我的 Spring Security 上下文配置文件中有以下配置:
<!-- Enables method-level authorization through annotations: the pre/post expression
     annotations (pre-post-annotations) and @Secured (secured-annotations).
     NOTE(review): this element is written without the "security:" prefix used by the
     other elements on this page; the namespace declarations are not shown, so confirm
     that it resolves to the Spring Security namespace. -->
<global-method-security secured-annotations="enabled"
                        pre-post-annotations="enabled">
  <!-- The custom expression handler is commented out, so no custom handler is wired in here. -->
  <!-- <expression-handler ref="expressionHandler"/> -->
</global-method-security>
<!-- Paths excluded from Spring Security altogether (security="none"): none of the
     security filters run for them, so there is no authentication and no SecurityContext.
     Only static, non-sensitive content should be served from these paths.
     These elements must stay above the catch-all chain, because the first matching
     <http> pattern wins. -->
<security:http security="none" pattern="/pages/common/UnAuthorized.html*" />
<!-- A single '*' matches within one path segment only; sub-folders of /resources/images/
     are not covered by this exclusion. -->
<security:http security="none" pattern="/resources/images/*" />
<security:http security="none" pattern="/Logout.html*" />
<security:http security="none" pattern="/SessionTimeout.html*" />
<!-- Main filter chain for the pre-authenticated (SiteMinder) application. There is no
     login form: a request that reaches this chain unauthenticated is answered through
     http403EntryPoint. -->
<security:http use-expressions="true"
               auto-config="false"
               entry-point-ref="http403EntryPoint">

  <!-- Every path not excluded by a security="none" element requires a full
       authentication (neither anonymous nor remember-me). -->
  <security:intercept-url access="fullyAuthenticated" pattern="/**" />

  <!-- NOTE(review): siteminderFilter is defined outside this snippet; presumably a
       header-based pre-authentication filter. Header-based pre-authentication is only
       trustworthy when the application is reachable exclusively through the SiteMinder
       agent and that agent overwrites any client-supplied identity header. Confirm. -->
  <security:custom-filter ref="siteminderFilter" position="PRE_AUTH_FILTER" />

  <!-- Local logout: invalidates the container session and asks the browser to drop
       both cookies.
       NOTE(review): SMSESSION is normally issued by SiteMinder for its own domain and
       path; verify that the deletion takes effect, otherwise the SSO session outlives
       the local logout. -->
  <security:logout logout-url="/logout"
                   logout-success-url="/Logout.html"
                   invalidate-session="true"
                   delete-cookies="JSESSIONID,SMSESSION" />

  <!-- invalid-session-url is applied when a request carries a session id that is no
       longer valid AND no authentication was established during that request.
       NOTE(review): if the pre-auth filter re-authenticates each request from the
       SiteMinder header, the request is already authenticated when session management
       runs, so a new session is registered instead of a redirect being sent. That would
       match the RegisterSessionAuthenticationStrategy call seen while debugging; confirm
       in SessionManagementFilter.
       NOTE(review): for a single-page client, XHR calls follow a redirect silently;
       consider signalling the timeout with a status code the client can handle. -->
  <security:session-management invalid-session-url="/SessionTimeout.html">
    <!-- expired-url is used for sessions expired by concurrency control, not for
         container idle timeouts.
         NOTE(review): /pages/common/SessionTimeout.html differs from invalid-session-url
         and is not covered by any security="none" pattern shown on this page; confirm
         which path is intended.
         NOTE(review): no session-registry-ref is set, so the sessionRegistry bean
         declared on this page does not appear to be the registry used here. -->
    <security:concurrency-control expired-url="/pages/common/SessionTimeout.html" />
  </security:session-management>
</security:http>
<!-- Authentication is delegated to one custom provider. The alias publishes the manager
     under the bean name "authenticationManager" so other beans can reference it.
     NOTE(review): customAuthenticationProvider is defined outside this snippet; it has
     to support the token type produced by the pre-authentication filter. Confirm. -->
<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="customAuthenticationProvider" />
</security:authentication-manager>
<!-- NOTE(review): nothing in the configuration shown on this page references
     sessionRegistry (concurrency-control carries no session-registry-ref). Unless it is
     wired in elsewhere, this bean is separate from the registry that concurrency control
     uses. -->
<beans:bean class="org.springframework.security.core.session.SessionRegistryImpl"
            id="sessionRegistry" />

<!-- Entry point referenced by the main <http> element: replies 403 Forbidden instead of
     redirecting to a login page. -->
<beans:bean class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"
            id="http403EntryPoint" />
并在 web.xml 中注册了会话事件发布器(HttpSessionEventPublisher)以及会话超时配置:
<session-config>
  <!-- Idle timeout of the container session, in minutes. -->
  <session-timeout>2</session-timeout>
  <cookie-config>
    <!-- HttpOnly keeps the session cookie out of reach of page scripts. -->
    <http-only>true</http-only>
    <!-- Secure restricts the cookie to HTTPS. Over plain HTTP the browser never sends it
         back, so every request would start a new session. -->
    <secure>true</secure>
  </cookie-config>
  <!-- Cookie-only tracking: the session id is never written into URLs. -->
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
<!-- Publishes container session lifecycle events into the Spring context. Spring
     Security's concurrency control relies on these events to learn that a session
     has ended. -->
<listener>
  <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<!-- DelegatingFilterProxy hands each request to the Spring bean named after the filter.
     NOTE(review): the name localDeploymentFilter suggests a development-only helper; its
     bean is not shown. If it supplies identity headers for local runs, make sure it is
     never active in a production deployment. Confirm. -->
<filter>
  <filter-name>localDeploymentFilter</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- Entry point into the Spring Security filter chain.
     NOTE(review): no filter-mapping elements appear in this excerpt; both filters need
     one to take effect, and their relative order decides which runs first. -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- Spring MVC front controller, initialised when the web application starts
     (load-on-startup = 1). The servlet-mapping is not part of this excerpt. -->
<servlet>
  <servlet-name>spring-dispatcher</servlet-name>
  <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
</servlet>
我不确定这里缺少了什么,但是会话超时后,请求并没有被重定向到 SessionTimeout 页面。
当我调试 Spring 代码时,只看到 "RegisterSessionAuthenticationStrategy" 被调用,并且它基于现有会话创建了一个新会话。我原本期望会有代码重定向到会话过期 URL,但调试期间没有找到任何这样的代码。
更新:我正在使用 AngularJS(单页面应用程序),我们的应用程序没有登录页面,登录通过 SiteMinder 完成。