How can I do this in a Spring Boot application (with embedded Tomcat) using java-config? I would like these settings to be declarative and configurable in WebSecurityConfigurerAdapter, like this:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
                .antMatchers("/api/*").permitAll()
                .antMatchers("/login*", "/signin/**", "/signup/**").permitAll()
                .antMatchers("/USER/**").hasAnyRole("USER")
                .and() // return to HttpSecurity so that formLogin() can be chained
            .formLogin();
        // desired, hypothetical setting: setSessionMaxInactiveInterval(60*60);
    }

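But there is no such setting?
The only way I managed to do it was to extend the default SavedRequestAwareAuthenticationSuccessHandler (whose behavior suits my application very well) and add the required logic there programmatically: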
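
    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import lombok.extern.slf4j.Slf4j;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
    import org.springframework.stereotype.Component;

    @Slf4j
    @Component
    public class SessionSettingsHandler extends SavedRequestAwareAuthenticationSuccessHandler {
        private static final int MAX_INACTIVE_INTERVAL = 60; // sec

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {
            // Keep the default saved-request redirect, then set the timeout on the authenticated session
            super.onAuthenticationSuccess(request, response, authentication);
            request.getSession().setMaxInactiveInterval(MAX_INACTIVE_INTERVAL);
            log.debug("Session inactive interval: {}", MAX_INACTIVE_INTERVAL);
        }
    }

    // In the security configuration class; sessionSettingsHandler is assumed to be
    // the SessionSettingsHandler bean injected into that class.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
                .antMatchers("/api/*").permitAll()
                .antMatchers("/login*", "/signin/**", "/signup/**").permitAll()
                .antMatchers("/USER/**").hasAnyRole("USER")
                .and() // return to HttpSecurity so that formLogin() can be chained
            .formLogin()
                .successHandler(sessionSettingsHandler);
    }
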
This works, but I feel these settings should already exist in Spring Boot?
I also tried setting this in application.properties: spring.session.timeout = 3600
But Spring Security seems to just ignore this setting.
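
One declarative way to apply an idle timeout to every session, independent of the login success handler, is a servlet `HttpSessionListener` registered as a Spring bean. This is an added example, not part of the original question; the class name `SessionTimeoutConfig` and the property key `app.session.max-inactive-seconds` are hypothetical, and it assumes the `javax.servlet` API used by the code above.

```java
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Added example: class name and property key are hypothetical.
@Configuration
public class SessionTimeoutConfig {

    // Hypothetical property, e.g. app.session.max-inactive-seconds=3600 in application.properties
    @Value("${app.session.max-inactive-seconds:3600}")
    private int maxInactiveSeconds;

    // Spring Boot registers servlet listener beans with the embedded container.
    @Bean
    public HttpSessionListener sessionTimeoutListener() {
        // In the Servlet API a zero or negative interval means the session never
        // times out, so refuse to start with a value that would disable expiry.
        if (maxInactiveSeconds <= 0) {
            throw new IllegalStateException(
                "app.session.max-inactive-seconds must be positive, got " + maxInactiveSeconds);
        }
        final int seconds = maxInactiveSeconds;
        return new HttpSessionListener() {
            @Override
            public void sessionCreated(HttpSessionEvent event) {
                // Applies to every new session, including ones created before login
                event.getSession().setMaxInactiveInterval(seconds);
            }

            @Override
            public void sessionDestroyed(HttpSessionEvent event) {
                // Nothing to clean up
            }
        };
    }
}
```

Unlike the success-handler approach, this also bounds the lifetime of unauthenticated sessions, because the interval is set when the session is created rather than after a successful login.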