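Custom InvalidSessionStrategy is null when SessionManagementFilter is called on session timeout expiry

Time: 2015-09-09 08:04:19

Tags: java spring-mvc spring-security

I need a special redirect when the session timeout expires. So I am trying to apply a custom InvalidSessionStrategy by using it in a filter at the SESSION_MANAGEMENT_FILTER level. I have the following security configuration: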

<http auto-config="false" entry-point-ref="customAuthenticationEntryPoint"  create-session="ifRequired" >
    <custom-filter before="SESSION_MANAGEMENT_FILTER" ref="customSessionManagementFilter" />
    <custom-filter before="BASIC_AUTH_FILTER"  ref="customAuthFilter" />
    <intercept-url pattern="/userpage*" access="hasRole('USER')" />
    <intercept-url pattern="/greetpage*" access="hasAnyRole('USER')" />
    <logout logout-url="/logout" success-handler-ref="customLogoutSuccessHandler" />
    <headers>
    <frame-options policy="SAMEORIGIN" />
    </headers>
    <csrf disabled="true" />
</http>

<beans:bean id="customSessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
    <beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
    <beans:property name="invalidSessionStrategy" ref="customInvalidSessionStrategy" />
</beans:bean>

<beans:bean id="customInvalidSessionStrategy" class="com.test.CustomInvalidSessionStrategy">
    <beans:constructor-arg name="customHandlerService" ref="customHandlerService"/>
</beans:bean>

<beans:bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>

<beans:bean id="customHandlerService" class="com.test.CustomHandlerService" />

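and CustomInvalidSessionStrategy:

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.util.StringUtils;

public class CustomInvalidSessionStrategy implements InvalidSessionStrategy {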
    private CustomHandlerService customHandlerService;
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    @Autowired
    public CustomInvalidSessionStrategy(CustomHandlerService customHandlerService) {
        this.customHandlerService = customHandlerService;
    }

    @Override
    public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {

        String requestUrl = getRequestUrl(request);
        if(requestUrl.contains("/api")) {
            String refererUrl = request.getHeader("referer");
            String redirectUrl = customHandlerService.getRedirectLogoutUrl(refererUrl);
            redirectStrategy.sendRedirect(request, response, redirectUrl);
        } else {
            request.getSession(true);
            redirectStrategy.sendRedirect(request, response, requestUrl);
        }
    }

    private String getRequestUrl(HttpServletRequest request) {
        StringBuffer requestURL = request.getRequestURL();

        String queryString = request.getQueryString();
        if (StringUtils.hasText(queryString)) {
            requestURL.append("?").append(queryString);
        }

        return requestURL.toString();
    }
}

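The problem is that my CustomInvalidSessionStrategy never gets called.

From a breakpoint in SessionManagementFilter.doFilter(), I see that its invalidSessionStrategy is null, even though SessionManagementFilter.setInvalidSessionStrategy() DID set the custom filter to it.

Any suggestions are much appreciated. Thanks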

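1 answer:

Answer 0: (score: 0)

This question is invalid. The problem was that ajax was sending the request to another url, which was not configured to use the custom message filter. That is why the invalid session strategy was null.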
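
One way to check which paths actually pass through the customSessionManagementFilter bean, as an added example (not code from the question or the answer): it asks Spring Security's FilterChainProxy for the filters that apply to a path and reports every SessionManagementFilter it finds. The class name and the paths you pass in are assumptions; FilterChainProxy.getFilters(String) is a convenience method meant mainly for testing.

```java
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;

import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.session.SessionManagementFilter;

// Added diagnostic; the class name is hypothetical and not part of the original post.
public class SessionFilterCoverageCheck {
    private final FilterChainProxy filterChainProxy;    // the springSecurityFilterChain bean
    private final SessionManagementFilter customFilter; // the customSessionManagementFilter bean

    public SessionFilterCoverageCheck(FilterChainProxy filterChainProxy,
                                      SessionManagementFilter customFilter) {
        this.filterChainProxy = filterChainProxy;
        this.customFilter = customFilter;
    }

    // Describes every SessionManagementFilter in the chain that matches the servlet path.
    public List<String> describe(String path) {
        List<String> report = new ArrayList<String>();
        List<Filter> filters = filterChainProxy.getFilters(path);
        if (filters == null || filters.isEmpty()) {
            // No chain matched, or the matching chain has no filters at all.
            report.add(path + ": no security filters apply");
            return report;
        }
        for (int i = 0; i < filters.size(); i++) {
            Filter f = filters.get(i);
            if (f instanceof SessionManagementFilter) {
                // Identity comparison: a second instance is a different bean and does
                // not carry the invalidSessionStrategy set on the custom one.
                String which = (f == customFilter) ? "custom bean" : "different instance";
                report.add(path + ": SessionManagementFilter at position " + i + " (" + which + ")");
            }
        }
        if (report.isEmpty()) {
            report.add(path + ": chain contains no SessionManagementFilter");
        }
        return report;
    }

    // True only when the custom bean is part of the chain handling this path.
    public boolean isCovered(String path) {
        List<Filter> filters = filterChainProxy.getFilters(path);
        return filters != null && filters.contains(customFilter);
    }
}
```

Calling describe() with a page path and with the path the ajax calls use shows whether both are handled by a chain that contains the custom bean.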