Shulou(Shulou.com)06/02 Report--

This article mainly introduces "how to disable the session function with tomcat in springboot2". In daily operation, I believe many people have doubts about how to disable the session function with tomcat in springboot2. The editor consulted all kinds of materials and sorted out simple and easy-to-use methods of operation. I hope it will be helpful to answer the question of "how to disable the session function with tomcat in springboot2". Next, please follow the editor to study!

Disable the session feature with tomcat

Each service under the microservice is stateless, so at this time, the session management function of tomcat is redundant, even if it is not used, it will consume performance. After shutting down, the performance of tomcat will be improved, but the tomcat provided by springboot has no configuration option to turn off directly. After studying, the default session manager name of tomcat is: StandardManager. Check the tomcat load source code to find that if there is no Manager in context, directly new StandardManager () The source code snippet is as follows:

Manager contextManager = null; Manager manager = getManager () If (manager = = null) {if (log.isDebugEnabled ()) {log.debug (sm.getString ("standardContext.cluster.noManager", Boolean.valueOf ((getCluster ()! = null)), Boolean.valueOf (distributable) } if ((getCluster ()! = null) & & distributable) {try {contextManager = getCluster () .createManager (getName ()) } catch (Exception ex) {log.error (sm.getString ("standardContext.cluster.managerError"), ex); ok = false;}} else {contextManager = new StandardManager () }} / / Configure default manager if none was specified if (contextManager! = null) {if (log.isDebugEnabled ()) {log.debug (sm.getString ("standardContext.manager", contextManager.getClass () .getName () } setManager (contextManager);}

In order not to let tomcat go to new its own manager, we must let getManager () in the second line get the object, so we can start from here. My solution is as follows: customize a tomcat factory, inherit the original factory, and add the manager written by yourself to the context.

@ Componentpublic class TomcatServletWebServerFactorySelf extends TomcatServletWebServerFactory {protected void postProcessContext (Context context) {context.setManager (new NoSessionManager ());}} public class NoSessionManager extends ManagerBase implements Lifecycle {@ Override protected synchronized void startInternal () throws LifecycleException {super.startInternal (); try {load ();} catch (Throwable t) {ExceptionUtils.handleThrowable (t); t.printStackTrace () } setState (LifecycleState.STARTING);} @ Override protected synchronized void stopInternal () throws LifecycleException {setState (LifecycleState.STOPPING); try {unload ();} catch (Throwable t) {ExceptionUtils.handleThrowable (t); t.printStackTrace ();} super.stopInternal () } @ Override public void load () throws ClassNotFoundException, IOException {log.info ("HttpSession has been closed, please configure: seeyon.tomcat.disableSession=false" if enabled);} @ Override public void unload () throws IOException {} @ Override public Session createSession (String sessionId) {return null;} @ Override public Session createEmptySession () {return null @ Override public void add (Session session) {} @ Override public Session findSession (String id) throws IOException {return null;} @ Override public Session [] findSessions () {return null;} @ Override public void processExpires () {}}

Two classes solve the problem, so getting session through request is empty, and the processing performance of tomcat to get rid of session has been improved.

Disable the unsafe request method of built-in Tomcat

Cause: for the requirements put forward by the security group for interface testing, unsafe request methods, such as put and delete, need to be disabled to prevent server resources from being maliciously tampered with.

Anyone who has used springMvc knows that you can use annotations such as @ PostMapping, @ GetMapping, etc., to define a single interface method type, or to specify the method property in @ RequestMapping. This way is more troublesome, so there is no more general method, by consulting the relevant data, the answer is yes.

The traditional form of tomcat forbids unsafe http methods by configuring web.xml.

/ * PUT DELETE HEAD OPTIONS TRACE BASIC

Spring boot used to use the built-in tomcat,2.0 version in the following form

@ Bean public EmbeddedServletContainerFactory servletContainer () {TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory () {/ / 1 protected void postProcessContext (Context context) {SecurityConstraint securityConstraint = new SecurityConstraint (); securityConstraint.setUserConstraint ("CONFIDENTIAL"); SecurityCollection collection = new SecurityCollection (); collection.addPattern ("/ *"); collection.addMethod ("HEAD"); collection.addMethod ("PUT") Collection.addMethod ("DELETE"); collection.addMethod ("OPTIONS"); collection.addMethod ("TRACE"); collection.addMethod ("COPY"); collection.addMethod ("SEARCH"); collection.addMethod ("PROPFIND"); securityConstraint.addCollection (collection); context.addConstraint (securityConstraint) }}

Version 2.0 uses the following form

@ Beanpublic ConfigurableServletWebServerFactory configurableServletWebServerFactory () {TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory (); factory.addContextCustomizers (context-> {SecurityConstraint securityConstraint = new SecurityConstraint (); securityConstraint.setUserConstraint ("CONFIDENTIAL"); SecurityCollection collection = new SecurityCollection (); collection.addPattern ("/ *"); collection.addMethod ("HEAD"); collection.addMethod ("PUT"); collection.addMethod ("DELETE"); collection.addMethod ("OPTIONS") Collection.addMethod ("TRACE"); collection.addMethod ("COPY"); collection.addMethod ("SEARCH"); collection.addMethod ("PROPFIND"); securityConstraint.addCollection (collection); context.addConstraint (securityConstraint);}); return factory;} this is the end of the study on "how springboot2 disables the session function with tomcat", hoping to solve everyone's doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.