我在Spring mvc webapp上使用spring security,我正在尝试实现自定义会话到期。我的要求是会话到期时我需要检索会话过期的用户,然后从他们的安全上下文中抓取一些内容并将其写入重定向URL。
我面临的问题是,在会话超时时,安全上下文不是会话超时的用户。相反,安全上下文以匿名用户身份出现。
如何让org.springframework.security.web.session.SessionManagementFilter将会话超时的用户传递给onInvalidSessionDetected(request,response);
这是SessionManagementFilter中的方法,我需要以某种方式获取会话超时发生的用户并将其传递给invalidSessionStrategy。或者我可以在invalidSessionStrategy中获取它。
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
if (request.getAttribute(FILTER_APPLIED) != null) {
chain.doFilter(request, response);
return;
}
request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
if (!securityContextRepository.containsContext(request)) {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication != null && !authenticationTrustResolver.isAnonymous(authentication)) {
// The user has been authenticated during the current request, so call the session strategy
try {
sessionAuthenticationStrategy.onAuthentication(authentication, request, response);
} catch (SessionAuthenticationException e) {
// The session strategy can reject the authentication
logger.debug("SessionAuthenticationStrategy rejected the authentication object", e);
SecurityContextHolder.clearContext();
failureHandler.onAuthenticationFailure(request, response, e);
return;
}
// Eagerly save the security context to make it available for any possible re-entrant
// requests which may occur before the current request completes. SEC-1396.
securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);
} else {
// No security context or authentication present. Check for a session timeout
if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
logger.debug("Requested session ID" + request.getRequestedSessionId() + " is invalid.");
if (invalidSessionStrategy != null) {
invalidSessionStrategy.onInvalidSessionDetected(request, response);
return;
}
}
}
}
chain.doFilter(request, response);
}
当我进行身份验证身份验证= securityContext.getAuthentication();在onInvalidSessionDetected里面我得到一个匿名用户,这不是我想要的。
感谢