Spring安全会话超时 - Java

时间:2018-04-17 14:34:25

标签: java spring spring-security

我的Spring安全性运行良好,但经过一段时间后,当用户访问页面时,我开始收到大量异常。

我注意到session and principal is null这就是我收到错误500的原因。

如何再次将用户重定向到登录?

或者我可以简单地删除会话超时(我真的不需要它)

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled=true)
@ComponentScan("pt.impactzero.atp")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private MyUserDetailsService myUserDetailsService;
    @Autowired
    private AuthenticationSuccessHandler authenticationSuccessHandler;
    @Autowired
    private LogoutSuccessHandler logoutSuccessHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/").hasAnyRole("Administrator" , "Member")
                .and()
                .formLogin()
                    .loginPage("/login").permitAll()
                    .defaultSuccessUrl("/dashboard",true)
                    .failureUrl("/login?error")
                    .successHandler(authenticationSuccessHandler)
                .and()
                .logout()
                    .logoutUrl("/logout").permitAll()
                    .logoutSuccessUrl("/login")
                    .logoutSuccessHandler(logoutSuccessHandler)
                .and()
                .csrf().disable();
    }

    @Override
    public void configure(WebSecurity web) {
        web.httpFirewall(allowUrlEncodedSlashHttpFirewall());
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(myUserDetailsService).passwordEncoder(passwordEncoder());
    }
    @Bean
    public PasswordEncoder passwordEncoder() {
        BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
        return passwordEncoder;
    }

    @Bean
    public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
        DefaultHttpFirewall firewall = new DefaultHttpFirewall();
        firewall.setAllowUrlEncodedSlash(true);
        return firewall;
    }

    @Bean
    public CommonsMultipartResolver filterMultipartResolver(){
        return new CommonsMultipartResolver();
    }

    //Online users
    @Bean
    public ActiveUsers activeUsers(){
        return new ActiveUsers();
    }
}

1 个答案:

答案 0 :(得分:1)

如果您想要禁用会话,您可以:

@Override
protected void configure(HttpSecurity http) throws Exception {
    // disable session
    http.sessionManagement().disable()
        .authorizeRequests().antMatchers("/").hasAnyRole("Administrator" , "Member")
            .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .defaultSuccessUrl("/dashboard",true)
                .failureUrl("/login?error")
                .successHandler(authenticationSuccessHandler)
            .and()
            .logout()
                .logoutUrl("/logout").permitAll()
                .logoutSuccessUrl("/login")
                .logoutSuccessHandler(logoutSuccessHandler)
            .and()
            .csrf().disable();
}

如果您想将用户重定向到登录页面,可以试试这个:

@Override
protected void configure(HttpSecurity http) throws Exception {
    // redirect user to login page
    http.sessionManagement().invalidSessionUrl("http://your.login.page").and()
        .authorizeRequests().antMatchers("/").hasAnyRole("Administrator" , "Member")
            .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .defaultSuccessUrl("/dashboard",true)
                .failureUrl("/login?error")
                .successHandler(authenticationSuccessHandler)
            .and()
            .logout()
                .logoutUrl("/logout").permitAll()
                .logoutSuccessUrl("/login")
                .logoutSuccessHandler(logoutSuccessHandler)
            .and()
            .csrf().disable();
}