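I am new to Spring Security. I want the URL to redirect to the login page when any tab/link is clicked after the session has timed out.
I have the following configuration in my security context: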
<global-method-security pre-post-annotations="enabled"
    secured-annotations="enabled">
    <!-- <expression-handler ref="expressionHandler"/> -->
</global-method-security>

<security:http pattern="/pages/common/UnAuthorized.html*"
    security="none" />
<security:http pattern="/resources/images/*" security="none" />
<security:http pattern="/Logout.html*"
    security="none" />
<security:http pattern="/SessionTimeout.html*"
    security="none" />

<security:http auto-config="false" use-expressions="true"
    entry-point-ref="http403EntryPoint">
    <security:intercept-url pattern="/**"
        access="fullyAuthenticated" />
    <security:custom-filter position="PRE_AUTH_FILTER"
        ref="siteminderFilter" />
    <security:logout delete-cookies="JSESSIONID,SMSESSION"
        invalidate-session="true" logout-url="/logout" logout-success-url="/Logout.html" />
    <security:session-management
        invalid-session-url="/SessionTimeout.html">
        <security:concurrency-control expired-url="/pages/common/SessionTimeout.html" />
    </security:session-management>
</security:http>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider
        ref="customAuthenticationProvider">
    </security:authentication-provider>
</security:authentication-manager>

<beans:bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" />
<beans:bean id="http403EntryPoint"
    class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
I have also registered an event in web.xml, along with the session timeout configuration:
<session-config>
    <session-timeout>2</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<filter>
    <filter-name>localDeploymentFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
        org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter>
<servlet>
    <servlet-name>spring-dispatcher</servlet-name>
    <servlet-class>
        org.springframework.web.servlet.DispatcherServlet
    </servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
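I am not sure what I am missing here, but the URL is not being redirected to the session timeout page.
When I tried debugging the Spring code, I saw that only "RegisterSessionAuthenticationStrategy" was called, and a new session was created using the existing session. I was expecting some code that would redirect to the session expiry URL, but I did not find anything during debugging.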
Answer 0 (score: 0)
Your web.xml should look like this:
Your Spring configuration should look like this:
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
    http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
    <display-name>Local-Dev Timeout POC</display-name>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <servlet>
        <servlet-name>spring-web</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>spring-web</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>1</session-timeout>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
</web-app>
If they are not logged in because the session has expired, they will be redirected to login.
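
An added example, not part of the question or the answer above: a servlet filter that performs the expired-session check the question expects, using only the standard Servlet API. It assumes the javax.servlet API that matches the web-app 3.0 descriptor, reuses /SessionTimeout.html from the question's invalid-session-url, and uses the hypothetical class name ExpiredSessionRedirectFilter; it would need a filter-mapping declared ahead of springSecurityFilterChain so that it sees the stale session ID before anything creates a new session.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; added example, not code from the question or the answer.
public class ExpiredSessionRedirectFilter implements Filter {

    // Timeout page taken from the question's invalid-session-url.
    private static final String TIMEOUT_PAGE = "/SessionTimeout.html";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The browser sent a session ID that the container no longer recognises:
        // the session timed out or was invalidated since the previous request.
        boolean expired = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        // Never redirect the timeout page to itself.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        boolean isTimeoutPage = path.startsWith(TIMEOUT_PAGE);

        if (expired && !isTimeoutPage) {
            // Start a fresh session so the container replaces the stale JSESSIONID;
            // otherwise every later request would be flagged as expired again.
            request.getSession(true);
            response.sendRedirect(
                    response.encodeRedirectURL(request.getContextPath() + TIMEOUT_PAGE));
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```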