Invalidate session not working

Time: 2016-02-29 12:08:06

Tags: spring-mvc spring-security spring-session

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:global-method-security secured-annotations="enabled" />

    <security:http>
        <security:intercept-url pattern="/index*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/login123" access="ROLE_ADMIN" />
        <security:intercept-url pattern="/employee1" access="ROLE_EMPLOYEE" />
        <security:intercept-url pattern="/emppreviewshow" access="ROLE_EMPLOYEE" />
        <security:access-denied-handler error-page="/login" />

        <security:form-login login-page="/login" default-target-url="/index"
            authentication-failure-url="/fail2login"
            username-parameter="username"
            password-parameter="j_password" />
        <security:session-management invalid-session-url="/logout" session-fixation-protection="newSession">
            <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
        </security:session-management>
        <security:logout logout-success-url="/logout" delete-cookies="JSESSIONID" invalidate-session="true" />
    </security:http>

    <!-- BCrypt "strength" is the log2 of the work factor and must be between 4 and 31;
         the constructor rejects any other value (the original 255 would fail at startup) -->
    <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <constructor-arg name="strength" value="10" />
    </bean>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource"
                users-by-username-query=
                    "select username, password, enabled from USER_MASTER where username = ?"
                authorities-by-username-query=
                    "select username, USER_ROLE from USER_ROLE where username = ?" />
            <security:password-encoder ref="passwordEncoder" />
        </security:authentication-provider>
    </security:authentication-manager>

</beans>

When I click logout and then press the browser's back button, it still shows the old page. I want the same login URL to be shown when the back button is pressed in the browser.

3 answers:

Answer 0 (score: 1)

You can check whether the session is active in every method of the controller classes, i.e. in the request-mapped classes and methods. If the session is active, return the page; otherwise redirect to the login page.

Answer 1 (score: 0)

Welcome to the world of client versus server! Invalidating the session is an operation on the server. Assuming the session id is passed in a cookie, this means that the next request carrying that cookie will not be a member of the previous session, so you will trigger all the "please log in first" machinery.

But under normal conditions, pressing the back button on the browser does not send a new request; it just displays the last page from the local cache. So it is purely a client-side action.

As an application developer there is very little you can do. You could try to use javascript to hide the button, catch it, or clear the cache. But if I were you, I would not even think about it: you are likely to run into browser compatibility problems over something you should not care about. What the user reads locally is his own business. If he/she printed a hard copy of the page, you would not go and burn it with a lighter when the session ends. A cached page is the same thing: a local copy. That is why, on an explicit disconnect, you often see a message asking to close the browser window. It is the only way the user can make sure not to read an offline copy if he/she presses the back button.
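The local-cache behaviour described in this answer is exactly what lets the back button show a protected page after logout. The standard defender's fix is to tell the browser not to store those responses at all, so that the back button has to re-request the page and therefore hits the server-side session check. The following servlet filter is an added example and is not code from this answer or from the asker's project; it assumes it is registered in web.xml (or ahead of the protected URLs in the filter chain), and the class name is made up. Spring Security 3.2 and later emit these same headers by default through `<security:headers/>`, but the question's configuration targets 3.1, where the filter has to be written by hand.

```java
package example.web; // hypothetical package, not part of the original post

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Marks every response passing through it as non-cacheable, so the browser's
 * back button re-requests the page (and hits the session check on the server)
 * instead of rendering a copy from its local cache.
 */
public class NoStoreCacheFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration needed
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            applyNoStoreHeaders((HttpServletResponse) response);
        }
        // Headers are set before the chain runs so they are present even when a
        // downstream component commits the response early.
        chain.doFilter(request, response);
    }

    /** HTTP/1.1 and HTTP/1.0 directives; both are needed for older proxies and browsers. */
    static void applyNoStoreHeaders(HttpServletResponse response) {
        response.setHeader("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Map the filter to the protected URL patterns rather than to `/*`: with `no-store` on every response, static CSS and JavaScript stop being cached too, which costs bandwidth without adding protection. With these headers in place the back button after logout produces a fresh request carrying the now-invalid session cookie, and Spring Security's `intercept-url` rules send the user to the login page as the question asks.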

Answer 2 (score: 0)

I couldn't get it to work with invalidate-session. I just had to add "authentication-success-handler-ref" and set the session in it. After login, the session is set to true. After logout, the session is set to false.

Here is the code: Security-context.xml

<bean id="customAuthenticationSuccessHandler" class="org.dewbyte.corebank.utility.CustomAuthenticationSuccessHandler"/>

root-context.xml

<bean id="LogoutSuccessHandler" class="org.dewbyte.corebank.utility.LogoutSuccessHandler" />

CustomAuthenticationSuccessHandler class

package org.dewbyte.corebank.utility;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {

        // Flag the (fresh, post-fixation-protection) session as logged in;
        // the controllers read this attribute before rendering a page
        request.getSession().setAttribute("loginStatus", "true");
        String targetUrl = "/dashboard";
        redirectStrategy.sendRedirect(request, response, targetUrl);
    }

    public RedirectStrategy getRedirectStrategy() {
        return redirectStrategy;
    }

    public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
        this.redirectStrategy = redirectStrategy;
    }
}

LogoutSuccessHandler class

package org.dewbyte.corebank.utility;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;

public class LogoutSuccessHandler implements org.springframework.security.web.authentication.logout.LogoutSuccessHandler {

    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    public RedirectStrategy getRedirectStrategy() {
        return redirectStrategy;
    }

    public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
        this.redirectStrategy = redirectStrategy;
    }

    @Override
    public void onLogoutSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {

        // The old session was already invalidated by <security:logout>; getSession()
        // creates a new one here, and the flag on it marks the user as logged out
        request.getSession().setAttribute("loginStatus", "false");
        String targetUrl = "/";
        redirectStrategy.sendRedirect(request, response, targetUrl);
    }
}

Check in every method of the controller class whether the session flag is true or false.

Controller class

// Literal first in equals(): the attribute is absent on a brand-new session,
// so the original attribute.equals("true") form throws a NullPointerException
if ("true".equals(request.getSession().getAttribute("loginStatus"))) {
    return home;
} else {
    return login;
}
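Answer 0 recommends repeating the session check in every controller method, and the controller fragment in this answer does exactly that. The same check can live in one place: a Spring MVC `HandlerInterceptor` that runs before every handler and redirects anyone whose session does not carry `loginStatus = "true"`. The class below is an added example serving both answers, not code from either of them or from the asker's project; it assumes the two handlers above set the attribute, that the login page lives at `/login`, and that the interceptor is registered through `<mvc:interceptors>` in the servlet context. The class name is made up.

```java
package example.web; // hypothetical package, not part of the original post

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * Central replacement for the per-method "loginStatus" check: a handler reached
 * with a session whose loginStatus is not "true" is never invoked; the client is
 * redirected to the login page instead.
 */
public class LoginStatusInterceptor extends HandlerInterceptorAdapter {

    static final String LOGIN_STATUS = "loginStatus";   // set by the success/logout handlers above
    static final String LOGIN_PATH = "/login";          // assumed login page path

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        if (isLoggedIn(request)) {
            return true;                                // continue to the controller method
        }
        response.sendRedirect(request.getContextPath() + LOGIN_PATH);
        return false;                                   // stop the handler chain here
    }

    /**
     * Null-safe form of request.getSession().getAttribute("loginStatus").equals("true"):
     * getSession(false) does not create a session for an anonymous visitor, and the
     * literal goes first in equals() so a missing attribute cannot throw.
     */
    static boolean isLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        return "true".equals(session.getAttribute(LOGIN_STATUS));
    }
}
```

Exclude the login, logout and failure paths from the interceptor's mapping so the redirect cannot loop. Note that this flag only duplicates what Spring Security's `intercept-url` rules already enforce once the session is invalidated: the interceptor removes the copy-pasted check, but on its own it does not change what the browser renders from its local cache after the back button is pressed.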