我正在使用Spring Security 3.1,我遇到会话超时的问题
我在 web.xml 中设置了会话超时,如下所示:
<!-- Container-level idle timeout for the HttpSession, in minutes (45 here, as the text above states).
     This is enforced by the servlet container, not by Spring Security.
     NOTE(review): the value sits on its own line surrounded by whitespace; whether a given container
     trims it before parsing is implementation-specific, so the conventional form is
     <session-timeout>45</session-timeout> on a single line. Confirm against the container in use. -->
<session-config>
<session-timeout>
45
</session-timeout>
</session-config>
所以会话应在45分钟后过期
但是我注意到会话在 2 分钟后就已经完全过期了!我是否遗漏了什么?
这些是我的 Spring Security bean 配置:
<!-- Concurrent-session check. On each request the filter looks the current session id up in
     sessionRegistry; if the registry has flagged that session as expired, the logoutHandlers run
     and the client is redirected to expiredUrl.
     NOTE(review): expiredUrl is exactly the URL the question reports being redirected to
     (/admin/login.jsp?error=expiredURL). A session reaches this state through the concurrent-session
     control strategy below (maximumSessions), not through the container's idle timeout. A
     container timeout instead produces an invalid session id, which is handled by
     sessionManagementFilterAdmin's invalidSessionStrategy (redirect to /admin/login.jsp with no
     error parameter). Which of the two redirects is observed tells you which mechanism fired. -->
<bean id="ConcurrentSessionFilterAdmin" class="org.springframework.security.web.session.ConcurrentSessionFilter">
<property name="sessionRegistry" ref="sessionRegistry"/>
<property name="logoutHandlers">
<list>
<ref bean = "logoutHandler"/>
</list>
</property>
<property name="expiredUrl" value="/admin/login.jsp?error=expiredURL"/>
</bean>
<!-- In-memory registry of live sessions per principal, shared by the filter above and the
     concurrent-session strategy below.
     NOTE(review): SessionRegistryImpl only learns that the container destroyed a session if an
     HttpSessionEventPublisher listener is declared in web.xml; that listener is not shown on this
     page. Confirm it is present, otherwise entries for timed-out sessions linger in the registry. -->
<bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" autowire="byType" />
<!-- Logout handler used by both the concurrent-session filter and logoutFilterAdmin. It clears
     the SecurityContext and, with its default settings, invalidates the HttpSession. -->
<bean id="logoutHandler"
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
</bean>
<!-- Loads the SecurityContext from the repository at the start of a request and stores it back at
     the end. -->
<bean id="securityContextPersistenceFilter"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<property name="securityContextRepository" ref="securityContextRepository"/>
</bean>
<!-- Stores the SecurityContext in the HttpSession. allowSessionCreation=false means the repository
     will not create a session on its own; presumably the session must already exist (e.g. created
     by a JSP) for the authentication to survive to the next request. Verify this matches intent,
     since it interacts with the other allowSessionCreation=false settings in this file. -->
<bean id="securityContextRepository"
class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
<property name="allowSessionCreation" value="false" />
</bean>
<!-- Explicit logout: requests to /admin/j_spring_security_logout run logoutHandler and then
     redirect to /admin/login.jsp. -->
<bean id="logoutFilterAdmin"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="/admin/login.jsp" />
<constructor-arg>
<list>
<ref bean="logoutHandler"/>
</list>
</constructor-arg>
<property name="filterProcessesUrl" value="/admin/j_spring_security_logout"></property>
</bean>
<!-- Form login at /admin/j_spring_security_check using the j_username / j_password parameters.
     On success sessionAuthenticationStrategy is applied (session fixation protection plus the
     concurrent-session limit), then authenticationSuccessHandlerAdmin redirects. On failure
     authenticationFailureHandlerAdmin redirects. allowSessionCreation=false: the filter will not
     create a session itself. -->
<bean id="usernamePasswordAuthenticationFilterAdmin"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="usernameParameter" value="j_username"/>
<property name="passwordParameter" value="j_password"/>
<property name="allowSessionCreation" value="false"/>
<property name="authenticationFailureHandler" ref="authenticationFailureHandlerAdmin"/>
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler" ref="authenticationSuccessHandlerAdmin"/>
<property name="continueChainBeforeSuccessfulAuthentication" value="false"/>
<property name="filterProcessesUrl" value="/admin/j_spring_security_check"/>
<property name="sessionAuthenticationStrategy" ref="sessionAuthenticationStrategy"/>
</bean>
<!-- Failed login: redirect to the login page with error=loginfailed. -->
<bean id="authenticationFailureHandlerAdmin"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/admin/login.jsp?error=loginfailed" />
</bean>
<!-- Successful login: replay the request saved in requestCache if there is one, otherwise go to
     /admin/index.html. -->
<bean id="authenticationSuccessHandlerAdmin"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="requestCache" ref="requestCache"/>
<property name="defaultTargetUrl" value="/admin/index.html"/>
</bean>
<!-- Saved-request cache backed by the HttpSession; shared by the success handler,
     requestCacheAwareFilter and exceptionTranslationFilter. -->
<bean id="requestCache" class="org.springframework.security.web.savedrequest.HttpSessionRequestCache"/>
<!-- Applied at login time. maximumSessions=1 limits each principal to one registered session;
     with the default exception behaviour (exceptionIfMaximumExceeded not set here), a second login
     by the same principal marks the earlier session as expired in sessionRegistry, after which
     ConcurrentSessionFilterAdmin redirects that earlier session to expiredUrl.
     migrateSessionAttributes=true is the session-fixation protection: the session is replaced by a
     new one on login and its attributes are copied across (this is the "new HttpSession after
     login" behaviour the answer below mentions).
     NOTE(review): a user logging in twice, e.g. from a second browser or tab, is the most direct
     way to trigger the expiredURL redirect with this setting; confirm whether that is happening. -->
<bean id="sessionAuthenticationStrategy"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<property name="maximumSessions" value="1" />
<property name="migrateSessionAttributes" value="true"/>
</bean>
<!-- HTTP Basic authentication for the admin area, sharing the same authenticationManager. -->
<bean id="basicAuthenticationFilterAdmin"
class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
<property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
<property name="authenticationManager" ref="authenticationManager"/>
</bean>
<bean id="authenticationDetailsSource"
class="org.springframework.security.authentication.AuthenticationDetailsSourceImpl"/>
<!-- Replays a request previously stored in requestCache once the user is authenticated. -->
<bean id="requestCacheAwareFilter"
class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter">
<constructor-arg ref="requestCache"/>
</bean>
<!-- Wraps the request so servlet-API methods such as isUserInRole() consult the SecurityContext;
     rolePrefix is prepended to the role name passed to isUserInRole(). -->
<bean id="securityContextHolderAwareRequestFilter"
class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">
<property name="rolePrefix" value="ROLE_"/>
</bean>
<!-- Populates an anonymous Authentication when no other filter has authenticated the request.
     NOTE(review): the constructor argument is the shared key the anonymous provider checks; a
     literal placeholder such as "KEY" should be replaced by a non-guessable value before
     deployment, and the same value must be configured on the matching provider (not shown here). -->
<bean id="anonymousAuthenticationFilter"
class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
<constructor-arg value="KEY"/>
</bean>
<!-- Session management for requests that were not authenticated by a login filter (e.g. a session
     re-used from a cookie). Applies sessionAuthenticationStrategy if needed and, when the request
     carries a session id that is no longer valid, such as one the container has timed out, hands
     off to invalidSessionStrategyAdmin. -->
<bean id="sessionManagementFilterAdmin" class="org.springframework.security.web.session.SessionManagementFilter">
<constructor-arg ref="securityContextRepository"/>
<constructor-arg ref="sessionAuthenticationStrategy"/>
<property name="authenticationFailureHandler" ref="authenticationFailureHandlerAdmin"/>
<property name="invalidSessionStrategy" ref="invalidSessionStrategyAdmin"/>
</bean>
<!-- Invalid (e.g. timed-out) session id: redirect to /admin/login.jsp without creating a
     replacement session. Note this URL has no error parameter, unlike the expiredUrl above. -->
<bean id="invalidSessionStrategyAdmin"
class="org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy">
<constructor-arg value="/admin/login.jsp"/>
<property name="createNewSession" value="false"/>
</bean>
<!-- Translates AuthenticationException / AccessDeniedException raised further down the chain
     into an entry-point or access-denied response, saving the request in requestCache first. -->
<bean id="exceptionTranslationFilter"
class="org.springframework.security.web.access.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
<property name="accessDeniedHandler" ref="accessDeniedHandler" />
<property name="requestCache" ref="requestCache"/>
</bean>
<!-- Unauthenticated access to a protected URL answers 403 rather than redirecting to the login
     page. -->
<bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint">
</bean>
<bean id="accessDeniedHandler"
class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
</bean>
<!-- URL authorization: decisions come from accessDecisionManager using the metadata supplied by
     the custom myFilterInvocationSecurityMetadataSource below. -->
<bean id="filterSecurityInterceptorAdmin"
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="accessDecisionManager" />
<property name="securityMetadataSource" ref="myFilterInvocationSecurityMetadataSource" />
</bean>
<!-- Project-specific metadata source (class not shown on this page); prototype scope with
     by-name autowiring. -->
<bean id="myFilterInvocationSecurityMetadataSource" class="com.datx.security.model.MyFilterSecurityMetadataSource" autowire="byName" scope="prototype">
</bean>
两分钟后,我被重定向到 /admin/login.jsp?error=expiredURL,这是在第一个 bean(ConcurrentSessionFilterAdmin)的 expiredUrl 属性中设置的。(这意味着会话已过期)
问题是:这些 bean 中的哪一个负责让会话过期?是我漏设了哪个属性导致了这个问题?
答案 0 :(得分:0)
Spring Security 依赖底层容器,也就是说,管理会话超时的是容器本身(请补充您所使用的容器的信息)。不过,我认为如果服务器符合 Java EE 规范,web.xml 中的设置通常应具有更高的优先级。
也可以通过调用 HttpSession.setMaxInactiveInterval() 方法动态调整单个会话的超时时间,或者通过调用 invalidate() 使会话失效。
在某些情况下,Spring Security可能会使会话无效(例如,登录后,用户会获得一个新的HttpSession)。
此外,会话失效也可能由 Spring Security 的并发会话控制机制引起,例如指定了 max-sessions 值时(在您的配置中,对应的是 sessionAuthenticationStrategy 上的 maximumSessions=1)。
您可以将 org.springframework.security.* 命名空间的日志级别设为 DEBUG,以检查 Spring Security 何时使会话失效,因为 Spring 通常会将此类信息写入日志。