Cookie/Session Handling and RESTful API Development in Spring MVC

In Java web development, the Spring MVC framework offers rich support for handling HTTP requests and responses. This article looks at how Cookies and Sessions are read and written, explains the core characteristics of @RestController, and covers techniques for setting HTTP headers. Through concrete code samples we show how these techniques are best applied in real projects.

1. Cookie Operations Explained

1.1 Reading a Cookie the Traditional Way

@GetMapping("/traditional-cookie")
public String getCookieTraditional(HttpServletRequest request) {
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        return Arrays.stream(cookies)
                .filter(c -> "USER_TOKEN".equals(c.getName()))
                .findFirst()
                .map(Cookie::getValue)
                .orElse("Cookie not found");
    }
    return "No cookies available";
}

This approach reads the Cookie array directly from HttpServletRequest and suits scenarios where several Cookies must be processed or filtered with more complex logic. Note the null check (getCookies() returns null when the request carries no Cookie header) and the use of the Stream API.

1.2 Reading a Cookie with an Annotation

@GetMapping("/annotation-cookie")
public String getCookieByAnnotation(
        @CookieValue(name = "USER_TOKEN", defaultValue = "default") String token) {
    return "Token value: " + token;
}

The @CookieValue annotation simplifies reading a single Cookie; its defaultValue parameter handles the case where the Cookie is absent (without it, a missing Cookie results in a 400 response). It is the right choice when one specific Cookie is needed.

1.3 Secure Cookie Settings in Practice

@GetMapping("/secure-cookie")
public void setSecureCookie(HttpServletResponse response) {
    Cookie secureCookie = new Cookie("SECURE_ID", "encryptedValue");
    secureCookie.setHttpOnly(true);
    secureCookie.setSecure(true);
    secureCookie.setPath("/api");
    secureCookie.setMaxAge(3600);
    response.addCookie(secureCookie);
}

Key security settings:

  • HttpOnly: blocks script access to the cookie, so an XSS flaw cannot read and exfiltrate it
  • Secure: the cookie is only sent over HTTPS
  • Path restriction: limits the scope in which the cookie is attached
  • Lifetime: set a reasonable expiry with setMaxAge()
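The servlet Cookie class used above has no setter for the SameSite attribute, which is the main browser-side defence against cross-site request forgery for session cookies. The following added example (not from the original article) issues the same cookie through Spring's ResponseCookie builder, which does support SameSite, and writes it as a Set-Cookie header; the controller name and path are assumptions.

```java
import java.time.Duration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SecureCookieController {

    // jakarta.servlet.http.Cookie cannot express SameSite, so the cookie is built with
    // ResponseCookie and emitted as a raw Set-Cookie header instead of response.addCookie().
    @GetMapping("/secure-cookie-samesite")
    public ResponseEntity<String> setSecureCookie() {
        ResponseCookie cookie = ResponseCookie.from("SECURE_ID", "encryptedValue") // value is a placeholder
                .httpOnly(true)                // not readable via document.cookie
                .secure(true)                  // only transmitted over HTTPS
                .sameSite("Strict")            // never attached to cross-site requests (CSRF mitigation)
                .path("/api")                  // scope limited to the API prefix
                .maxAge(Duration.ofHours(1))   // one-hour lifetime
                .build();
        // ResponseCookie.toString() renders the full Set-Cookie header value,
        // e.g. SECURE_ID=encryptedValue; Path=/api; Max-Age=3600; Secure; HttpOnly; SameSite=Strict
        return ResponseEntity.ok()
                .header(HttpHeaders.SET_COOKIE, cookie.toString())
                .body("cookie issued");
    }
}
```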

2. Session Management in Depth

2.1 Basic Session Operations

@PostMapping("/login")
public String login(HttpSession session, @RequestParam String username) {
    session.setAttribute("CURRENT_USER", username);
    session.setMaxInactiveInterval(1800); // expires after 30 minutes of inactivity
    return "Login successful";
}

@GetMapping("/profile")
public String getProfile(HttpSession session) {
    String user = (String) session.getAttribute("CURRENT_USER");
    return user != null ? "Welcome " + user : "Please login";
}

Key points of Session lifecycle management:

  • The default timeout is decided by the servlet container (usually 30 minutes)
  • setMaxInactiveInterval() overrides that default for the individual session
  • Calling invalidate() explicitly destroys the session immediately

2.2 Distributed Session Solution

@Configuration
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 3600)
public class SessionConfig {
    @Bean
    public LettuceConnectionFactory connectionFactory() {
        return new LettuceConnectionFactory();
    }
}

Spring Session provides a Redis integration that delivers:

  • Session sharing across service instances
  • High availability of session state
  • Flexible expiry policies

2.3 Session Security Hardening

// HttpSessionEventPublisher forwards session creation/destruction events to Spring Security;
// concurrent session control (section 5.2) depends on it
@Bean
public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
    return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher());
}

// A bare SessionFixationProtectionStrategy bean is never consulted by the filter chain;
// the strategy has to be selected through the sessionManagement DSL. migrateSession()
// issues a fresh session id on authentication and copies the attributes over, so a
// session id that existed before login is useless afterwards.
@Bean
public SecurityFilterChain sessionFixationFilterChain(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionFixation().migrateSession();
    return http.build();
}

Protective measures:

  • Session fixation protection
  • Session hijacking detection
  • Concurrent session control
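The lifecycle rules of 2.1 and the fixation protection of 2.3 can also be applied without Spring Security. The added example below (not from the original article) rotates the session id at the login boundary with the Servlet 3.1 changeSessionId() call and destroys the session on logout; the controller name and the assumption that the credentials were already verified are my own.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SessionLifecycleController {

    // Assumption: the username/password check has already succeeded before this
    // handler stores the principal (e.g. in a preceding filter or service call).
    @PostMapping("/login")
    public String login(HttpServletRequest request, @RequestParam String username) {
        HttpSession session = request.getSession(true);
        // Rotate the id at the privilege boundary (Servlet 3.1+): an id that existed
        // before authentication, including one planted by a third party, is no longer
        // accepted, while the session attributes are preserved.
        request.changeSessionId();
        session.setAttribute("CURRENT_USER", username);
        session.setMaxInactiveInterval(1800); // 30 minutes of inactivity
        return "Login successful";
    }

    @PostMapping("/logout")
    public String logout(HttpServletRequest request) {
        // getSession(false): do not create a session merely to destroy it
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Server-side state is removed immediately; a cookie the client keeps
            // now refers to nothing.
            session.invalidate();
        }
        return "Logged out";
    }
}
```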

3. @RestController Demystified

3.1 Comparison with @Controller

// Traditional Controller
@Controller
public class TraditionalController {
    @GetMapping("/html")
    public String htmlPage() {
        return "page";
    }
}

// RestController
@RestController
public class ApiController {
    @GetMapping("/json")
    public UserData jsonData() {
        return new UserData("John", 30);
    }
}

Key differences:

  • @RestController applies @ResponseBody to every handler automatically
  • Return values are written directly to the response body as JSON/XML rather than resolved as view names
  • Suited to building API endpoints

3.2 Response Handling Mechanism

@RestControllerAdvice
public class CustomResponseHandler implements ResponseBodyAdvice<Object> {
    @Override
    public boolean supports(MethodParameter returnType,
                            Class<? extends HttpMessageConverter<?>> converterType) {
        // String return values go through StringHttpMessageConverter, which cannot
        // serialize the wrapper object; leave those responses untouched
        return !StringHttpMessageConverter.class.isAssignableFrom(converterType);
    }

    @Override
    public Object beforeBodyWrite(Object body, MethodParameter returnType,
                                  MediaType selectedContentType,
                                  Class<? extends HttpMessageConverter<?>> selectedConverterType,
                                  ServerHttpRequest request, ServerHttpResponse response) {
        if (body instanceof StandardResponse) {
            return body; // already wrapped (e.g. by an @ExceptionHandler); avoid double wrapping
        }
        return new StandardResponse(200, "Success", body);
    }
}

A global handler for a unified response format, providing:

  • Standardized wrapping of response data
  • Uniform handling of error results
  • Automatic configuration of response headers
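The advice above wraps successful bodies; the "uniform handling of error results" bullet needs an @ExceptionHandler counterpart so that failures carry the same envelope. The added example below (not from the original article) shows one, with an assumed shape for the StandardResponse class that the article uses but never defines. Because these handlers already return a StandardResponse, a ResponseBodyAdvice must skip bodies of that type to avoid wrapping them twice.

```java
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.MethodArgumentNotValidException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

// Assumed shape of the StandardResponse envelope (the article does not define it)
record StandardResponse(int code, String message, Object data) { }

@RestControllerAdvice
public class ApiExceptionHandler {
    private static final Logger log = LoggerFactory.getLogger(ApiExceptionHandler.class);

    // Bean-validation failures become a 400 using the same envelope as success responses
    @ExceptionHandler(MethodArgumentNotValidException.class)
    public ResponseEntity<StandardResponse> onValidation(MethodArgumentNotValidException ex) {
        String detail = ex.getBindingResult().getFieldErrors().stream()
                .map(e -> e.getField() + ": " + e.getDefaultMessage())
                .collect(Collectors.joining("; "));
        return ResponseEntity.badRequest().body(new StandardResponse(400, detail, null));
    }

    // Anything unhandled is logged server-side and answered with a generic 500:
    // exception messages and stack traces must not reach the client
    @ExceptionHandler(Exception.class)
    public ResponseEntity<StandardResponse> onUnexpected(Exception ex) {
        log.error("Unhandled exception", ex);
        return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
                .body(new StandardResponse(500, "Internal error", null));
    }
}
```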

4. Advanced Header Configuration

4.1 Basic Header Setting

@GetMapping("/basic-header")
public ResponseEntity<String> setBasicHeader() {
    return ResponseEntity.ok()
            .header("X-Custom-Header", "value")
            .header("Cache-Control", "no-store")
            .body("Response with headers");
}

4.2 Security-Related Header Configuration

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http.headers(headers -> headers
            .contentSecurityPolicy(csp -> csp.policyDirectives("default-src 'self'"))
            .frameOptions(frame -> frame.deny())              // X-Frame-Options: DENY
            .contentTypeOptions(Customizer.withDefaults())    // X-Content-Type-Options: nosniff
            .httpStrictTransportSecurity(hsts -> hsts         // Strict-Transport-Security
                    .includeSubDomains(true)                  // (only written on HTTPS requests)
                    .maxAgeInSeconds(31536000)));
    // X-XSS-Protection is left at Spring Security's default; browsers have dropped the
    // header and CSP above is the effective control
    // other security configuration
    return http.build();
}

Key security headers:

  • Content-Security-Policy
  • X-Frame-Options
  • X-Content-Type-Options
  • Strict-Transport-Security

4.3 Custom Header Interceptor

public class CustomHeaderInterceptor implements HandlerInterceptor {
    private static final String START_TIME = "startTime";

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) {
        // Record the start time here; postHandle reads it, so it must be set first
        request.setAttribute(START_TIME, System.currentTimeMillis());
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response,
                           Object handler, ModelAndView modelAndView) {
        response.setHeader("X-Request-ID", UUID.randomUUID().toString());
        Long start = (Long) request.getAttribute(START_TIME);
        if (start != null) { // guard against unboxing null if preHandle did not run
            response.setHeader("X-Processing-Time",
                               String.valueOf(System.currentTimeMillis() - start));
        }
    }
}

@Configuration
public class WebConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new CustomHeaderInterceptor());
    }
}

The interceptor pattern for global header management enables:

  • Generation of a request tracing ID
  • Collection of performance monitoring data
  • Injection of version information

5. Practical Problem Solutions

5.1 Handling Cross-Origin Cookies

@Bean
public WebMvcConfigurer corsConfigurer() {
    return new WebMvcConfigurer() {
        @Override
        public void addCorsMappings(CorsRegistry registry) {
            registry.addMapping("/api/**")
                    .allowedOrigins("https://trusted-domain.com")
                    .allowCredentials(true)
                    .maxAge(3600);
        }
    };
}

Key points for cross-origin cookies:

  • Access-Control-Allow-Credentials: true
  • Access-Control-Allow-Origin must name the specific origin
  • Never use the wildcard *
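To make the wildcard rule concrete, the added example below (not from the original article) places the weak configuration next to the corrected one using Spring's CorsConfiguration API. With allowCredentials set to true, a browser ignores "Access-Control-Allow-Origin: *" for credentialed requests, and Spring 5.3+ throws an IllegalArgumentException when it evaluates that combination; the explicit allow-list is the only working form. The class name, origin, methods and headers are assumptions.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class CorsConfig {

    // Weak form, shown for contrast only and never registered: "*" combined with
    // credentials. Browsers refuse to attach cookies to such a response and Spring
    // rejects the pair outright when the origin is checked.
    static CorsConfiguration weakConfiguration() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.addAllowedOrigin("*");
        cfg.setAllowCredentials(true);
        return cfg;
    }

    // Corrected form: an explicit origin allow-list plus credentials, scoped to /api/**
    @Bean
    public CorsFilter corsFilter() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(List.of("https://trusted-domain.com")); // exact origin, no wildcard
        cfg.setAllowCredentials(true);                                // browser may send the session cookie
        cfg.setAllowedMethods(List.of("GET", "POST"));                // only what the API needs
        cfg.setAllowedHeaders(List.of("Content-Type", "X-Requested-With"));
        cfg.setMaxAge(3600L);                                         // cache the preflight for an hour
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", cfg);
        return new CorsFilter(source);
    }
}
```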

5.2 Concurrent Session Control

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Concurrent session control only learns about expired sessions when the
        // HttpSessionEventPublisher listener from section 2.3 is registered
        http.sessionManagement()
            .maximumSessions(1)                 // one active session per principal
            .maxSessionsPreventsLogin(true)     // reject a second login instead of expiring the first
            .sessionRegistry(sessionRegistry());
        return http.build();
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }
}

This achieves:

  • A single-session limit per user
  • Blocking of concurrent logins
  • Monitoring of active sessions through the registry

5.3 Response Compression

@Configuration
public class CompressionConfig {
    // CompressionFilter is not part of Spring itself; it comes from a third-party
    // compression filter library. With an embedded Tomcat/Jetty, Spring Boot's
    // server.compression.enabled=true property is the built-in alternative.
    @Bean
    public FilterRegistrationBean<CompressionFilter> compressionFilter() {
        FilterRegistrationBean<CompressionFilter> registration = new FilterRegistrationBean<>();
        registration.setFilter(new CompressionFilter());
        registration.addInitParameter("compressionThreshold", "1024");
        registration.addInitParameter("compressionLevel", "9");
        registration.addUrlPatterns("/api/*");
        return registration;
    }
}

Compression configuration parameters:

  • compressionThreshold: minimum response size at which compression is applied
  • compressionLevel: compression level (1-9)
  • excludedUserAgents: clients excluded from compression
  • mimeTypes: content types to compress

(Owing to space constraints only the core parts are shown here; refer to the detailed documentation for complete implementations.)
