<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:global-method-security secured-annotations="enabled" />

    <security:http>
        <security:intercept-url pattern="/index*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/login123" access="ROLE_ADMIN" />
        <security:intercept-url pattern="/employee1" access="ROLE_EMPLOYEE" />
        <security:intercept-url pattern="/emppreviewshow" access="ROLE_EMPLOYEE" />
        <security:access-denied-handler error-page="/login" />
        <security:form-login login-page="/login" default-target-url="/index"
                             authentication-failure-url="/fail2login"
                             username-parameter="username"
                             password-parameter="j_password" />
        <!-- A new session is created at login; one concurrent session per user -->
        <security:session-management invalid-session-url="/logout" session-fixation-protection="newSession">
            <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
        </security:session-management>
        <security:logout logout-success-url="/logout" delete-cookies="JSESSIONID" invalidate-session="true" />
    </security:http>

    <!-- BCrypt strength is the log2 work factor; BCryptPasswordEncoder accepts 4 to 31 -->
    <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <constructor-arg name="strength" value="255" />
    </bean>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource"
                users-by-username-query=
                    "select username,password, enabled from USER_MASTER where username=?"
                authorities-by-username-query=
                    "select username,USER_ROLE from USER_ROLE where username =? " />
            <security:password-encoder ref="passwordEncoder" />
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
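When I click logout and then click the browser's back button, it still shows the old page. I want the same login URL to be shown when the back button is clicked in the browser.
Answer 0: (score: 1)
You can check whether the session is active in all the methods of the controller class (the request-mapped classes and methods). If the session is active, return the page; otherwise redirect to the login page.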
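Answer 1: (score: 0)
Welcome to the world of client versus server! Invalidating a session is an operation on the server. Assuming the session id is passed in a cookie, it means that the next request containing that cookie will not be a member of the previous session, so you will activate all the "please log in first" machinery.
But under normal conditions, clicking the back button in the browser does not send a new request; it just displays the last page from the local cache. So it is a client-only operation.
As an application developer, there is little you can do. You could try to use JavaScript to hide the button, catch it, or clean the cache. But if I were you, I would not dare to think of it: you are likely to run into browser compatibility problems, for something you should not care about. What the user reads locally is their own problem. If he/she made a printed copy of a page, you would not take a lighter to burn it when the session is over. The cached pages are the same: a local copy. That is why, on explicit disconnection, you often see a message asking to close the browser window. It is the only way for the user to be sure not to read offline copies if he/she clicks the back button.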
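Answer 2: (score: 0)
I was not able to use invalidate-session. I simply added "authentication-success-handler-ref" and set a session attribute inside it. After login, the session is set to true. After logout, the session is set to false.
This is the code:
Security-context.xml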
<bean id="customAuthenticationSuccessHandler" class="org.dewbyte.corebank.utility.CustomAuthenticationSuccessHandler"/>
root-context.xml
<bean id="LogoutSuccessHandler" class="org.dewbyte.corebank.utility.LogoutSuccessHandler" />
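CustomAuthenticationSuccessHandler class
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {
        // Mark the session as logged in, then send the user to the dashboard
        request.getSession().setAttribute("loginStatus", "true");
        String targetUrl = "/dashboard";
        redirectStrategy.sendRedirect(request, response, targetUrl);
    }

    public RedirectStrategy getRedirectStrategy() {
        return redirectStrategy;
    }

    public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
        this.redirectStrategy = redirectStrategy;
    }
}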
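LogoutSuccessHandler class
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;

public class LogoutSuccessHandler implements org.springframework.security.web.authentication.logout.LogoutSuccessHandler {

    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    public RedirectStrategy getRedirectStrategy() {
        return redirectStrategy;
    }

    public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
        this.redirectStrategy = redirectStrategy;
    }

    @Override
    public void onLogoutSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {
        // Mark the session as logged out, then send the user to the root page
        request.getSession().setAttribute("loginStatus", "false");
        String targetUrl = "/";
        redirectStrategy.sendRedirect(request, response, targetUrl);
    }
}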
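Check in every method of the controller class whether the session is true or false.
Controller class
// Constant-first equals avoids a NullPointerException when "loginStatus" was never set
if ("true".equals(request.getSession().getAttribute("loginStatus")))
{
    return home;
}
else
{
    return login;
}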