@@ -84,7 +84,7 @@ Spring 使用`Session`的会话最基本的 API 是`SessionRepository`。这个
一些`SessionRepository`实现方式也可以选择实现`FindByIndexNameSessionRepository`。例如, Spring 的 Redis、JDBC 和 Hazelcast 支持库都实现了`FindByIndexNameSessionRepository`。
`FindByIndexNameSessionRepository`提供了一个方法来查找具有给定的索引名和索引值的所有会话。作为所有提供的`FindByIndexNameSessionRepository`实现所支持的通用用例,你可以使用一种方便的方法来查找特定用户的所有会话。这是通过确保将名称为`FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME`的会话属性填充为用户名来完成的。你有责任确保填充该属性,因为 Spring 会话不知道正在使用的身份验证机制。下面的清单中可以看到如何使用该方法的示例:
`FindByIndexNameSessionRepository`提供了一个方法来查找具有给定的索引名和索引值的所有会话。作为所有提供的`FindByIndexNameSessionRepository`实现所支持的通用用例,你可以使用一种方便的方法来查找特定用户的所有会话。这是通过确保将名称为`FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME`的会话属性填充为用户名来完成的。你有责任确保填充该属性,因为 Spring Session 不知道正在使用的身份验证机制。下面的清单中可以看到如何使用该方法的示例:
实现自定义[`SessionRepository`](#API-SessionRepository)API 应该是一项相当简单的任务。将自定义实现与[`@EnableSpringHttpSession`](#api-enablespringhtpsession)支持相耦合,可以重用现有的 Spring 会话配置设施和基础设施。然而,有几个方面值得更仔细地考虑。
实现自定义[`SessionRepository`](#API-SessionRepository)API 应该是一项相当简单的任务。将自定义实现与[`@EnableSpringHttpSession`](#api-enablespringhtpsession)支持相耦合,可以重用现有的 Spring Session 配置设施和基础设施。然而,有几个方面值得更仔细地考虑。
在 HTTP 请求的生命周期中,`HttpSession`通常会两次持久化到`SessionRepository`。第一个持久化操作是确保一旦客户端访问了会话 ID,会话对客户端是可用的,并且还需要在会话提交后写入,因为可能会对会话进行进一步的修改。考虑到这一点,我们通常建议`SessionRepository`实现跟踪更改,以确保只保存增量。这在高度并发的环境中尤其重要,在这种环境中,多个请求在同一个`HttpSession`上运行,因此会导致竞争条件,因为请求会覆盖彼此对会话属性的更改。 Spring 会话提供的所有`SessionRepository`实现都使用所描述的方法来持久化会话更改,并且可以在实现自定义`SessionRepository`时用于指导。
在 HTTP 请求的生命周期中,`HttpSession`通常会两次持久化到`SessionRepository`。第一个持久化操作是确保一旦客户端访问了会话 ID,会话对客户端是可用的,并且还需要在会话提交后写入,因为可能会对会话进行进一步的修改。考虑到这一点,我们通常建议`SessionRepository`实现跟踪更改,以确保只保存增量。这在高度并发的环境中尤其重要,在这种环境中,多个请求在同一个`HttpSession`上运行,因此会导致竞争条件,因为请求会覆盖彼此对会话属性的更改。 Spring Session 提供的所有`SessionRepository`实现都使用所描述的方法来持久化会话更改,并且可以在实现自定义`SessionRepository`时用于指导。
`FindByIndexNameSessionRepository`如果开发人员指示 Spring 会话什么用户与`Session`相关联,则只能通过用户名找到会话。你可以通过确保将名称`FindByUsernameSessionRepository.PRINCIPAL_NAME_INDEX_NAME`的会话属性填充为用户名来做到这一点。
`FindByIndexNameSessionRepository`如果开发人员指示 Spring Session 什么用户与`Session`相关联,则只能通过用户名找到会话。你可以通过确保将名称`FindByUsernameSessionRepository.PRINCIPAL_NAME_INDEX_NAME`的会话属性填充为用户名来做到这一点。
一般来说,你可以在用户进行身份验证后立即使用以下代码来完成此操作:
...
...
@@ -103,7 +103,7 @@ public void doFilterInternal(HttpServletRequest request, HttpServletResponse res
在使用 Spring 会话之前,你必须更新你的依赖关系。我们假设你正在使用一个有效的启动 Web 应用程序。如果使用 Maven,则必须添加以下依赖项:
在使用 Spring Session 之前,你必须更新你的依赖关系。我们假设你正在使用一个有效的启动 Web 应用程序。如果使用 Maven,则必须添加以下依赖项:
POM.xml
...
...
@@ -24,11 +24,11 @@ POM.xml
</dependencies>
```
Spring 启动为 Spring 会话模块提供了依赖管理,因此不需要显式地声明依赖版本。
Spring 启动为 Spring Session 模块提供了依赖管理,因此不需要显式地声明依赖版本。
## [](#httpsession-jdbc-boot-spring-configuration) Spring 引导配置
在添加了所需的依赖项之后,我们就可以创建我们的 Spring 启动配置了。多亏了一流的自动配置支持,在关系数据库支持下设置 Spring 会话就像在`application.properties`中添加一个配置属性一样简单。下面的清单展示了如何做到这一点:
在添加了所需的依赖项之后,我们就可以创建我们的 Spring 启动配置了。多亏了一流的自动配置支持,在关系数据库支持下设置 Spring Session 就像在`application.properties`中添加一个配置属性一样简单。下面的清单展示了如何做到这一点:
SRC/主/资源/应用程序.properties
...
...
@@ -36,9 +36,9 @@ SRC/主/资源/应用程序.properties
spring.session.store-type=jdbc # Session store type.
```
如果在 Classpath 上存在单个 Spring 会话模块,则 Spring 引导将自动使用该存储实现。如果有多个实现,则必须选择要用来存储会话的 StoreType,如上面所示。
如果在 Classpath 上存在单个 Spring Session 模块,则 Spring 引导将自动使用该存储实现。如果有多个实现,则必须选择要用来存储会话的 StoreType,如上面所示。
在这种情况下, Spring boot 应用的配置相当于手动添加`@EnableJdbcHttpSession`注释。这将创建一个名为`springSessionRepositoryFilter`的 Spring Bean。 Bean 实现`Filter`。过滤器负责替换要由 Spring 会话支持的`HttpSession`实现。
在这种情况下, Spring boot 应用的配置相当于手动添加`@EnableJdbcHttpSession`注释。这将创建一个名为`springSessionRepositoryFilter`的 Spring Bean。 Bean 实现`Filter`。过滤器负责替换要由 Spring Session 支持的`HttpSession`实现。
我们的[Spring Boot Configuration](#httpsession-jdbc-boot-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring 会话支持的自定义实现替换`HttpSession`。
我们的[Spring Boot Configuration](#httpsession-jdbc-boot-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring Session 支持的自定义实现替换`HttpSession`。
为了让我们的`Filter`发挥其魔力, Spring 需要加载我们的`Config`类。最后,我们需要确保我们的 Servlet 容器(即 Tomcat)为每个请求使用我们的`springSessionRepositoryFilter`。幸运的是,Boot 为我们解决了这两个步骤。
我们的[Spring Configuration](#boot-mongo-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring 会话支持的自定义实现替换`HttpSession`。
我们的[Spring Configuration](#boot-mongo-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring Session 支持的自定义实现替换`HttpSession`。
为了让我们的`Filter`发挥其魔力, Spring 需要加载我们的`Config`类。最后,我们需要确保我们的 Servlet 容器(即 Tomcat)对每个请求使用我们的`springSessionRepositoryFilter`。幸运的是,Boot 为我们解决了这两个步骤。
## [](#mongo-sample)MongoDB 示例应用程序
MongoDB 示例应用程序演示了如何在使用 Spring 引导时使用 Spring 会话透明地利用 MongoDB 来支持 Web 应用程序的`HttpSession`。
MongoDB 示例应用程序演示了如何在使用 Spring 引导时使用 Spring Session 透明地利用 MongoDB 来支持 Web 应用程序的`HttpSession`。
在使用 Spring 会话之前,你必须确保你的依赖关系。我们假设你正在使用一个有效的启动 Web 应用程序。如果正在使用 Maven,则必须添加以下依赖项:
在使用 Spring Session 之前,你必须确保你的依赖关系。我们假设你正在使用一个有效的启动 Web 应用程序。如果正在使用 Maven,则必须添加以下依赖项:
POM.xml
...
...
@@ -24,11 +24,11 @@ POM.xml
</dependencies>
```
Spring 启动为 Spring 会话模块提供了依赖管理,因此不需要显式声明依赖版本。
Spring 启动为 Spring Session 模块提供了依赖管理,因此不需要显式声明依赖版本。
## [](#boot-spring-configuration) Spring 引导配置
在添加了所需的依赖项之后,我们就可以创建我们的 Spring 启动配置了。多亏了一流的自动配置支持,由 Redis 支持的设置 Spring 会话非常简单,只需向你的`application.properties`添加一个配置属性,如以下清单所示:
在添加了所需的依赖项之后,我们就可以创建我们的 Spring 启动配置了。多亏了一流的自动配置支持,由 Redis 支持的设置 Spring Session 非常简单,只需向你的`application.properties`添加一个配置属性,如以下清单所示:
SRC/主/资源/应用程序.properties
...
...
@@ -36,7 +36,7 @@ SRC/主/资源/应用程序.properties
spring.session.store-type=redis # Session store type.
```
在这种情况下, Spring boot 应用的配置相当于手动添加`@EnableRedisHttpSession`注释。这将创建一个名为`springSessionRepositoryFilter`的 Spring Bean,实现`Filter`。过滤器负责替换要由 Spring 会话支持的`HttpSession`实现。
在这种情况下, Spring boot 应用的配置相当于手动添加`@EnableRedisHttpSession`注释。这将创建一个名为`springSessionRepositoryFilter`的 Spring Bean,实现`Filter`。过滤器负责替换要由 Spring Session 支持的`HttpSession`实现。
使用`application.properties`还可以进行进一步的定制,如以下清单所示:
...
...
@@ -52,7 +52,7 @@ spring.session.redis.namespace=spring:session # Namespace for keys used to store
## [](#boot-redis-configuration)配置 Redis 连接
Spring 启动会自动创建一个`RedisConnectionFactory`,它将 Spring 会话连接到端口 6379(默认端口)上本地主机上的 Redis 服务器。在生产环境中,你需要更新配置以指向 Redis 服务器。例如,你可以在应用程序中包含以下内容:
Spring 启动会自动创建一个`RedisConnectionFactory`,它将 Spring Session 连接到端口 6379(默认端口)上本地主机上的 Redis 服务器。在生产环境中,你需要更新配置以指向 Redis 服务器。例如,你可以在应用程序中包含以下内容:
SRC/主/资源/应用程序.properties
...
...
@@ -66,13 +66,13 @@ spring.redis.port=6379 # Redis server port.
## [](#boot-servlet-configuration) Servlet 容器初始化
我们的[Spring Boot Configuration](#boot-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring 会话支持的自定义实现替换`HttpSession`。
我们的[Spring Boot Configuration](#boot-spring-configuration)创建了一个名为`springSessionRepositoryFilter`的 Spring Bean,它实现了`Filter`。`springSessionRepositoryFilter` Bean 负责用 Spring Session 支持的自定义实现替换`HttpSession`。
为了使我们的`Filter`发挥其魔力, Spring 需要加载我们的`Config`类。最后,我们需要确保我们的 Servlet 容器(即 Tomcat)为每个请求使用我们的`springSessionRepositoryFilter`。幸运的是,Boot 为我们解决了这两个步骤。
## [](#boot-sample)引导示例应用程序
引导示例应用程序演示了如何在使用 Spring 引导时使用 Spring 会话透明地利用 Redis 来支持 Web 应用程序的`HttpSession`。
引导示例应用程序演示了如何在使用 Spring 引导时使用 Spring Session 透明地利用 Redis 来支持 Web 应用程序的`HttpSession`。
## [](#webflux-custom-cookie-spring-configuration) Spring 引导配置
一旦设置了 Spring 会话,就可以通过将`WebSessionIdResolver`公开为 Spring Bean 来自定义会话 cookie 的编写方式。 Spring 默认情况下,会话使用`CookieWebSessionIdResolver`。在使用`@EnableRedisHttpSession`之类的配置时,将`WebSessionIdResolver`公开为 Spring Bean 会增强现有的配置。下面的示例展示了如何自定义 Spring 会话的 cookie:
一旦设置了 Spring Session ,就可以通过将`WebSessionIdResolver`公开为 Spring Bean 来自定义会话 cookie 的编写方式。 Spring 默认情况下,会话使用`CookieWebSessionIdResolver`。在使用`@EnableRedisHttpSession`之类的配置时,将`WebSessionIdResolver`公开为 Spring Bean 会增强现有的配置。下面的示例展示了如何自定义 Spring Session 的 cookie:
*`WebSocketConnectHandlerDecoratorFactory`作为`WebSocketHandlerDecoratorFactory`添加到`WebSocketTransportRegistration`。这确保了一个包含`WebSocketSession`的自定义`SessionConnectEvent`被触发。当 Spring 会话结束时,要结束任何仍处于打开状态的 WebSocket 连接,`WebSocketSession`是必需的。
*`WebSocketConnectHandlerDecoratorFactory`作为`WebSocketHandlerDecoratorFactory`添加到`WebSocketTransportRegistration`。这确保了一个包含`WebSocketSession`的自定义`SessionConnectEvent`被触发。当 Spring Session 结束时,要结束任何仍处于打开状态的 WebSocket 连接,`WebSocketSession`是必需的。
To look up a user by their username, you must first choose a `SessionRepository` that implements [`FindByIndexNameSessionRepository`](../#api-findbyindexnamesessionrepository).
Our sample application assumes that the Redis support is already set up, so we are ready to go.
## [](#_mapping_the_user_name)Mapping the User Name
`FindByIndexNameSessionRepository` can find a session only by the user name if the developer instructs Spring Session what user is associated with the `Session`.
You can do so by ensuring that the session attribute with the name `FindByUsernameSessionRepository.PRINCIPAL_NAME_INDEX_NAME` is populated with the username.
Generally speaking, you can do so with the following code immediately after the user authenticates:
We obtain the information we want and then set the `SessionDetails` as an attribute in the `Session`.
When we retrieve the `Session` by user name, we can then use the session to access our `SessionDetails` as we would any other session attribute.
| |You might wonder why Spring Session does not provide `SessionDetails` functionality out of the box.<br/>We have two reasons.<br/>The first reason is that it is very trivial for applications to implement this themselves.<br/>The second reason is that the information that is populated in the session (and how frequently that information is updated) is highly application-dependent.|
This section describes how to use the `findbyusername` sample application.
### [](#_running_the_findbyusername_sample_application)Running the `findbyusername` Sample Application
You can run the sample by obtaining the [source code](https://github.com/spring-projects/spring-session/archive/main.zip) and invoking the following command:
| |For the sample to work, you must [install Redis 2.8+](https://redis.io/download) on localhost and run it with the default port (6379).<br/>Alternatively, you can update the `RedisConnectionFactory` to point to a Redis server.<br/>Another option is to use [Docker](https://www.docker.com/) to run Redis on localhost.<br/>See [Docker Redis repository](https://hub.docker.com/_/redis/) for detailed instructions.|
This guide describes how to use Spring Session to transparently leverage a relational database to back a web application’s `HttpSession` when you use Spring Boot.
| |You can find the completed guide in the [httpsession-jdbc-boot sample application](#httpsession-jdbc-boot-sample).|
After adding the required dependencies, we can create our Spring Boot configuration.
Thanks to first-class auto configuration support, setting up Spring Session backed by a relational database is as simple as adding a single configuration property to your `application.properties`.
The following listing shows how to do so:
src/main/resources/application.properties
```
spring.session.store-type=jdbc # Session store type.
```
If a single Spring Session module is present on the classpath, Spring Boot uses that store implementation automatically.
If you have more than one implementation, you must choose the StoreType that you wish to use to store the sessions, as shows above.
Under the hood, Spring Boot applies configuration that is equivalent to manually adding the `@EnableJdbcHttpSession` annotation.
This creates a Spring bean with the name of `springSessionRepositoryFilter`. That bean implements `Filter`.
The filter is in charge of replacing the `HttpSession` implementation to be backed by Spring Session.
You can further customize by using `application.properties`.
The following listing shows how to do so:
src/main/resources/application.properties
```
server.servlet.session.timeout= # Session timeout. If a duration suffix is not specified, seconds are used.
spring.session.jdbc.schema=classpath:org/springframework/session/jdbc/[email protected]@[email protected]@.sql # Path to the SQL file to use to initialize the database schema.
spring.session.jdbc.table-name=SPRING_SESSION # Name of the database table used to store sessions.
```
For more information, see the [Spring Session](https://docs.spring.io/spring-boot/docs/2.5.6/reference/htmlsingle/#boot-features-session) portion of the Spring Boot documentation.
## [](#httpsession-jdbc-boot-configuration)Configuring the `DataSource`
Spring Boot automatically creates a `DataSource` that connects Spring Session to an embedded instance of an H2 database.
In a production environment, you need to update your configuration to point to your relational database.
For example, you can include the following in your application.properties:
src/main/resources/application.properties
```
spring.datasource.url= # JDBC URL of the database.
spring.datasource.username= # Login username of the database.
spring.datasource.password= # Login password of the database.
```
For more information, see the [Configure a DataSource](https://docs.spring.io/spring-boot/docs/2.5.6/reference/htmlsingle/#boot-features-configure-datasource) portion of the Spring Boot documentation.
Our [Spring Boot Configuration](#httpsession-jdbc-boot-spring-configuration) created a Spring bean named `springSessionRepositoryFilter` that implements `Filter`.
The `springSessionRepositoryFilter` bean is responsible for replacing the `HttpSession` with a custom implementation that is backed by Spring Session.
In order for our `Filter` to do its magic, Spring needs to load our `Config` class.
Last, we need to ensure that our Servlet Container (that is, Tomcat) uses our `springSessionRepositoryFilter` for every request.
Fortunately, Spring Boot takes care of both of these steps for us.
The httpsession-jdbc-boot Sample Application demonstrates how to use Spring Session to transparently leverage an H2 database to back a web application’s `HttpSession` when you use Spring Boot.
### [](#httpsession-jdbc-boot-running)Running the `httpsession-jdbc-boot` Sample Application
You can run the sample by obtaining the [source code](https://github.com/spring-projects/spring-session/archive/main.zip) and invoking the following command:
You should now be able to access the application at [http://localhost:8080/](http://localhost:8080/)
### [](#httpsession-jdbc-boot-explore)Exploring the Security Sample Application
You can now try using the application.
To do so, enter the following to log in:
***Username***user*
***Password***password*
Now click the **Login** button.
You should now see a message indicating that your are logged in with the user entered previously.
The user’s information is stored in the H2 database rather than Tomcat’s `HttpSession` implementation.
### [](#httpsession-jdbc-boot-how)How Does It Work?
Instead of using Tomcat’s `HttpSession`, we persist the values in the H2 database.
Spring Session replaces the `HttpSession` with an implementation that is backed by a relational database.
When Spring Security’s `SecurityContextPersistenceFilter` saves the `SecurityContext` to the `HttpSession`, it is then persisted into the H2 database.
When a new `HttpSession` is created, Spring Session creates a cookie named `SESSION` in your browser. That cookie contains the ID of your session.
You can view the cookies (with [Chrome](https://developers.google.com/web/tools/chrome-devtools/manage-data/cookies) or [Firefox](https://developer.mozilla.org/en-US/docs/Tools/Storage_Inspector)).
You can remove the session by using the H2 web console available at: [http://localhost:8080/h2-console/](http://localhost:8080/h2-console/)(use`jdbc:h2:mem:testdb` for JDBC URL).
Now you can visit the application at [http://localhost:8080/](http://localhost:8080/) and see that we are no longer authenticated.
After adding the required dependencies, we can create our Spring configuration.
The Spring configuration is responsible for creating a Servlet Filter that replaces the `HttpSession` implementation with an implementation backed by Spring Session.
All you have to do is to add the following Spring Configuration:
```
@EnableMongoHttpSession (1)
public class HttpSessionConfig {
@Bean
public JdkMongoSessionConverter jdkMongoSessionConverter() {
return new JdkMongoSessionConverter(Duration.ofMinutes(30)); (2)
}
}
```
|**1**|The `@EnableMongoHttpSession` annotation creates a Spring Bean with the name of `springSessionRepositoryFilter` that implements Filter.<br/>This filter is what replaces the default `HttpSession` with the MongoDB-backed bean.|
|**2**| Configures the session timeout to 30 minutes. |
## [](#boot-mongo-configuration)Configuring the MongoDB Connection
Spring Boot automatically creates a `MongoClient` that connects Spring Session to a MongoDB Server on localhost on port 27017 (default port).
In a production environment you need to ensure to update your configuration to point to your MongoDB server.
For example, you can include the following in your **application.properties**
src/main/resources/application.properties
```
spring.data.mongodb.host=mongo-srv
spring.data.mongodb.port=27018
spring.data.mongodb.database=prod
```
For more information, refer to [Connecting to MongoDB](https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#boot-features-connecting-to-mongodb) portion of the Spring Boot documentation.
Our [Spring Configuration](#boot-mongo-configuration) created a Spring Bean named `springSessionRepositoryFilter` that implements `Filter`.
The `springSessionRepositoryFilter` bean is responsible for replacing the `HttpSession` with a custom implementation that is backed by Spring Session.
In order for our `Filter` to do its magic, Spring needs to load our `Config` class.
Last we need to ensure that our Servlet Container (i.e. Tomcat) uses our `springSessionRepositoryFilter` for every request.
Fortunately, Spring Boot takes care of both of these steps for us.
## [](#mongo-sample)MongoDB Sample Application
The MongoDB Sample Application demonstrates how to use Spring Session to transparently leverage MongoDB to back a web application’s `HttpSession` when using Spring Boot.
### [](#mongo-running)Running the MongoDB Sample Application
You can run the sample by obtaining the [source code](https://github.com/spring-projects/spring-session/archive/main.zip) and invoking the following command:
```
$ ./gradlew :samples:mongo:bootRun
```
You should now be able to access the application at [http://localhost:8080/](http://localhost:8080/)
### [](#boot-explore)Exploring the security Sample Application
Try using the application. Enter the following to log in:
***Username***user*
***Password***password*
Now click the **Login** button.
You should now see a message indicating your are logged in with the user entered previously.
The user’s information is stored in MongoDB rather than Tomcat’s `HttpSession` implementation.
### [](#mongo-how)How does it work?
Instead of using Tomcat’s `HttpSession`, we are actually persisting the values in Mongo.
Spring Session replaces the `HttpSession` with an implementation that is backed by Mongo.
When Spring Security’s `SecurityContextPersistenceFilter` saves the `SecurityContext` to the `HttpSession` it is then persisted into Mongo.
When a new `HttpSession` is created, Spring Session creates a cookie named SESSION in your browser that contains the id of your session.
Go ahead and view the cookies (click for help with [Chrome](https://developer.chrome.com/devtools/docs/resources#cookies) or [Firefox](https://getfirebug.com/wiki/index.php/Cookies_Panel#Cookies_List)).
If you like, you can easily inspect the session using mongo client. For example, on a Linux based system you can type:
| |The sample application uses an embedded MongoDB instance that listens on a randomly allocated port.<br/>The port used by embedded MongoDB together with exact command to connect to it is logged during application startup.|
Alternatively, you can also delete the explicit key. Enter the following into your terminal ensuring to replace `60f17293-839b-477c-bb92-07a9c3658843` with the value of your SESSION cookie:
After adding the required dependencies, we can create our Spring Boot configuration.
Thanks to first-class auto configuration support, setting up Spring Session backed by Redis is as simple as adding a single configuration property to your `application.properties`, as the following listing shows:
src/main/resources/application.properties
```
spring.session.store-type=redis # Session store type.
```
Under the hood, Spring Boot applies configuration that is equivalent to manually adding `@EnableRedisHttpSession` annotation.
This creates a Spring bean with the name of `springSessionRepositoryFilter` that implements `Filter`.
The filter is in charge of replacing the `HttpSession` implementation to be backed by Spring Session.
Further customization is possible by using `application.properties`, as the following listing shows:
src/main/resources/application.properties
```
server.servlet.session.timeout= # Session timeout. If a duration suffix is not specified, seconds is used.
spring.session.redis.namespace=spring:session # Namespace for keys used to store sessions.
```
For more information, see the [Spring Session](https://docs.spring.io/spring-boot/docs/2.5.6/reference/htmlsingle/#boot-features-session) portion of the Spring Boot documentation.
## [](#boot-redis-configuration)Configuring the Redis Connection
Spring Boot automatically creates a `RedisConnectionFactory` that connects Spring Session to a Redis Server on localhost on port 6379 (default port).
In a production environment, you need to update your configuration to point to your Redis server.
For example, you can include the following in your application.properties:
src/main/resources/application.properties
```
spring.redis.host=localhost # Redis server host.
spring.redis.password= # Login password of the redis server.
spring.redis.port=6379 # Redis server port.
```
For more information, see the [Connecting to Redis](https://docs.spring.io/spring-boot/docs/2.5.6/reference/htmlsingle/#boot-features-connecting-to-redis) portion of the Spring Boot documentation.
Our [Spring Boot Configuration](#boot-spring-configuration) created a Spring bean named `springSessionRepositoryFilter` that implements `Filter`.
The `springSessionRepositoryFilter` bean is responsible for replacing the `HttpSession` with a custom implementation that is backed by Spring Session.
In order for our `Filter` to do its magic, Spring needs to load our `Config` class.
Last, we need to ensure that our servlet container (that is, Tomcat) uses our `springSessionRepositoryFilter` for every request.
Fortunately, Spring Boot takes care of both of these steps for us.
## [](#boot-sample)Boot Sample Application
The Boot Sample Application demonstrates how to use Spring Session to transparently leverage Redis to back a web application’s `HttpSession` when you use Spring Boot.
### [](#boot-running)Running the Boot Sample Application
You can run the sample by obtaining the [source code](https://github.com/spring-projects/spring-session/archive/main.zip) and invoking the following command:
| |For the sample to work, you must [install Redis 2.8+](https://redis.io/download) on localhost and run it with the default port (6379).<br/>Alternatively, you can update the `RedisConnectionFactory` to point to a Redis server.<br/>Another option is to use [Docker](https://www.docker.com/) to run Redis on localhost. See [Docker Redis repository](https://hub.docker.com/_/redis/) for detailed instructions.|
You should now be able to access the application at [http://localhost:8080/](http://localhost:8080/)
### [](#boot-explore)Exploring the `security` Sample Application
Now you can try using the application. Enter the following to log in:
***Username***user*
***Password***password*
Now click the **Login** button.
You should now see a message indicating your are logged in with the user entered previously.
The user’s information is stored in Redis rather than Tomcat’s `HttpSession` implementation.
### [](#boot-how)How Does It Work?
Instead of using Tomcat’s `HttpSession`, we persist the values in Redis.
Spring Session replaces the `HttpSession` with an implementation that is backed by Redis.
When Spring Security’s `SecurityContextPersistenceFilter` saves the `SecurityContext` to the `HttpSession`, it is then persisted into Redis.
When a new `HttpSession` is created, Spring Session creates a cookie named `SESSION` in your browser.
That cookie contains the ID of your session.
You can view the cookies (with [Chrome](https://developers.google.com/web/tools/chrome-devtools/manage-data/cookies) or [Firefox](https://developer.mozilla.org/en-US/docs/Tools/Storage_Inspector)).
You can remove the session by using redis-cli.
For example, on a Linux based system you can type the following:
```
$ redis-cli keys '*' | xargs redis-cli del
```
| |The Redis documentation has instructions for [installing redis-cli](https://redis.io/topics/quickstart).|
Alternatively, you can also delete the explicit key.
To do so, enter the following into your terminal, being sure to replace `7e8383a4-082c-4ffe-a4bc-c40fd3363c5e` with the value of your `SESSION` cookie:
```
$ redis-cli del spring:session:sessions:7e8383a4-082c-4ffe-a4bc-c40fd3363c5e
```
Now you can visit the application at [http://localhost:8080/](http://localhost:8080/) and observe that we are no longer authenticated.
This guide describes how to configure Spring Session to use custom cookies in a WebFlux based application.
The guide assumes you have already set up Spring Session in your project using your chosen data store. For example, [HttpSession with Redis](./boot-redis.html).
| |You can find the completed guide in the [WebFlux Custom Cookie sample application](#webflux-custom-cookie-sample).|
This section describes how to work with the `webflux-custom-cookie` sample application.
### [](#_running_the_webflux_custom_cookie_sample_application)Running the `webflux-custom-cookie` Sample Application
You can run the sample by obtaining the [source code](https://github.com/spring-projects/spring-session/archive/main.zip) and invoking the following command:
| |For the sample to work, you must [install Redis 2.8+](https://redis.io/download) on localhost and run it with the default port (6379).<br/>Alternatively, you can update the `RedisConnectionFactory` to point to a Redis server.<br/>Another option is to use [Docker](https://www.docker.com/) to run Redis on localhost. See [Docker Redis repository](https://hub.docker.com/_/redis/) for detailed instructions.|
This guide describes how to use Spring Session to ensure that WebSocket messages keep your HttpSession alive.
| |Spring Session’s WebSocket support works only with Spring’s WebSocket support.<br/>Specifically,it does not work with using [JSR-356](https://www.jcp.org/en/jsr/detail?id=356) directly, because JSR-356 does not have a mechanism for intercepting incoming WebSocket messages.|
The first step is to integrate Spring Session with the HttpSession. These steps are already outlined in the [HttpSession with Redis Guide](./boot-redis.html).
Please make sure you have already integrated Spring Session with HttpSession before proceeding.
The `websocket` sample application demonstrates how to use Spring Session with WebSockets.
### [](#_running_the_websocket_sample_application)Running the `websocket` Sample Application
You can run the sample by obtaining the [source code](https://github.com/spring-projects/spring-session/archive/main.zip) and invoking the following command:
| |For the purposes of testing session expiration, you may want to change the session expiration to be 1 minute (the default is 30 minutes) by adding the following configuration property before starting the application:<br/><br/>src/main/resources/application.properties<br/><br/>```<br/>server.servlet.session.timeout=1m # Session timeout. If a duration suffix is not specified, seconds will be used.<br/>```|
| |For the sample to work, you must [install Redis 2.8+](https://redis.io/download) on localhost and run it with the default port (6379).<br/>Alternatively, you can update the `RedisConnectionFactory` to point to a Redis server.<br/>Another option is to use [Docker](https://www.docker.com/) to run Redis on localhost.<br/>See [Docker Redis repository](https://hub.docker.com/_/redis/) for detailed instructions.|
You should now be able to access the application at [http://localhost:8080/](http://localhost:8080/)
### [](#_exploring_the_websocket_sample_application)Exploring the `websocket` Sample Application
Now you can try using the application. Authenticate with the following information:
***Username***rob*
***Password***password*
Now click the **Login** button. You should now be authenticated as the user **rob**.
Open an incognito window and access [http://localhost:8080/](http://localhost:8080/)
You are prompted with a login form. Authenticate with the following information:
***Username***luke*
***Password***password*
Now send a message from rob to luke. The message should appear.
Wait for two minutes and try sending a message from rob to luke again.
You can see that the message is no longer sent.
| |Why two minutes?<br/><br/>Spring Session expires in 60 seconds, but the notification from Redis is not guaranteed to happen within 60 seconds.<br/>To ensure the socket is closed in a reasonable amount of time, Spring Session runs a background task every minute at 00 seconds that forcibly cleans up any expired sessions.<br/>This means you need to wait at most two minutes before the WebSocket connection is closed.|
You can now try accessing [http://localhost:8080/](http://localhost:8080/)You are prompted to authenticate again.
This demonstrates that the session properly expires.
Now repeat the same exercise, but instead of waiting two minutes, send a message from each of the users every 30 seconds.
You can see that the messages continue to be sent.
Try accessing [http://localhost:8080/](http://localhost:8080/)You are not prompted to authenticate again.
This demonstrates the session is kept alive.
| |Only messages sent from a user keep the session alive.<br/>This is because only messages coming from a user imply user activity.<br/>Received messages do not imply activity and, thus, do not renew the session expiration.|
Spring Session provides an API and implementations for managing a user’s session information.
Spring Session provides an API and implementations for managing a user’s session information while also making it trivial to support clustered sessions without being tied to an application container-specific solution.
It also provides transparent integration with:
*[HttpSession](http-session.html#httpsession): Allows replacing the `HttpSession` in an application container-neutral way, with support for providing session IDs in headers to work with RESTful APIs.
*[WebSocket](web-socket.html#websocket): Provides the ability to keep the `HttpSession` alive when receiving WebSocket messages
*[WebSession](web-session.html#websession): Allows replacing the Spring WebFlux’s `WebSession` in an application container-neutral way.
## [](#community)Spring Session Community
We are glad to consider you a part of our community.
The following sections provide additional about how to interact with the Spring Session community.
### [](#community-support)Support
You can get help by asking questions on [Stack Overflow with the `spring-session` tag](https://stackoverflow.com/questions/tagged/spring-session).
Similarly, we encourage helping others by answering questions on Stack Overflow.
### [](#community-source)Source Code
You can find the source code on GitHub at [https://github.com/spring-projects/spring-session/](https://github.com/spring-projects/spring-session/)
### [](#community-issues)Issue Tracking
We track issues in GitHub issues at [https://github.com/spring-projects/spring-session/issues](https://github.com/spring-projects/spring-session/issues)
### [](#community-contributing)Contributing
We appreciate [pull requests](https://help.github.com/articles/using-pull-requests/).
### [](#community-license)License
Spring Session is Open Source software released under the [Apache 2.0 license](https://www.apache.org/licenses/LICENSE-2.0).
* If you run in a Servlet Container (not required), Servlet 3.1+.
* If you use other Spring libraries (not required), the minimum required version is Spring 5.0.x.
*`@EnableRedisHttpSession` requires Redis 2.8+. This is necessary to support [Session Expiration](api.html#api-redisindexedsessionrepository-expiration)
*`@EnableHazelcastHttpSession` requires Hazelcast 3.6+. This is necessary to support [`FindByIndexNameSessionRepository`](api.html#api-enablehazelcasthttpsession-storage)
| |At its core, Spring Session has a required dependency only on `spring-jcl`.<br/>For an example of using Spring Session without any other Spring dependencies, see the [hazelcast sample](samples.html#samples) application.|
* Hosts the Spring Session Data Geode modules. Spring Session Data Geode has its own user guide, which you can find at the [[https://spring.io/projects/spring-session-data-geode#learn](https://spring.io/projects/spring-session-data-geode#learn) site].
Finally, Spring Session also provides a Maven BOM (“bill of materials”) module in order to help users with version management concerns:
| [HttpSession with Redis](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-redis) | Demonstrates how to use Spring Session to replace the `HttpSession` with Redis. | [HttpSession with Redis Guide](guides/boot-redis.html) |
| [HttpSession with JDBC](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-jdbc) | Demonstrates how to use Spring Session to replace the `HttpSession` with a relational database store. | [HttpSession with JDBC Guide](guides/boot-jdbc.html) |
| [HttpSession with Hazelcast](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-hazelcast) | Demonstrates how to use Spring Session to replace the `HttpSession` with Hazelcast. | |
| [Find by Username](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-findbyusername) | Demonstrates how to use Spring Session to find sessions by username. | [Find by Username Guide](guides/boot-findbyusername.html) |
| [WebSockets](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-websocket) | Demonstrates how to use Spring Session with WebSockets. | [WebSockets Guide](guides/boot-websocket.html) |
| [WebFlux](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-webflux) | Demonstrates how to use Spring Session to replace the Spring WebFlux’s `WebSession` with Redis. | |
| [WebFlux with Custom Cookie](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-webflux-custom-cookie) | Demonstrates how to use Spring Session to customize the Session cookie in a WebFlux based application. |[WebFlux with Custom Cookie Guide](guides/boot-webflux-custom-cookie.html)|
| [HttpSession with Redis JSON serialization](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-redis-json) | Demonstrates how to use Spring Session to replace the `HttpSession` with Redis using JSON serialization. | |
| [HttpSession with simple Redis `SessionRepository`](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-redis-simple) |Demonstrates how to use Spring Session to replace the `HttpSession` with Redis using `RedisSessionRepository`.| |
|[Spring Session with MongoDB Repositories (servlet-based)](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-mongodb-traditional)| Demonstrates how to back Spring Session with traditional MongoDB repositories. | [Spring Session with MongoDB Repositories](guides/boot-mongo.html) |
| [Spring Session with MongoDB Repositories (reactive)](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-boot-mongodb-reactive) | Demonstrates how to back Spring Session with reactive MongoDB repositories. | [Spring Session with MongoDB Repositories](guides/boot-mongo.html) |
| [HttpSession with Redis](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-javaconfig-redis) | Demonstrates how to use Spring Session to replace the `HttpSession` with Redis. | [HttpSession with Redis Guide](guides/java-redis.html) |
| [HttpSession with JDBC](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-javaconfig-jdbc) |Demonstrates how to use Spring Session to replace the `HttpSession` with a relational database store.| [HttpSession with JDBC Guide](guides/java-jdbc.html) |
|[HttpSession with Hazelcast](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-javaconfig-hazelcast)| Demonstrates how to use Spring Session to replace the `HttpSession` with Hazelcast. |[HttpSession with Hazelcast Guide](guides/java-hazelcast.html)|
| [Custom Cookie](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-javaconfig-custom-cookie) | Demonstrates how to use Spring Session and customize the cookie. | [Custom Cookie Guide](guides/java-custom-cookie.html) |
| [Spring Security](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-javaconfig-security) | Demonstrates how to use Spring Session with an existing Spring Security application. | [Spring Security Guide](guides/java-security.html) |
| [REST](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-javaconfig-rest) |Demonstrates how to use Spring Session in a REST application to support authenticating with a header.| [REST Guide](guides/java-rest.html) |
|[HttpSession with Redis](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-xml-redis)| Demonstrates how to use Spring Session to replace the `HttpSession` with a Redis store. |[HttpSession with Redis Guide](guides/xml-redis.html)|
| [HttpSession with JDBC](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-xml-jdbc) |Demonstrates how to use Spring Session to replace the `HttpSession` with a relational database store.| [HttpSession with JDBC Guide](guides/xml-jdbc.html) |
|[Hazelcast](https://github.com/spring-projects/spring-session/tree/main/spring-session-samples/spring-session-sample-misc-hazelcast)|Demonstrates how to use Spring Session with Hazelcast in a Java EE application.| |
Spring Session provides integration with Spring Security.
## [](#spring-security-rememberme)Spring Security Remember-me Support
Spring Session provides integration with [Spring Security’s Remember-me Authentication](https://docs.spring.io/spring-security/site/docs/5.6.2/reference/html5/#servlet-rememberme).
The support:
* Changes the session expiration length
* Ensures that the session cookie expires at `Integer.MAX_VALUE`.
The cookie expiration is set to the largest possible value, because the cookie is set only when the session is created.
If it were set to the same value as the session expiration, the session would get renewed when the user used it but the cookie expiration would not be updated (causing the expiration to be fixed).
To configure Spring Session with Spring Security in Java Configuration, you can use the following listing as a guide:
## [](#spring-security-concurrent-sessions)Spring Security Concurrent Session Control
Spring Session provides integration with Spring Security to support its concurrent session control.
This allows limiting the number of active sessions that a single user can have concurrently, but, unlike the default
Spring Security support, this also works in a clustered environment. This is done by providing a custom
implementation of Spring Security’s `SessionRegistry` interface.
When using Spring Security’s Java config DSL, you can configure the custom `SessionRegistry` through the`SessionManagementConfigurer`, as the following listing shows:
```
@Configuration
public class SecurityConfiguration<S extends Session> extends WebSecurityConfigurerAdapter {
This assumes that your Spring Session `SessionRegistry` bean is called `sessionRegistry`, which is the name used by all`SpringHttpSessionConfiguration` subclasses.
Spring Session’s implementation of Spring Security’s `SessionRegistry` interface does not support the `getAllPrincipals`method, as this information cannot be retrieved by using Spring Session. This method is never called by Spring Security,
so this affects only applications that access the `SessionRegistry` themselves.
With the new major release version, the Spring Session team took the opportunity to make some non-passive changes.
The focus of these changes is to improve and harmonize Spring Session’s APIs as well as remove the deprecated components.
## [](#_baseline_update)Baseline Update
Spring Session 2.0 requires Java 8 and Spring Framework 5.0 as a baseline, since its entire codebase is now based on Java 8 source code.
See [Upgrading to Spring Framework 5.x](https://github.com/spring-projects/spring-framework/wiki/Upgrading-to-Spring-Framework-5.x) for more on upgrading Spring Framework.
## [](#_replaced_and_removed_modules)Replaced and Removed Modules
As a part of the project’s splitting of the modules, the existing `spring-session` has been replaced with the `spring-session-core` module.
The `spring-session-core` module holds only the common set of APIs and components, while other modules contain the implementation of the appropriate `SessionRepository` and functionality related to that data store.
This applies to several existing modules that were previously a simple dependency aggregator helper module.
With new module arrangement, the following modules actually carry the implementation:
* Spring Session for MongoDB
* Spring Session for Redis
* Spring Session JDBC
* Spring Session Hazelcast
Also, the following were removed from the main project repository:
## [](#_replaced_and_removed_packages_classes_and_methods)Replaced and Removed Packages, Classes, and Methods
The following changes were made to packages, classes, and methods:
*`ExpiringSession` API has been merged into the `Session` API.
* The `Session` API has been enhanced to make full use of Java 8.
* The `Session` API has been extended with `changeSessionId` support.
* The `SessionRepository` API has been updated to better align with Spring Data method naming conventions.
*`AbstractSessionEvent` and its subclasses are no longer constructable without an underlying `Session` object.
* The Redis namespace used by `RedisOperationsSessionRepository` is now fully configurable, instead of being partially configurable.
* Redis configuration support has been updated to avoid registering a Spring Session-specific `RedisTemplate` bean.
* JDBC configuration support has been updated to avoid registering a Spring Session-specific `JdbcTemplate` bean.
* Previously deprecated classes and methods have been removed across the codebase
## [](#_dropped_support)Dropped Support
As a part of the changes to `HttpSessionStrategy` and its alignment to the counterpart from the reactive world, the support for managing multiple users' sessions in a single browser instance has been removed.
The introduction of a new API to replace this functionality is under consideration for future releases.
Spring Session provides transparent integration with Spring WebFlux’s `WebSession`.
This means that you can switch the `WebSession` implementation out with an implementation that is backed by Spring Session.
## [](#websession-why)Why Spring Session and WebSession?
We have already mentioned that Spring Session provides transparent integration with Spring WebFlux’s `WebSession`, but what benefits do we get out of this?
As with `HttpSession`, Spring Session makes it trivial to support [clustered sessions](#websession-redis) without being tied to an application container specific solution.
## [](#websession-redis)WebSession with Redis
Using Spring Session with `WebSession` is enabled by registering a `WebSessionManager` implementation backed by Spring Session’s `ReactiveSessionRepository`.
The Spring configuration is responsible for creating a `WebSessionManager` that replaces the `WebSession` implementation with an implementation backed by Spring Session.
To do so, add the following Spring Configuration:
```
@EnableRedisWebSession (1)
public class SessionConfiguration {
@Bean
public LettuceConnectionFactory redisConnectionFactory() {
return new LettuceConnectionFactory(); (2)
}
}
```
|**1**| The `@EnableRedisWebSession` annotation creates a Spring bean with the name of `webSessionManager`. That bean implements the `WebSessionManager`.<br/>This is what is in charge of replacing the `WebSession` implementation to be backed by Spring Session.<br/>In this instance, Spring Session is backed by Redis. |
|**2**|We create a `RedisConnectionFactory` that connects Spring Session to the Redis Server.<br/>We configure the connection to connect to localhost on the default port (6379)<br/>For more information on configuring Spring Data Redis, see the [reference documentation](https://docs.spring.io/spring-data/data-redis/docs/2.6.2/reference/html/).|
## [](#websession-how)How WebSession Integration Works
It is considerably easier for Spring Session to integrate with Spring WebFlux and its `WebSession`, compared to Servlet API and its `HttpSession`.
Spring WebFlux provides the `WebSessionStore` API, which presents a strategy for persisting `WebSession`.
| |This section describes how Spring Session provides transparent integration with `WebSession`. We offer this content so that you can understand what is happening under the covers. This functionality is already integrated and you do NOT need to implement this logic yourself.|
// ... other methods delegate to the original Session
}
```
Next, we create a custom `WebSessionStore` that delegates to the `ReactiveSessionRepository` and wraps `Session` into custom `WebSession` implementation, as the following listing shows:
```
public class SpringSessionWebSessionStore<S extends Session> implements WebSessionStore {
private final ReactiveSessionRepository<S> sessions;
public SpringSessionWebSessionStore(ReactiveSessionRepository<S> reactiveSessionRepository) {
this.sessions = reactiveSessionRepository;
}
// ...
}
```
To be detected by Spring WebFlux, this custom `WebSessionStore` needs to be registered with `ApplicationContext` as a bean named `webSessionManager`.
For additional information on Spring WebFlux, see the [Spring Framework Reference Documentation](https://docs.spring.io/spring-framework/docs/5.3.16/reference/html/web-reactive.html).
Spring Session provides transparent integration with Spring’s WebSocket support.
| |Spring Session’s WebSocket support works only with Spring’s WebSocket support.<br/>Specifically,it does not work with using [JSR-356](https://www.jcp.org/en/jsr/detail?id=356) directly, because JSR-356 does not have a mechanism for intercepting incoming WebSocket messages.|
## [](#websocket-why)Why Spring Session and WebSockets?
So why do we need Spring Session when we use WebSockets?
Consider an email application that does much of its work through HTTP requests.
However, there is also a chat application embedded within it that works over WebSocket APIs.
If a user is actively chatting with someone, we should not timeout the `HttpSession`, since this would be a pretty poor user experience.
However, this is exactly what [JSR-356](https://java.net/jira/browse/WEBSOCKET_SPEC-175) does.
Another issue is that, according to JSR-356, if the `HttpSession` times out, any WebSocket that was created with that `HttpSession` and an authenticated user should be forcibly closed.
This means that, if we are actively chatting in our application and are not using the HttpSession, we also do disconnect from our conversation.
## [](#websocket-usage)WebSocket Usage
The [ WebSocket Sample](samples.html#samples) provides a working sample of how to integrate Spring Session with WebSockets.
You can follow the basic steps for integration described in the next few headings, but we encourage you to follow along with the detailed WebSocket Guide when integrating with your own application.
Check also the Spring Session BOM [release notes](https://github.com/spring-projects/spring-session-bom/wiki#release-notes)for a list of new and noteworthy features, as well as upgrade instructions for each release.
在 Spring session1.x 中, Spring session 的所有`SessionRepository`实现都在`spring-session`工件中可用。虽然方便,但这种方法不能长期持续,因为项目中增加了更多的特性和`SessionRepository`实现。
在 Spring Session2.0 中,将几个模块拆分成独立的模块和托管存储库。 Spring MongoDB 的会话已退役,但后来作为一个单独的模块重新激活。从 Spring 会话 2.6 开始,MongoDB 的 Spring 会话被合并回 Spring 会话。
在 Spring Session2.0 中,将几个模块拆分成独立的模块和托管存储库。 Spring MongoDB 的会话已退役,但后来作为一个单独的模块重新激活。从 Spring Session 2.6 开始,MongoDB 的 Spring Session 被合并回 Spring Session 。
* 托管 Spring 会话数据 Geode 模块。 Spring 会话数据 Geode 有其自己的用户指南,你可以在[[https://spring.io/projects/spring-session-data-geode#learn](https://spring.io/projects/spring-session-data-geode#learn)站点]上找到它。
* 托管 Spring Session 数据 Geode 模块。 Spring Session 数据 Geode 有其自己的用户指南,你可以在[[https://spring.io/projects/spring-session-data-geode#learn](https://spring.io/projects/spring-session-data-geode#learn)站点]上找到它。
最后, Spring Session 还提供了一个 Maven BOM(“物料清单”)模块,以帮助用户处理版本管理问题:
## [](#spring-security-rememberme) Spring 安全 Remember-Me 支持
Spring 会话提供了与[Spring Security’s Remember-me Authentication](https://docs.spring.io/spring-security/site/docs/5.6.2/reference/html5/#servlet-rememberme)的集成。支持:
Spring Session 提供了与[Spring Security’s Remember-me Authentication](https://docs.spring.io/spring-security/site/docs/5.6.2/reference/html5/#servlet-rememberme)的集成。支持:
要在 Java 配置中配置具有 Spring 安全性的 Spring 会话,可以使用以下清单作为指导:
要在 Java 配置中配置具有 Spring 安全性的 Spring Session ,可以使用以下清单作为指导:
```
@Override
...
...
@@ -48,7 +48,7 @@ public SpringSessionRememberMeServices rememberMeServices() {
## [](#spring-security-concurrent-sessions) Spring 安全并发会话控制
Spring 会话提供与 Spring 安全性的集成,以支持其并发的会话控制。这允许限制单个用户可以并发的活动会话的数量,但是,与默认的 Spring 安全支持不同,这也适用于集群环境。这是通过提供 Spring Security 的`SessionRegistry`接口的自定义实现来完成的。
Spring Session 提供与 Spring 安全性的集成,以支持其并发的会话控制。这允许限制单个用户可以并发的活动会话的数量,但是,与默认的 Spring 安全支持不同,这也适用于集群环境。这是通过提供 Spring Security 的`SessionRegistry`接口的自定义实现来完成的。
当使用 Spring Security 的 Java Config DSL 时,你可以通过`SessionManagementConfigurer`配置自定义`SessionRegistry`,如下所示:
...
...
@@ -79,7 +79,7 @@ public class SecurityConfiguration<S extends Session> extends WebSecurityConfigu
}
```
这假定你还配置了 Spring 会话,以提供一个`FindByIndexNameSessionRepository`,返回`Session`实例。
这假定你还配置了 Spring Session ,以提供一个`FindByIndexNameSessionRepository`,返回`Session`实例。
当使用 XML 配置时,它看起来类似于以下清单:
...
...
@@ -97,7 +97,7 @@ public class SecurityConfiguration<S extends Session> extends WebSecurityConfigu
</bean>
```
这假定你的 Spring 会话`SessionRegistry` Bean 被称为`sessionRegistry`,这是所有`SpringHttpSessionConfiguration`子类使用的名称。
这假定你的 Spring Session `SessionRegistry` Bean 被称为`sessionRegistry`,这是所有`SpringHttpSessionConfiguration`子类使用的名称。
有了新的主要版本, Spring 会话团队利用这个机会进行了一些非被动的更改。这些更改的重点是改进和协调 Spring Session 的 API,以及删除不受欢迎的组件。
有了新的主要版本, Spring Session 团队利用这个机会进行了一些非被动的更改。这些更改的重点是改进和协调 Spring Session 的 API,以及删除不受欢迎的组件。
## [](#_baseline_update)基线更新
Spring 会话 2.0 需要 Java8 和 Spring Framework5.0 作为基线,因为其整个代码库现在基于 Java8 源代码。有关升级 Spring 框架的更多信息,请参见[Upgrading to Spring Framework 5.x](https://github.com/spring-projects/spring-framework/wiki/Upgrading-to-Spring-Framework-5.x)。
Spring Session 2.0 需要 Java8 和 Spring Framework5.0 作为基线,因为其整个代码库现在基于 Java8 源代码。有关升级 Spring 框架的更多信息,请参见[Upgrading to Spring Framework 5.x](https://github.com/spring-projects/spring-framework/wiki/Upgrading-to-Spring-Framework-5.x)。
## [](#_replaced_and_removed_modules)替换和移除模块
...
...
@@ -14,13 +14,13 @@ Spring 会话 2.0 需要 Java8 和 Spring Framework5.0 作为基线,因为其
Spring 会话提供了与 Spring WebFlux 的`WebSession`的透明集成。这意味着你可以使用 Spring 会话支持的实现来切换`WebSession`实现。
Spring Session 提供了与 Spring WebFlux 的`WebSession`的透明集成。这意味着你可以使用 Spring Session 支持的实现来切换`WebSession`实现。
## [](#websession-why)为什么要进行会话和 WebSession?
我们已经提到, Spring 会话提供了与 Spring WebFlux 的`WebSession`的透明集成,但是我们从中得到了什么好处呢?与`HttpSession`一样, Spring 会话使得在不绑定到特定于应用程序容器的解决方案的情况下支持[群集会话](#websession-redis)变得非常简单。
我们已经提到, Spring Session 提供了与 Spring WebFlux 的`WebSession`的透明集成,但是我们从中得到了什么好处呢?与`HttpSession`一样, Spring Session 使得在不绑定到特定于应用程序容器的解决方案的情况下支持[群集会话](#websession-redis)变得非常简单。
## [](#websession-redis)与 Redis 的 WebSession
使用 Spring session with`WebSession`是通过注册一个`WebSessionManager`实现来启用的,该实现由 Spring session 的`ReactiveSessionRepository`支持。 Spring 配置负责创建一个`WebSessionManager`,该实现用 Spring 会话支持的实现替换`WebSession`实现。要做到这一点,请添加以下 Spring 配置:
使用 Spring session with`WebSession`是通过注册一个`WebSessionManager`实现来启用的,该实现由 Spring session 的`ReactiveSessionRepository`支持。 Spring 配置负责创建一个`WebSessionManager`,该实现用 Spring Session 支持的实现替换`WebSession`实现。要做到这一点,请添加以下 Spring 配置:
```
@EnableRedisWebSession (1)
...
...
@@ -22,18 +22,18 @@ public class SessionConfiguration {
}
```
|**1**|`@EnableRedisWebSession`注释创建了一个名为`webSessionManager`的 Spring Bean。这个 Bean 实现了`WebSessionManager`。<br/>这就是负责替换要由 Spring 会话支持的`WebSession`实现的内容。<br/>在这个实例中, Spring 会话是由 Redis 支持的。|
|**1**|`@EnableRedisWebSession`注释创建了一个名为`webSessionManager`的 Spring Bean。这个 Bean 实现了`WebSessionManager`。<br/>这就是负责替换要由 Spring Session 支持的`WebSession`实现的内容。<br/>在这个实例中, Spring Session 是由 Redis 支持的。|
|**2**|我们创建一个`RedisConnectionFactory`将 Spring 会话连接到 Redis 服务器。<br/>我们将连接配置为在默认端口(6379)<br/>上连接到 localhost。有关配置 Spring 数据 Redis 的更多信息,请参见[参考文献](https://docs.spring.io/spring-data/data-redis/docs/2.6.2/reference/html/)。|
|**2**|我们创建一个`RedisConnectionFactory`将 Spring Session 连接到 Redis 服务器。<br/>我们将连接配置为在默认端口(6379)<br/>上连接到 localhost。有关配置 Spring 数据 Redis 的更多信息,请参见[参考文献](https://docs.spring.io/spring-data/data-redis/docs/2.6.2/reference/html/)。|
## [](#websession-how)WebSession 集成如何工作
与 Servlet API 及其`HttpSession`相比, Spring 会话与 Spring WebFlux 及其`WebSession`集成要容易得多。 Spring WebFlux 提供了`WebSessionStore`API,该 API 提供了用于持久化`WebSession`的策略。
与 Servlet API 及其`HttpSession`相比, Spring Session 与 Spring WebFlux 及其`WebSession`集成要容易得多。 Spring WebFlux 提供了`WebSessionStore`API,该 API 提供了用于持久化`WebSession`的策略。
| |本节描述 Spring 会话如何使用`WebSession`提供透明的集成。我们提供这些内容,这样你就可以了解幕后发生了什么。这个功能已经集成了,你不需要自己实现这个逻辑。|
| |本节描述 Spring Session 如何使用`WebSession`提供透明的集成。我们提供这些内容,这样你就可以了解幕后发生了什么。这个功能已经集成了,你不需要自己实现这个逻辑。|
*`WebSocketConnectHandlerDecoratorFactory`作为`WebSocketHandlerDecoratorFactory`添加到`WebSocketTransportRegistration`。这确保了一个包含`WebSocketSession`的自定义`SessionConnectEvent`被触发。当 Spring 会话结束时,要结束任何 WebSocket 仍处于打开状态的连接,`WebSocketSession`是必需的。
*`WebSocketConnectHandlerDecoratorFactory`作为`WebSocketHandlerDecoratorFactory`添加到`WebSocketTransportRegistration`。这确保了一个包含`WebSocketSession`的自定义`SessionConnectEvent`被触发。当 Spring Session 结束时,要结束任何 WebSocket 仍处于打开状态的连接,`WebSocketSession`是必需的。