在spring security 4中,并发会话不会重定向到过期的url

时间:2015-08-10 11:43:53

标签: spring-security session-management

在 Spring Security 4 中，并发会话（concurrent session）被置为过期后并不会重定向到配置的过期 URL（expiredUrl），而是重定向到登录失败 URL。以下是 Java 配置代码片段。

/*start of code*/
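public class SecurityContextConfig extends WebSecurityConfigurerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(SecurityContextConfig.class);

    /**
     * Registers the application's {@link UserDetailsAuthenticationProvider} with the global
     * {@link AuthenticationManagerBuilder}.
     *
     * @param auth the builder Spring injects for the global authentication manager
     * @throws Exception propagated from the builder, as its API declares
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        logger.debug("configureGlobal() : Start : auth={}", auth);
        // NOTE(review): calling the @Bean method directly only yields the same singleton when
        // this class is a @Configuration class (CGLIB-proxied); the annotations are not visible
        // here, so confirm that, or inject the provider instead of calling the factory method.
        auth.authenticationProvider(userDetailsAuthenticationProvider());
    }

    /**
     * Excludes static resources from the security filter chain entirely.
     *
     * @param web the web-security builder
     * @throws Exception propagated from the builder, as its API declares
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        logger.debug("configure() : Start : web={}", web);
        // Static content (JavaScript, CSS, etc.) must load on the login page before the user
        // has authenticated. ignoring() bypasses the whole filter chain for these paths, so no
        // security headers are added to those responses either; keep the pattern limited to
        // genuinely static, non-sensitive files.
        web.ignoring().antMatchers("/resources/**");
    }

    /**
     * Configures URL authorization, the login form, logout, CSRF, session-fixation protection,
     * concurrent-session control and the access-denied handler.
     *
     * <p>Only {@code /secure/**} requires authentication; the listed public paths are permitted
     * explicitly and any other path not matched by a rule is left unrestricted by this method.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder, as its API declares
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        logger.debug("configure() : Start : http={}", http);

        http
            .authorizeRequests()
                .antMatchers("/resources/**")
                    .permitAll()
                // "/login/**" also covers the expiredUrl and the access-denied page configured
                // below, both of which must be reachable by an unauthenticated user.
                .antMatchers("/login/**")
                    .permitAll()
                .antMatchers("/authenticate/**")
                    .permitAll()
                .antMatchers("/ssoLogout")
                    .permitAll()
                .antMatchers("/forgotpassword/json")
                    .permitAll()
                .antMatchers("/favicon.ico")
                    .permitAll()
                .antMatchers("/secure/**")
                    .authenticated()
            .and()

            // Login form:
            //   loginPage           - the page containing the login screen
            //   loginProcessingUrl  - the URL the login form is submitted to
            //   failureUrl          - where the user is sent after a failed login
            //   successHandler      - decides where the user goes after a successful login
            .formLogin()
                .loginPage("/")
                .loginProcessingUrl("/authenticate")
                .failureUrl("/")
                .successHandler(loginSuccessHandler())
            .and()

            // Logout: logoutUrl is the URL that triggers logout, logoutSuccessHandler decides
            // where the user is taken afterwards, and deleting the session cookie plus
            // invalidating the HTTP session makes sure nothing of the session survives.
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessHandler(logoutHandler())
                .deleteCookies("JSESSIONID")
                .invalidateHttpSession(true)
            .and()

            // CSRF protection is enabled by default for Java config; kept explicit for clarity.
            .csrf()
            .and()

            // Session management:
            //   - changeSessionId() keeps the session contents but issues a new id on
            //     authentication, which defeats session fixation (needs Servlet 3.1+).
            //   - maximumSessions(1) limits each user to one session; without
            //     maxSessionsPreventsLogin(true) a new login expires the older session, and the
            //     old session's next request is redirected to expiredUrl.
            // NOTE(review): that redirect only happens when the SessionRegistry still knows about
            // the old session and has marked it expired. The registry is only told about session
            // destruction if an HttpSessionEventPublisher listener is registered in the servlet
            // context; if it is missing (not visible here) the expired-session detection becomes
            // unreliable, which would explain the "sometimes works" behaviour - confirm.
            .sessionManagement()
                //.invalidSessionUrl("/login")
                .sessionFixation()
                .changeSessionId()
                .maximumSessions(1)
                    .expiredUrl("/login?reason=CONCURRENT_SESSION");

        http.exceptionHandling().accessDeniedHandler(accessDeniedHandler());

        logger.debug("configure() : End : http={}", http);
    }

    /**
     * Creates the handler invoked after a successful form login.
     *
     * @return a new {@link LoginSuccessHandler}
     */
    @Bean(name = "loginSuccessHandler")
    public LoginSuccessHandler loginSuccessHandler() {
        logger.debug("loginSuccessHandler() : Start.");
        LoginSuccessHandler loginSuccessHandler = new LoginSuccessHandler();
        logger.debug("loginSuccessHandler() : End : loginSuccessHandler={}", loginSuccessHandler);
        return loginSuccessHandler;
    }

    /**
     * Creates the handler invoked after a successful logout.
     *
     * @return a new {@link LogoutHandler}
     */
    @Bean(name = "logoutHandler")
    public LogoutHandler logoutHandler() {
        logger.debug("logoutHandler() : Start.");
        LogoutHandler logoutHandler = new LogoutHandler();
        logger.debug("logoutHandler() : End : logoutHandler={}", logoutHandler);
        return logoutHandler;
    }

    /**
     * Creates the authentication provider registered in {@link #configureGlobal}.
     *
     * @return a new {@link UserDetailsAuthenticationProvider}
     */
    @Bean(name = "authenticationProvider")
    public UserDetailsAuthenticationProvider userDetailsAuthenticationProvider() {
        logger.debug("userDetailsAuthenticationProvider() : Start.");
        UserDetailsAuthenticationProvider authenticationProvider = new UserDetailsAuthenticationProvider();
        logger.debug("userDetailsAuthenticationProvider() : End : authenticationProvider={}", authenticationProvider);
        return authenticationProvider;
    }

    /**
     * Creates the handler used when an authenticated user is denied access.
     *
     * <p>{@link AccessDeniedHandlerImpl} forwards to the configured error page, so the page must
     * be reachable without further authorization ({@code /login/**} is permitted above).
     *
     * @return a new {@link AccessDeniedHandlerImpl} pointing at the login page
     */
    @Bean(name = "accessDeniedHandler")
    public AccessDeniedHandlerImpl accessDeniedHandler() {
        AccessDeniedHandlerImpl accessDeniedHandler = new AccessDeniedHandlerImpl();
        // The space in the reason value is percent-encoded so the URL is well-formed; the
        // decoded parameter value the login page receives is still "Access Denied".
        accessDeniedHandler.setErrorPage("/login?reason=Access%20Denied");
        return accessDeniedHandler;
    }
}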

过期 URL 的行为并不一致：有时能正常重定向到过期 URL，有时则不能。可能是什么问题？

1 个答案:

答案 0 :(得分:0)

问题在于,当它重定向到过期的URL时,您的用户无法访问该URL,因此会将用户发送到登录页面(与登录失败URL相同)。

您需要确保过期 URL 对每个用户（包括尚未认证的用户）都是可访问的，即对该路径使用 permitAll。例如：

http
    .authorizeRequests()
        .antMatchers("/login")
            .permitAll()
        ...