Why does my Spring Boot application redirect after the session expires?

I am using Spring Boot version 2.1.5.RELEASE with security. I expose a publicly accessible endpoint at /file/{id} that returns an image byte array.

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@RequestMapping("file")
public class FileFetchController extends BaseFileController {

    @ResponseBody
    @GetMapping("{id}")
    public byte[] getFileData(@PathVariable Long id,@RequestParam("size") String size) throws Exception {
        return // The image byte array...
    }
}

I can use this endpoint in an HTML image tag such as <img src="https://example.com/file/123"/>, and it correctly fetches the image and displays it in the web browser.

The problem seems to appear after a period of inactivity. When I reload the web page, the image fails to display. When I inspect the network, I can see that the Spring Boot server responded with a 302 redirect.

I suspect that it redirects to the login page after the session has expired. But I may be wrong!?

Here is the Spring Security configuration:

protected void configure(HttpSecurity http) throws Exception
{
    http.csrf().disable()
        .authorizeRequests()
            .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
            .antMatchers("/file/**").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .successHandler(customAuthenticationSuccessHandler)
            .loginPage("/login").permitAll()
            .failureUrl("/login?error")
            .and()
        .logout()
            .invalidateHttpSession(true)
            .logoutUrl("/logout")
            .deleteCookies("JSESSIONID", "remember-me")
            .permitAll()
            .and()
        .rememberMe()
            .key("salt")
            .tokenValiditySeconds(31536000)
            .authenticationSuccessHandler(customAuthenticationSuccessHandler);
}

You will notice that I allow unauthenticated requests to /file/**. So why do I still get a 302 redirect after a period without requests? Or is something else causing the redirect response?

Here are the details of the response:

Request URL: https://diff.uk/file/1756?size=l
Request Method: GET
Status Code: 302 
Remote Address: xxx.xxx.xxx.xxx:443
Referrer Policy: no-referrer-when-downgrade
cache-control: no-cache,no-store,max-age=0,must-revalidate
content-length: 0
date: Mon,04 Nov 2019 16:52:29 GMT
expires: 0
location: https://diff.uk/home
pragma: no-cache
set-cookie: JSESSIONID=66AA54E923A9E7C3F95C5C8C092C6E6D; Path=/; Secure; HttpOnly
status: 302
strict-transport-security: max-age=31536000 ; includeSubDomains
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
:authority: diff.uk
:method: GET
:path: /file/1756?size=l
:scheme: https
accept: image/webp,image/apng,image/*,*/*;q=0.8
accept-encoding: gzip,deflate,br
accept-language: en-GB,en-US;q=0.9,en;q=0.8
cache-control: no-cache
cookie: remember-me=Y3JtOjE2MDQxNzA1NTM3MDc6ZWMyM2ZkZTlmOWIzMDZkZDAyNGI4OTBkYzM1ZDViYjE; JSESSIONID=349EF51482FA88879BBF4BE02505279A
dnt: 1
pragma: no-cache
referer: https://example.co.uk/
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/78.0.3904.70 Safari/537.36
size: l

This is the successful response, received when the same request is sent immediately after receiving the 302 response:

Request URL: https://diff.uk/file/1756?size=l
Request Method: GET
Status Code: 200 
Remote Address: xxx.xxx.xxx.xxx:443
Referrer Policy: no-referrer-when-downgrade
cache-control: no-cache,must-revalidate
content-length: 15087
content-type: image/webp
date: Mon,04 Nov 2019 16:57:35 GMT
expires: 0
pragma: no-cache
status: 200
strict-transport-security: max-age=31536000 ; includeSubDomains
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
:authority: diff.uk
:method: GET
:path: /file/1756?size=l
:scheme: https
accept: image/webp,en;q=0.8
cache-control: no-cache
cookie: remember-me=Y3JtOjE2MDQxNzA1NTM3MDc6ZWMyM2ZkZTlmOWIzMDZkZDAyNGI4OTBkYzM1ZDViYjE; JSESSIONID=5A70AE46A5ACA081947A728C20F92502
dnt: 1
pragma: no-cache
referer: https://example.co.uk/
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/78.0.3904.70 Safari/537.36
size: l

The difference between the two responses seems to be:

set-cookie: JSESSIONID=66AA54E923A9E7C3F95C5C8C092C6E6D; Path=/; Secure; HttpOnly

This is the error that Chrome shows:

A cookie associated with a cross-site resource at https://diff.uk/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Cross-Origin Read Blocking (CORB) blocked cross-origin response https://diff.uk/home with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.
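The captured headers, as an added example that is not part of the original post: the configuration below is my own illustration of what the `.rememberMe().authenticationSuccessHandler(...)` line does, under the assumption (a hypothesis, not stated anywhere in the question) that `customAuthenticationSuccessHandler` redirects to /home; the class name is invented.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

// Added illustration, not the question author's configuration. The class name and
// comments are invented; customAuthenticationSuccessHandler is the bean named in the
// question and is assumed (hypothesis) to redirect to /home after a successful login.
public class RememberMeRedirectExample extends WebSecurityConfigurerAdapter {

    private final AuthenticationSuccessHandler customAuthenticationSuccessHandler;

    public RememberMeRedirectExample(AuthenticationSuccessHandler handler) {
        this.customAuthenticationSuccessHandler = handler;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // permitAll() only skips the authorization check for /file/**; the
                // authentication filters earlier in the chain still run on every request.
                .antMatchers("/file/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                // This handler fires only on a POST to /login, so a redirect issued
                // here can never hit an <img> request.
                .successHandler(customAuthenticationSuccessHandler)
                .and()
            .rememberMe()
                // The key is an input to the remember-me token hash; use a long random
                // secret rather than a guessable literal such as "salt" (placeholder below).
                .key("<long-random-secret>")
                .tokenValiditySeconds(31536000);
                // Deliberately NOT added here:
                //   .authenticationSuccessHandler(customAuthenticationSuccessHandler)
                // With it, RememberMeAuthenticationFilter runs on any request that carries
                // a valid remember-me cookie but no live session (the <img> request after
                // the session timed out), auto-authenticates the user, and then calls the
                // handler instead of continuing the filter chain. The image request thus
                // ends as a 302; a new session is created along the way, which matches the
                // Set-Cookie: JSESSIONID and the Location: /home (not /login) in the capture.
                // Without it, the filter continues the chain and FileFetchController
                // serves the bytes with 200, as in the second capture.
    }
}
```

The quickest check is to repeat the expired-session request with the remember-me cookie removed: if the 302 disappears, the remember-me path is the one issuing it.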
