I am developing an application with Spring Boot, in which I want to display the logged-in user's "name and image", so I use the session to pass the name and image after authentication. If any user enters their credentials (on the login page), or if any logged-in user types a URL directly (www.abc.com/this/url), it works for a few minutes. But after a few minutes the session name and image are no longer visible (the session has expired), even though other features are still using that session. My code is
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

@Component
public class SecurityHandler implements AuthenticationSuccessHandler {

    @Autowired
    private UserService userService;

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        HttpSession session = request.getSession();
        String userName;
        // The freshly authenticated user is passed in as the method parameter
        Object principal = authentication.getPrincipal();
        if (principal instanceof UserDetails) {
            userName = ((UserDetails) principal).getUsername();
        } else {
            userName = principal.toString();
        }
        User user = userService.findBySSO(userName);
        // Display data is stored in the HTTP session created at form login
        session.setAttribute("userName", user.getFirstName());
        session.setAttribute("imgPathh", user.getImagePath());
        response.sendRedirect(request.getContextPath() + "/dashboard/index");
    }
}
Common JSP page
<h2><c:out value="${userName }"></c:out></h2>
I want to know why this session variable stops working even a few minutes after authentication (in any case, if we type the URL directly, it should go through this authentication, am I right?)
Update 1. Security configuration
import javax.servlet.http.HttpSession;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("customUserDetailsService")
    UserDetailsService userDetailsService;

    @Autowired
    PersistentTokenRepository tokenRepository;

    @Autowired
    SecurityHandler securityHandler;

    @Autowired
    HttpSession session;

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
        auth.authenticationProvider(authenticationProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers() // antmatchers
            .and().formLogin().loginPage("/login").successHandler(securityHandler)
                .loginProcessingUrl("/login").usernameParameter("ssoId").passwordParameter("password")
            .and().rememberMe().rememberMeParameter("remember-me").tokenRepository(tokenRepository)
                .tokenValiditySeconds(86400)
            .and().csrf()
            .and().exceptionHandling().accessDeniedPage("/Access_Denied")
            .and()
            .sessionManagement().sessionFixation().migrateSession()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED); // ALWAYS, IF_REQUIRED, NEVER, STATELESS
        http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login")
            .invalidateHttpSession(true)
            .permitAll();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setUserDetailsService(userDetailsService);
        authenticationProvider.setPasswordEncoder(passwordEncoder());
        authenticationProvider.setHideUserNotFoundExceptions(false);
        System.out.println("Error in DaoAuthenticationProvider");
        return authenticationProvider;
    }

    @Bean
    public PersistentTokenBasedRememberMeServices getPersistentTokenBasedRememberMeServices() {
        PersistentTokenBasedRememberMeServices tokenBasedservice = new PersistentTokenBasedRememberMeServices(
                "remember-me", userDetailsService, tokenRepository);
        System.out.println("Error in PersistentTokenBasedRememberMeServices");
        return tokenBasedservice;
    }

    @Bean
    public AuthenticationTrustResolver getAuthenticationTrustResolver() {
        System.out.println("Error in AuthenticationTrustResolver");
        return new AuthenticationTrustResolverImpl();
    }
}
Answer 0 (score: -2)
This is called session timeout.
Once the session times out or expires, that's it.
The user no longer has any session on the server.
The user has to log in again.
If you want the session to last longer, try changing the session timeout.
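An added example, not the asker's code or the answer's: the question's configuration also enables rememberMe() with a 24-hour token, and a request that arrives after the HTTP session has timed out can still be authenticated by the remember-me cookie, which creates a fresh session without running the form-login success handler, so attributes set there are simply absent. Resolving the display data per request from the current Authentication instead of caching it in the session avoids that; it assumes the asker's UserService.findBySSO(String) and the User getters shown in the question.

```java
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ModelAttribute;

// Added example: exposes the logged-in user's display data to every view
// from the current Authentication rather than from a session attribute, so
// it is present whether the request was authenticated by the login form or
// by a remember-me cookie after the session timed out.
@ControllerAdvice
public class CurrentUserModelAdvice {

    // Assumed: the asker's service, with findBySSO(String) returning User
    private final UserService userService;

    public CurrentUserModelAdvice(UserService userService) {
        this.userService = userService;
    }

    // Same model names the JSP already reads: ${userName} and ${imgPath}
    @ModelAttribute("userName")
    public String userName() {
        User user = currentUser();
        return user == null ? null : user.getFirstName();
    }

    @ModelAttribute("imgPath")
    public String imgPath() {
        User user = currentUser();
        return user == null ? null : user.getImagePath();
    }

    // Resolves the User for the current request, or null when anonymous.
    private User currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return null;
        }
        Object principal = auth.getPrincipal();
        if (!(principal instanceof UserDetails)) {
            return null; // e.g. the String "anonymousUser" on unauthenticated requests
        }
        String sso = ((UserDetails) principal).getUsername();
        return userService.findBySSO(sso);
    }
}
```

This performs a lookup on every rendered request, so for a busy site cache the result per user or keep the name and image path on the UserDetails returned by customUserDetailsService. If the session itself should also live longer, as the answer suggests, Spring Boot reads that from the `server.servlet.session.timeout` property (`server.session.timeout` on Boot 1.x).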