Spring Security: I can still save data even though the session has timed out

Time: 2017-11-29 11:45:43

Tags: java spring spring-mvc session

I have a problem with Spring Security. It looks like this:

  1. I fill in a form
  2. I change some data
  3. I leave the computer for a while (long enough for the active session to time out)
  4. I come back to the computer
  5. I click the "Save" button in the webapp
  6. Now the data is saved to the database, and then the application logs me out, telling me my session has timed out. This behaviour is incorrect; how can I make sure that I am completely logged out after the defined or default time, with no possibility of saving data after the timeout?

My security-context.xml looks like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
        xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:security="http://www.springframework.org/schema/security"
        xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">
    
        <import resource="spring-database.xml" />
    
        <security:http pattern="/login" security="none" />
        <security:http pattern="/loginfailed" security="none" />
        <security:http pattern="/403" security="none" />
    
        <security:http auto-config="true">
            <security:intercept-url pattern="/*" access="ROLE_ADMIN" />
            <security:form-login login-page="/login"
                default-target-url="/" authentication-failure-url="/loginfailed" />
            <security:logout logout-success-url="/login" />
            <security:access-denied-handler
                error-page="/403" />
        </security:http>
    
        <security:authentication-manager>
            <security:authentication-provider>
                <security:jdbc-user-service
                    data-source-ref="dataSource"
                    users-by-username-query="select username,password, enabled from users where username= ?"
                    authorities-by-username-query="select username,role from user_roles where username= ?" />
            </security:authentication-provider>
        </security:authentication-manager>
    
    </beans>
    

1 answer:

Answer 0 (score: 1)

You are missing an XML attribute in the <security:logout tag. Just add invalidate-session="true" to this tag. This way, in every case of an invalid session, the user will be forced to log in again. You can read more about this feature of Spring Security in this thread.

Below you can find the part of the XML containing the attribute mentioned above.

    ...

    <security:http auto-config="true">
        <security:intercept-url pattern="/*" access="ROLE_ADMIN" />
        <security:form-login login-page="/login"
            default-target-url="/" authentication-failure-url="/loginfailed" />
        <security:logout logout-success-url="/login" invalidate-session="true"/>
        <security:access-denied-handler
            error-page="/403" />
    </security:http>

    ...
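For comparison, the same configuration expressed as Spring Security Java config, with the session-handling settings that bear on the question's symptom. This is an added example, not code from the question or the answer; it assumes Spring Security 4.x (Java config needs 3.2 or later, whereas the question uses the 3.1 XML schema), a `dataSource` bean as in the question's spring-database.xml, and the same URLs and queries as the question. Two points it makes explicit: the answer's `invalidate-session` corresponds to `invalidateHttpSession(true)` (which only affects explicit logout), and a request that arrives with an expired session id is handled by `invalidSessionUrl`, which redirects it before any controller runs. It also uses `anyRequest()` rather than the question's `pattern="/*"`: in Spring Security's Ant-style matching `/*` covers a single path segment only, so a save endpoint at a nested path such as `/items/42/save` would not be protected by that rule, while `/**` or `anyRequest()` covers every path.

```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: Java-config equivalent of the question's security-context.xml
// plus the session settings relevant to "save after timeout".
@Configuration
@EnableWebSecurity
public class SessionTimeoutSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed to be the bean imported from spring-database.xml in the question.
    @Autowired
    private DataSource dataSource;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Same public pages as the question's security="none" entries.
                .antMatchers("/login", "/loginfailed", "/403").permitAll()
                // anyRequest() protects every path; the question's pattern="/*"
                // matches only one path segment, so nested URLs would be left open.
                .anyRequest().hasRole("ADMIN")
                .and()
            .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/")
                .failureUrl("/loginfailed")
                .and()
            .logout()
                .logoutSuccessUrl("/login")
                // The attribute the answer recommends; it applies to explicit logout.
                .invalidateHttpSession(true)
                .and()
            .sessionManagement()
                // A request carrying an expired or unknown session id is redirected
                // here by the session-management filter, before any controller
                // (and therefore before any database write) is reached.
                .invalidSessionUrl("/login")
                .and()
            .exceptionHandling()
                .accessDeniedPage("/403");
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Same JDBC user store and queries as the question's jdbc-user-service.
        auth.jdbcAuthentication()
            .dataSource(dataSource)
            .usersByUsernameQuery(
                "select username, password, enabled from users where username = ?")
            .authoritiesByUsernameQuery(
                "select username, role from user_roles where username = ?");
    }
}
```

The session lifetime itself is not set by Spring Security but by the servlet container (for example `<session-timeout>` in web.xml, in minutes). Whatever value is used there, a POST that arrives after expiry carries a session id the container no longer recognises, so it reaches the filter chain unauthenticated and is redirected rather than executed; if a save still succeeds in that situation, the endpoint that performs it is most likely outside the protected URL pattern.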