbc-boot-configuration)Configuring the `DataSource`
Spring Boot automatically creates a `DataSource` that connects Spring Session to an embedded instance of an H2 database.
In a production environment, you need to update your configuration to point to your relational database.
For example, you can include the following in your application.properties:
src/main/resources/application.properties
```
spring.datasource.url= # JDBC URL of the database.
spring.datasource.username= # Login username of the database.
spring.datasource.password= # Login password of the database.
```
For more information, see the [Configure a DataSource](https://docs.spring.io/spring-boot/docs/2.5.6/reference/htmlsingle/#boot-features-configure-datasource) portion of the Spring Boot documentation.
Our [Spring Boot Configuration](#httpsession-jdbc-boot-spring-configuration) created a Spring bean named `springSessionRepositoryFilter` that implements `Filter`.
The `springSessionRepositoryFilter` bean is responsible for replacing the `HttpSession` with a custom implementation that is backed by Spring Session.
In order for our `Filter` to do its magic, Spring needs to load our `Config` class.
Last, we need to ensure that our Servlet Container (that is, Tomcat) uses our `springSessionRepositoryFilter` for every request.
Fortunately, Spring Boot takes care of both of these steps for us.
The httpsession-jdbc-boot Sample Application demonstrates how to use Spring Session to transparently leverage an H2 database to back a web application’s `HttpSession` when you use Spring Boot.
### [](#httpsession-jdbc-boot-running)Running the `httpsession-jdbc-boot` Sample Application
You can run the sample by obtaining the [source code](https://github.com/spring-projects/spring-session/archive/main.zip) and invoking the following command:
You should now be able to access the application at [http://localhost:8080/](http://localhost:8080/)
### [](#httpsession-jdbc-boot-explore)Exploring the Security Sample Application
You can now try using the application.
To do so, enter the following to log in:
***Username***user*
***Password***password*
Now click the **Login** button.
You should now see a message indicating that your are logged in with the user entered previously.
The user’s information is stored in the H2 database rather than Tomcat’s `HttpSession` implementation.
### [](#httpsession-jdbc-boot-how)How Does It Work?
Instead of using Tomcat’s `HttpSession`, we persist the values in the H2 database.
Spring Session replaces the `HttpSession` with an implementation that is backed by a relational database.
When Spring Security’s `SecurityContextPersistenceFilter` saves the `SecurityContext` to the `HttpSession`, it is then persisted into the H2 database.
When a new `HttpSession` is created, Spring Session creates a cookie named `SESSION` in your browser. That cookie contains the ID of your session.
You can view the cookies (with [Chrome](https://developers.google.com/web/tools/chrome-devtools/manage-data/cookies) or [Firefox](https://developer.mozilla.org/en-US/docs/Tools/Storage_Inspector)).
You can remove the session by using the H2 web console available at: [http://localhost:8080/h2-console/](http://localhost:8080/h2-console/)(use`jdbc:h2:mem:testdb` for JDBC URL).
Now you can visit the application at [http://localhost:8080/](http://localhost:8080/) and see that we are no longer authenticated.
After adding the required dependencies, we can create our Spring configuration.
The Spring configuration is responsible for creating a Servlet Filter that replaces the `HttpSession` implementation with an implementation backed by Spring Session.
All you have to do is to add the following Spring Configuration:
```
@EnableMongoHttpSession (1)
public class HttpSessionConfig {
@Bean
public JdkMongoSessionConverter jdkMongoSessionConverter() {
return new JdkMongoSessionConverter(Duration.ofMinutes(30)); (2)
}
}
```
|**1**|The `@EnableMongoHttpSession` annotation creates a Spring Bean with the name of `springSessionRepositoryFilter` that implements Filter.<br/>This filter is what replaces the default `HttpSession` with the MongoDB-backed bean.|
|**2**| Configures the session timeout to 30 minutes. |
## [](#boot-mongo-configuration)Configuring the MongoDB Connection
Spring Boot automatically creates a `MongoClient` that connects Spring Session to a MongoDB Server on localhost on port 27017 (default port).
In a production environment you need to ensure to update your configuration to point to your MongoDB server.
For example, you can include the following in your **application.properties**
src/main/resources/application.properties
```
spring.data.mongodb.host=mongo-srv
spring.data.mongodb.port=27018
spring.data.mongodb.database=prod
```
For more information, refer to [Connecting to MongoDB](https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#boot-features-connecting-to-mongodb) portion of the Spring Boot documentation.
Our [Spring Configuration](#boot-mongo-configuration) created a Spring Bean named `springSessionRepositoryFilter` that implements `Filter`.
The `springSessionRepositoryFilter` bean is responsible for replacing the `HttpSession` with a custom implementation that is backed by Spring Session.
In order for our `Filter` to do its magic, Spring needs to load our `Config` class.
Last we need to ensure that our Servlet Container (i.e. Tomcat) uses our `springSessionRepositoryFilter` for every request.
Fortunately, Spring Boot takes care of both of these steps for us.
## [](#mongo-sample)MongoDB Sample Application
The MongoDB Sample Application demonstrates how to use Spring Session to transparently leverage MongoDB to back a web application’s `HttpSession` when using Spring Boot.
### [](#mongo-running)Running the MongoDB Sample Application
You can run the sample by obtaining the [source code](https://github.com/spring-projects/spring-session/archive/main.zip) and invoking the following command:
```
$ ./gradlew :samples:mongo:bootRun
```
You should now be able to access the application at [http://localhost:8080/](http://localhost:8080/)
### [](#boot-explore)Exploring the security Sample Application
Try using the application. Enter the following to log in:
***Username***user*
***Password***password*
Now click the **Login** button.
You should now see a message indicating your are logged in with the user entered previously.
The user’s information is stored in MongoDB rather than Tomcat’s `HttpSession` implementation.
### [](#mongo-how)How does it work?
Instead of using Tomcat’s `HttpSession`, we are actually persisting the values in Mongo.
Spring Session replaces the `HttpSession` with an implementation that is backed by Mongo.
When Spring Security’s `SecurityContextPersistenceFilter` saves the `SecurityContext` to the `HttpSession` it is then persisted into Mongo.
When a new `HttpSession` is created, Spring Session creates a cookie named SESSION in your browser that contains the id of your session.
Go ahead and view the cookies (click for help with [Chrome](https://developer.chrome.com/devtools/docs/resources#cookies) or [Firefox](https://getfirebug.com/wiki/index.php/Cookies_Panel#Cookies_List)).
If you like, you can easily inspect the session using mongo client. For example, on a Linux based system you can type:
| |The sample application uses an embedded MongoDB instance that listens on a randomly allocated port.<br/>The port used by embedded MongoDB together with exact command to connect to it is logged during application startup.|
Alternatively, you can also delete the explicit key. Enter the following into your terminal ensuring to replace `60f17293-839b-477c-bb92-07a9c3658843` with the value of your SESSION cookie:
After adding the required dependencies, we can create our Spring Boot configuration.
Thanks to first-class auto configuration support, setting up Spring Session backed by Redis is as simple as adding a single configuration property to your `application.properties`, as the following listing shows:
src/main/resources/application.properties
```
spring.session.store-type=redis # Session store type.
```
Under the hood, Spring Boot applies configuration that is equivalent to manually adding `@EnableRedisHttpSession` annotation.
This creates a Spring bean with the name of `springSessionRepositoryFilter` that implements `Filter`.
The filter is in charge of replacing the `HttpSession` implementation to be backed by Spring Session.
Further customization is possible by using `application.properties`, as the following listing shows:
src/main/resources/application.properties
```
server.servlet.session.timeout= # Session timeout. If a duration suffix is not specified, seconds is used.
spring.session.redis.namespace=spring:session # Namespace for keys used to store sessions.
```
For more information, see the [Spring Session](https://docs.spring.io/spring-boot/docs/2.5.6/reference/htmlsingle/#boot-features-session) portion of the Spring Boot documentation.
## [](#boot-redis-configuration)Configuring the Redis Connection
Spring Boot automatically creates a `RedisConnectionFactory` that connects Spring Session to a Redis Server on localhost on port 6379 (default port).
In a production environment, you need to update your configuration to point to your Redis server.
For example, you can include the following in your application.properties:
src/main/resources/application.properties
```
spring.redis.host=localhost # Redis server host.
spring.redis.password= # Login password of the redis server.
spring.redis.port=6379 # Redis server port.
```
For more information, see the [Connecting to Redis](https://docs.spring.io/spring-boot/docs/2.5.6/reference/htmlsingle/#boot-features-connecting-to-redis) portion of the Spring Boot documentation.
Our [Spring Boot Configuration](#boot-spring-configuration) created a Spring bean named `springSessionRepositoryFilter` that implements `Filter`.
The `springSessionRepositoryFilter` bean is responsible for replacing the `HttpSession` with a custom implementation that is backed by Spring Session.
In order for our `Filter` to do its magic, Spring needs to load our `Config` class.
Last, we need to ensure that our servlet container (that is, Tomcat) uses our `springSessionRepositoryFilter` for every request.
Fortunately, Spring Boot takes care of both of these steps for us.
## [](#boot-sample)Boot Sample Application
The Boot Sample Application demonstrates how to use Spring Session to transparently leverage Redis to back a web application’s `HttpSession` when you use Spring Boot.
### [](#boot-running)Running the Boot Sample Application
You can run the sample by obtaining the [source code](https://github.com/spring-projects/spring-session/archive/main.zip) and invoking the following command:
| |For the sample to work, you must [install Redis 2.8+](https://redis.io/download) on localhost and run it with the default port (6379).<br/>Alternatively, you can update the `RedisConnectionFactory` to point to a Redis server.<br/>Another option is to use [Docker](https://www.docker.com/) to run Redis on localhost. See [Docker Redis repository](https://hub.docker.com/_/redis/) for detailed instructions.|
You should now be able to access the application at [http://localhost:8080/](http://localhost:8080/)
### [](#boot-explore)Exploring the `security` Sample Application
Now you can try using the application. Enter the following to log in:
***Username***user*
***Password***password*
Now click the **Login** button.
You should now see a message indicating your are logged in with the user entered previously.
The user’s information is stored in Redis rather than Tomcat’s `HttpSession` implementation.
### [](#boot-how)How Does It Work?
Instead of using Tomcat’s `HttpSession`, we persist the values in Redis.
Spring Session replaces the `HttpSession` with an implementation that is backed by Redis.
When Spring Security’s `SecurityContextPersistenceFilter` saves the `SecurityContext` to the `HttpSession`, it is then persisted into Redis.
When a new `HttpSession` is created, Spring Session creates a cookie named `SESSION` in your browser.
That cookie contains the ID of your session.
You can view the cookies (with [Chrome](https://developers.google.com/web/tools/chrome-devtools/manage-data/cookies) or [Firefox](https://developer.mozilla.org/en-US/docs/Tools/Storage_Inspector)).
You can remove the session by using redis-cli.
For example, on a Linux based system you can type the following:
```
$ redis-cli keys '*' | xargs redis-cli del
```
| |The Redis documentation has instructions for [installing redis-cli](https://redis.io/topics/quickstart).|
Alternatively, you can also delete the explicit key.
To do so, enter the following into your terminal, being sure to replace `7e8383a4-082c-4ffe-a4bc-c40fd3363c5e` with the value of your `SESSION` cookie:
```
$ redis-cli del spring:session:sessions:7e8383a4-082c-4ffe-a4bc-c40fd3363c5e
```
Now you can visit the application at [http://localhost:8080/](http://localhost:8080/) and observe that we are no longer authenticated.
This guide describes how to configure Spring Session to use custom cookies in a WebFlux based application.
The guide assumes you have already set up Spring Session in your project using your chosen data store. For example, [HttpSession with Redis](./boot-redis.html).
| |You can find the completed guide in the [WebFlux Custom Cookie sample application](#webflux-custom-cookie-sample).|
This section describes how to work with the `webflux-custom-cookie` sample application.
### [](#_running_the_webflux_custom_cookie_sample_application)Running the `webflux-custom-cookie` Sample Application
You can run the sample by obtaining the [source code](https://github.com/spring-projects/spring-session/archive/main.zip) and invoking the following command:
| |For the sample to work, you must [install Redis 2.8+](https://redis.io/download) on localhost and run it with the default port (6379).<br/>Alternatively, you can update the `RedisConnectionFactory` to point to a Redis server.<br/>Another option is to use [Docker](https://www.docker.com/) to run Redis on localhost. See [Docker Redis repository](https://hub.docker.com/_/redis/) for detailed instructions.|
This guide describes how to use Spring Session to ensure that WebSocket messages keep your HttpSession alive.
| |Spring Session’s WebSocket support works only with Spring’s WebSocket support.<br/>Specifically,it does not work with using [JSR-356](https://www.jcp.org/en/jsr/detail?id=356) directly, because JSR-356 does not have a mechanism for intercepting incoming WebSocket messages.|
The first step is to integrate Spring Session with the HttpSession. These steps are already outlined in the [HttpSession with Redis Guide](./boot-redis.html).
Please make sure you have already integrated Spring Session with HttpSession before proceeding.
The `websocket` sample application demonstrates how to use Spring Session with WebSockets.
### [](#_running_the_websocket_sample_application)Running the `websocket` Sample Application
You can run the sample by obtaining the [source code](https://github.com/spring-projects/spring-session/archive/main.zip) and invoking the following command:
| |For the purposes of testing session expiration, you may want to change the session expiration to be 1 minute (the default is 30 minutes) by adding the following configuration property before starting the application:<br/><br/>src/main/resources/application.properties<br/><br/>```<br/>server.servlet.session.timeout=1m # Session timeout. If a duration suffix is not specified, seconds will be used.<br/>```|
| |For the sample to work, you must [install Redis 2.8+](https://redis.io/download) on localhost and run it with the default port (6379).<br/>Alternatively, you can update the `RedisConnectionFactory` to point to a Redis server.<br/>Another option is to use [Docker](https://www.docker.com/) to run Redis on localhost.<br/>See [Docker Redis repository](https://hub.docker.com/_/redis/) for detailed instructions.|
You should now be able to access the application at [http://localhost:8080/](http://localhost:8080/)
### [](#_exploring_the_websocket_sample_application)Exploring the `websocket` Sample Application
Now you can try using the application. Authenticate with the following information:
***Username***rob*
***Password***password*
Now click the **Login** button. You should now be authenticated as the user **rob**.
Open an incognito window and access [http://localhost:8080/](http://localhost:8080/)
You are prompted with a login form. Authenticate with the following information:
***Username***luke*
***Password***password*
Now send a message from rob to luke. The message should appear.
Wait for two minutes and try sending a message from rob to luke again.
You can see that the message is no longer sent.
| |Why two minutes?<br/><br/>Spring Session expires in 60 seconds, but the notification from Redis is not guaranteed to happen within 60 seconds.<br/>To ensure the socket is closed in a reasonable amount of time, Spring Session runs a background task every minute at 00 seconds that forcibly cleans up any expired sessions.<br/>This means you need to wait at most two minutes before the WebSocket connection is closed.|
You can now try accessing [http://localhost:8080/](http://localhost:8080/)You are prompted to authenticate again.
This demonstrates that the session properly expires.
Now repeat the same exercise, but instead of waiting two minutes, send a message from each of the users every 30 seconds.
You can see that the messages continue to be sent.
Try accessing [http://localhost:8080/](http://localhost:8080/)You are not prompted to authenticate again.
This demonstrates the session is kept alive.
| |Only messages sent from a user keep the session alive.<br/>This is because only messages coming from a user imply user activity.<br/>Received messages do not imply activity and, thus, do not renew the session expiration.|
Spring Session provides transparent integration with `HttpSession`.
This means that developers can switch the `HttpSession` implementation out with an implementation that is backed by Spring Session.
## [](#httpsession-why)Why Spring Session and `HttpSession`?
We have already mentioned that Spring Session provides transparent integration with `HttpSession`, but what benefits do we get out of this?
***Clustered Sessions**: Spring Session makes it trivial to support [clustered sessions](#httpsession-redis) without being tied to an application container specific solution.
***RESTful APIs**: Spring Session lets providing session IDs in headers work with [RESTful APIs](#httpsession-rest)
## [](#httpsession-redis)`HttpSession` with Redis
Using Spring Session with `HttpSession` is enabled by adding a Servlet Filter before anything that uses the `HttpSession`.
You can choose from enabling this by using either:
This section describes how to use Redis to back `HttpSession` by using Java based configuration.
| |The [ HttpSession Sample](samples.html#samples) provides a working sample of how to integrate Spring Session and `HttpSession` by using Java configuration.<br/>You can read the basic steps for integration in the next few sections, but we encourage you to follow along with the detailed HttpSession Guide when integrating with your own application.|
After adding the required dependencies, we can create our Spring configuration.
The Spring configuration is responsible for creating a servlet filter that replaces the `HttpSession` implementation with an implementation backed by Spring Session.
To do so, add the following Spring Configuration:
```
@EnableRedisHttpSession (1)
public class Config {
@Bean
public LettuceConnectionFactory connectionFactory() {
return new LettuceConnectionFactory(); (2)
}
}
```
|**1**| The `@EnableRedisHttpSession` annotation creates a Spring Bean with the name of `springSessionRepositoryFilter` that implements `Filter`.<br/>The filter is in charge of replacing the `HttpSession` implementation to be backed by Spring Session.<br/>In this instance, Spring Session is backed by Redis. |
|**2**|We create a `RedisConnectionFactory` that connects Spring Session to the Redis Server.<br/>We configure the connection to connect to localhost on the default port (6379).<br/>For more information on configuring Spring Data Redis, see the [reference documentation](https://docs.spring.io/spring-data/data-redis/docs/2.6.2/reference/html/).|
|**1**|The first step is to extend `AbstractHttpSessionApplicationInitializer`.<br/>Doing so ensures that the Spring Bean by the name of `springSessionRepositoryFilter` is registered with our Servlet Container for every request.|
This section describes how to use Redis to back `HttpSession` by using XML based configuration.
| |The [ HttpSession XML Sample](samples.html#samples) provides a working sample of how to integrate Spring Session and `HttpSession` using XML configuration.<br/>You can read the basic steps for integration in the next few sections, but we encourage you to follow along with the detailed HttpSession XML Guide when integrating with your own application.|
#### [](#httpsession-xml-spring-configuration)Spring XML Configuration
After adding the required dependencies, we can create our Spring configuration.
The Spring configuration is responsible for creating a servlet filter that replaces the `HttpSession` implementation with an implementation backed by Spring Session.
|**1**|We use the combination of `<context:annotation-config/>` and `RedisHttpSessionConfiguration` because Spring Session does not yet provide XML Namespace support (see [gh-104](https://github.com/spring-projects/spring-session/issues/104)).<br/>This creates a Spring Bean with the name of `springSessionRepositoryFilter` that implements `Filter`.<br/>The filter is in charge of replacing the `HttpSession` implementation to be backed by Spring Session.<br/>In this instance, Spring Session is backed by Redis.|
|**2**| We create a `RedisConnectionFactory` that connects Spring Session to the Redis Server.<br/>We configure the connection to connect to localhost on the default port (6379)<br/>For more information on configuring Spring Data Redis, see the [reference documentation](https://docs.spring.io/spring-data/data-redis/docs/2.6.2/reference/html/). |
Our [Spring Configuration](#httpsession-xml-spring-configuration) created a Spring Bean named `springSessionRepositoryFilter` that implements `Filter`.
The `springSessionRepositoryFilter` bean is responsible for replacing the `HttpSession` with a custom implementation that is backed by Spring Session.
In order for our `Filter` to do its magic, we need to instruct Spring to load our `session.xml` configuration.
The [`ContextLoaderListener`](https://docs.spring.io/spring/docs/5.3.16/spring-framework-reference/core.html#context-create) reads the contextConfigLocation and picks up our session.xml configuration.
Last, we need to ensure that our Servlet Container (that is, Tomcat) uses our `springSessionRepositoryFilter` for every request.
The following snippet performs this last step for us:
The [`DelegatingFilterProxy`](https://docs.spring.io/spring-framework/docs/5.3.16/javadoc-api/org/springframework/web/filter/DelegatingFilterProxy.html) looks up a Bean by the name of `springSessionRepositoryFilter` and cast it to a `Filter`.
For every request that `DelegatingFilterProxy` is invoked, the `springSessionRepositoryFilter` is invoked.
### [](#httpsession-mongo)HttpSession with Mongo
Using Spring Session with `HttpSession` is enabled by adding a Servlet Filter before anything that uses the `HttpSession`.
This section describes how to use Mongo to back `HttpSession` using Java based configuration.
| |The [HttpSession Mongo Sample](#samples) provides a working sample on how to integrate Spring Session and `HttpSession` using Java configuration.<br/>You can read the basic steps for integration below, but you are encouraged to follow along with the detailed HttpSession Guide when integrating with your own application.|
All you have to do is to add the following Spring Configuration:
```
@EnableMongoHttpSession (1)
public class HttpSessionConfig {
@Bean
public JdkMongoSessionConverter jdkMongoSessionConverter() {
return new JdkMongoSessionConverter(Duration.ofMinutes(30)); (2)
}
}
```
|**1**|The `@EnableMongoHttpSession` annotation creates a Spring Bean with the name of `springSessionRepositoryFilter` that implements Filter.<br/>This filter is what replaces the default `HttpSession` with the MongoDB-backed bean.|
…you are able to switch from the default (JDK-based serialization) to using Jackson.
| |If you are integrating with Spring Security (by storing your sessions in MongoDB), this configuration will<br/>register the proper whitelisted components so Spring Security works properly.|
`JdkMongoSessionConverter` uses standard Java serialization to persist session attributes map to MongoDB in a binary form.
However, standard session elements like id, access time, etc are still written as a plain Mongo objects and can be read and queried without additional effort.`JdkMongoSessionConverter` is used if no explicit `AbstractMongoSessionConverter` Bean has been defined.
There is also a constructor taking `Serializer` and `Deserializer` objects, allowing you to pass custom implementations, which is especially important when you want to use non-default classloader.
## [](#httpsession-jdbc)`HttpSession` with JDBC
You can use Spring Session with `HttpSession` by adding a servlet filter before anything that uses the `HttpSession`.
You can choose to do in any of the following ways:
This section describes how to use a relational database to back `HttpSession` when you use Java-based configuration.
| |The [ HttpSession JDBC Sample](samples.html#samples) provides a working sample of how to integrate Spring Session and `HttpSession` by using Java configuration.<br/>You can read the basic steps for integration in the next few sections, but we encouraged you to follow along with the detailed HttpSession JDBC Guide when integrating with your own application.|
After adding the required dependencies, we can create our Spring configuration.
The Spring configuration is responsible for creating a Servlet Filter that replaces the `HttpSession` implementation with an implementation backed by Spring Session.
public PlatformTransactionManager transactionManager(DataSource dataSource) {
return new DataSourceTransactionManager(dataSource); (3)
}
}
```
|**1**|The `@EnableJdbcHttpSession` annotation creates a Spring Bean with the name of `springSessionRepositoryFilter`.<br/>That bean implements `Filter`.<br/>The filter is in charge of replacing the `HttpSession` implementation to be backed by Spring Session.<br/>In this instance, Spring Session is backed by a relational database.|
|**2**| We create a `dataSource` that connects Spring Session to an embedded instance of an H2 database.<br/>We configure the H2 database to create database tables by using the SQL script that is included in Spring Session. |
|**3**| We create a `transactionManager` that manages transactions for previously configured `dataSource`. |
For additional information on how to configure data access related concerns, see the [Spring Framework Reference Documentation](https://docs.spring.io/spring/docs/5.3.16/spring-framework-reference/data-access.html).
Our [Spring Configuration](#httpsession-jdbc-spring-configuration) created a Spring bean named `springSessionRepositoryFilter` that implements `Filter`.
The `springSessionRepositoryFilter` bean is responsible for replacing the `HttpSession` with a custom implementation that is backed by Spring Session.
In order for our `Filter` to do its magic, Spring needs to load our `Config` class.
Last, we need to ensure that our Servlet Container (that is, Tomcat) uses our `springSessionRepositoryFilter` for every request.
Fortunately, Spring Session provides a utility class named `AbstractHttpSessionApplicationInitializer` to make both of these steps easy.
The following example shows how to do so:
src/main/java/sample/Initializer.java
```
public class Initializer extends AbstractHttpSessionApplicationInitializer { (1)
public Initializer() {
super(Config.class); (2)
}
}
```
| |The name of our class (Initializer) does not matter.<br/>What is important is that we extend `AbstractHttpSessionApplicationInitializer`.|
|**1**|The first step is to extend `AbstractHttpSessionApplicationInitializer`.<br/>Doing so ensures that the Spring bean named `springSessionRepositoryFilter` is registered with our Servlet Container for every request.|
Spring Session provides the `@SpringSessionDataSource` qualifier, allowing you to explicitly declare which `DataSource` bean should be injected in `JdbcIndexedSessionRepository`.
This is particularly useful in scenarios with multiple `DataSource` beans present in the application context.
This section describes how to use a relational database to back `HttpSession` when you use XML based configuration.
| |The [ HttpSession JDBC XML Sample](samples.html#samples) provides a working sample of how to integrate Spring Session and `HttpSession` by using XML configuration.<br/>You can read the basic steps for integration in the next few sections, but we encourage you to follow along with the detailed HttpSession JDBC XML Guide when integrating with your own application.|
#### [](#httpsession-jdbc-xml-spring-configuration)Spring XML Configuration
After adding the required dependencies, we can create our Spring configuration.
The Spring configuration is responsible for creating a servlet filter that replaces the `HttpSession` implementation with an implementation backed by Spring Session.
The following listing shows how to add the following Spring Configuration:
|**1**|We use the combination of `<context:annotation-config/>` and `JdbcHttpSessionConfiguration` because Spring Session does not yet provide XML Namespace support (see [gh-104](https://github.com/spring-projects/spring-session/issues/104)).<br/>This creates a Spring bean with the name of `springSessionRepositoryFilter`.<br/>That bean implements `Filter`.<br/>The filter is in charge of replacing the `HttpSession` implementation to be backed by Spring Session.<br/>In this instance, Spring Session is backed by a relational database.|
|**2**| We create a `dataSource` that connects Spring Session to an embedded instance of an H2 database.<br/>We configure the H2 database to create database tables by using the SQL script that is included in Spring Session. |
|**3**| We create a `transactionManager` that manages transactions for previously configured `dataSource`. |
For additional information on how to configure data access-related concerns, see the [Spring Framework Reference Documentation](https://docs.spring.io/spring/docs/5.3.16/spring-framework-reference/data-access.html).
Our [Spring Configuration](#httpsession-jdbc-xml-spring-configuration) created a Spring bean named `springSessionRepositoryFilter` that implements `Filter`.
The `springSessionRepositoryFilter` bean is responsible for replacing the `HttpSession` with a custom implementation that is backed by Spring Session.
In order for our `Filter` to do its magic, we need to instruct Spring to load our `session.xml` configuration.
The [`ContextLoaderListener`](https://docs.spring.io/spring/docs/5.3.16/spring-framework-reference/core.html#context-create) reads the `contextConfigLocation` and picks up our session.xml configuration.
Last, we need to ensure that our Servlet Container (that is, Tomcat) uses our `springSessionRepositoryFilter` for every request.
The following snippet performs this last step for us:
The [`DelegatingFilterProxy`](https://docs.spring.io/spring-framework/docs/5.3.16/javadoc-api/org/springframework/web/filter/DelegatingFilterProxy.html) looks up a bean named `springSessionRepositoryFilter` and casts it to a `Filter`.
For every request on which `DelegatingFilterProxy` is invoked, the `springSessionRepositoryFilter` is invoked.
### [](#httpsession-jdbc-boot)JDBC Spring Boot-based Configuration
This section describes how to use a relational database to back `HttpSession` when you use Spring Boot.
| |The [ HttpSession JDBC Spring Boot Sample](samples.html#samples) provides a working sample of how to integrate Spring Session and `HttpSession` by using Spring Boot.<br/>You can read the basic steps for integration in the next few sections, but we encourage you to follow along with the detailed HttpSession JDBC Spring Boot Guide when integrating with your own application.|
After adding the required dependencies, we can create our Spring Boot configuration.
Thanks to first-class auto configuration support, setting up Spring Session backed by a relational database is as simple as adding a single configuration property to your `application.properties`.
The following listing shows how to do so:
src/main/resources/application.properties
```
spring.session.store-type=jdbc # Session store type.
```
If a single Spring Session module is present on the classpath, Spring Boot uses that store implementation automatically.
If you have more than one implementation, you must choose the StoreType that you wish to use to store the sessions, as shows above.
Under the hood, Spring Boot applies configuration that is equivalent to manually adding the `@EnableJdbcHttpSession` annotation.
This creates a Spring bean with the name of `springSessionRepositoryFilter`. That bean implements `Filter`.
The filter is in charge of replacing the `HttpSession` implementation to be backed by Spring Session.
You can further customize by using `application.properties`.
The following listing shows how to do so:
src/main/resources/application.properties
```
server.servlet.session.timeout= # Session timeout. If a duration suffix is not specified, seconds are used.
spring.session.jdbc.schema=classpath:org/springframework/session/jdbc/[email protected]@[email protected]@.sql # Path to the SQL file to use to initialize the database schema.
spring.session.jdbc.table-name=SPRING_SESSION # Name of the database table used to store sessions.
```
For more information, see the [Spring Session](https://docs.spring.io/spring-boot/docs/2.5.6/reference/htmlsingle/#boot-features-session) portion of the Spring Boot documentation.
#### [](#httpsession-jdbc-boot-configuration)Configuring the `DataSource`
Spring Boot automatically creates a `DataSource` that connects Spring Session to an embedded instance of an H2 database.
In a production environment, you need to update your configuration to point to your relational database.
For example, you can include the following in your application.properties:
src/main/resources/application.properties
```
spring.datasource.url= # JDBC URL of the database.
spring.datasource.username= # Login username of the database.
spring.datasource.password= # Login password of the database.
```
For more information, see the [Configure a DataSource](https://docs.spring.io/spring-boot/docs/2.5.6/reference/htmlsingle/#boot-features-configure-datasource) portion of the Spring Boot documentation.
Our [Spring Boot Configuration](#httpsession-jdbc-boot-spring-configuration) created a Spring bean named `springSessionRepositoryFilter` that implements `Filter`.
The `springSessionRepositoryFilter` bean is responsible for replacing the `HttpSession` with a custom implementation that is backed by Spring Session.
In order for our `Filter` to do its magic, Spring needs to load our `Config` class.
Last, we need to ensure that our Servlet Container (that is, Tomcat) uses our `springSessionRepositoryFilter` for every request.
Fortunately, Spring Boot takes care of both of these steps for us.
## [](#httpsession-hazelcast)HttpSession with Hazelcast
Using Spring Session with `HttpSession` is enabled by adding a Servlet Filter before anything that uses the `HttpSession`.
This section describes how to use Hazelcast to back `HttpSession` by using Java-based configuration.
| |The [ Hazelcast Spring Sample](samples.html#samples) provides a working sample of how to integrate Spring Session and `HttpSession` by using Java configuration.<br/>You can read the basic steps for integration in the next few sections, but we encourage you to follow along with the detailed Hazelcast Spring Guide when integrating with your own application.|
After adding the required dependencies, we can create our Spring configuration.
The Spring configuration is responsible for creating a servlet filter that replaces the `HttpSession` implementation with an implementation backed by Spring Session.
To do so, add the following Spring Configuration:
```
@EnableHazelcastHttpSession (1)
@Configuration
public class HazelcastHttpSessionConfig {
@Bean
public HazelcastInstance hazelcastInstance() {
Config config = new Config();
MapAttributeConfig attributeConfig = new MapAttributeConfig()
|**1**| The `@EnableHazelcastHttpSession` annotation creates a Spring bean named `springSessionRepositoryFilter` that implements `Filter`.<br/>The filter is in charge of replacing the `HttpSession` implementation to be backed by Spring Session.<br/>In this instance, Spring Session is backed by Hazelcast. |
|**2**| In order to support retrieval of sessions by principal name index, an appropriate `ValueExtractor` needs to be registered.<br/>Spring Session provides `PrincipalNameExtractor` for this purpose. |
|**3**| In order to serialize `MapSession` objects efficiently, `HazelcastSessionSerializer` needs to be registered. If this<br/>is not set, Hazelcast will serialize sessions using native Java serialization. |
|**4**|We create a `HazelcastInstance` that connects Spring Session to Hazelcast.<br/>By default, the application starts and connects to an embedded instance of Hazelcast.<br/>For more information on configuring Hazelcast, see the [reference documentation](https://docs.hazelcast.org/docs/3.12.12/manual/html-single/index.html#hazelcast-configuration).|
| |If `HazelcastSessionSerializer` is preferred, it needs to be configured for all Hazelcast cluster members before they start.<br/>In a Hazelcast cluster, all members should use the same serialization method for sessions. Also, if Hazelcast Client/Server topology<br/>is used, then both members and clients must use the same serialization method. The serializer can be registered via `ClientConfig`with the same `SerializerConfiguration` of members.|
Our [Spring Configuration](guides/java-security.html#security-spring-configuration) created a Spring bean named `springSessionRepositoryFilter` that implements `Filter`.
The `springSessionRepositoryFilter` bean is responsible for replacing the `HttpSession` with a custom implementation that is backed by Spring Session.
In order for our `Filter` to do its magic, Spring needs to load our `SessionConfig` class.
Since our application is already loading Spring configuration by using our `SecurityInitializer` class, we can add our `SessionConfig` class to it.
The following listing shows how to do so:
src/main/java/sample/SecurityInitializer.java
```
public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer {
public SecurityInitializer() {
super(SecurityConfig.class, SessionConfig.class);
}
}
```
Last, we need to ensure that our Servlet Container (that is, Tomcat) uses our `springSessionRepositoryFilter` for every request.
It is extremely important that Spring Session’s `springSessionRepositoryFilter` is invoked before Spring Security’s `springSecurityFilterChain`.
Doing so ensures that the `HttpSession` that Spring Security uses is backed by Spring Session.
Fortunately, Spring Session provides a utility class named `AbstractHttpSessionApplicationInitializer` that makes this doing so easy.
The following example shows how to do so:
src/main/java/sample/Initializer.java
```
public class Initializer extends AbstractHttpSessionApplicationInitializer {
}
```
| |The name of our class (`Initializer`) does not matter. What is important is that we extend `AbstractHttpSessionApplicationInitializer`.|
By extending `AbstractHttpSessionApplicationInitializer`, we ensure that the Spring Bean named `springSessionRepositoryFilter` is registered with our servlet container for every request before Spring Security’s `springSecurityFilterChain`.
## [](#httpsession-how)How `HttpSession` Integration Works
Fortunately, both `HttpSession` and `HttpServletRequest` (the API for obtaining an `HttpSession`) are both interfaces.
This means that we can provide our own implementations for each of these APIs.
| |This section describes how Spring Session provides transparent integration with `HttpSession`. We offer this content so that you can understand what is happening under the covers. This functionality is already integrated and you do NOT need to implement this logic yourself.|
By passing a custom `HttpServletRequest` implementation into the `FilterChain`, we ensure that anything invoked after our `Filter` uses the custom `HttpSession` implementation.
This highlights why it is important that Spring Session’s `SessionRepositoryFilter` be placed before anything that interacts with the `HttpSession`.
## [](#httpsession-rest)`HttpSession` and RESTful APIs
Spring Session can work with RESTful APIs by letting the session be provided in a header.
| |The [ REST Sample](samples.html#samples) provides a working sample of how to use Spring Session in a REST application to support authenticating with a header.<br/>You can follow the basic steps for integration described in the next few sections, but we encourage you to follow along with the detailed REST Guide when integrating with your own application.|
After adding the required dependencies, we can create our Spring configuration.
The Spring configuration is responsible for creating a servlet filter that replaces the `HttpSession` implementation with an implementation backed by Spring Session.
To do so, add the following Spring Configuration:
```
@Configuration
@EnableRedisHttpSession (1)
public class HttpSessionConfig {
@Bean
public LettuceConnectionFactory connectionFactory() {
return new LettuceConnectionFactory(); (2)
}
@Bean
public HttpSessionIdResolver httpSessionIdResolver() {
|**1**| The `@EnableRedisHttpSession` annotation creates a Spring bean named `springSessionRepositoryFilter` that implements `Filter`.<br/>The filter is in charge of replacing the `HttpSession` implementation to be backed by Spring Session.<br/>In this instance, Spring Session is backed by Redis. |
|**2**|We create a `RedisConnectionFactory` that connects Spring Session to the Redis Server.<br/>We configure the connection to connect to localhost on the default port (6379).<br/>For more information on configuring Spring Data Redis, see the [reference documentation](https://docs.spring.io/spring-data/data-redis/docs/2.6.2/reference/html/).|
|**3**| We customize Spring Session’s HttpSession integration to use HTTP headers to convey the current session information instead of cookies. |
Our [Spring Configuration](#rest-spring-configuration) created a Spring Bean named `springSessionRepositoryFilter` that implements `Filter`.
The `springSessionRepositoryFilter` bean is responsible for replacing the `HttpSession` with a custom implementation that is backed by Spring Session.
In order for our `Filter` to do its magic, Spring needs to load our `Config` class.
We provide the configuration in our Spring `MvcInitializer`, as the following example shows:
src/main/java/sample/mvc/MvcInitializer.java
```
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class[] { SecurityConfig.class, HttpSessionConfig.class };
}
```
Last, we need to ensure that our Servlet Container (that is, Tomcat) uses our `springSessionRepositoryFilter` for every request.
Fortunately, Spring Session provides a utility class named `AbstractHttpSessionApplicationInitializer` that makes doing so easy. To do so, extend the class with the default constructor, as the following example shows:
src/main/java/sample/Initializer.java
```
public class Initializer extends AbstractHttpSessionApplicationInitializer {
}
```
| |The name of our class (`Initializer`) does not matter. What is important is that we extend `AbstractHttpSessionApplicationInitializer`.|
Spring Session supports `HttpSessionListener` by translating `SessionDestroyedEvent` and `SessionCreatedEvent` into `HttpSessionEvent` by declaring `SessionEventHttpSessionListenerAdapter`.
To use this support, you need to:
* Ensure your `SessionRepository` implementation supports and is configured to fire `SessionDestroyedEvent` and `SessionCreatedEvent`.
* Configure `SessionEventHttpSessionListenerAdapter` as a Spring bean.
* Inject every `HttpSessionListener` into the `SessionEventHttpSessionListenerAdapter`
If you use the configuration support documented in [`HttpSession` with Redis](#httpsession-redis), all you need to do is register every `HttpSessionListener` as a bean.
For example, assume you want to support Spring Security’s concurrency control and need to use `HttpSessionEventPublisher`. In that case, you can add `HttpSessionEventPublisher` as a bean.
In Java configuration, this might look like the following:
```
@Configuration
@EnableRedisHttpSession
public class RedisHttpSessionConfig {
@Bean
public HttpSessionEventPublisher httpSessionEventPublisher() {
return new HttpSessionEventPublisher();
}
// ...
}
```
In XML configuration, this might look like the following:
Spring Session provides an API and implementations for managing a user’s session information.
Spring Session provides an API and implementations for managing a user’s session information while also making it trivial to support clustered sessions without being tied to an application container-specific solution.
It also provides transparent integration with:
*[HttpSession](http-session.html#httpsession): Allows replacing the `HttpSession` in an application container-neutral way, with support for providing session IDs in headers to work with RESTful APIs.
*[WebSocket](web-socket.html#websocket): Provides the ability to keep the `HttpSession` alive when receiving WebSocket messages
*[WebSession](web-session.html#websession): Allows replacing the Spring WebFlux’s `WebSession` in an application container-neutral way.
## [](#community)Spring Session Community
We are glad to consider you a part of our community.
The following sections provide additional about how to interact with the Spring Session community.
### [](#community-support)Support
You can get help by asking questions on [Stack Overflow with the `spring-session` tag](https://stackoverflow.com/questions/tagged/spring-session).
Similarly, we encourage helping others by answering questions on Stack Overflow.
### [](#community-source)Source Code
You can find the source code on GitHub at [https://github.com/spring-projects/spring-session/](https://github.com/spring-projects/spring-session/)
### [](#community-issues)Issue Tracking
We track issues in GitHub issues at [https://github.com/spring-projects/spring-session/issues](https://github.com/spring-projects/spring-session/issues)
### [](#community-contributing)Contributing
We appreciate [pull requests](https://help.github.com/articles/using-pull-requests/).
### [](#community-license)License
Spring Session is Open Source software released under the [Apache 2.0 license](https://www.apache.org/licenses/LICENSE-2.0).
* If you run in a Servlet Container (not required), Servlet 3.1+.
* If you use other Spring libraries (not required), the minimum required version is Spring 5.0.x.
*`@EnableRedisHttpSession` requires Redis 2.8+. This is necessary to support [Session Expiration](api.html#api-redisindexedsessionrepository-expiration)
*`@EnableHazelcastHttpSession` requires Hazelcast 3.6+. This is necessary to support [`FindByIndexNameSessionRepository`](api.html#api-enablehazelcasthttpsession-storage)
| |At its core, Spring Session has a required dependency only on `spring-jcl`.<br/>For an example of using Spring Session without any other Spring dependencies, see the [hazelcast sample](samples.html#samples) application.|
* Hosts the Spring Session Data Geode modules. Spring Session Data Geode has its own user guide, which you can find at the [[https://spring.io/projects/spring-session-data-geode#learn](https://spring.io/projects/spring-session-data-geode#learn) site].
Finally, Spring Session also provides a Maven BOM (“bill of materials”) module in order to help users with version management concerns:
| [HttpSession with Redis](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-redis) | Demonstrates how to use Spring Session to replace the `HttpSession` with Redis. | [HttpSession with Redis Guide](guides/boot-redis.html) |
| [HttpSession with JDBC](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-jdbc) | Demonstrates how to use Spring Session to replace the `HttpSession` with a relational database store. | [HttpSession with JDBC Guide](guides/boot-jdbc.html) |
| [HttpSession with Hazelcast](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-hazelcast) | Demonstrates how to use Spring Session to replace the `HttpSession` with Hazelcast. | |
| [Find by Username](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-findbyusername) | Demonstrates how to use Spring Session to find sessions by username. | [Find by Username Guide](guides/boot-findbyusername.html) |
| [WebSockets](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-websocket) | Demonstrates how to use Spring Session with WebSockets. | [WebSockets Guide](guides/boot-websocket.html) |
| [WebFlux](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-webflux) | Demonstrates how to use Spring Session to replace the Spring WebFlux’s `WebSession` with Redis. | |
| [WebFlux with Custom Cookie](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-webflux-custom-cookie) | Demonstrates how to use Spring Session to customize the Session cookie in a WebFlux based application. |[WebFlux with Custom Cookie Guide](guides/boot-webflux-custom-cookie.html)|
| [HttpSession with Redis JSON serialization](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-redis-json) | Demonstrates how to use Spring Session to replace the `HttpSession` with Redis using JSON serialization. | |
| [HttpSession with simple Redis `SessionRepository`](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-redis-simple) |Demonstrates how to use Spring Session to replace the `HttpSession` with Redis using `RedisSessionRepository`.| |
|[Spring Session with MongoDB Repositories (servlet-based)](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-mongodb-traditional)| Demonstrates how to back Spring Session with traditional MongoDB repositories. | [Spring Session with MongoDB Repositories](guides/boot-mongo.html) |
| [Spring Session with MongoDB Repositories (reactive)](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-mongodb-reactive) | Demonstrates how to back Spring Session with reactive MongoDB repositories. | [Spring Session with MongoDB Repositories](guides/boot-mongo.html) |
| [HttpSession with Redis](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-javaconfig-redis) | Demonstrates how to use Spring Session to replace the `HttpSession` with Redis. | [HttpSession with Redis Guide](guides/java-redis.html) |
| [HttpSession with JDBC](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-javaconfig-jdbc) |Demonstrates how to use Spring Session to replace the `HttpSession` with a relational database store.| [HttpSession with JDBC Guide](guides/java-jdbc.html) |
|[HttpSession with Hazelcast](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-javaconfig-hazelcast)| Demonstrates how to use Spring Session to replace the `HttpSession` with Hazelcast. |[HttpSession with Hazelcast Guide](guides/java-hazelcast.html)|
| [Custom Cookie](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-javaconfig-custom-cookie) | Demonstrates how to use Spring Session and customize the cookie. | [Custom Cookie Guide](guides/java-custom-cookie.html) |
| [Spring Security](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-javaconfig-security) | Demonstrates how to use Spring Session with an existing Spring Security application. | [Spring Security Guide](guides/java-security.html) |
| [REST](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-javaconfig-rest) |Demonstrates how to use Spring Session in a REST application to support authenticating with a header.| [REST Guide](guides/java-rest.html) |
|[HttpSession with Redis](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-xml-redis)| Demonstrates how to use Spring Session to replace the `HttpSession` with a Redis store. |[HttpSession with Redis Guide](guides/xml-redis.html)|
| [HttpSession with JDBC](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-xml-jdbc) |Demonstrates how to use Spring Session to replace the `HttpSession` with a relational database store.| [HttpSession with JDBC Guide](guides/xml-jdbc.html) |
|[Hazelcast](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-misc-hazelcast)|Demonstrates how to use Spring Session with Hazelcast in a Java EE application.| |
Spring Session provides integration with Spring Security.
## [](#spring-security-rememberme)Spring Security Remember-me Support
Spring Session provides integration with [Spring Security’s Remember-me Authentication](https://docs.spring.io/spring-security/site/docs/5.6.2/reference/html5/#servlet-rememberme).
The support:
* Changes the session expiration length
* Ensures that the session cookie expires at `Integer.MAX_VALUE`.
The cookie expiration is set to the largest possible value, because the cookie is set only when the session is created.
If it were set to the same value as the session expiration, the session would get renewed when the user used it but the cookie expiration would not be updated (causing the expiration to be fixed).
To configure Spring Session with Spring Security in Java Configuration, you can use the following listing as a guide:
## [](#spring-security-concurrent-sessions)Spring Security Concurrent Session Control
Spring Session provides integration with Spring Security to support its concurrent session control.
This allows limiting the number of active sessions that a single user can have concurrently, but, unlike the default
Spring Security support, this also works in a clustered environment. This is done by providing a custom
implementation of Spring Security’s `SessionRegistry` interface.
When using Spring Security’s Java config DSL, you can configure the custom `SessionRegistry` through the`SessionManagementConfigurer`, as the following listing shows:
```
@Configuration
public class SecurityConfiguration<S extends Session> extends WebSecurityConfigurerAdapter {
This assumes that your Spring Session `SessionRegistry` bean is called `sessionRegistry`, which is the name used by all`SpringHttpSessionConfiguration` subclasses.
Spring Session’s implementation of Spring Security’s `SessionRegistry` interface does not support the `getAllPrincipals`method, as this information cannot be retrieved by using Spring Session. This method is never called by Spring Security,
so this affects only applications that access the `SessionRegistry` themselves.
With the new major release version, the Spring Session team took the opportunity to make some non-passive changes.
The focus of these changes is to improve and harmonize Spring Session’s APIs as well as remove the deprecated components.
## [](#_baseline_update)Baseline Update
Spring Session 2.0 requires Java 8 and Spring Framework 5.0 as a baseline, since its entire codebase is now based on Java 8 source code.
See [Upgrading to Spring Framework 5.x](https://github.com/spring-projects/spring-framework/wiki/Upgrading-to-Spring-Framework-5.x) for more on upgrading Spring Framework.
## [](#_replaced_and_removed_modules)Replaced and Removed Modules
As a part of the project’s splitting of the modules, the existing `spring-session` has been replaced with the `spring-session-core` module.
The `spring-session-core` module holds only the common set of APIs and components, while other modules contain the implementation of the appropriate `SessionRepository` and functionality related to that data store.
This applies to several existing modules that were previously a simple dependency aggregator helper module.
With new module arrangement, the following modules actually carry the implementation:
* Spring Session for MongoDB
* Spring Session for Redis
* Spring Session JDBC
* Spring Session Hazelcast
Also, the following were removed from the main project repository:
## [](#_replaced_and_removed_packages_classes_and_methods)Replaced and Removed Packages, Classes, and Methods
The following changes were made to packages, classes, and methods:
*`ExpiringSession` API has been merged into the `Session` API.
* The `Session` API has been enhanced to make full use of Java 8.
* The `Session` API has been extended with `changeSessionId` support.
* The `SessionRepository` API has been updated to better align with Spring Data method naming conventions.
*`AbstractSessionEvent` and its subclasses are no longer constructable without an underlying `Session` object.
* The Redis namespace used by `RedisOperationsSessionRepository` is now fully configurable, instead of being partially configurable.
* Redis configuration support has been updated to avoid registering a Spring Session-specific `RedisTemplate` bean.
* JDBC configuration support has been updated to avoid registering a Spring Session-specific `JdbcTemplate` bean.
* Previously deprecated classes and methods have been removed across the codebase
## [](#_dropped_support)Dropped Support
As a part of the changes to `HttpSessionStrategy` and its alignment to the counterpart from the reactive world, the support for managing multiple users' sessions in a single browser instance has been removed.
The introduction of a new API to replace this functionality is under consideration for future releases.
Spring Session provides transparent integration with Spring WebFlux’s `WebSession`.
This means that you can switch the `WebSession` implementation out with an implementation that is backed by Spring Session.
## [](#websession-why)Why Spring Session and WebSession?
We have already mentioned that Spring Session provides transparent integration with Spring WebFlux’s `WebSession`, but what benefits do we get out of this?
As with `HttpSession`, Spring Session makes it trivial to support [clustered sessions](#websession-redis) without being tied to an application container specific solution.
## [](#websession-redis)WebSession with Redis
Using Spring Session with `WebSession` is enabled by registering a `WebSessionManager` implementation backed by Spring Session’s `ReactiveSessionRepository`.
The Spring configuration is responsible for creating a `WebSessionManager` that replaces the `WebSession` implementation with an implementation backed by Spring Session.
To do so, add the following Spring Configuration:
```
@EnableRedisWebSession (1)
public class SessionConfiguration {
@Bean
public LettuceConnectionFactory redisConnectionFactory() {
return new LettuceConnectionFactory(); (2)
}
}
```
|**1**| The `@EnableRedisWebSession` annotation creates a Spring bean with the name of `webSessionManager`. That bean implements the `WebSessionManager`.<br/>This is what is in charge of replacing the `WebSession` implementation to be backed by Spring Session.<br/>In this instance, Spring Session is backed by Redis. |
|**2**|We create a `RedisConnectionFactory` that connects Spring Session to the Redis Server.<br/>We configure the connection to connect to localhost on the default port (6379)<br/>For more information on configuring Spring Data Redis, see the [reference documentation](https://docs.spring.io/spring-data/data-redis/docs/2.6.2/reference/html/).|
## [](#websession-how)How WebSession Integration Works
It is considerably easier for Spring Session to integrate with Spring WebFlux and its `WebSession`, compared to Servlet API and its `HttpSession`.
Spring WebFlux provides the `WebSessionStore` API, which presents a strategy for persisting `WebSession`.
| |This section describes how Spring Session provides transparent integration with `WebSession`. We offer this content so that you can understand what is happening under the covers. This functionality is already integrated and you do NOT need to implement this logic yourself.|
// ... other methods delegate to the original Session
}
```
Next, we create a custom `WebSessionStore` that delegates to the `ReactiveSessionRepository` and wraps `Session` into custom `WebSession` implementation, as the following listing shows:
```
public class SpringSessionWebSessionStore<S extends Session> implements WebSessionStore {
private final ReactiveSessionRepository<S> sessions;
public SpringSessionWebSessionStore(ReactiveSessionRepository<S> reactiveSessionRepository) {
this.sessions = reactiveSessionRepository;
}
// ...
}
```
To be detected by Spring WebFlux, this custom `WebSessionStore` needs to be registered with `ApplicationContext` as a bean named `webSessionManager`.
For additional information on Spring WebFlux, see the [Spring Framework Reference Documentation](https://docs.spring.io/spring-framework/docs/5.3.16/reference/html/web-reactive.html).
Spring Session provides transparent integration with Spring’s WebSocket support.
| |Spring Session’s WebSocket support works only with Spring’s WebSocket support.<br/>Specifically,it does not work with using [JSR-356](https://www.jcp.org/en/jsr/detail?id=356) directly, because JSR-356 does not have a mechanism for intercepting incoming WebSocket messages.|
## [](#websocket-why)Why Spring Session and WebSockets?
So why do we need Spring Session when we use WebSockets?
Consider an email application that does much of its work through HTTP requests.
However, there is also a chat application embedded within it that works over WebSocket APIs.
If a user is actively chatting with someone, we should not timeout the `HttpSession`, since this would be a pretty poor user experience.
However, this is exactly what [JSR-356](https://java.net/jira/browse/WEBSOCKET_SPEC-175) does.
Another issue is that, according to JSR-356, if the `HttpSession` times out, any WebSocket that was created with that `HttpSession` and an authenticated user should be forcibly closed.
This means that, if we are actively chatting in our application and are not using the HttpSession, we also do disconnect from our conversation.
## [](#websocket-usage)WebSocket Usage
The [ WebSocket Sample](samples.html#samples) provides a working sample of how to integrate Spring Session with WebSockets.
You can follow the basic steps for integration described in the next few headings, but we encourage you to follow along with the detailed WebSocket Guide when integrating with your own application.
Check also the Spring Session BOM [release notes](https://github.com/spring-projects/spring-session-bom/wiki#release-notes)for a list of new and noteworthy features, as well as upgrade instructions for each release.
#### [](#httpsession-spring-configuration) Spring Java 配置
在添加了所需的依赖关系之后,我们就可以创建我们的 Spring 配置了。 Spring 配置负责创建一个 Servlet 过滤器,该过滤器将`HttpSession`实现替换为由 Spring 会话支持的实现。为此,添加以下 Spring 配置:
在添加了所需的依赖关系之后,我们就可以创建我们的 Spring 配置了。 Spring 配置负责创建一个 Servlet 过滤器,该过滤器将`HttpSession`实现替换为由 Spring Session 支持的实现。为此,添加以下 Spring 配置:
```
@EnableRedisHttpSession (1)
...
...
@@ -41,15 +41,15 @@ public class Config {
}
```
|**1**|`@EnableRedisHttpSession`注释创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。<br/>过滤器负责替换要由 Spring 会话支持的`HttpSession`实现。<br/>在此实例中, Spring 会话由 Redis 支持。|
|**1**|`@EnableRedisHttpSession`注释创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。<br/>过滤器负责替换要由 Spring Session 支持的`HttpSession`实现。<br/>在此实例中, Spring Session 由 Redis 支持。|
|**2**|我们创建一个`RedisConnectionFactory`将 Spring 会话连接到 Redis 服务器。<br/>我们将连接配置为在默认端口(6379)上连接到 localhost。<br/>有关配置 Spring 数据 Redis 的更多信息,请参见[参考文献](https://docs.spring.io/spring-data/data-redis/docs/2.6.2/reference/html/)。|
|**2**|我们创建一个`RedisConnectionFactory`将 Spring Session 连接到 Redis 服务器。<br/>我们将连接配置为在默认端口(6379)上连接到 localhost。<br/>有关配置 Spring 数据 Redis 的更多信息,请参见[参考文献](https://docs.spring.io/spring-data/data-redis/docs/2.6.2/reference/html/)。|
我们的[Spring Configuration](#httpsession-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring 会话支持的自定义实现替换`HttpSession`。
我们的[Spring Configuration](#httpsession-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring Session 支持的自定义实现替换`HttpSession`。
为了让我们的`Filter`发挥其魔力, Spring 需要加载我们的`Config`类。最后,我们需要确保我们的 Servlet 容器(即 Tomcat)为每个请求使用我们的`springSessionRepositoryFilter`。幸运的是, Spring 会话提供了一个名为`AbstractHttpSessionApplicationInitializer`的实用程序类,以使这两个步骤都变得容易。以下是一个例子:
为了让我们的`Filter`发挥其魔力, Spring 需要加载我们的`Config`类。最后,我们需要确保我们的 Servlet 容器(即 Tomcat)为每个请求使用我们的`springSessionRepositoryFilter`。幸运的是, Spring Session 提供了一个名为`AbstractHttpSessionApplicationInitializer`的实用程序类,以使这两个步骤都变得容易。以下是一个例子:
SRC/main/java/sample/initializer.java
...
...
@@ -74,12 +74,12 @@ public class Initializer extends AbstractHttpSessionApplicationInitializer { (1)
本节介绍如何使用基于 XML 的配置使用 Redis 来支持`HttpSession`。
| |[HttpSession XML 示例](samples.html#samples)提供了如何使用 XML 配置集成 Spring 会话和`HttpSession`的工作示例,<br/>你可以在接下来的几个部分中阅读集成的基本步骤,但是,我们鼓励你在与自己的应用程序集成时遵循详细的 HttpSession XML 指南。|
| |[HttpSession XML 示例](samples.html#samples)提供了如何使用 XML 配置集成 Spring Session 和`HttpSession`的工作示例,<br/>你可以在接下来的几个部分中阅读集成的基本步骤,但是,我们鼓励你在与自己的应用程序集成时遵循详细的 HttpSession XML 指南。|
|**1**|我们使用`<context:annotation-config/>`和`RedisHttpSessionConfiguration`的组合,因为 Spring 会话尚未提供 XML 名称空间支持(参见[gh-104](https://github.com/spring-projects/spring-session/issues/104))。<br/>这将创建一个名称为`springSessionRepositoryFilter`的 Spring Bean 实现`Filter`。<br/>过滤器负责替换要由 Spring 会话支持的`HttpSession`实现。<br/>在此实例中, Spring 会话由 Redis 支持。|
|**1**|我们使用`<context:annotation-config/>`和`RedisHttpSessionConfiguration`的组合,因为 Spring Session 尚未提供 XML 名称空间支持(参见[gh-104](https://github.com/spring-projects/spring-session/issues/104))。<br/>这将创建一个名称为`springSessionRepositoryFilter`的 Spring Bean 实现`Filter`。<br/>过滤器负责替换要由 Spring Session 支持的`HttpSession`实现。<br/>在此实例中, Spring Session 由 Redis 支持。|
|**2**|我们创建一个`RedisConnectionFactory`将 Spring 会话连接到 Redis 服务器。<br/>我们将连接配置为在默认端口(6379)<br/>上连接到 localhost。有关配置 Spring 数据 Redis 的更多信息,请参见[参考文献](https://docs.spring.io/spring-data/data-redis/docs/2.6.2/reference/html/)。|
|**2**|我们创建一个`RedisConnectionFactory`将 Spring Session 连接到 Redis 服务器。<br/>我们将连接配置为在默认端口(6379)<br/>上连接到 localhost。有关配置 Spring 数据 Redis 的更多信息,请参见[参考文献](https://docs.spring.io/spring-data/data-redis/docs/2.6.2/reference/html/)。|
我们的[Spring Configuration](#httpsession-xml-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring 会话支持的自定义实现替换`HttpSession`。
我们的[Spring Configuration](#httpsession-xml-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring Session 支持的自定义实现替换`HttpSession`。
为了使我们的`Filter`发挥其魔力,我们需要指示 Spring 加载我们的`session.xml`配置。我们可以通过以下配置来实现这一点:
#### [](#httpsession-jdbc-spring-configuration) Spring Java 配置
在添加了所需的依赖关系之后,我们就可以创建我们的 Spring 配置了。 Spring 配置负责创建一个 Servlet 过滤器,该过滤器用 Spring 会话支持的实现替换`HttpSession`实现。为此,添加以下 Spring 配置:
在添加了所需的依赖关系之后,我们就可以创建我们的 Spring 配置了。 Spring 配置负责创建一个 Servlet 过滤器,该过滤器用 Spring Session 支持的实现替换`HttpSession`实现。为此,添加以下 Spring 配置:
```
@EnableJdbcHttpSession (1)
...
...
@@ -259,18 +259,18 @@ public class Config {
}
```
|**1**|`@EnableJdbcHttpSession`注释创建了一个名为`springSessionRepositoryFilter`的 Spring Bean。<br/>该 Bean 实现了`Filter`。<br/>过滤器负责替换要由 Spring 会话支持的`HttpSession`实现。<br/>在此实例中, Spring 会话是由关系数据库支持的。|
|**1**|`@EnableJdbcHttpSession`注释创建了一个名为`springSessionRepositoryFilter`的 Spring Bean。<br/>该 Bean 实现了`Filter`。<br/>过滤器负责替换要由 Spring Session 支持的`HttpSession`实现。<br/>在此实例中, Spring Session 是由关系数据库支持的。|
我们的[Spring Configuration](#httpsession-jdbc-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring 会话支持的自定义实现替换`HttpSession`。
我们的[Spring Configuration](#httpsession-jdbc-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring Session 支持的自定义实现替换`HttpSession`。
为了让我们的`Filter`发挥其魔力, Spring 需要加载我们的`Config`类。最后,我们需要确保我们的 Servlet 容器(即 Tomcat)为每个请求使用我们的`springSessionRepositoryFilter`。幸运的是, Spring 会话提供了一个名为`AbstractHttpSessionApplicationInitializer`的实用程序类,以使这两个步骤都变得容易。下面的示例展示了如何做到这一点:
为了让我们的`Filter`发挥其魔力, Spring 需要加载我们的`Config`类。最后,我们需要确保我们的 Servlet 容器(即 Tomcat)为每个请求使用我们的`springSessionRepositoryFilter`。幸运的是, Spring Session 提供了一个名为`AbstractHttpSessionApplicationInitializer`的实用程序类,以使这两个步骤都变得容易。下面的示例展示了如何做到这一点:
SRC/main/java/sample/initializer.java
...
...
@@ -293,7 +293,7 @@ public class Initializer extends AbstractHttpSessionApplicationInitializer { (1)
#### [](#_multiple_datasources)多个数据源
Spring 会话提供了`@SpringSessionDataSource`限定符,允许你显式地声明应该在`JdbcIndexedSessionRepository`中注入哪个`DataSource` Bean。这在应用程序上下文中存在多个`DataSource`bean 的场景中特别有用。
Spring Session 提供了`@SpringSessionDataSource`限定符,允许你显式地声明应该在`JdbcIndexedSessionRepository`中注入哪个`DataSource` Bean。这在应用程序上下文中存在多个`DataSource`bean 的场景中特别有用。
下面的示例展示了如何做到这一点:
...
...
@@ -317,19 +317,19 @@ public class Config {
}
```
|**1**|此限定符声明 Spring 会话将使用 FirstDataSource。|
|**1**|此限定符声明 Spring Session 将使用 FirstDataSource。|
| |[HttpSession JDBC XML 示例](samples.html#samples)提供了如何通过使用 XML 配置来集成 Spring 会话和`HttpSession`的工作示例,<br/>你可以在接下来的几个部分中阅读集成的基本步骤,但是,我们鼓励你在与自己的应用程序集成时遵循详细的 HttpSession JDBC XML 指南。|
| |[HttpSession JDBC XML 示例](samples.html#samples)提供了如何通过使用 XML 配置来集成 Spring Session 和`HttpSession`的工作示例,<br/>你可以在接下来的几个部分中阅读集成的基本步骤,但是,我们鼓励你在与自己的应用程序集成时遵循详细的 HttpSession JDBC XML 指南。|
|**1**|我们使用`<context:annotation-config/>`的组合和`JdbcHttpSessionConfiguration`因为 Spring session 尚未提供 XML 名称空间支持(参见[gh-104](https://github.com/spring-projects/spring-session/issues/104))。<br/>这将创建一个名为`springSessionRepositoryFilter`的 Spring Bean。<br/> Bean 实现`Filter`。<br/>过滤器负责替换要由 Spring session 支持的`HttpSession`实现。<br/>在此实例中, Spring 会话由关系数据库支持。|
|**1**|我们使用`<context:annotation-config/>`的组合和`JdbcHttpSessionConfiguration`因为 Spring session 尚未提供 XML 名称空间支持(参见[gh-104](https://github.com/spring-projects/spring-session/issues/104))。<br/>这将创建一个名为`springSessionRepositoryFilter`的 Spring Bean。<br/> Bean 实现`Filter`。<br/>过滤器负责替换要由 Spring session 支持的`HttpSession`实现。<br/>在此实例中, Spring Session 由关系数据库支持。|
我们的[Spring Configuration](#httpsession-jdbc-xml-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring 会话支持的自定义实现替换`HttpSession`。
我们的[Spring Configuration](#httpsession-jdbc-xml-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring Session 支持的自定义实现替换`HttpSession`。
为了使我们的`Filter`发挥其魔力,我们需要指示 Spring 加载我们的`session.xml`配置。我们的配置如下:
| |[ HttpSession JDBC Spring Boot Sample](samples.html#samples)提供了如何使用 Spring boot 集成 Spring 会话和`HttpSession`的工作示例,<br/>你可以在接下来的几个部分中阅读集成的基本步骤,但是,我们鼓励你在与自己的应用程序集成时遵循详细的 HttpSession JDBC Spring 引导指南。|
| |[ HttpSession JDBC Spring Boot Sample](samples.html#samples)提供了如何使用 Spring boot 集成 Spring Session 和`HttpSession`的工作示例,<br/>你可以在接下来的几个部分中阅读集成的基本步骤,但是,我们鼓励你在与自己的应用程序集成时遵循详细的 HttpSession JDBC Spring 引导指南。|
#### [](#httpsession-jdbc-boot-spring-configuration) Spring 引导配置
在添加了所需的依赖项之后,我们可以创建我们的 Spring 引导配置。多亏了一流的自动配置支持,在关系数据库支持下设置 Spring 会话就像向`application.properties`添加一个配置属性一样简单。下面的清单展示了如何做到这一点:
在添加了所需的依赖项之后,我们可以创建我们的 Spring 引导配置。多亏了一流的自动配置支持,在关系数据库支持下设置 Spring Session 就像向`application.properties`添加一个配置属性一样简单。下面的清单展示了如何做到这一点:
SRC/主/资源/应用程序.properties
...
...
@@ -416,9 +416,9 @@ SRC/主/资源/应用程序.properties
spring.session.store-type=jdbc # Session store type.
```
如果在 Classpath 上存在单个 Spring 会话模块,则 Spring 引导自动使用该存储实现。如果有多个实现,则必须选择要用来存储会话的 StoreType,如上面所示。
如果在 Classpath 上存在单个 Spring Session 模块,则 Spring 引导自动使用该存储实现。如果有多个实现,则必须选择要用来存储会话的 StoreType,如上面所示。
Spring Boot 应用的配置相当于手动添加`@EnableJdbcHttpSession`注释。这将创建一个名为`springSessionRepositoryFilter`的 Spring Bean。 Bean 实现`Filter`。过滤器负责替换要由 Spring 会话支持的`HttpSession`实现。
Spring Boot 应用的配置相当于手动添加`@EnableJdbcHttpSession`注释。这将创建一个名为`springSessionRepositoryFilter`的 Spring Bean。 Bean 实现`Filter`。过滤器负责替换要由 Spring Session 支持的`HttpSession`实现。
我们的[Spring Boot Configuration](#httpsession-jdbc-boot-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring 会话支持的自定义实现替换`HttpSession`。
我们的[Spring Boot Configuration](#httpsession-jdbc-boot-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring Session 支持的自定义实现替换`HttpSession`。
为了让我们的`Filter`发挥其魔力, Spring 需要加载我们的`Config`类。最后,我们需要确保我们的 Servlet 容器(即 Tomcat)为每个请求使用我们的`springSessionRepositoryFilter`。幸运的是,Boot 为我们解决了这两个步骤。
...
...
@@ -459,12 +459,12 @@ spring.datasource.password= # Login password of the database.
本节介绍如何使用基于 Java 的配置使用 HazelCast 来支持`HttpSession`。
| |[ Hazelcast Spring Sample](samples.html#samples)提供了如何通过使用 Java 配置来集成 Spring 会话和`HttpSession`的工作示例,<br/>你可以在接下来的几个部分中阅读集成的基本步骤,但是,我们鼓励你在与自己的应用程序集成时遵循详细的 Hazelcast Spring 指南。|
| |[ Hazelcast Spring Sample](samples.html#samples)提供了如何通过使用 Java 配置来集成 Spring Session 和`HttpSession`的工作示例,<br/>你可以在接下来的几个部分中阅读集成的基本步骤,但是,我们鼓励你在与自己的应用程序集成时遵循详细的 Hazelcast Spring 指南。|
在添加了所需的依赖关系之后,我们可以创建我们的 Spring 配置。 Spring 配置负责创建 Servlet 过滤器,该过滤器用 Spring 会话支持的实现替换`HttpSession`实现。为此,添加以下 Spring 配置:
在添加了所需的依赖关系之后,我们可以创建我们的 Spring 配置。 Spring 配置负责创建 Servlet 过滤器,该过滤器用 Spring Session 支持的实现替换`HttpSession`实现。为此,添加以下 Spring 配置:
```
@EnableHazelcastHttpSession (1)
...
...
@@ -489,18 +489,18 @@ public class HazelcastHttpSessionConfig {
}
```
|**1**|`@EnableHazelcastHttpSession`注释创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。<br/>过滤器负责替换要由 Spring 会话支持的`HttpSession`实现。<br/>在此实例中, Spring 会话由 Hazelcast 支持。|
|**1**|`@EnableHazelcastHttpSession`注释创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。<br/>过滤器负责替换要由 Spring Session 支持的`HttpSession`实现。<br/>在此实例中, Spring Session 由 Hazelcast 支持。|
我们的[Spring Configuration](guides/java-security.html#security-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring 会话支持的自定义实现替换`HttpSession`。
我们的[Spring Configuration](guides/java-security.html#security-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring Session 支持的自定义实现替换`HttpSession`。
为了让我们的`Filter`发挥其魔力, Spring 需要加载我们的`SessionConfig`类。由于我们的应用程序已经通过使用`SecurityInitializer`类加载了 Spring 配置,因此我们可以将`SessionConfig`类添加到其中。下面的清单展示了如何做到这一点:
...
...
@@ -516,7 +516,7 @@ public class SecurityInitializer extends AbstractSecurityWebApplicationInitializ
}
```
最后,我们需要确保我们的 Servlet 容器(即 Tomcat)为每个请求使用我们的`springSessionRepositoryFilter`。在 Spring security 的`springSecurityFilterChain`之前调用 Spring session 的`springSessionRepositoryFilter`是极其重要的。这样做可以确保 Spring 安全性使用的`HttpSession`得到 Spring 会话的支持。幸运的是, Spring Session 提供了一个名为`AbstractHttpSessionApplicationInitializer`的实用程序类,这使得这样做很容易。下面的示例展示了如何做到这一点:
最后,我们需要确保我们的 Servlet 容器(即 Tomcat)为每个请求使用我们的`springSessionRepositoryFilter`。在 Spring security 的`springSecurityFilterChain`之前调用 Spring session 的`springSessionRepositoryFilter`是极其重要的。这样做可以确保 Spring 安全性使用的`HttpSession`得到 Spring Session 的支持。幸运的是, Spring Session 提供了一个名为`AbstractHttpSessionApplicationInitializer`的实用程序类,这使得这样做很容易。下面的示例展示了如何做到这一点:
SRC/main/java/sample/initializer.java
...
...
@@ -535,7 +535,7 @@ public class Initializer extends AbstractHttpSessionApplicationInitializer {
幸运的是,`HttpSession`和`HttpServletRequest`(获取`HttpSession`的 API)都是接口。这意味着我们可以为这些 API 中的每一个提供我们自己的实现。
| |本节描述 Spring 会话如何提供与`HttpSession`的透明集成。我们提供这些内容,这样你就可以了解幕后发生了什么。这个功能已经集成了,你不需要自己实现这个逻辑。|
| |本节描述 Spring Session 如何提供与`HttpSession`的透明集成。我们提供这些内容,这样你就可以了解幕后发生了什么。这个功能已经集成了,你不需要自己实现这个逻辑。|
@@ -578,18 +578,18 @@ public class SessionRepositoryFilter implements Filter {
}
```
通过将自定义`HttpServletRequest`实现传递到`FilterChain`中,我们确保在`Filter`之后调用的任何内容都使用自定义`HttpSession`实现。这突出了为什么将 Spring 会话的`SessionRepositoryFilter`放在与`HttpSession`交互的任何事物之前是很重要的。
通过将自定义`HttpServletRequest`实现传递到`FilterChain`中,我们确保在`Filter`之后调用的任何内容都使用自定义`HttpSession`实现。这突出了为什么将 Spring Session 的`SessionRepositoryFilter`放在与`HttpSession`交互的任何事物之前是很重要的。
## [](#httpsession-rest)`HttpSession`和 RESTful API
Spring 会话可以通过让会话在头文件中提供而与 RESTful API 一起工作。
Spring Session 可以通过让会话在头文件中提供而与 RESTful API 一起工作。
| |[剩余样本](samples.html#samples)提供了一个工作示例,说明如何在 REST 应用程序中使用 Spring 会话来支持使用头部进行身份验证,<br/>你可以遵循下面几节中描述的集成的基本步骤,但是,我们鼓励你在与自己的应用程序集成时遵循详细的 REST 指南。|
| |[剩余样本](samples.html#samples)提供了一个工作示例,说明如何在 REST 应用程序中使用 Spring Session 来支持使用头部进行身份验证,<br/>你可以遵循下面几节中描述的集成的基本步骤,但是,我们鼓励你在与自己的应用程序集成时遵循详细的 REST 指南。|
在添加了所需的依赖关系之后,我们可以创建我们的 Spring 配置。 Spring 配置负责创建一个 Servlet 过滤器,该过滤器将`HttpSession`实现替换为由 Spring 会话支持的实现。为此,添加以下 Spring 配置:
在添加了所需的依赖关系之后,我们可以创建我们的 Spring 配置。 Spring 配置负责创建一个 Servlet 过滤器,该过滤器将`HttpSession`实现替换为由 Spring Session 支持的实现。为此,添加以下 Spring 配置:
```
@Configuration
...
...
@@ -609,14 +609,14 @@ public class HttpSessionConfig {
}
```
|**1**|`@EnableRedisHttpSession`注释创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。<br/>过滤器负责替换要由 Spring 会话支持的`HttpSession`实现。<br/>在此实例中, Spring 会话由 Redis 支持。|
|**1**|`@EnableRedisHttpSession`注释创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。<br/>过滤器负责替换要由 Spring Session 支持的`HttpSession`实现。<br/>在此实例中, Spring Session 由 Redis 支持。|
|**2**|我们创建一个`RedisConnectionFactory`将 Spring 会话连接到 Redis 服务器。<br/>我们将连接配置为在默认端口(6379)上连接到 localhost。<br/>有关配置 Spring 数据 Redis 的更多信息,请参见[参考文献](https://docs.spring.io/spring-data/data-redis/docs/2.6.2/reference/html/)。|
|**3**|我们定制了 Spring 会话的 HttpSession 集成,以使用 HTTP 头来传递当前会话信息,而不是 Cookie。|
|**2**|我们创建一个`RedisConnectionFactory`将 Spring Session 连接到 Redis 服务器。<br/>我们将连接配置为在默认端口(6379)上连接到 localhost。<br/>有关配置 Spring 数据 Redis 的更多信息,请参见[参考文献](https://docs.spring.io/spring-data/data-redis/docs/2.6.2/reference/html/)。|
|**3**|我们定制了 Spring Session 的 HttpSession 集成,以使用 HTTP 头来传递当前会话信息,而不是 Cookie。|
我们的[Spring Configuration](#rest-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring 会话支持的自定义实现替换`HttpSession`。
我们的[Spring Configuration](#rest-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring Session 支持的自定义实现替换`HttpSession`。
为了使我们的`Filter`发挥其魔力, Spring 需要加载我们的`Config`类。我们在我们的 Spring `MvcInitializer`中提供了配置,如下例所示:
在 Spring session1.x 中, Spring session 的所有`SessionRepository`实现都在`spring-session`工件中可用。虽然方便,但这种方法不能长期持续,因为项目中增加了更多的特性和`SessionRepository`实现。
在 Spring Session2.0 中,将几个模块拆分成独立的模块和托管存储库。 Spring MongoDB 的会话已退役,但后来作为一个单独的模块重新激活。从 Spring 会话 2.6 开始,MongoDB 的 Spring 会话被合并回 Spring 会话。
在 Spring Session2.0 中,将几个模块拆分成独立的模块和托管存储库。 Spring MongoDB 的会话已退役,但后来作为一个单独的模块重新激活。从 Spring Session 2.6 开始,MongoDB 的 Spring Session 被合并回 Spring Session 。
* 托管 Spring 会话数据 Geode 模块。 Spring 会话数据 Geode 有其自己的用户指南,你可以在[[https://spring.io/projects/spring-session-data-geode#learn](https://spring.io/projects/spring-session-data-geode#learn)站点]上找到它。
* 托管 Spring Session 数据 Geode 模块。 Spring Session 数据 Geode 有其自己的用户指南,你可以在[[https://spring.io/projects/spring-session-data-geode#learn](https://spring.io/projects/spring-session-data-geode#learn)站点]上找到它。
最后, Spring Session 还提供了一个 Maven BOM(“物料清单”)模块,以帮助用户处理版本管理问题:
## [](#spring-security-rememberme) Spring 安全 Remember-Me 支持
Spring 会话提供了与[Spring Security’s Remember-me Authentication](https://docs.spring.io/spring-security/site/docs/5.6.2/reference/html5/#servlet-rememberme)的集成。支持:
Spring Session 提供了与[Spring Security’s Remember-me Authentication](https://docs.spring.io/spring-security/site/docs/5.6.2/reference/html5/#servlet-rememberme)的集成。支持:
要在 Java 配置中配置具有 Spring 安全性的 Spring 会话,可以使用以下清单作为指导:
要在 Java 配置中配置具有 Spring 安全性的 Spring Session ,可以使用以下清单作为指导:
```
@Override
...
...
@@ -48,7 +48,7 @@ public SpringSessionRememberMeServices rememberMeServices() {
## [](#spring-security-concurrent-sessions) Spring 安全并发会话控制
Spring 会话提供与 Spring 安全性的集成,以支持其并发的会话控制。这允许限制单个用户可以并发的活动会话的数量,但是,与默认的 Spring 安全支持不同,这也适用于集群环境。这是通过提供 Spring Security 的`SessionRegistry`接口的自定义实现来完成的。
Spring Session 提供与 Spring 安全性的集成,以支持其并发的会话控制。这允许限制单个用户可以并发的活动会话的数量,但是,与默认的 Spring 安全支持不同,这也适用于集群环境。这是通过提供 Spring Security 的`SessionRegistry`接口的自定义实现来完成的。
当使用 Spring Security 的 Java Config DSL 时,你可以通过`SessionManagementConfigurer`配置自定义`SessionRegistry`,如下所示:
...
...
@@ -79,7 +79,7 @@ public class SecurityConfiguration<S extends Session> extends WebSecurityConfigu
}
```
这假定你还配置了 Spring 会话,以提供一个`FindByIndexNameSessionRepository`,返回`Session`实例。
这假定你还配置了 Spring Session ,以提供一个`FindByIndexNameSessionRepository`,返回`Session`实例。
当使用 XML 配置时,它看起来类似于以下清单:
...
...
@@ -97,7 +97,7 @@ public class SecurityConfiguration<S extends Session> extends WebSecurityConfigu
</bean>
```
这假定你的 Spring 会话`SessionRegistry` Bean 被称为`sessionRegistry`,这是所有`SpringHttpSessionConfiguration`子类使用的名称。
这假定你的 Spring Session `SessionRegistry` Bean 被称为`sessionRegistry`,这是所有`SpringHttpSessionConfiguration`子类使用的名称。
有了新的主要版本, Spring 会话团队利用这个机会进行了一些非被动的更改。这些更改的重点是改进和协调 Spring Session 的 API,以及删除不受欢迎的组件。
有了新的主要版本, Spring Session 团队利用这个机会进行了一些非被动的更改。这些更改的重点是改进和协调 Spring Session 的 API,以及删除不受欢迎的组件。
## [](#_baseline_update)基线更新
Spring 会话 2.0 需要 Java8 和 Spring Framework5.0 作为基线,因为其整个代码库现在基于 Java8 源代码。有关升级 Spring 框架的更多信息,请参见[Upgrading to Spring Framework 5.x](https://github.com/spring-projects/spring-framework/wiki/Upgrading-to-Spring-Framework-5.x)。
Spring Session 2.0 需要 Java8 和 Spring Framework5.0 作为基线,因为其整个代码库现在基于 Java8 源代码。有关升级 Spring 框架的更多信息,请参见[Upgrading to Spring Framework 5.x](https://github.com/spring-projects/spring-framework/wiki/Upgrading-to-Spring-Framework-5.x)。
## [](#_replaced_and_removed_modules)替换和移除模块
...
...
@@ -14,13 +14,13 @@ Spring 会话 2.0 需要 Java8 和 Spring Framework5.0 作为基线,因为其
Spring 会话提供了与 Spring WebFlux 的`WebSession`的透明集成。这意味着你可以使用 Spring 会话支持的实现来切换`WebSession`实现。
Spring Session 提供了与 Spring WebFlux 的`WebSession`的透明集成。这意味着你可以使用 Spring Session 支持的实现来切换`WebSession`实现。
## [](#websession-why)为什么要进行会话和 WebSession?
我们已经提到, Spring 会话提供了与 Spring WebFlux 的`WebSession`的透明集成,但是我们从中得到了什么好处呢?与`HttpSession`一样, Spring 会话使得在不绑定到特定于应用程序容器的解决方案的情况下支持[群集会话](#websession-redis)变得非常简单。
我们已经提到, Spring Session 提供了与 Spring WebFlux 的`WebSession`的透明集成,但是我们从中得到了什么好处呢?与`HttpSession`一样, Spring Session 使得在不绑定到特定于应用程序容器的解决方案的情况下支持[群集会话](#websession-redis)变得非常简单。
## [](#websession-redis)与 Redis 的 WebSession
使用 Spring session with`WebSession`是通过注册一个`WebSessionManager`实现来启用的,该实现由 Spring session 的`ReactiveSessionRepository`支持。 Spring 配置负责创建一个`WebSessionManager`,该实现用 Spring 会话支持的实现替换`WebSession`实现。要做到这一点,请添加以下 Spring 配置:
使用 Spring session with`WebSession`是通过注册一个`WebSessionManager`实现来启用的,该实现由 Spring session 的`ReactiveSessionRepository`支持。 Spring 配置负责创建一个`WebSessionManager`,该实现用 Spring Session 支持的实现替换`WebSession`实现。要做到这一点,请添加以下 Spring 配置:
```
@EnableRedisWebSession (1)
...
...
@@ -22,18 +22,18 @@ public class SessionConfiguration {
}
```
|**1**|`@EnableRedisWebSession`注释创建了一个名为`webSessionManager`的 Spring Bean。这个 Bean 实现了`WebSessionManager`。<br/>这就是负责替换要由 Spring 会话支持的`WebSession`实现的内容。<br/>在这个实例中, Spring 会话是由 Redis 支持的。|
|**1**|`@EnableRedisWebSession`注释创建了一个名为`webSessionManager`的 Spring Bean。这个 Bean 实现了`WebSessionManager`。<br/>这就是负责替换要由 Spring Session 支持的`WebSession`实现的内容。<br/>在这个实例中, Spring Session 是由 Redis 支持的。|
|**2**|我们创建一个`RedisConnectionFactory`将 Spring 会话连接到 Redis 服务器。<br/>我们将连接配置为在默认端口(6379)<br/>上连接到 localhost。有关配置 Spring 数据 Redis 的更多信息,请参见[参考文献](https://docs.spring.io/spring-data/data-redis/docs/2.6.2/reference/html/)。|
|**2**|我们创建一个`RedisConnectionFactory`将 Spring Session 连接到 Redis 服务器。<br/>我们将连接配置为在默认端口(6379)<br/>上连接到 localhost。有关配置 Spring 数据 Redis 的更多信息,请参见[参考文献](https://docs.spring.io/spring-data/data-redis/docs/2.6.2/reference/html/)。|
## [](#websession-how)WebSession 集成如何工作
与 Servlet API 及其`HttpSession`相比, Spring 会话与 Spring WebFlux 及其`WebSession`集成要容易得多。 Spring WebFlux 提供了`WebSessionStore`API,该 API 提供了用于持久化`WebSession`的策略。
与 Servlet API 及其`HttpSession`相比, Spring Session 与 Spring WebFlux 及其`WebSession`集成要容易得多。 Spring WebFlux 提供了`WebSessionStore`API,该 API 提供了用于持久化`WebSession`的策略。
| |本节描述 Spring 会话如何使用`WebSession`提供透明的集成。我们提供这些内容,这样你就可以了解幕后发生了什么。这个功能已经集成了,你不需要自己实现这个逻辑。|
| |本节描述 Spring Session 如何使用`WebSession`提供透明的集成。我们提供这些内容,这样你就可以了解幕后发生了什么。这个功能已经集成了,你不需要自己实现这个逻辑。|
*`WebSocketConnectHandlerDecoratorFactory`作为`WebSocketHandlerDecoratorFactory`添加到`WebSocketTransportRegistration`。这确保了一个包含`WebSocketSession`的自定义`SessionConnectEvent`被触发。当 Spring 会话结束时,要结束任何 WebSocket 仍处于打开状态的连接,`WebSocketSession`是必需的。
*`WebSocketConnectHandlerDecoratorFactory`作为`WebSocketHandlerDecoratorFactory`添加到`WebSocketTransportRegistration`。这确保了一个包含`WebSocketSession`的自定义`SessionConnectEvent`被触发。当 Spring Session 结束时,要结束任何 WebSocket 仍处于打开状态的连接,`WebSocketSession`是必需的。