更新的问题:
我有一个使用EmbeddedTomcat和Spring-Security的spring-boot 1.1.3.RELEASE项目。我暂时发布了这个问题,但是这个问题没有得到解答(对那些看到那篇帖子而且没有意义的人道歉。希望这个更好)
这是我的设置: 的的build.gradle:
project.ext {
springBootVersion = '1.1.3.RELEASE'
}
dependencies {
compile("org.springframework.boot:spring-boot-starter-web:$springBootVersion")
compile("org.springframework.boot:spring-boot-starter-thymeleaf")
compile("org.springframework.boot:spring-boot-starter-security")
compile("org.springframework.boot:spring-boot-starter-data-jpa:$springBootVersion")
compile("org.springframework.security:spring-security-web:4.0.0.M1")
compile("org.springframework.security:spring-security-config:4.0.0.M1")
compile('org.thymeleaf.extras:thymeleaf-extras-springsecurity3:2.1.1.RELEASE')
compile("org.hibernate:hibernate-core:4.3.4.Final")
compile("org.hibernate:hibernate-entitymanager:4.3.4.Final")
compile("org.hibernate:hibernate-validator")
compile("com.h2database:h2:1.3.172")
compile("joda-time:joda-time:2.3")
// compile("org.thymeleaf:thymeleaf-spring4")
compile("org.codehaus.groovy.modules.http-builder:http-builder:0.7.1")
compile('org.codehaus.groovy:groovy-all:2.2.1')
compile('org.jadira.usertype:usertype.jodatime:2.0.1')
compile("org.liquibase:liquibase-core")
testCompile('org.spockframework:spock-core:1.0-groovy-2.0-SNAPSHOT') {
exclude group: 'org.codehaus.groovy', module: 'groovy-all'
}
testCompile('org.spockframework:spock-spring:1.0-groovy-2.0-SNAPSHOT') {
exclude group: 'org.spockframework', module: 'spock-core'
exclude group: 'org.spockframework', module: 'spring-beans'
exclude group: 'org.spockframework', module: 'spring-test'
exclude group: 'org.codehaus.groovy', module: 'groovy-all'
}
testCompile("org.springframework.boot:spring-boot-starter-test:$springBootVersion")
testCompile('org.codehaus.groovy.modules.http-builder:http-builder:0.7+')
testCompile("junit:junit")
}
我的主要课程:
@ComponentScan
@EnableAutoConfiguration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class OFAC {
public static void main(String[] args) {
ApplicationContext ofac = SpringApplication.run( OFAC.class, args );
}
}
我的主要配置:
@Configuration
@EnableScheduling
public class OFAConfiguration {
@Autowired
private ConfigurationSettings configurationSettings;
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public EmbeddedServletContainerCustomizer servletContainerCustomizer() {
return new SessionTimeoutEmbeddedServletContainerCustomizer();
}
}
Marten推荐的embeddedServletContainer:
public class SessionTimeoutEmbeddedServletContainerCustomizer implements EmbeddedServletContainerCustomizer {
@Autowired
private ConfigurationSettings configurationSettings;
@Override
public void customize(ConfigurableEmbeddedServletContainer configurableEmbeddedServletContainer) {
int port = 9000;
TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) configurableEmbeddedServletContainer;
if ( configurationSettings.getServerPort() != null ) {
port = Integer.parseInt( configurationSettings.getServerPort() );
}
tomcat.setPort( port );
tomcat.addErrorPages( new ErrorPage( HttpStatus.NOT_FOUND, "/notfound.html" ) );
}
}
我的安全配置:
@Configuration
@EnableWebMvcSecurity
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Autowired
private DataSource datasource;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/resources/**").permitAll()
.antMatchers("/css/**").permitAll()
.antMatchers("/libs/**").permitAll();
http
.formLogin().failureUrl("/login?error")
.defaultSuccessUrl("/")
.loginPage("/login")
.permitAll()
.and()
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/")
.permitAll();
http
.sessionManagement()
.maximumSessions(1)
.expiredUrl("/login?expired")
.maxSessionsPreventsLogin(true)
.and()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.invalidSessionUrl("/");
http
.authorizeRequests().anyRequest().authenticated();
}
和
@Order(Ordered.HIGHEST_PRECEDENCE)
@Configuration
public class AuthenticationSecurity extends GlobalAuthenticationConfigurerAdapter {
// no code actually
}
在我的application.properties中,我有五分钟的超时时间:
server.session-timeout=300
当我启动时,我会看到以下日志消息:
2014-07-08 14:02:18.735 INFO 69422 --- [ main] ationConfigEmbeddedWebApplicationContext : Refreshing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@340b9eec: startup date [Tue Jul 08 14:02:18 MDT 2014]; root of context hierarchy
2014-07-08 14:02:20.827 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.scheduling.annotation.SchedulingConfiguration' of type [class org.springframework.scheduling.annotation.SchedulingConfiguration$$EnhancerBySpringCGLIB$$75b53f01] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:20.983 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration' of type [class org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration$$EnhancerBySpringCGLIB$$6ac51dc6] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.016 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'transactionAttributeSource' of type [class org.springframework.transaction.annotation.AnnotationTransactionAttributeSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.035 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'transactionInterceptor' of type [class org.springframework.transaction.interceptor.TransactionInterceptor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.047 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.transaction.config.internalTransactionAdvisor' of type [class org.springframework.transaction.interceptor.BeanFactoryTransactionAttributeSourceAdvisor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.097 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration' of type [class org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration$$EnhancerBySpringCGLIB$$38601c80] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.118 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'objectPostProcessor' of type [class org.springframework.security.config.annotation.configuration.AutowireBeanFactoryObjectPostProcessor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.120 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler@2f8ffdc4' of type [class org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.177 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'authenticationSecurity' of type [class com.edelweissco.ofac.configuration.AuthenticationSecurity$$EnhancerBySpringCGLIB$$85675816] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.199 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'enableGlobalAuthenticationAutowiredConfigurer' of type [class org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$EnableGlobalAuthenticationAutowiredConfigurer] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.218 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration' of type [class org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$$EnhancerBySpringCGLIB$$2da1b835] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.219 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration' of type [class org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration$$EnhancerBySpringCGLIB$$c09573b2] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.250 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'methodSecurityMetadataSource' of type [class org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.258 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'metaDataSourceAdvisor' of type [class org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.934 INFO 69422 --- [ main] .t.TomcatEmbeddedServletContainerFactory : Server initialized with port: 9001
2014-07-08 14:02:22.213 INFO 69422 --- [ main] o.apache.catalina.core.StandardService : Starting service Tomcat
2014-07-08 14:02:22.213 INFO 69422 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet Engine: Apache Tomcat/7.0.54
2014-07-08 14:02:22.363 INFO 69422 --- [ost-startStop-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2014-07-08 14:02:22.364 INFO 69422 --- [ost-startStop-1] o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 3631 ms
2014-07-08 14:02:24.157 INFO 69422 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@6e3afd5, org.springframework.security.web.context.SecurityContextPersistenceFilter@96219e4, org.springframework.security.web.header.HeaderWriterFilter@12cad708, org.springframework.security.web.csrf.CsrfFilter@78688290, org.springframework.security.web.authentication.logout.LogoutFilter@655490cd, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@331b7b16, org.springframework.security.web.session.ConcurrentSessionFilter@5d42f8e3, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@750bff35, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1dd0a8c0, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@4e2ccc7b, org.springframework.security.web.session.SessionManagementFilter@7b54be6d, org.springframework.security.web.access.ExceptionTranslationFilter@5497e581, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@16254dd7]
2014-07-08 14:02:24.242 INFO 69422 --- [ost-startStop-1] o.s.b.c.e.ServletRegistrationBean : Mapping servlet: 'dispatcherServlet' to [/]
2014-07-08 14:02:24.244 INFO 69422 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'springSecurityFilterChain' to: [/*]
2014-07-08 14:02:24.244 INFO 69422 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'hiddenHttpMethodFilter' to: [/*]
..
2014-07-08 14:02:31.240 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/**/favicon.ico] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2014-07-08 14:02:31.357 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/about],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.AboutController.get(org.springframework.ui.Model)
2014-07-08 14:02:31.357 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/admin],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.AdminController.displayUpload(org.springframework.ui.Model)
2014-07-08 14:02:31.358 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/upload],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.CustomerDataController.displayUpload(org.springframework.ui.Model)
2014-07-08 14:02:31.358 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/customerFile],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.CustomerDataController.handleFileUpload(org.springframework.web.multipart.MultipartFile,org.springframework.ui.Model,org.springframework.security.core.Authentication)
2014-07-08 14:02:31.358 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/fileDownloadService],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.util.List<java.lang.String> com.edelweissco.ofac.controller.FileDownloadController.index()
2014-07-08 14:02:31.359 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/search],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.SearchController.getSearchCustomerForm(org.springframework.ui.Model)
2014-07-08 14:02:31.359 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/searchTreasuryData],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.SearchController.searchTreasury(com.edelweissco.ofac.model.SdnSearch,org.springframework.ui.Model)
2014-07-08 14:02:31.360 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/status],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.StatusController.get(org.springframework.ui.Model)
2014-07-08 14:02:31.360 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/refreshData],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.StatusController.searchCustomer(org.springframework.ui.Model)
2014-07-08 14:02:31.366 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/error],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.http.ResponseEntity<java.util.Map<java.lang.String, java.lang.Object>> org.springframework.boot.autoconfigure.web.BasicErrorController.error(javax.servlet.http.HttpServletRequest)
2014-07-08 14:02:31.366 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/error],methods=[],params=[],headers=[],consumes=[],produces=[text/html],custom=[]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.boot.autoconfigure.web.BasicErrorController.errorHtml(javax.servlet.http.HttpServletRequest)
2014-07-08 14:02:31.379 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/about] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/status] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/home] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/login] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/search] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/upload] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Root mapping to handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/admin] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.397 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2014-07-08 14:02:31.397 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/webjars/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2014-07-08 14:02:32.907 INFO 69422 --- [ main] o.s.j.e.a.AnnotationMBeanExporter : Registering beans for JMX exposure on startup
2014-07-08 14:02:33.112 INFO 69422 --- [ main] s.b.c.e.t.TomcatEmbeddedServletContainer : Tomcat started on port(s): 9001/http
2014-07-08
所以我能够登录。但是如果让它保持不活动状态,我仍然可以登录并能够使用完整的授权功能。我尝试使用来自两个不同浏览器的相同凭据登录,第二次尝试失败并显示“无效的用户名/密码”,因此我认为正在拾取并发会话设置。 FireBug或浏览器开发工具没有选择任何AJAX调用。
任何人都可以看到错误是什么吗?
答案 0 :(得分:12)
因此,为了让嵌入式Tomcat遵守会话超时,当您使用server.session-timeout值时,请在几分钟而不是几秒钟内使用它。我以前的尝试是使用server.session-timeout = 300,等待至少45分钟后,超时从未发生过。但是,我将HttpSessionListener bean与system.outs一起添加到sessionCreated()和sessionDestroyed()上的消息。在application.properties设置为server.session-timeout=5的情况下,我看到会话在5分钟不活动后被破坏。
因此,我现在可以使用这些参数控制会话长度。感谢M. Deinum和Dave Sayers的帮助和建议。如果没有别的,你真的帮我清理了我的代码并更多地了解了Spring。
答案 1 :(得分:4)
我建议你看看this,它解释了如何修改嵌入式tomcat。不要尝试引导自己的容器,而是让spring启动它并使用EmbeddedServletContainerCustomizer来修改你需要的东西。
public class SessionTimeoutEmbeddedServletContainerCustomizer implements EmbeddedServletContainerCustomizer {
@Override
public void customize(ConfigurableEmbeddedServletContainer configurableEmbeddedServletContainer) {
TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) configurableEmbeddedServletContainer;
tomcat.setSessionTimeout(30, TimeUnit.MINUTES);
tomcat.addErrorPages(new ErrorPage(HttpStatus.NOT_FOUND, "/notfound.html"));
}
}
然后从配置中删除容器,并将其替换为构建此自定义程序的@Bean方法。 (我可能会将它作为@Bean方法添加到入门类中,这样就可以将所有内容与在一个类中引导应用程序相关联!)。
@Configuration
public class OFAConfiguration {
@Bean
public EmbeddedServletContainerCustomizer servletContainerCustomizer() {
return new SessionTimeoutEmbeddedServletContainerCustomizer();
}
}
这样做的好处是Spring Boot仍然可以使用servlet容器完成所有工作,并且只需要修改所需的内容。
我注意到的其他一些事情首先是你的依赖项有点乱,你的配置包含很多。
<强>依赖关系
<强>配置
您的配置包含多个@EnableJpaRepositories,您可以在Spring Boot检测到Spring Data JPA的存在时将其删除,并为您和@EnableTransactionManagement
您的主类扩展WebMvcConfigurerAdapter,因为Spring Boot也检测并配置了它,因此不需要它。
@ComponentScan
@EnableAutoConfiguration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class OFAC {
public static void main(String[] args) {
ApplicationContext ofac = SpringApplication.run( OFAC.class, args );
}
}
这应该是您的入门课程所需的全部内容。
答案 2 :(得分:4)
截至当前版本(http://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html) 有错字,属性是:server.session.timeout
答案 3 :(得分:2)
只是为了更新这个,因为我一直在寻找答案,而且无法轻易找到答案:
你可以设置 server.session.cookie.max年龄=
在您的application.properties中在一段时间后强制注销。
这个实际上使用秒而不是分钟作为整数值。所以把它设置为像120这样的合理的2分钟。
答案 4 :(得分:0)
事情发生了变化,但是从Spring boot 2.1.3(具有Spring web 5.1.5,可以选择添加Spring Session 2.1.4)开始,该属性现在为
server.servlet.session.timeout = <您的值>> <单位>
例如,要设置的值可以是1800秒(1800秒)或30m(30分钟)
spring会话属性 spring.session.timeout (如果未配置)将退回到上面的属性。