springsession全能序列化实践方案
更新时间:2026年04月17日 08:40:52 作者:Tirzano
文章主要介绍了SpringSession的“全能序列化”方案,即使用JSON格式替代Java原生序列化来存储会话数据,JSON序列化方案能提高系统性能、增强跨语言服务调用能力、提升类版本兼容性,并具有更高的安全性,感兴趣的朋友跟随小编一起看看吧
构建一个可靠、高效的分布式会话管理方案,序列化是最核心的环节。Spring Session的“全能序列化”方案,并非指一个万能工具,而是一套以 GenericJackson2JsonRedisSerializer 为核心的自定义JSON序列化策略。
简单来说,就是放弃Spring Session默认的Java原生序列化(JdkSerializationRedisSerializer),转而使用JSON格式来存储会话数据。
为什么需要“全能序列化”?
Spring Session默认的Java原生序列化存在一些明显短板,而JSON序列化则能很好地弥补这些问题-17。
| 对比维度 | Java 原生序列化 (JdkSerializationRedisSerializer) | JSON 序列化 (GenericJackson2JsonRedisSerializer) |
|---|---|---|
| 可读性 | ❌ 二进制格式,存储在Redis中为乱码,不便调试 | ✅ 纯文本格式,可在Redis客户端直接查看,方便调试和运维 |
| 性能 | ⚠️ 性能较差,序列化后字节数组较大,影响网络和内存开销 | ✅ 性能更好,序列化后数据体积更小,效率更高 |
| 跨语言 | ❌ 仅限Java,其他语言(如Python, Node.js)无法解析 | ✅ 基于JSON,支持跨语言服务调用和数据处理 |
| 类版本兼容性 | ❌ 对serialVersionUID极其敏感,类结构变更可能导致旧会话无法反序列化 | ✅ 通过在JSON中保留类型信息,对类的小幅变更(如增加字段)有较好兼容性 |
| 安全性 | ⚠️ 存在反序列化漏洞风险 | ✅ 相对更安全 |
因此,采用JSON序列化方案能有效解决由序列化引发的诸多生产问题,让你的系统更健壮。
下面通过代码示例给大家演示:
package com.kongjs.common.session.config;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.kongjs.common.session.jackson.RestJacksonModule;
import org.springframework.beans.factory.BeanClassLoaderAware;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.serializer.JacksonJsonRedisSerializer;
import org.springframework.data.redis.serializer.RedisSerializer;
import org.springframework.security.jackson.SecurityJacksonModule;
import org.springframework.security.jackson.SecurityJacksonModules;
import tools.jackson.databind.DefaultTyping;
import tools.jackson.databind.JacksonModule;
import tools.jackson.databind.cfg.MapperBuilder;
import tools.jackson.databind.json.JsonMapper;
import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import tools.jackson.databind.module.SimpleModule;
import java.util.ArrayList;
import java.util.List;
@Configuration(proxyBeanMethods = false)
public class SessionConfig implements BeanClassLoaderAware {
private ClassLoader beanClassloader;
@Bean
public RedisSerializer<Object> springSessionDefaultRedisSerializer() {
return new JacksonJsonRedisSerializer<>(objectMapper(), Object.class);
}
private JsonMapper objectMapper() {
List<JacksonModule> modules = SecurityJacksonModules.getModules(this.beanClassloader);
RestJacksonModule restJacksonModule = new RestJacksonModule();
List<JacksonModule> restModules = new ArrayList<>(modules);
restModules.add(restJacksonModule);
applyPolymorphicTypeValidator(restModules, null);
return JsonMapper.builder().addModules(restModules).build();
}
// 放开某些类型
private static void applyPolymorphicTypeValidator(List<JacksonModule> modules, BasicPolymorphicTypeValidator.Builder typeValidatorBuilder) {
BasicPolymorphicTypeValidator.Builder builder = (typeValidatorBuilder != null) ? typeValidatorBuilder
: BasicPolymorphicTypeValidator.builder();
for (JacksonModule module : modules) {
if (module instanceof SecurityJacksonModule securityModule) {
securityModule.configurePolymorphicTypeValidator(builder);
}
}
modules.add(new SimpleModule() {
@Override
public void setupModule(SetupContext context) {
((MapperBuilder<?, ?>) context.getOwner()).activateDefaultTyping(builder.build(),
DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
}
});
}
@Override
public void setBeanClassLoader(ClassLoader classLoader) {
this.beanClassloader = classLoader;
}
}package com.kongjs.common.session.jackson;
import com.kongjs.common.session.authentication.RestAuthentication;
import com.kongjs.common.session.dto.AccountInfo;
import org.springframework.security.jackson.SecurityJacksonModule;
import tools.jackson.core.Version;
import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import java.util.LinkedHashMap;
// 使用这个方便
public class RestJacksonModule extends SecurityJacksonModule {
public RestJacksonModule() {
super(RestJacksonModule.class.getName(), new Version(1, 0, 0, null, null, null));
}
public RestJacksonModule(String name, Version version) {
super(name, version);
}
@Override
public void configurePolymorphicTypeValidator(BasicPolymorphicTypeValidator.Builder builder) {
builder.allowIfBaseType(Object.class); // 允许 Object 所有子类型(包含 Long/Integer 等)
builder.allowIfBaseType(Long.class); // 显式允许 Long 类型
builder.allowIfBaseType(LinkedHashMap.class); // 兼容认证信息中的 Map 类型
builder.allowIfSubType(RestAuthentication.class);
builder.allowIfSubType(AccountInfo.class);
}
@Override
public void setupModule(SetupContext context) {
super.setupModule(context);
context.setMixIn(RestAuthentication.class, RestAuthenticationMixin.class);
context.setMixIn(AccountInfo.class, AccountInfoMixin.class);
}
}package com.kongjs.common.session.authentication;
import com.fasterxml.jackson.annotation.JsonInclude;
import org.jspecify.annotations.Nullable;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.util.Assert;
import java.io.Serial;
import java.util.Collection;
@JsonInclude(JsonInclude.Include.NON_NULL)
public class RestAuthentication extends AbstractAuthenticationToken {
@Serial
private static final long serialVersionUID = 20260313L;
private final Object principal;
private Object credentials;
public RestAuthentication(Object principal, Object credentials) {
super((Collection<? extends GrantedAuthority>) null);
this.principal = principal;
this.credentials = credentials;
super.setAuthenticated(false);
}
public RestAuthentication(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
super(authorities);
this.principal = principal;
this.credentials = credentials;
super.setAuthenticated(true);
}
public static RestAuthentication unauthenticated(Object principal, Object credentials) {
return new RestAuthentication(principal, credentials);
}
public static RestAuthentication authenticated(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
return new RestAuthentication(principal, credentials, authorities);
}
protected RestAuthentication(Builder<?> builder) {
super(builder);
this.principal = builder.principal;
this.credentials = builder.credentials;
}
@Override
public @Nullable Object getPrincipal() {
return principal;
}
@Override
public @Nullable Object getCredentials() {
return credentials;
}
@Override
public void eraseCredentials() {
super.eraseCredentials();
this.credentials = null;
}
public Builder<?> toBuilder() {
return new Builder<>(this);
}
public static class Builder<B extends Builder<B>> extends AbstractAuthenticationBuilder<B> {
private @Nullable Object principal;
private @Nullable Object credentials;
protected Builder(RestAuthentication token) {
super(token);
this.principal = token.principal;
this.credentials = token.credentials;
}
public B principal(@Nullable Object principal) {
Assert.notNull(principal, "principal cannot be null");
this.principal = principal;
return (B) this;
}
public B credentials(@Nullable Object credentials) {
this.credentials = credentials;
return (B) this;
}
public RestAuthentication build() {
return new RestAuthentication(this);
}
}
}
package com.kongjs.common.session.jackson;
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import tools.jackson.databind.annotation.JsonDeserialize;
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE)
@JsonDeserialize(using = RestAuthenticationDeserializer.class)
public class RestAuthenticationMixin {
}
package com.kongjs.common.session.jackson;
import com.kongjs.common.session.authentication.RestAuthentication;
import org.jspecify.annotations.Nullable;
import org.springframework.security.core.GrantedAuthority;
import tools.jackson.core.JacksonException;
import tools.jackson.core.JsonParser;
import tools.jackson.core.exc.StreamReadException;
import tools.jackson.core.type.TypeReference;
import tools.jackson.databind.DatabindException;
import tools.jackson.databind.DeserializationContext;
import tools.jackson.databind.JsonNode;
import tools.jackson.databind.ValueDeserializer;
import tools.jackson.databind.node.MissingNode;
import java.util.List;
public class RestAuthenticationDeserializer extends ValueDeserializer<RestAuthentication> {
private static final TypeReference<List<GrantedAuthority>> GRANTED_AUTHORITY_LIST = new TypeReference<>() {
};
/**
* This method construct {@link RestAuthentication} object from
* serialized json.
*
* @param jp the JsonParser
* @param ctxt the DeserializationContext
* @return the user
* @throws JacksonException if an error during JSON processing occurs
*/
@Override
public RestAuthentication deserialize(JsonParser jp, DeserializationContext ctxt) throws JacksonException {
JsonNode jsonNode = ctxt.readTree(jp);
boolean authenticated = readJsonNode(jsonNode, "authenticated").asBoolean();
JsonNode principalNode = readJsonNode(jsonNode, "principal");
Object principal = getPrincipal(ctxt, principalNode);
JsonNode credentialsNode = readJsonNode(jsonNode, "credentials");
Object credentials = getCredentials(credentialsNode);
JsonNode authoritiesNode = readJsonNode(jsonNode, "authorities");
List<GrantedAuthority> authorities = ctxt.readTreeAsValue(authoritiesNode,
ctxt.getTypeFactory().constructType(GRANTED_AUTHORITY_LIST));
RestAuthentication token = (!authenticated)
? RestAuthentication.unauthenticated(principal, credentials)
: RestAuthentication.authenticated(principal, credentials, authorities);
JsonNode detailsNode = readJsonNode(jsonNode, "details");
if (detailsNode.isNull() || detailsNode.isMissingNode()) {
token.setDetails(null);
} else {
Object details = ctxt.readTreeAsValue(detailsNode, Object.class);
token.setDetails(details);
}
return token;
}
private Object getPrincipal(DeserializationContext ctxt, JsonNode principalNode) throws StreamReadException, DatabindException {
if (principalNode.isObject()) {
return ctxt.readTreeAsValue(principalNode, Object.class);
}
return principalNode.asString();
}
private @Nullable Object getCredentials(JsonNode credentialsNode) {
if (credentialsNode.isNull() || credentialsNode.isMissingNode()) {
return null;
}
return credentialsNode.asString();
}
private JsonNode readJsonNode(JsonNode jsonNode, String field) {
return jsonNode.has(field) ? jsonNode.get(field) : MissingNode.getInstance();
}
}到此这篇关于springsession全能序列化实践方案的文章就介绍到这了,更多相关springsession序列化内容请搜索脚本之家以前的文章或继续浏览下面的相关文章希望大家以后多多支持脚本之家!
相关文章
这篇文章主要介绍了Java反射机制概念、原理与用法,较为详细的分析了java反射机制的概念、原理,并结合实例形式总结分析了java反射机制的具体使用方法与相关注意事项,需要的朋友可以参考下2017-11-11
本文主要介绍了Java为什么只能单继承,文中通过示例代码介绍的非常详细,对大家的学习或者工作具有一定的参考学习价值,需要的朋友们下面随着小编来一起学习学习吧2023-03-03
Spring Security中的Servlet过滤器体系代码分析
这篇文章主要介绍了Spring Security中的Servlet过滤器体系,本文通过图文并茂的形式给大家介绍的非常详细,对大家的学习或工作具有一定的参考借鉴价值,需要的朋友可以参考下2020-07-07
最近在linux上发布了一个SpringBoot项目,研究了一下jar包在Linux上的集中启动方式,这篇文章主要给大家介绍了Linux下启动jar包的几种常见方式,需要的朋友可以参考下2023-07-07
文章介绍了将JDK和Java程序一起打包,通过启动脚本直接调用内置JDK,实现无需安装JDK即可一键运行Java程序,适合绿色部署、低技术门槛和快速交付场景,需要的朋友可以参考下2025-10-10
最简单的MyBatis Plus的多表联接、分页查询实现方法
这篇文章主要介绍了最简单的MyBatis Plus的多表联接、分页查询实现方法,文中通过示例代码介绍的非常详细,对大家的学习或者工作具有一定的参考学习价值,需要的朋友们下面随着小编来一起学习学习吧2020-11-11
本文详细介绍了后台管理使用springboot+vue制作,以分步骤、图文的形式详细讲解,大家有需要的可以参考参考2021-08-08
Stream 作为 Java 8 的一大亮点,它与 java.io 包里的 InputStream 和 OutputStream 是完全不同的概念。今天通过本文重点给大家介绍java树结构stream工具类的示例代码,感兴趣的朋友一起看看吧2022-03-03
我们知道Spring一次可以加载多个Bean定义的Xml配置文件,我们可以设想下如果让我们来做我们会怎么做?我估计会根据配置文件的顺序依次读取并加载,那再来看看Spring是如何做的?2021-06-06
这篇文章主要介绍了Java中的LinkedHashSet和TreeSet解读,哈希表和链表实现的set接口哈希表决定了它元素是唯一的,而链表则保证了他是有序的(存储和取出顺序一致),元素按照一定规则排序,不是按储存时间排的,需要的朋友可以参考下2023-09-09
最新评论