I am trying to implement a custom session timeout handler with Spring Security in order to add a dynamic parameter to the redirect URL, and I am running into a problem where I end up in an infinite loop but I don't know why. I was wondering if someone could enlighten me on this?
<http use-expressions="true" auto-config="false" entry-point-ref="loginUrlAuthenticationEntryPoint">
    <!-- custom filters -->
    <custom-filter position="FORM_LOGIN_FILTER" ref="twoFactorAuthenticationFilter" />
    <custom-filter after="SECURITY_CONTEXT_FILTER" ref="securityLoggingFilter"/>
    <custom-filter before="SESSION_MANAGEMENT_FILTER" ref="sessionManagementFilter" />
    <!-- session management -->
    <session-management session-fixation-protection="none" />
    <!-- error handlers -->
    <access-denied-handler error-page="/accessDenied.htm"/>
    <!-- logout -->
    <logout
        invalidate-session="false"
        delete-cookies="JSESSIONID"
        success-handler-ref="customUrlLogoutSuccessHandler"/>
    <!-- authorize pages -->
    <intercept-url pattern="/home.htm" access="isAuthenticated()" />
    <intercept-url pattern="/shortsAndOvers.htm" access="isAuthenticated()" />
    <intercept-url pattern="/shortsAndOversDaily.htm" access="isAuthenticated()" />
    <intercept-url pattern="/birtpage.htm" access="isAuthenticated()" />
    <intercept-url pattern="/reports/show.htm" access="isAuthenticated()" />
</http>

<beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
    <beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
    <beans:property name="invalidSessionStrategy" ref="customSimpleRedirectInvalidSessionStrategy" />
</beans:bean>

<beans:bean id="customSimpleRedirectInvalidSessionStrategy" class="com.myer.reporting.security.CustomSimpleRedirectInvalidSessionStrategy">
    <beans:constructor-arg name="invalidSessionUrl" value="/sessionExpired.htm" />
    <beans:property name="createNewSession" value="false" />
</beans:bean>

<beans:bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
So far so good. When I get a session timeout, the code in CustomSimpleRedirectInvalidSessionStrategy.onInvalidSessionDetected is called....
package com.myer.reporting.security;

import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.util.Assert;

// ReportingManagerUser and ParamConstants are the application's own classes (not shown in the
// question); they are assumed to live in this package.
public class CustomSimpleRedirectInvalidSessionStrategy implements InvalidSessionStrategy {
    private final Log logger = LogFactory.getLog(getClass());
    private final String destinationUrl;
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
    private boolean createNewSession = true; // set to false by the bean definition above

    public CustomSimpleRedirectInvalidSessionStrategy(String invalidSessionUrl) {
        Assert.isTrue(UrlUtils.isValidRedirectUrl(invalidSessionUrl), "url must start with '/' or with 'http(s)'");
        this.destinationUrl = invalidSessionUrl;
    }

    public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response) throws IOException {
        logger.debug("Starting new session (if required) and redirecting to '" + destinationUrl + "'");
        SecurityContext securityContext = SecurityContextHolder.getContext();
        String store = null;
        ReportingManagerUser user = null;
        if (securityContext != null) {
            Authentication authentication = securityContext.getAuthentication();
            // Only a real (non-anonymous) login carries a ReportingManagerUser principal;
            // the instanceof check avoids a ClassCastException for any other principal type.
            if (authentication != null && !(authentication instanceof AnonymousAuthenticationToken)
                    && authentication.getPrincipal() instanceof ReportingManagerUser) {
                user = (ReportingManagerUser) authentication.getPrincipal();
                store = user.getStore();
            }
        }
        String amendedTargetUrl;
        if (user != null && user.isLoggedInWithSiteId() && store != null) {
            // URL-encode the store value so it cannot smuggle extra parameters into the query string.
            amendedTargetUrl = destinationUrl
                    + ParamConstants.PARAM_PREFIX + ParamConstants.PARAM_SITE_ID + ParamConstants.PARAM_EQ
                    + URLEncoder.encode(store, "UTF-8");
        } else {
            amendedTargetUrl = destinationUrl;
        }
        if (createNewSession) {
            request.getSession(); // issue a fresh session so the browser stops re-sending the stale id
        }
        redirectStrategy.sendRedirect(request, response, amendedTargetUrl);
    }

    public void setCreateNewSession(boolean createNewSession) {
        this.createNewSession = createNewSession;
    }
}
The code executes fine, but even after the redirect the code still falls into the onInvalidSessionDetected method instead of actually redirecting to what I configured in the invalidSessionUrl property.
I really don't understand.
Thanks in advance
Answer 0 (score: 0)
Stupid mistake. I hadn't excluded security on the redirect URL, so it tried to validate the jsession for that page and failed every time. lol
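The configuration change the answer describes, written out as an added example (this is not the original poster's config, it reuses the bean names from the question and assumes the Spring Security 3.1+ namespace, where several <http> elements with a pattern attribute are allowed). The invalid-session target /sessionExpired.htm gets its own <http> element with security="none", which keeps that request out of the filter chain altogether:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Must come BEFORE the main <http> element: one filter chain is built per <http>,
         and the first chain whose pattern matches the request wins. security="none"
         means no filter at all runs for this URL, so SessionManagementFilter never sees
         the stale JSESSIONID that the browser keeps sending with the redirected request. -->
    <http pattern="/sessionExpired.htm" security="none" />

    <!-- Everything else goes through the full chain, exactly as in the question. -->
    <http use-expressions="true" auto-config="false"
          entry-point-ref="loginUrlAuthenticationEntryPoint">
        <custom-filter position="FORM_LOGIN_FILTER" ref="twoFactorAuthenticationFilter" />
        <custom-filter after="SECURITY_CONTEXT_FILTER" ref="securityLoggingFilter" />
        <custom-filter before="SESSION_MANAGEMENT_FILTER" ref="sessionManagementFilter" />
        <session-management session-fixation-protection="none" />
        <access-denied-handler error-page="/accessDenied.htm" />
        <logout invalidate-session="false" delete-cookies="JSESSIONID"
                success-handler-ref="customUrlLogoutSuccessHandler" />
        <intercept-url pattern="/home.htm" access="isAuthenticated()" />
        <intercept-url pattern="/shortsAndOvers.htm" access="isAuthenticated()" />
        <intercept-url pattern="/shortsAndOversDaily.htm" access="isAuthenticated()" />
        <intercept-url pattern="/birtpage.htm" access="isAuthenticated()" />
        <intercept-url pattern="/reports/show.htm" access="isAuthenticated()" />
    </http>

    <beans:bean id="sessionManagementFilter"
                class="org.springframework.security.web.session.SessionManagementFilter">
        <beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
        <beans:property name="invalidSessionStrategy" ref="customSimpleRedirectInvalidSessionStrategy" />
    </beans:bean>

    <beans:bean id="customSimpleRedirectInvalidSessionStrategy"
                class="com.myer.reporting.security.CustomSimpleRedirectInvalidSessionStrategy">
        <beans:constructor-arg name="invalidSessionUrl" value="/sessionExpired.htm" />
        <beans:property name="createNewSession" value="false" />
    </beans:bean>

    <beans:bean id="httpSessionSecurityContextRepository"
                class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
</beans:beans>
```

Why an intercept-url with access="permitAll" is not enough: SessionManagementFilter runs before FilterSecurityInterceptor and flags any request that carries a requested session id that is no longer valid, regardless of the authorization rule for the URL. Because createNewSession is false, no fresh session is created on the redirect, so the browser re-sends the expired JSESSIONID cookie when it fetches /sessionExpired.htm, and the filter fires again; that is the loop. Excluding the page from the chain breaks it, and so would createNewSession="true" (Spring's default), which issues a new session id on the redirect. On Spring Security 3.0, where <http pattern=...> is not available, the equivalent is <intercept-url pattern="/sessionExpired.htm" filters="none" /> inside the single <http> element. One further caveat: when the session is already invalid, HttpSessionSecurityContextRepository cannot load a context for the request, so unless another filter in the chain has populated SecurityContextHolder, the Authentication seen in onInvalidSessionDetected will be null and the siteId branch will not run.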