使用Spring Session作分佈式會話管理

時間 2019-11-20

標籤使用 spring session 分佈式會話管理欄目 Spring 简体版

原文原文鏈接

　　在Web項目開發中，會話管理是一個很重要的部分，用於存儲與用戶相關的數據。一般是由符合session規範的容器來負責存儲管理，也就是一旦容器關閉，重啓會致使會話失效。所以打造一個高可用性的系統，必須將session管理從容器中獨立出來。而這實現方案有不少種，下面簡單介紹下：html

　　第一種是使用容器擴展來實現，你們比較容易接受的是經過容器插件來實現，好比基於Tomcat的tomcat-redis-session-manager，基於Jetty的jetty-session-redis等等。好處是對項目來講是透明的，無需改動代碼。不過前者目前還不支持Tomcat 8，或者說不太完善。我的以爲因爲過於依賴容器，一旦容器升級或者更換意味着又得重新來過。而且代碼不在項目中，對開發者來講維護也是個問題。html5

　　第二種是本身寫一套會話管理的工具類，包括Session管理和Cookie管理，在須要使用會話的時候都從本身的工具類中獲取，而工具類後端存儲能夠放到Redis中。很顯然這個方案靈活性最大，但開發須要一些額外的時間。而且系統中存在兩套Session方案，很容易弄錯而致使取不到數據。java

　　第三種是使用框架的會話管理工具，也就是本文要說的spring-session，能夠理解是替換了Servlet那一套會話管理，既不依賴容器，又不須要改動代碼，而且是用了spring-data-redis那一套鏈接池，能夠說是最完美的解決方案。固然，前提是項目要使用Spring Framework才行。git

　　這裏簡單記錄下整合的過程：github

　　若是項目以前沒有整合過spring-data-redis的話，這一步須要先作，在maven中添加這兩個依賴：web

 1 <dependency>
 2     <groupId>org.springframework.data</groupId>
 3     <artifactId>spring-data-redis</artifactId>
 4     <version>1.5.2.RELEASE</version>
 5 </dependency>
 6 <dependency>
 7     <groupId>org.springframework.session</groupId>
 8     <artifactId>spring-session</artifactId>
 9     <version>1.0.2.RELEASE</version>
10 </dependency>

　　再在applicationContext.xml中添加如下bean，用於定義redis的鏈接池和初始化redis模版操做類，自行替換其中的相關變量。redis

 1 <!-- redis -->
 2 <bean id="jedisPoolConfig" class="redis.clients.jedis.JedisPoolConfig">
 3 </bean>
 4  
 5 <bean id="jedisConnectionFactory"
 6     class="org.springframework.data.redis.connection.jedis.JedisConnectionFactory">
 7     <property name="hostName" value="${redis.host}" />
 8     <property name="port" value="${redis.port}" />
 9     <property name="password" value="${redis.pass}" />
10     <property name="timeout" value="${redis.timeout}" />
11     <property name="poolConfig" ref="jedisPoolConfig" />
12     <property name="usePool" value="true" />
13 </bean>
14  
15 <bean id="redisTemplate" class="org.springframework.data.redis.core.StringRedisTemplate">
16     <property name="connectionFactory" ref="jedisConnectionFactory" />
17 </bean>
18  
19 <!-- 將session放入redis -->
20 <bean id="redisHttpSessionConfiguration"
21 class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration">
22     <property name="maxInactiveIntervalInSeconds" value="1800" />
23 </bean>

　　這裏前面幾個bean都是操做redis時候使用的，最後一個bean纔是spring-session須要用到的，其中的id能夠不寫或者保持不變，這也是一個約定優先配置的體現。這個bean中又會自動產生多個bean，用於相關操做，極大的簡化了咱們的配置項。其中有個比較重要的是springSessionRepositoryFilter，它將在下面的代理filter中被調用到。maxInactiveIntervalInSeconds表示超時時間，默認是1800秒。寫上述配置的時候我我的習慣採用xml來定義，官方文檔中有采用註解來聲明一個配置類。spring

　　而後是在web.xml中添加一個session代理filter，經過這個filter來包裝Servlet的getSession()。須要注意的是這個filter須要放在全部filter鏈最前面。apache

1 <!-- delegatingFilterProxy -->
2 <filter>
3     <filter-name>springSessionRepositoryFilter</filter-name>
4     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
5 </filter>
6 <filter-mapping>
7     <filter-name>springSessionRepositoryFilter</filter-name>
8     <url-pattern>/*</url-pattern>
9 </filter-mapping>

　　這樣便配置完畢了，須要注意的是，spring-session要求Redis Server版本不低於2.8。後端

　　驗證：使用redis-cli就能夠查看到session key了，且瀏覽器Cookie中的jsessionid已經替換爲session。

1 127.0.0.1:6379> KEYS *
2 1) "spring:session:expirations:1440922740000"
3 2) "spring:session:sessions:35b48cb4-62f8-440c-afac-9c7e3cfe98d3"

　　補充：

　　spring session提供如下功能:
1.API and implementations for managing a user's session
2.HttpSession - allows replacing the HttpSession in an application container (i.e. Tomcat) neutral way
2.1.Clustered Sessions - Spring Session makes it trivial to support clustered sessions without being tied to an application container specific solution.
2.2.Multiple Browser Sessions - Spring Session supports managing multiple users' sessions in a single browser instance (i.e. multiple authenticated accounts similar to Google).
2.3.RESTful APIs - Spring Session allows providing session ids in headers to work with RESTful APIs
3.WebSocket - provides the ability to keep the HttpSession alive when receiving WebSocket messages
僅是集羣session功能,都是振奮人心的.spring session是經過filter嵌入去實現的(spring security也是使用這種方式),下面是個例子.

1.主要依賴

 1 <dependency>  
 2     <groupId>org.springframework.data</groupId>  
 3     <artifactId>spring-data-redis</artifactId>  
 4     <version>1.4.1.RELEASE</version>  
 5 </dependency>  
 6 <dependency>  
 7     <groupId>redis.clients</groupId>  
 8     <artifactId>jedis</artifactId>  
 9     <version>2.5.2</version>  
10 </dependency>  
11 <dependency>  
12     <groupId>org.springframework.session</groupId>  
13     <artifactId>spring-session</artifactId>  
14     <version>${spring.session.version}</version>  
15 </dependency>

2.寫一個configuration來啓用RedisHttpSession,在這個配置註冊一個redis客戶端的鏈接工廠Bean,供Spring Session用於與redis服務端交互.

 1 package org.exam.config;  
 2 import org.springframework.context.annotation.Bean;  
 3 import org.springframework.data.redis.connection.jedis.JedisConnectionFactory;  
 4 import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;  
 5 /** 
 6  * Created by xin on 15/1/20. 
 7  */  
 8 @EnableRedisHttpSession  
 9 public class SessionConfig {  
10     @Bean  
11     public JedisConnectionFactory connectionFactory() {  
12         return new JedisConnectionFactory();  
13     }  
14 }

3.寫一個Initializer,主要用於嚮應用容器添加springSessionRepositoryFilter,順便註冊一下HttpSessionEventPublisher監聽,這個監聽的做用發佈HttpSessionCreatedEvent和HttpSessionDestroyedEvent事件

1 package org.exam.config;  
2 import org.springframework.session.web.context.AbstractHttpSessionApplicationInitializer;  
3 
4 public class SessionApplicationInitializer extends AbstractHttpSessionApplicationInitializer {  
5     @Override  
6     protected void afterSessionRepositoryFilter(ServletContext servletContext) {  
7         servletContext.addListener(new HttpSessionEventPublisher());  
8     }  
9 }

4.將SessionConfig加入到org.exam.config.DispatcherServletInitializer#getRootConfigClasses,不要加到ServletConfigClasses,至於緣由看http://blog.csdn.net/xiejx618/article/details/50603758文末

1 @Override  
2 protected Class<?>[] getRootConfigClasses() {  
3     return new Class<?>[] {AppConfig.class,SessionConfig.class};  
4 }

5.使用例子.

 1 package org.exam.web;  
 2 import org.springframework.stereotype.Controller;  
 3 import org.springframework.ui.Model;  
 4 import org.springframework.web.bind.annotation.RequestMapping;  
 5 import javax.servlet.http.HttpServletRequest;  
 6 import javax.servlet.http.HttpSession;  
 7 /** 
 8  * Created by xin on 15/1/7. 
 9  */  
10 @Controller  
11 public class DefaultController {  
12     @RequestMapping("/")  
13     public String index(Model model,HttpServletRequest request,String action,String msg){  
14         HttpSession session=request.getSession();  
15         if ("set".equals(action)){  
16             session.setAttribute("msg", msg);  
17         }else if ("get".equals(action)){  
18             String message=(String)session.getAttribute("msg");  
19             model.addAttribute("msgFromRedis",message);  
20         }  
21         return "index";  
22     }  
23 }

　　獲得這個被spring session包裝過的session,像日常同樣直接使用.
　　6.測試.先啓動redis服務端.
　　請求:localhost:8080/testweb/?action=set&msg=123 把123經過spring session set到redis去.
　　請求:localhost:8080/testweb/?action=get 從redis取出剛纔存入的值.

　　從Redis刪除存入去相關的值,再次請求localhost:8080/testweb/?action=get查看結果

　　redis:

　　a.查詢全部key:keys命令，keys *

　　b.根據某個key刪除,使用del命令

　　源碼例子:

　　使用redis集羣的一個例子:

 1 <dependency>  
 2     <groupId>org.springframework.data</groupId>  
 3     <artifactId>spring-data-redis</artifactId>  
 4     <version>1.7.1.RELEASE</version>  
 5 </dependency>  
 6 <dependency>  
 7     <groupId>org.apache.commons</groupId>  
 8     <artifactId>commons-pool2</artifactId>  
 9     <version>2.4.2</version>  
10 </dependency>  
11 <dependency>  
12     <groupId>redis.clients</groupId>  
13     <artifactId>jedis</artifactId>  
14     <version>2.8.1</version>  
15 </dependency>  
16 <dependency>  
17     <groupId>org.springframework.session</groupId>  
18     <artifactId>spring-session</artifactId>  
19     <version>1.1.1.RELEASE</version>  
20 </dependency>

1 #REDIS START  
2 redis.maxRedirections=10  
3 redis.maxWaitMillis=1500  
4 redis.maxTotal=2048  
5 redis.minIdle=20  
6 redis.maxIdle=200  
7 redis.jedisClusterNodes=192.168.1.250:6380,192.168.1.250:6381,192.168.1.250:6382  
8 #REDIS END

 1 @Configuration  
 2 @EnableRedisHttpSession  
 3 public class HttpSessionConfig implements EnvironmentAware {  
 4     private Environment env;  
 5     @Bean  
 6     public JedisConnectionFactory jedisConnectionFactory() {  
 7         String[] jedisClusterNodes = env.getProperty("redis.jedisClusterNodes").split(",");  
 8         RedisClusterConfiguration clusterConfig=new RedisClusterConfiguration(Arrays.asList(jedisClusterNodes));  
 9         clusterConfig.setMaxRedirects(env.getProperty("redis.maxRedirections",Integer.class));  
10   
11         JedisPoolConfig poolConfig=new JedisPoolConfig();  
12         poolConfig.setMaxWaitMillis(env.getProperty("redis.maxWaitMillis",Integer.class));  
13         poolConfig.setMaxTotal(env.getProperty("redis.maxTotal",Integer.class));  
14         poolConfig.setMinIdle(env.getProperty("redis.minIdle",Integer.class));  
15         poolConfig.setMaxIdle(env.getProperty("redis.maxIdle",Integer.class));  
16   
17         return new JedisConnectionFactory(clusterConfig,poolConfig);  
18     }  
19   
20     @Override  
21     public void setEnvironment(Environment environment) {  
22         this.env=environment;  
23     }  
24 }

下面順便跟蹤下實現吧:

1.註冊springSessionRepositoryFilter位置在:org.springframework.session.web.context.AbstractHttpSessionApplicationInitializer#insertSessionRepositoryFilter,從org.springframework.web.filter.DelegatingFilterProxy#initDelegate能夠看出會去找名爲springSessionRepositoryFilter Bean的實現做爲Filter的具體實現.
2.由於使用了@EnableRedisHttpSession,就會使用org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration,這個配置裏註冊的springSessionRepositoryFilter Bean就是SessionRepositoryFilter.即springSessionRepositoryFilter的實現爲org.springframework.session.web.http.SessionRepositoryFilter
3.Filter每一次的請求都會調用doFilter,即調用SessionRepositoryFilter的父類OncePerRequestFilter的doFilter,此方法會調用SessionRepositoryFilter自身的doFilterInternal.這個方法以下:

[java] view plain copy

protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
request.setAttribute(SESSION_REPOSITORY_ATTR, sessionRepository);
SessionRepositoryRequestWrapper wrappedRequest = new SessionRepositoryRequestWrapper(request, response);
SessionRepositoryResponseWrapper wrappedResponse = new SessionRepositoryResponseWrapper(wrappedRequest,response);
HttpServletRequest strategyRequest = httpSessionStrategy.wrapRequest(wrappedRequest, wrappedResponse);
HttpServletResponse strategyResponse = httpSessionStrategy.wrapResponse(wrappedRequest, wrappedResponse);
try {
filterChain.doFilter(strategyRequest, strategyResponse);
} finally {
wrappedRequest.commitSession();
}
}

4.從這裏就知request通過了包裝,httpSessionStrategy的默認值是new CookieHttpSessionStrategy(),能夠猜想它結合了cookie來實現,固然裏面的getSession方法也重寫了.org.springframework.session.web.http.SessionRepositoryFilter.SessionRepositoryRequestWrapper#getSession(boolean)方法以下:

[java] view plain copy

public HttpSession getSession(boolean create) {
if(currentSession != null) {
return currentSession;
}
String requestedSessionId = getRequestedSessionId();
if(requestedSessionId != null) {
S session = sessionRepository.getSession(requestedSessionId);
if(session != null) {
this.requestedValidSession = true;
currentSession = new HttpSessionWrapper(session, getServletContext());
currentSession.setNew(false);
return currentSession;
}
}
if(!create) {
return null;
}
S session = sessionRepository.createSession();
currentSession = new HttpSessionWrapper(session, getServletContext());
return currentSession;
}

即上面的例子調用getSession會調用此方法來獲取Session.而此Session是經過sessionRepository建立的,此處注入的是org.springframework.session.data.redis.RedisOperationsSessionRepository(sessionRepository的註冊也是在org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration),而不是應用服務器自己去建立的.

能夠繼續看看org.springframework.session.data.redis.RedisOperationsSessionRepository#createSession

[java] view plain copy

public RedisSession createSession() {
RedisSession redisSession = new RedisSession();
if(defaultMaxInactiveInterval != null) {
redisSession.setMaxInactiveIntervalInSeconds(defaultMaxInactiveInterval);
}
return redisSession;
}

這裏new了一個RedisSession,繼續看org.springframework.session.data.redis.RedisOperationsSessionRepository.RedisSession#RedisSession()

[java] view plain copy

RedisSession() {
this(new MapSession());
delta.put(CREATION_TIME_ATTR, getCreationTime());
delta.put(MAX_INACTIVE_ATTR, getMaxInactiveIntervalInSeconds());
delta.put(LAST_ACCESSED_ATTR, getLastAccessedTime());
}
RedisSession(MapSession cached) {
Assert.notNull("MapSession cannot be null");
this.cached = cached;
}

這裏又new了一個MapSession並賦給了cached變量,再看org.springframework.session.MapSession片斷:

[java] view plain copy

public static final int DEFAULT_MAX_INACTIVE_INTERVAL_SECONDS = 1800;
private String id = UUID.randomUUID().toString();
private Map<String, Object> sessionAttrs = new HashMap<String, Object>();
private long creationTime = System.currentTimeMillis();
private long lastAccessedTime = creationTime;
/**
* Defaults to 30 minutes
*/
private int maxInactiveInterval = DEFAULT_MAX_INACTIVE_INTERVAL_SECONDS;

從這裏你能夠基本猜想id就是sessionid,這個UUID就是區分不一樣的客戶端的一個惟一標識,它會寫入到客戶端的cookie,session的有效時間是存在什麼地方了,cached和delta都有存.最後就要看它怎麼保存到redis裏面去了.下面再看看如何保存到redis去:response是通過了SessionRepositoryResponseWrapper包裝,SessionRepositoryResponseWrapper是OnCommittedResponseWrapper的子類,服務端一旦調用response.getWriter()就會觸發org.springframework.session.web.http.OnCommittedResponseWrapper#getWriter

[java] view plain copy