Spring安全自定义会话超时

时间:2014-02-14 02:01:23

标签: spring spring-mvc spring-security

我在Spring mvc webapp上使用spring security,我正在尝试实现自定义会话到期。我的要求是会话到期时我需要检索会话过期的用户,然后从他们的安全上下文中抓取一些内容并将其写入重定向URL。

我面临的问题是,在会话超时时,安全上下文不是会话超时的用户。相反,安全上下文以匿名用户身份出现。

如何让org.springframework.security.web.session.SessionManagementFilter将会话超时的用户传递给onInvalidSessionDetected(request,response);

这是SessionManagementFilter中的方法,我需要以某种方式获取会话超时发生的用户并将其传递给invalidSessionStrategy。或者我可以在invalidSessionStrategy中获取它。

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    if (request.getAttribute(FILTER_APPLIED) != null) {
        chain.doFilter(request, response);
        return;
    }

    request.setAttribute(FILTER_APPLIED, Boolean.TRUE);

    if (!securityContextRepository.containsContext(request)) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        if (authentication != null && !authenticationTrustResolver.isAnonymous(authentication)) {
         // The user has been authenticated during the current request, so call the session strategy
            try {
                sessionAuthenticationStrategy.onAuthentication(authentication, request, response);
            } catch (SessionAuthenticationException e) {
                // The session strategy can reject the authentication
                logger.debug("SessionAuthenticationStrategy rejected the authentication object", e);
                SecurityContextHolder.clearContext();
                failureHandler.onAuthenticationFailure(request, response, e);

                return;
            }
            // Eagerly save the security context to make it available for any possible re-entrant
            // requests which may occur before the current request completes. SEC-1396.
            securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);
        } else {
         // No security context or authentication present. Check for a session timeout
            if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
                logger.debug("Requested session ID" + request.getRequestedSessionId() + " is invalid.");

                if (invalidSessionStrategy != null) {
                    invalidSessionStrategy.onInvalidSessionDetected(request, response);
                    return;
                }
            }
        }
    }

    chain.doFilter(request, response);
}

当我进行身份验证身份验证= securityContext.getAuthentication();在onInvalidSessionDetected里面我得到一个匿名用户,这不是我想要的。

感谢

0 个答案:

没有答案