3. Spring Session Restful 风格API

在Java web应用, Session 会话保持是依靠浏览器传入一个name为SESSON的cookie而实现的, 默认情况下, spring session 也是采用基于这种方式实现的, spring session会解析请求对象中的cookie. 而Restful风格的API, 倡导的时无状态的请求, 也就是说没有会话保持这个概念的, 即没有session的概念. 通常会采取每个请求都传递一个token 来实现认证参数的传递. spring session对Restful 风格的API 也提供了支持, 可以将Token 存入request Header 中

1. spring session 的两种SessionId 解析器

1.1 HeaderHttpSessionIdResolver VS CookieHttpSessionIdResolver

• CookieHttpSessionIdResolver 和 HeaderHttpSessionIdResolver 均为sessionId 的解析器.
• CookieHttpSessionIdResolver 会从请求携带的Cookie中解析名为SESSION的Cookie, 然后进行base64为解码, 解码后的值为sessionId; 响应结束时, 将sessionId, 以Set-Cookie:SESSION 存入header, 然后返回给客户端
• HeaderHttpSessionIdResolver 会从请求头中解析headerName 为x-Auth-Token 或 authenticationInfo 的值, 解析的值即为sessionId; 响应结束后, 将sessionId, 以x-Auth-Token或authenticationInfo 存入header, 然后返回客户端.

1.2 CookieHttpSessionIdResolver 响应头信息

Set-Cookie:SESSION=M2ZlNzA3YjItNmQzZi00YjkzLThmNjItYTI3MzY5ODQzYzJl; Path=/; HttpOnly; SameSite=Lax
Content-Type:text/plain;charset=UTF-8
Content-Length:66
Date:Wed, 17 Apr 2019 06:10:34 GMT

1.3 HeaderHttpSessionIdResolver 响应头信息

X-Auth-Token:b9088e9e-3547-48d2-b60a-245835e5c198
Content-Type:text/plain;charset=UTF-8
Content-Length:66
Date:Wed, 17 Apr 2019 05:52:22 GMT

2. 测试HeaderHttpSessionIdResolver

2.1 配置HeaderHttpSessionIdResolver 解析器

• 只需要在Spring 容器中注入HeaderHttpSessionIdResolver 解析器即可, 默认注入的是CookieHttpSessionIdResolver
• HeaderHttpSessionIdResolver 有两个静态方法用于返回解析器实例:
  • xAuthToken: 响应头中通过x-Auth-Token 存放sessionId
  • authenticationInfo: 响应头中通过 Authentication-Info 存放sessionId

@Bean
public HttpSessionIdResolver httpSessionIdResolver() {
    return HeaderHttpSessionIdResolver.xAuthToken();
}

1.2 定义Restful 接口

• spring 使用RestController 来定于Restful 风格的API

@RestController
@RequestMapping("/rest/hello")
public class RestHelloController {

    @GetMapping("/say.json")
    public String say() {

        String result = "sessionId:" + session.getId() + "\n session.isNew:" + session.isNew();

        return result;
    }
}

3. 测试

3.1 添加依赖

由于浏览器中直接输入网址方式没有办法设置请求头携带x-Auth-Token, 所以笔者使用HttpClient 来进行接口调用

<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>4.5.6</version>
</dependency>

3.2 测试用例

• 笔者使用HttpClient 创建两个两个测试用例, test()请求头中不携带参数x-Auth-Token, 另一个请求头中携带x-Auth-Token.
• x-Auth-Token的值并不是随便设置的, 而是从之前的请求响应中获取的

public class TestHttpUtilRestuful {

    String url = "http://localhost:8180/rest/hello/say.json"; 

    // 请求参数不携带x-Auth-Token, 每次获取的都是新的token
    @Test
    public void test(){

        HttpGet httpGet = new HttpGet(url);

        CloseableHttpClient httpClient = HttpClients.createDefault();

        try {
            CloseableHttpResponse response = httpClient.execute(httpGet);

            System.out.println("\n******************** 响应 ********************");
            String result = EntityUtils.toString(response.getEntity());
            System.out.println("response:" + result);

            // 返回header 信息
            for (Header header : response.getAllHeaders()) {
                System.out.println(header.getName() + ":" + header.getValue());
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    // 请求参数携带接口返回的x-Auth-Token, 则返回session 为已存在token
    @Test
    public void test_with_header(){

        // 使用token 测试
        String xAuthToken = "d075cdbd-87d4-46b8-b52f-a89b86edd25a2";

        HttpGet httpGet = new HttpGet(url);

        CloseableHttpClient httpClient = HttpClients.createDefault();

        try {

            httpGet.setHeader("X-Auth-Token", xAuthToken);

            CloseableHttpResponse response = httpClient.execute(httpGet);

            System.out.println("\n******************** 响应 ********************");
            String result = EntityUtils.toString(response.getEntity());
            System.out.println("response:" + result);

            // 返回header 信息
            for (Header header : response.getAllHeaders()) {
                System.out.println(header.getName() + ":" + header.getValue());
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

3.3 测试结果-未携带header

• 请求响应头中, 会新增x-Auth-Token, 值为sessionId. 如果不开启Restful支持的话, 响应头中不会包含此参数.
• 请求Header不携带x-Auth-Token, 则每次请求都会新创建一个session. 响应结果中session.isNew 为true.

response:sessionId:b9088e9e-3547-48d2-b60a-245835e5c198
 session.isNew:true
X-Auth-Token:b9088e9e-3547-48d2-b60a-245835e5c198
Content-Type:text/plain;charset=UTF-8
Content-Length:66
Date:Wed, 17 Apr 2019 05:52:22 GMT

3.4 携带header

• 将x-Auth-Token 修改为已存在token, 查看输出session.isNew 为false, 证明已不是新的session
• 如果x-Auth-Token 设置的值不存在, 则spring session 会创建一个新的session, 返回session.isNew 为true

response:sessionId:b9088e9e-3547-48d2-b60a-245835e5c198
session.isNew:false
Content-Type:text/plain;charset=UTF-8
Content-Length:67
Date:Wed, 17 Apr 2019 05:52:58 GMT