我正在使用Spring开发一个网站,我使用Spring Security进行身份验证。 我遇到了一个我无法解决的问题:
<div sec:authorize="!isAuthenticated()" id="login">
SHOW IF NOT AUTHENTICATED
</div>
<div sec:authorize="isAuthenticated()">
Hi <span th:text="${session.user.email}"></span>
</div>
当会话被破坏时,例如通过WebSecurityConfigurerAdapter中的更改,显示第二个div导致内部服务器错误,因为session.user对象为null。
如何让用户&#34;未经身份验证&#34;当他的会议被摧毁?
编辑:SecurityConfig
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
.sessionAuthenticationErrorUrl("/login?error")
.maximumSessions(1)
.maxSessionsPreventsLogin(false)
.expiredUrl("/login?expired")
.and()
.sessionFixation().newSession();
http.authorizeRequests()
.antMatchers("/css/**", "/img/**", "/fonts/**", "/js/**", "/", "/home", "/prizes", "/login").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login").loginProcessingUrl("/dologin")
.usernameParameter("username").passwordParameter("password")
.defaultSuccessUrl("/loginsuccessful").failureUrl("/login?invalid").permitAll()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/")
.permitAll();
}
调用/注销时的Spring Security日志
************************************************************
Request received for GET '/logout':
org.apache.catalina.connector.RequestFacade@1512eefb
servletPath:/logout
pathInfo:null
headers:
host: localhost:8080
user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding: gzip, deflate
referer: http://localhost:8080/
cookie: JSESSIONID=0179284CCE4040DA16C9F16D9AB14AF2
dnt: 1
connection: keep-alive
upgrade-insecure-requests: 1
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
CsrfFilter
LogoutFilter
UsernamePasswordAuthenticationFilter
ConcurrentSessionFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
2017-05-10 12:45:44.079 INFO 12028 --- [nio-8080-exec-2] Spring Security Debugger :
************************************************************
Request received for GET '/':
org.apache.catalina.connector.RequestFacade@1512eefb
servletPath:/
pathInfo:null
headers:
host: localhost:8080
user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding: gzip, deflate
referer: http://localhost:8080/
cookie: JSESSIONID=0179284CCE4040DA16C9F16D9AB14AF2
dnt: 1
connection: keep-alive
upgrade-insecure-requests: 1
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
CsrfFilter
LogoutFilter
UsernamePasswordAuthenticationFilter
ConcurrentSessionFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
答案 0 :(得分:0)
好的,我无法使用isAuthenticated(),所以我通过在preHandle()方法(拦截器)中手动检查会话中的每个用户对象来修复它