Cookie/Session Handling and RESTful API Development in Spring MVC
- Published: 2025-03-14 10:31:30
- Tags: Spring MVC, Java Web development, RESTful API
In Java web development, the Spring MVC framework provides extensive support for handling HTTP requests and responses. This article looks at how to read Cookies and Sessions, explains the core features of @RestController, and walks through setting HTTP headers. Through concrete code examples we show how these techniques are best applied in real projects.
1. Cookie operations explained
1.1 Reading a Cookie the traditional way
```java
@GetMapping("/traditional-cookie")
public String getCookieTraditional(HttpServletRequest request) {
    Cookie[] cookies = request.getCookies();   // null when the request carries no Cookie header
    if (cookies != null) {
        return Arrays.stream(cookies)
                .filter(c -> "USER_TOKEN".equals(c.getName()))
                .findFirst()
                .map(Cookie::getValue)
                .orElse("Cookie not found");
    }
    return "No cookies available";
}
```
This approach reads the Cookie array directly from HttpServletRequest and suits cases where several cookies must be handled or filtered with non-trivial logic. Note the null check (getCookies() returns null when no cookies were sent) and the use of the Stream API.
1.2 Reading a Cookie with an annotation
```java
@GetMapping("/annotation-cookie")
public String getCookieByAnnotation(
        @CookieValue(name = "USER_TOKEN", defaultValue = "default") String token) {
    return "Token value: " + token;
}
```
The @CookieValue annotation simplifies reading a single cookie, and its defaultValue parameter handles the case where the cookie is absent. It is the quick option when one specific cookie is all that is needed.
1.3 Cookie security settings in practice
```java
@GetMapping("/secure-cookie")
public void setSecureCookie(HttpServletResponse response) {
    Cookie secureCookie = new Cookie("SECURE_ID", "encryptedValue");
    secureCookie.setHttpOnly(true);   // not accessible from document.cookie
    secureCookie.setSecure(true);     // only sent over HTTPS
    secureCookie.setPath("/api");     // only requests under /api carry it
    secureCookie.setMaxAge(3600);     // lifetime in seconds (one hour)
    response.addCookie(secureCookie);
}
```
Key security settings:
- HttpOnly: keeps the cookie out of reach of JavaScript, so an XSS flaw cannot read it
- Secure: transmitted over HTTPS only
- Path restriction: limits which requests carry the cookie
- Lifetime: choose a sensible expiry
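The servlet Cookie class used above has no SameSite setter, so the same hardened cookie built with Spring's ResponseCookie is shown here as an added example (not part of the original post); the controller, endpoint paths and the clearing endpoint are assumptions, and the value "encryptedValue" is the placeholder from the snippet above.

```java
import java.time.Duration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SecureCookieController {

    private static final String COOKIE_NAME = "SECURE_ID";

    @GetMapping("/secure-cookie-samesite")
    public ResponseEntity<String> issueCookie() {
        // "encryptedValue" is the placeholder used in the original snippet; in practice
        // the value is an opaque random token that is looked up server-side
        ResponseCookie cookie = ResponseCookie.from(COOKIE_NAME, "encryptedValue")
                .httpOnly(true)               // not readable through document.cookie
                .secure(true)                 // sent over HTTPS only
                .path("/api")                 // only requests under /api carry it
                .maxAge(Duration.ofHours(1))
                .sameSite("Strict")           // browser withholds it on cross-site requests
                .build();
        return ResponseEntity.ok()
                .header(HttpHeaders.SET_COOKIE, cookie.toString())
                .body("Secure cookie issued");
    }

    @PostMapping("/secure-cookie-clear")
    public ResponseEntity<String> clearCookie() {
        // To expire the cookie, name and path must match the original Set-Cookie,
        // otherwise the browser treats this as a different cookie and keeps the old one
        ResponseCookie expired = ResponseCookie.from(COOKIE_NAME, "")
                .httpOnly(true)
                .secure(true)
                .path("/api")
                .maxAge(0)                    // Max-Age=0 deletes it immediately
                .sameSite("Strict")
                .build();
        return ResponseEntity.ok()
                .header(HttpHeaders.SET_COOKIE, expired.toString())
                .body("Secure cookie cleared");
    }
}
```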
2. Session management in depth
2.1 Basic Session operations
```java
@PostMapping("/login")
public String login(HttpSession session, @RequestParam String username) {
    session.setAttribute("CURRENT_USER", username);
    session.setMaxInactiveInterval(1800); // expires after 30 minutes of inactivity
    return "Login successful";
}

@GetMapping("/profile")
public String getProfile(HttpSession session) {
    String user = (String) session.getAttribute("CURRENT_USER");
    return user != null ? "Welcome " + user : "Please login";
}
```
Session lifecycle essentials:
- The default timeout is decided by the servlet container (typically 30 minutes)
- setMaxInactiveInterval() overrides the default
- Calling invalidate() explicitly destroys the session immediately
2.2 Distributed Session solution
```java
@Configuration
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 3600)   // sessions stored in Redis
public class SessionConfig {
    @Bean
    public LettuceConnectionFactory connectionFactory() {
        return new LettuceConnectionFactory();   // no-arg constructor targets localhost:6379
    }
}
```
Spring Session's Redis integration provides:
- Session sharing across services
- High availability
- Flexible expiry policies
2.3 Session security hardening
```java
@Bean
public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
    // Publishes session created/destroyed events; concurrent-session control (see 5.2) relies on them
    return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher());
}

@Bean
public SessionFixationProtectionStrategy sessionFixationProtectionStrategy() {
    // Migrates the session to a fresh ID on authentication, copying existing attributes
    return new SessionFixationProtectionStrategy();
}
```
Protective measures:
- Session fixation protection
- Session hijacking detection
- Concurrent session control
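The first two measures above done with the plain servlet API, as an added example that is not part of the original post: the login handler rotates the session ID before storing the user, and an interceptor (registered the same way as the one in section 4.3) ends sessions whose recorded User-Agent no longer matches. The controller, the hard-coded credential check and the attribute names are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.HandlerInterceptor;

@RestController
public class HardenedLoginController {
    @PostMapping("/login")
    public String login(HttpServletRequest request,
                        @RequestParam String username,
                        @RequestParam String password) {
        // Hypothetical credential check; real code delegates to an AuthenticationManager
        if (!"alice".equals(username) || !"correct-horse".equals(password)) {
            return "Login failed";
        }
        HttpSession session = request.getSession();   // create if absent
        // Rotate the session ID on privilege change (Servlet 3.1+): any ID that was
        // issued or observed before login no longer identifies the authenticated session
        request.changeSessionId();
        session.setAttribute("CURRENT_USER", username);
        // Remember the client's User-Agent so a later request that presents the same
        // session ID from a visibly different client can be detected
        session.setAttribute("UA_FINGERPRINT", request.getHeader("User-Agent"));
        session.setMaxInactiveInterval(1800);
        return "Login successful";
    }
}

/** Rejects authenticated sessions whose fingerprint no longer matches the request. */
class SessionFingerprintInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("CURRENT_USER") == null) {
            return true;   // anonymous request, nothing to protect yet
        }
        String expected = (String) session.getAttribute("UA_FINGERPRINT");
        if (expected != null && !expected.equals(request.getHeader("User-Agent"))) {
            session.invalidate();   // destroy server-side state immediately
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session rejected");
            return false;          // stop the handler from running
        }
        return true;
    }
}
```

The User-Agent comparison is a coarse heuristic that catches accidental reuse and careless replay rather than a client that copies the header; it complements, and does not replace, HttpOnly and Secure cookies and short inactivity timeouts.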
3. @RestController explained
3.1 Comparison with @Controller
```java
// Traditional Controller: the return value is a view name resolved by a ViewResolver
@Controller
public class TraditionalController {
    @GetMapping("/html")
    public String htmlPage() {
        return "page";
    }
}

// RestController: the return value is serialised straight into the response body
@RestController
public class ApiController {
    @GetMapping("/json")
    public UserData jsonData() {
        return new UserData("John", 30);
    }
}
```
Key differences:
- @RestController implies @ResponseBody on every handler method
- The default response format is JSON/XML
- Suited to building API endpoints
3.2 Response handling mechanism
```java
@RestControllerAdvice
public class CustomResponseHandler implements ResponseBodyAdvice<Object> {
    @Override
    public boolean supports(MethodParameter returnType,
                            Class<? extends HttpMessageConverter<?>> converterType) {
        return true;   // apply to every @RestController response
    }

    @Override
    public Object beforeBodyWrite(Object body, MethodParameter returnType,
                                  MediaType selectedContentType,
                                  Class<? extends HttpMessageConverter<?>> selectedConverterType,
                                  ServerHttpRequest request, ServerHttpResponse response) {
        // Wrap every body in the project's envelope type (StandardResponse is assumed here)
        return new StandardResponse(200, "Success", body);
    }
}
```
A global scheme for a uniform response format, providing:
- Standardised wrapping of response data
- Uniform handling of error results
- Automatic response header configuration
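Two things the advice above does not handle are shown here as an added example (not the original post's code): handlers that return String (Spring has already chosen StringHttpMessageConverter, so returning an object from beforeBodyWrite throws ClassCastException) and error results, which get the same envelope through an @ExceptionHandler without exposing exception detail to the client. StandardResponse is assumed to be a Java 16+ record with the fields used above.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.core.MethodParameter;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;
import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice;

/** Assumed envelope type, matching the StandardResponse used in the snippet above. */
record StandardResponse(int code, String message, Object data) {}

@RestControllerAdvice
public class HardenedResponseHandler implements ResponseBodyAdvice<Object> {
    private final ObjectMapper mapper = new ObjectMapper();
    @Override
    public boolean supports(MethodParameter returnType,
                            Class<? extends HttpMessageConverter<?>> converterType) {
        return true;
    }
    @Override
    public Object beforeBodyWrite(Object body, MethodParameter returnType,
                                  MediaType selectedContentType,
                                  Class<? extends HttpMessageConverter<?>> selectedConverterType,
                                  ServerHttpRequest request, ServerHttpResponse response) {
        if (body instanceof StandardResponse) {
            return body;   // already wrapped, e.g. by onException below; avoid a double envelope
        }
        if (body instanceof String) {
            // StringHttpMessageConverter is already selected for String handlers; returning an
            // object here causes a ClassCastException, so serialise the envelope ourselves
            try {
                response.getHeaders().setContentType(MediaType.APPLICATION_JSON);
                return mapper.writeValueAsString(new StandardResponse(200, "Success", body));
            } catch (JsonProcessingException e) {
                throw new IllegalStateException(e);
            }
        }
        return new StandardResponse(200, "Success", body);
    }
    /** Same envelope for failures; the exception detail stays in the server log, not the response. */
    @ExceptionHandler(Exception.class)
    public ResponseEntity<StandardResponse> onException(Exception ex) {
        return ResponseEntity.status(500).body(new StandardResponse(500, "Internal error", null));
    }
}
```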
4. Advanced header configuration
4.1 Basic header setting
```java
@GetMapping("/basic-header")
public ResponseEntity<String> setBasicHeader() {
    return ResponseEntity.ok()
            .header("X-Custom-Header", "value")
            .header("Cache-Control", "no-store")
            .body("Response with headers");
}
```
4.2 Security-related header configuration
```java
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    // Spring Security 5.x chained style; the statement must be terminated before the return
    http
        .headers()
            .contentSecurityPolicy("default-src 'self'")
            .and()
            .frameOptions().deny()            // X-Frame-Options: DENY
            .xssProtection().block(true)      // X-XSS-Protection: 1; mode=block
            .and();
    // other security configuration
    return http.build();
}
```
Key security headers:
- Content-Security-Policy
- X-Frame-Options
- X-Content-Type-Options
- Strict-Transport-Security
4.3 Custom header interceptor
```java
public class CustomHeaderInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) {
        // Record the start time here; postHandle reads it back, so without this
        // the cast below would throw a NullPointerException
        request.setAttribute("startTime", System.currentTimeMillis());
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response,
                           Object handler, ModelAndView modelAndView) {
        response.setHeader("X-Request-ID", UUID.randomUUID().toString());
        response.setHeader("X-Processing-Time",
                String.valueOf(System.currentTimeMillis() - (Long) request.getAttribute("startTime")));
    }
}

@Configuration
public class WebConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new CustomHeaderInterceptor());
    }
}
```
The interceptor pattern for global header management:
- Request tracing ID generation
- Collection of performance metrics
- Version information injection
5. Solutions to practical problems
5.1 Cross-origin cookie handling
```java
@Bean
public WebMvcConfigurer corsConfigurer() {
    return new WebMvcConfigurer() {
        @Override
        public void addCorsMappings(CorsRegistry registry) {
            registry.addMapping("/api/**")
                    .allowedOrigins("https://trusted-domain.com")   // an explicit origin, never "*" with credentials
                    .allowCredentials(true)                          // lets the browser send cookies cross-origin
                    .maxAge(3600);                                   // preflight result cached for one hour
        }
    };
}
```
Cross-origin cookie essentials:
- Access-Control-Allow-Credentials: true
- Access-Control-Allow-Origin names a specific origin
- Avoid the wildcard *
5.2 Session concurrency control
```java
@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.sessionManagement()
                .maximumSessions(1)                 // one active session per principal
                .maxSessionsPreventsLogin(true)     // reject a second login instead of expiring the first
                .sessionRegistry(sessionRegistry());
        return http.build();
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();   // tracks active sessions; needs HttpSessionEventPublisher (2.3)
    }
}
```
This achieves:
- One session per user
- Blocking of concurrent logins
- Monitoring of active sessions
5.3 Response compression
```java
@Configuration
public class CompressionConfig {
    @Bean
    public FilterRegistrationBean<CompressionFilter> compressionFilter() {
        // CompressionFilter stands for whichever servlet compression filter the project uses;
        // it is not a Spring class, and the init parameter names depend on that filter
        FilterRegistrationBean<CompressionFilter> registration = new FilterRegistrationBean<>();
        registration.setFilter(new CompressionFilter());
        registration.addInitParameter("compressionThreshold", "1024");
        registration.addInitParameter("compressionLevel", "9");
        registration.addUrlPatterns("/api/*");
        return registration;
    }
}
```
Compression parameters:
- compressionThreshold: minimum response size before compression is applied
- compressionLevel: compression level (1-9)
- excludedUserAgents: clients to exclude
- mimeTypes: content types to compress
(Owing to space constraints only the core parts are shown here; refer to the detailed documentation for a complete implementation.)