HTTP session invalid redirect does not work

Date: 2018-09-06 05:11:33

Tags: java spring spring-security httpsession

I am trying to redirect to the logout URL, or to send a Forbidden status code, when the HTTP session times out. From the logs I can see that the HTTP session is timing out and being destroyed.

However, it is not redirecting to the logout page, nor is the Forbidden code being sent. The code specified in the invalidSessionStrategy is never reached.

Here is my configuration:

        http.sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .invalidSessionUrl(PropertyMgr.getXyzURL() + XyzConstants.LOGOUT_PAGE)
            .invalidSessionStrategy(new InvalidSessionStrategy() {
                @Override
                public void onInvalidSessionDetected(HttpServletRequest httpServletRequest,
                                                     HttpServletResponse httpServletResponse)
                        throws IOException, ServletException {
                    logger.info("***************** Invalid session strategy called ***********************");
                    httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);

                }
            })
            .and().addFilter(XyzSpringSecurityConfig.customExceptionTranslationFilter())
                .addFilterBefore(webServiceAuthenticationFilter(), XyzPreAuthenticationFilter.class)
                .authorizeRequests()
                .antMatchers("/services/**")
                .authenticated()
            .and()
                .csrf().requireCsrfProtectionMatcher(new CSRFRequestMatcher())
            .and()
                .addFilter(preAuthenticatedProcessingFilter())
                .authenticationProvider(XyzSpringSecurityConfig.preAuthenticatedAuthenticationProvider())
                .authorizeRequests()
                .antMatchers("/services/**").permitAll()
                .anyRequest()
                .authenticated()
            .and()
                .exceptionHandling()
                .authenticationEntryPoint(XyzSpringSecurityConfig.loginEntryPoint())
                .accessDeniedHandler(XyzSpringSecurityConfig.customAccessDeniedHandler())
                .and()
                .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/Logout"))
                .logoutUrl(PropertyMgr.getXyzURL() + XyzConstants.LOGOUT_PAGE)
                .invalidateHttpSession(true)
            .and()
                .addFilterAfter(XyzSpringSecurityConfig.forceLogoutFilter(), XyzPreAuthenticationFilter.class)
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .invalidSessionUrl(PropertyMgr.getXyzURL() + XyzConstants.LOGOUT_PAGE)
                .invalidSessionStrategy(new InvalidSessionStrategy() {
                    @Override
                    public void onInvalidSessionDetected(HttpServletRequest httpServletRequest,
                                                         HttpServletResponse httpServletResponse)
                            throws IOException, ServletException {
                        logger.info("*****************Invalid session strategy called ***********************");
                        httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);

                    }
                })
            .and()
                .headers().xssProtection().disable();

Do I need to create a filter to perform the redirect on HTTP session timeout? Is this not possible with Spring Security?

0 answers:

No answers
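The configuration below is an added example, not the asker's code or an answer posted on the page. It shows a single sessionManagement() block with one InvalidSessionStrategy that sends 403 for API paths and redirects browsers to a logout page, and it clears the dead session cookie so the client stops presenting it. The LOGOUT_PAGE path and the "/services/**" prefix are placeholders for the asker's PropertyMgr/XyzConstants values. One precondition worth knowing when this strategy appears not to fire: in Spring Security 4.x and 5.x, SessionManagementFilter only invokes it when the request carries a session id that the container reports as no longer valid, no SecurityContext was found in the session, and no filter earlier in the chain has already authenticated the request. A request that arrives without any session cookie, or one that a pre-authentication filter re-authenticates from headers on every call, never reaches that check.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Added example, not the original poster's configuration.
 * LOGOUT_PAGE and the "/services/**" prefix are hypothetical placeholders.
 */
@Configuration
@EnableWebSecurity
public class SessionTimeoutSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String LOGOUT_PAGE = "/logout-page"; // hypothetical path
    private static final RequestMatcher API_REQUESTS = new AntPathRequestMatcher("/services/**");

    /**
     * Invoked by SessionManagementFilter when the request presents a session id
     * the container no longer recognises (timed out or invalidated).
     * API clients get a 403; browser requests are redirected to the logout page.
     */
    static final class ApiAwareInvalidSessionStrategy implements InvalidSessionStrategy {

        private final InvalidSessionStrategy browserRedirect;

        ApiAwareInvalidSessionStrategy(String redirectUrl) {
            SimpleRedirectInvalidSessionStrategy redirect =
                    new SimpleRedirectInvalidSessionStrategy(redirectUrl);
            // Do not start a fresh session just to serve the redirect
            redirect.setCreateNewSession(false);
            this.browserRedirect = redirect;
        }

        @Override
        public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            // Expire the stale cookie so the client stops re-sending a dead session id
            Cookie stale = new Cookie("JSESSIONID", "");
            stale.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
            stale.setMaxAge(0);
            stale.setHttpOnly(true);
            response.addCookie(stale);

            if (API_REQUESTS.matches(request)) {
                // sendError commits a 403 with an error body; setStatus(403) alone
                // leaves an empty response that some clients treat as a success
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Session expired");
                return;
            }
            browserRedirect.onInvalidSessionDetected(request, response);
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                // invalidSessionStrategy(...) takes precedence over invalidSessionUrl(...),
                // so configure only one of them, and only once
                .invalidSessionStrategy(new ApiAwareInvalidSessionStrategy(LOGOUT_PAGE))
                .and()
            .authorizeRequests()
                // The page the timed-out user lands on must be reachable without a session
                .antMatchers(LOGOUT_PAGE).permitAll()
                .anyRequest().authenticated()
                .and()
            .logout()
                // logoutUrl is the path the client requests to log out,
                // logoutSuccessUrl is the page shown afterwards
                .logoutUrl("/Logout")
                .logoutSuccessUrl(LOGOUT_PAGE)
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID");
    }
}
```

To confirm the strategy is actually reachable, send a request with a JSESSIONID cookie whose session has already been invalidated (for example after the configured timeout) and without the headers the pre-authentication filter consumes; that request should receive the 403 or the redirect, while a request with no cookie at all should fall through to the normal authentication entry point.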