我要评论构建一个可靠、高效的分布式会话管理方案,序列化是最核心的环节。spring session的“全能序列化”方案,并非指一个万能工具,而是一套以 genericjackson2jsonredisserializer 为核心的自定义json序列化策略。
简单来说,就是放弃spring session默认的java原生序列化(jdkserializationredisserializer),转而使用json格式来存储会话数据。
为什么需要“全能序列化”?
spring session默认的java原生序列化存在一些明显短板,而json序列化则能很好地弥补这些问题-17。
| 对比维度 | java 原生序列化 (jdkserializationredisserializer) | json 序列化 (genericjackson2jsonredisserializer) |
|---|---|---|
| 可读性 | ❌ 二进制格式,存储在redis中为乱码,不便调试 | ✅ 纯文本格式,可在redis客户端直接查看,方便调试和运维 |
| 性能 | ⚠️ 性能较差,序列化后字节数组较大,影响网络和内存开销 | ✅ 性能更好,序列化后数据体积更小,效率更高 |
| 跨语言 | ❌ 仅限java,其他语言(如python, node.js)无法解析 | ✅ 基于json,支持跨语言服务调用和数据处理 |
| 类版本兼容性 | ❌ 对serialversionuid极其敏感,类结构变更可能导致旧会话无法反序列化 | ✅ 通过在json中保留类型信息,对类的小幅变更(如增加字段)有较好兼容性 |
| 安全性 | ⚠️ 存在反序列化漏洞风险 | ✅ 相对更安全 |
因此,采用json序列化方案能有效解决由序列化引发的诸多生产问题,让你的系统更健壮。
下面通过代码示例给大家演示:
package com.kongjs.common.session.config;
import com.fasterxml.jackson.annotation.jsontypeinfo;
import com.kongjs.common.session.jackson.restjacksonmodule;
import org.springframework.beans.factory.beanclassloaderaware;
import org.springframework.context.annotation.bean;
import org.springframework.context.annotation.configuration;
import org.springframework.data.redis.serializer.jacksonjsonredisserializer;
import org.springframework.data.redis.serializer.redisserializer;
import org.springframework.security.jackson.securityjacksonmodule;
import org.springframework.security.jackson.securityjacksonmodules;
import tools.jackson.databind.defaulttyping;
import tools.jackson.databind.jacksonmodule;
import tools.jackson.databind.cfg.mapperbuilder;
import tools.jackson.databind.json.jsonmapper;
import tools.jackson.databind.jsontype.basicpolymorphictypevalidator;
import tools.jackson.databind.module.simplemodule;
import java.util.arraylist;
import java.util.list;
@configuration(proxybeanmethods = false)
public class sessionconfig implements beanclassloaderaware {
private classloader beanclassloader;
@bean
public redisserializer<object> springsessiondefaultredisserializer() {
return new jacksonjsonredisserializer<>(objectmapper(), object.class);
}
private jsonmapper objectmapper() {
list<jacksonmodule> modules = securityjacksonmodules.getmodules(this.beanclassloader);
restjacksonmodule restjacksonmodule = new restjacksonmodule();
list<jacksonmodule> restmodules = new arraylist<>(modules);
restmodules.add(restjacksonmodule);
applypolymorphictypevalidator(restmodules, null);
return jsonmapper.builder().addmodules(restmodules).build();
}
// 放开某些类型
private static void applypolymorphictypevalidator(list<jacksonmodule> modules, basicpolymorphictypevalidator.builder typevalidatorbuilder) {
basicpolymorphictypevalidator.builder builder = (typevalidatorbuilder != null) ? typevalidatorbuilder
: basicpolymorphictypevalidator.builder();
for (jacksonmodule module : modules) {
if (module instanceof securityjacksonmodule securitymodule) {
securitymodule.configurepolymorphictypevalidator(builder);
}
}
modules.add(new simplemodule() {
@override
public void setupmodule(setupcontext context) {
((mapperbuilder<?, ?>) context.getowner()).activatedefaulttyping(builder.build(),
defaulttyping.non_final, jsontypeinfo.as.property);
}
});
}
@override
public void setbeanclassloader(classloader classloader) {
this.beanclassloader = classloader;
}
}package com.kongjs.common.session.jackson;
import com.kongjs.common.session.authentication.restauthentication;
import com.kongjs.common.session.dto.accountinfo;
import org.springframework.security.jackson.securityjacksonmodule;
import tools.jackson.core.version;
import tools.jackson.databind.jsontype.basicpolymorphictypevalidator;
import java.util.linkedhashmap;
// 使用这个方便
public class restjacksonmodule extends securityjacksonmodule {
public restjacksonmodule() {
super(restjacksonmodule.class.getname(), new version(1, 0, 0, null, null, null));
}
public restjacksonmodule(string name, version version) {
super(name, version);
}
@override
public void configurepolymorphictypevalidator(basicpolymorphictypevalidator.builder builder) {
builder.allowifbasetype(object.class); // 允许 object 所有子类型(包含 long/integer 等)
builder.allowifbasetype(long.class); // 显式允许 long 类型
builder.allowifbasetype(linkedhashmap.class); // 兼容认证信息中的 map 类型
builder.allowifsubtype(restauthentication.class);
builder.allowifsubtype(accountinfo.class);
}
@override
public void setupmodule(setupcontext context) {
super.setupmodule(context);
context.setmixin(restauthentication.class, restauthenticationmixin.class);
context.setmixin(accountinfo.class, accountinfomixin.class);
}
}package com.kongjs.common.session.authentication;
import com.fasterxml.jackson.annotation.jsoninclude;
import org.jspecify.annotations.nullable;
import org.springframework.security.authentication.abstractauthenticationtoken;
import org.springframework.security.core.grantedauthority;
import org.springframework.util.assert;
import java.io.serial;
import java.util.collection;
@jsoninclude(jsoninclude.include.non_null)
public class restauthentication extends abstractauthenticationtoken {
@serial
private static final long serialversionuid = 20260313l;
private final object principal;
private object credentials;
public restauthentication(object principal, object credentials) {
super((collection<? extends grantedauthority>) null);
this.principal = principal;
this.credentials = credentials;
super.setauthenticated(false);
}
public restauthentication(object principal, object credentials, collection<? extends grantedauthority> authorities) {
super(authorities);
this.principal = principal;
this.credentials = credentials;
super.setauthenticated(true);
}
public static restauthentication unauthenticated(object principal, object credentials) {
return new restauthentication(principal, credentials);
}
public static restauthentication authenticated(object principal, object credentials, collection<? extends grantedauthority> authorities) {
return new restauthentication(principal, credentials, authorities);
}
protected restauthentication(builder<?> builder) {
super(builder);
this.principal = builder.principal;
this.credentials = builder.credentials;
}
@override
public @nullable object getprincipal() {
return principal;
}
@override
public @nullable object getcredentials() {
return credentials;
}
@override
public void erasecredentials() {
super.erasecredentials();
this.credentials = null;
}
public builder<?> tobuilder() {
return new builder<>(this);
}
public static class builder<b extends builder<b>> extends abstractauthenticationbuilder<b> {
private @nullable object principal;
private @nullable object credentials;
protected builder(restauthentication token) {
super(token);
this.principal = token.principal;
this.credentials = token.credentials;
}
public b principal(@nullable object principal) {
assert.notnull(principal, "principal cannot be null");
this.principal = principal;
return (b) this;
}
public b credentials(@nullable object credentials) {
this.credentials = credentials;
return (b) this;
}
public restauthentication build() {
return new restauthentication(this);
}
}
}
package com.kongjs.common.session.jackson;
import com.fasterxml.jackson.annotation.jsonautodetect;
import com.fasterxml.jackson.annotation.jsontypeinfo;
import tools.jackson.databind.annotation.jsondeserialize;
@jsontypeinfo(use = jsontypeinfo.id.class)
@jsonautodetect(fieldvisibility = jsonautodetect.visibility.any, gettervisibility = jsonautodetect.visibility.none, isgettervisibility = jsonautodetect.visibility.none)
@jsondeserialize(using = restauthenticationdeserializer.class)
public class restauthenticationmixin {
}
package com.kongjs.common.session.jackson;
import com.kongjs.common.session.authentication.restauthentication;
import org.jspecify.annotations.nullable;
import org.springframework.security.core.grantedauthority;
import tools.jackson.core.jacksonexception;
import tools.jackson.core.jsonparser;
import tools.jackson.core.exc.streamreadexception;
import tools.jackson.core.type.typereference;
import tools.jackson.databind.databindexception;
import tools.jackson.databind.deserializationcontext;
import tools.jackson.databind.jsonnode;
import tools.jackson.databind.valuedeserializer;
import tools.jackson.databind.node.missingnode;
import java.util.list;
public class restauthenticationdeserializer extends valuedeserializer<restauthentication> {
private static final typereference<list<grantedauthority>> granted_authority_list = new typereference<>() {
};
/**
* this method construct {@link restauthentication} object from
* serialized json.
*
* @param jp the jsonparser
* @param ctxt the deserializationcontext
* @return the user
* @throws jacksonexception if an error during json processing occurs
*/
@override
public restauthentication deserialize(jsonparser jp, deserializationcontext ctxt) throws jacksonexception {
jsonnode jsonnode = ctxt.readtree(jp);
boolean authenticated = readjsonnode(jsonnode, "authenticated").asboolean();
jsonnode principalnode = readjsonnode(jsonnode, "principal");
object principal = getprincipal(ctxt, principalnode);
jsonnode credentialsnode = readjsonnode(jsonnode, "credentials");
object credentials = getcredentials(credentialsnode);
jsonnode authoritiesnode = readjsonnode(jsonnode, "authorities");
list<grantedauthority> authorities = ctxt.readtreeasvalue(authoritiesnode,
ctxt.gettypefactory().constructtype(granted_authority_list));
restauthentication token = (!authenticated)
? restauthentication.unauthenticated(principal, credentials)
: restauthentication.authenticated(principal, credentials, authorities);
jsonnode detailsnode = readjsonnode(jsonnode, "details");
if (detailsnode.isnull() || detailsnode.ismissingnode()) {
token.setdetails(null);
} else {
object details = ctxt.readtreeasvalue(detailsnode, object.class);
token.setdetails(details);
}
return token;
}
private object getprincipal(deserializationcontext ctxt, jsonnode principalnode) throws streamreadexception, databindexception {
if (principalnode.isobject()) {
return ctxt.readtreeasvalue(principalnode, object.class);
}
return principalnode.asstring();
}
private @nullable object getcredentials(jsonnode credentialsnode) {
if (credentialsnode.isnull() || credentialsnode.ismissingnode()) {
return null;
}
return credentialsnode.asstring();
}
private jsonnode readjsonnode(jsonnode jsonnode, string field) {
return jsonnode.has(field) ? jsonnode.get(field) : missingnode.getinstance();
}
}到此这篇关于springsession全能序列化实践方案的文章就介绍到这了,更多相关springsession序列化内容请搜索代码网以前的文章或继续浏览下面的相关文章希望大家以后多多支持代码网!
发表评论