Spring Security - 用户在会话销毁时保持身份验证

时间:2017-05-10 08:52:41

标签: java spring spring-security

我正在使用Spring开发一个网站,我使用Spring Security进行身份验证。 我遇到了一个我无法解决的问题:

<div sec:authorize="!isAuthenticated()" id="login">
    SHOW IF NOT AUTHENTICATED
</div>
<div sec:authorize="isAuthenticated()">
    Hi <span th:text="${session.user.email}"></span>
</div>

当会话被破坏时,例如通过WebSecurityConfigurerAdapter中的更改,显示第二个div导致内部服务器错误,因为session.user对象为null。

如何让用户&#34;未经身份验证&#34;当他的会议被摧毁?

编辑:SecurityConfig

@Override
    protected void configure(HttpSecurity http) throws Exception {

        http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
        .sessionAuthenticationErrorUrl("/login?error")
        .maximumSessions(1)
        .maxSessionsPreventsLogin(false)
        .expiredUrl("/login?expired")
        .and()
        .sessionFixation().newSession();

        http.authorizeRequests()
        .antMatchers("/css/**", "/img/**", "/fonts/**", "/js/**", "/", "/home", "/prizes", "/login").permitAll()
        .anyRequest().authenticated()
        .and()
        .formLogin().loginPage("/login").loginProcessingUrl("/dologin")
        .usernameParameter("username").passwordParameter("password")
        .defaultSuccessUrl("/loginsuccessful").failureUrl("/login?invalid").permitAll()
        .and()
        .logout()
        .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/")
        .permitAll();
    }

调用/注销时的Spring Security日志

************************************************************

Request received for GET '/logout':

org.apache.catalina.connector.RequestFacade@1512eefb

servletPath:/logout
pathInfo:null
headers: 
host: localhost:8080
user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding: gzip, deflate
referer: http://localhost:8080/
cookie: JSESSIONID=0179284CCE4040DA16C9F16D9AB14AF2
dnt: 1
connection: keep-alive
upgrade-insecure-requests: 1


Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  CsrfFilter
  LogoutFilter
  UsernamePasswordAuthenticationFilter
  ConcurrentSessionFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************


2017-05-10 12:45:44.079  INFO 12028 --- [nio-8080-exec-2] Spring Security Debugger                 : 

************************************************************

Request received for GET '/':

org.apache.catalina.connector.RequestFacade@1512eefb

servletPath:/
pathInfo:null
headers: 
host: localhost:8080
user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding: gzip, deflate
referer: http://localhost:8080/
cookie: JSESSIONID=0179284CCE4040DA16C9F16D9AB14AF2
dnt: 1
connection: keep-alive
upgrade-insecure-requests: 1


Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  CsrfFilter
  LogoutFilter
  UsernamePasswordAuthenticationFilter
  ConcurrentSessionFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************

1 个答案:

答案 0 :(得分:0)

好的,我无法使用isAuthenticated(),所以我通过在preHandle()方法(拦截器)中手动检查会话中的每个用户对象来修复它