Question

我正在使用spring security 4.1，我面临的问题是当我尝试登录时，我被多次发送回会话过期页面。我尝试过添加自己的HttpSessionListener等多项内容 org.springframework.security.web.session.HttpSessionEventPublisher 但会议一直到期。我在其中一个问题中读到了对这种行为的解释 “在某些情况下，Spring Security可能会使会话无效（例如，在登录后，用户会获得一个新的HttpSession）。” 我使用Fiddler工具来查看发生了什么，我看到用户已经过身份验证，但会立即重定向到会话过期页面。我希望允许同一个用户根据需要多次登录。我还在一些地方读到它将有助于移动到弹簧3.x但我认为它可能适用于使用较旧版本弹簧的情况。请建议。谢谢

    <http auto-config="true" use-expressions="true"
    authentication-manager-ref="authenticationManager">
    <session-management 
    invalid-session-url="/login?eventType=sessionTimedOut" 
    session-fixation-protection="none"
    />
    <intercept-url pattern="/login" access="permitAll" />

    <intercept-url pattern="/*"     access="hasAnyAuthority('FF_USER','FF_ADMIN')" />

    <form-login login-page="/login" 
        authentication-success-handler-ref="authenticationSuccessHandler"
        authentication-failure-handler-ref="customAuthenticationFailureHandler"
        login-processing-url="/j_spring_security_check"
        username-parameter="j_username"
        password-parameter="j_password"
        />

    <logout invalidate-session="false" logout-success-url="/login?eventType=logout"
        logout-url="/j_spring_security_logout" delete-cookies="JSESSIONID"/>

    <csrf token-repository-ref="csrfTokenRepository" />

</http>

<beans:bean id="csrfTokenRepository"
    class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository">
    <beans:property name="headerName" value="X-XSRF-TOKEN" />
</beans:bean>

<beans:bean id="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/home"/>
    <beans:property name="alwaysUseDefaultTargetUrl" value="true"/>
</beans:bean>

<beans:bean id="customAuthenticationFailureHandler" class="*.*.CustomAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="/login?eventType=error"></beans:property>
    <beans:property name="baseFailureUrl" value="/login?eventType=error"></beans:property>
</beans:bean>

<beans:bean id="authenticationManager"
    class="org.springframework.security.authentication.ProviderManager">
    <beans:constructor-arg>
        <beans:list>
            <beans:ref bean="ldapAuthenticationProvider" />
        </beans:list>
    </beans:constructor-arg>
    <beans:property name="eraseCredentialsAfterAuthentication"
        value="true" />
</beans:bean>

Answer 1

 <http>
    <logout delete-cookies="JSESSIONID" />
  </http>

Unfortunately this can't be guaranteed to work with every servlet container, so you will need to test it in your environment[8].

因此，您需要添加一个实现LogoutHandler到LogoutFilter处理程序的客户注销处理程序。

<http auto-config="true" use-expressions="true" authentication-manager-ref="authenticationManager">
...
<custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
...
</http>


<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <constructor-arg name="logoutSuccessUrl" value="/login?eventType=logout" />
        <!-- implement LogoutHandler, Websphere log out -->
        <constructor-arg name="handlers" ref="{customer logout }" />
        <property name="filterProcessesUrl" value="/j_spring_security_logout" />
</bean>

春季安全会议超时

1 个答案: