In SpringBoot2.x version the pit stepped on by SpringSession and its solution
- 2021-10-16 01:30:38
- OfStack
SpringBoot2.x SpringSession stepping on the pit
Exception encountered during context initialization-cancelling refresh attempt: org. springframework. beans. factory. BeanCreationException: Error creating bean with name 'org. springframework. boot. autoconfigure. session. SessionAutoConfiguration $ServletSessionRepositoryValidator': Invocation of method failed; nested exception is ES40springframework. EN could be auto-configured, check your configuration (session store type is 'redis')
This is due to the absence of the spring-session-data-redis dependency.
With regard to SpringBoot2. X, referencing SpringSession and using Redis to store cached data requires the following configuration:
<!--SpringSession Dependency -->
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-core</artifactId>
</dependency>
<!--SpringSessionRedis Dependency -->
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-data-redis</artifactId>
</dependency>
# Use use Redis Cache session Data
spring.session.store-type=REDIS
#Redis Server address
spring.redis.host=127.0.0.1
#Redis Server port number
spring.redis.port=6379
Summary:
In the version of SpringBoot2.x, when referring to spring-session-core, it is not loading spring-session-data-redis, but the user needs to add the association dependency about spring-session and redis himself.
springboot 2. x stepping on the pit-cross-domain causes session problems
At present, the front and back ends of IT are separated, but there will be cross-domain problems in the process of separation.
What is cross-domain?
It means that when the browser requests the resources of another domain name from the web page of one domain name, the domain name, port and protocol are all cross-domain.
Scenes encountered
When we use springboot + shrio + vue to do the background management project, we can't get the current logged-in user of shiroSession.
So we checked, and the Internet said that it is ok to let session pass when crossing domains
Back end
@Configuration
public class CorsConfig {
private CorsConfiguration buildConfig() {
CorsConfiguration corsConfiguration = new CorsConfiguration();
corsConfiguration.setAllowCredentials(true);
// Allow any domain name to use
corsConfiguration.addAllowedOrigin("*");
// Allow any header
corsConfiguration.addAllowedHeader("*");
// Allow any method ( post , get Etc.)
corsConfiguration.addAllowedMethod("*");
corsConfiguration.setMaxAge(3600L);
return corsConfiguration;
}
@Bean
public CorsFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
// Configure cross-domain settings for interfaces
source.registerCorsConfiguration("/**", buildConfig());
return new CorsFilter(source);
}
}
Front end
axios.defaults.withCredentials=true;
But it still doesn't work after setting it up
After one day's Baidu and investigation, I rolled back to springboot 1. x and didn't have this problem, only to locate that it was the cause of upgrading to springboot 2. x. Well, the murderer has been caught, so it is good to prescribe the right medicine. I went online to see the problems related to upgrading springboot to 2. x spring session.
Finally discovered the New World, SameSite was introduced into Cookie in spring-session 2. x, and its default value is Lax. Ok, let's take a look at what this is.
SameSite Cookie is used to prevent CSRF attacks and has two values: Strict, Lax
SameSite = Strict:
Strict mode, indicating that this cookie cannot be used as a third party cookie under any circumstances;
SameSite = Lax:
It means loose mode. In GET request, it can be used as a third-party cookie, but it cannot carry cookie for cross-domain post access (this is very painful, our verification interface is POST request)
Summary: The front-end requests to the background, each session is not 1, each time is a new session, resulting in no access to user information
Solution:
Set SameSite to null
@Configuration
public class SpringSessionConfig {
@Bean
public CookieSerializer httpSessionIdResolver() {
DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
// Cancellation is limited to the same 1 Site Settings
cookieSerializer.setSameSite(null);
return cookieSerializer;
}
}
Problem solved! !