会话超时到期时我需要一个特殊的重定向。所以我试图通过在SESSION_MANAGEMENT_FILTER级别的过滤器中使用它来应用自定义InvalidSessionStrategy。 我有以下安全配置
<!-- Spring Security namespace configuration for the web filter chain: no auto-config,
     a custom authentication entry point, and HTTP sessions created only when required. -->
<http auto-config="false" entry-point-ref="customAuthenticationEntryPoint" create-session="ifRequired" >
<!-- NOTE(review): before="..." inserts this bean in front of the standard filter; it does not
     replace it. The namespace normally still registers its own SessionManagementFilter, whose
     invalidSessionStrategy stays null unless it is configured through the session-management
     element (invalid-session-strategy-ref, Spring Security 4.0+). A breakpoint in doFilter() can
     therefore stop in that second instance. TODO confirm against the version in use. -->
<custom-filter before="SESSION_MANAGEMENT_FILTER" ref="customSessionManagementFilter" />
<custom-filter before="BASIC_AUTH_FILTER" ref="customAuthFilter" />
<!-- Only these two URL patterns carry an access rule in this snippet; any other path
     (for example the "/api" URLs handled by CustomInvalidSessionStrategy) has no
     intercept-url here. Verify how such requests are meant to be authorised. -->
<intercept-url pattern="/userpage*" access="hasRole('USER')" />
<intercept-url pattern="/greetpage*" access="hasAnyRole('USER')" />
<logout logout-url="/logout" success-handler-ref="customLogoutSuccessHandler" />
<headers>
<!-- Pages may be framed only by documents from the same origin. -->
<frame-options policy="SAMEORIGIN" />
</headers>
<!-- NOTE(review): CSRF protection is switched off while authentication is session based
     (create-session="ifRequired"), so state-changing requests from a browser are accepted
     without a CSRF token. Re-enable it unless another defence covers every browser-facing
     endpoint. -->
<csrf disabled="true" />
</http>
<!-- Hand-built SessionManagementFilter: reads the security context from the HTTP session
     and delegates invalid-session handling to customInvalidSessionStrategy. -->
<beans:bean id="customSessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
<beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
<!-- Injected through the setter. NOTE(review): the filter consults this strategy only for
     requests that actually pass through this filter instance and that present a session id
     the container no longer considers valid; confirm the failing request meets both. -->
<beans:property name="invalidSessionStrategy" ref="customInvalidSessionStrategy" />
</beans:bean>
<!-- Strategy that issues the redirect; its collaborator is passed as a constructor argument. -->
<beans:bean id="customInvalidSessionStrategy" class="com.test.CustomInvalidSessionStrategy">
<beans:constructor-arg name="customHandlerService" ref="customHandlerService"/>
</beans:bean>
<!-- Repository that stores the SecurityContext in the HttpSession. -->
<beans:bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
<!-- Application service used by the strategy to compute the logout redirect URL. -->
<beans:bean id="customHandlerService" class="com.test.CustomHandlerService" />
和CustomInvalidSessionStrategy
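/**
 * Redirects the client when the session management filter reports a request that carries
 * an invalid session id.
 *
 * <p>Requests whose path contains {@code /api} are redirected to the URL returned by
 * {@code CustomHandlerService.getRedirectLogoutUrl}; every other request gets a new
 * session and is redirected back to the URL it originally asked for.
 */
public class CustomInvalidSessionStrategy implements InvalidSessionStrategy {

    private final CustomHandlerService customHandlerService;
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    /**
     * @param customHandlerService service that maps a referer URL to the logout redirect URL
     */
    @Autowired
    public CustomInvalidSessionStrategy(CustomHandlerService customHandlerService) {
        this.customHandlerService = customHandlerService;
    }

    /**
     * Sends the redirect for a request with an invalid session.
     *
     * @param request the request that presented the invalid session id
     * @param response the response used to send the redirect
     * @throws IOException if the redirect cannot be written
     * @throws ServletException declared by the {@code InvalidSessionStrategy} contract
     */
    @Override
    public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // Decide on the request path only. The full URL also holds scheme, host and query
        // string, so a host such as "api.example.com" (the text "//api" contains "/api") or a
        // query parameter holding "/api" would otherwise select the API branch.
        if (request.getRequestURI().contains("/api")) {
            // The Referer header is supplied by the client: it may be absent (null) or forged.
            // NOTE(review): getRedirectLogoutUrl is not visible here. It has to tolerate null and
            // restrict its result to known application URLs; otherwise the redirect target is
            // controlled by whoever crafted the request.
            String refererUrl = request.getHeader("referer");
            String logoutTarget = customHandlerService.getRedirectLogoutUrl(refererUrl);
            redirectStrategy.sendRedirect(request, response, logoutTarget);
            return;
        }

        // A new session is created before redirecting, presumably so that the follow-up
        // request is not rejected again for the same invalid session id.
        request.getSession(true);
        redirectStrategy.sendRedirect(request, response, getRequestUrl(request));
    }

    /**
     * Rebuilds the URL the client requested, including the query string when one is present.
     *
     * <p>NOTE(review): the host part is taken from the request as the container reports it;
     * behind a reverse proxy, confirm that the Host header is validated before it reaches here.
     */
    private String getRequestUrl(HttpServletRequest request) {
        StringBuffer url = request.getRequestURL();
        String query = request.getQueryString();
        if (StringUtils.hasText(query)) {
            url.append("?").append(query);
        }
        return url.toString();
    }
}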
问题是我的CustomInvalidSessionStrategy永远不会被调用。
通过SessionManagementFilter.doFilter()中的断点,我看到它的invalidSessionStrategy为null,尽管SessionManagementFilter.setInvalidSessionStrategy()确实已将自定义过滤器设置给它。
非常感谢任何建议, 感谢
答案 0 :(得分:0)
这个问题无效。问题是ajax把请求发送到了其他url,而该url没有配置为使用自定义消息过滤器。这就是无效会话策略为空的原因。