我有一个带有春季安全插件的grails 3.3.5应用程序(org.grails.plugins:spring-security-core:3.2.2)。
会话超时后，如何从 SessionRegistry 中删除该会话的信息（而不只是在显式注销时删除）？
我尝试添加 CustomSecurityContextLogoutHandler ,但是一旦会话超时,它就不会触发。
resources.groovy
// resources.groovy — Spring Security session-management wiring.
// NOTE(review): the closure is not closed in this listing; the real file must end with "}".
beans = {
// Shared registry consulted by ConcurrentSessionFilter and by both logout handlers.
// SessionRegistryImpl drops a session when it receives a SessionDestroyedEvent; nothing
// in this listing registers HttpSessionEventPublisher, the servlet listener that turns
// container session destruction (including timeout) into that event — TODO confirm,
// since that is the usual reason registry entries survive a session timeout.
sessionRegistry(SessionRegistryImpl)
// NOTE(review): CustomSessionLogoutHandler is not shown in this listing (the file below is
// pasted twice as CustomSecurityContextLogoutHandler); confirm the class exists.
customSessionLogoutHandler(CustomSessionLogoutHandler, ref('sessionRegistry'))
customSecurityContextLogoutHandler(CustomSecurityContextLogoutHandler, ref('sessionRegistry'))
// Issue a fresh session id on authentication (session-fixation defence), carrying the
// existing attributes over and creating a session if none exists yet.
sessionFixationProtectionStrategy(SessionFixationProtectionStrategy) {
migrateSessionAttributes = true
alwaysCreateSession = true
}
// Concurrency check against the registry. NOTE(review): this class name does not match
// Spring's ConcurrentSessionControlAuthenticationStrategy — presumably a project class;
// verify the import.
concurrentSingleSessionAuthenticationStrategy(ConcurrentSingleSessionAuthenticationStrategy,ref('sessionRegistry'))
// Records the newly authenticated session in the registry.
registerSessionAuthenticationStrategy(RegisterSessionAuthenticationStrategy, ref('sessionRegistry'))
// Delegates run in list order: concurrency check, then session-id migration, then registration.
sessionAuthenticationStrategy(CompositeSessionAuthenticationStrategy, [ref('concurrentSingleSessionAuthenticationStrategy'), ref('sessionFixationProtectionStrategy'), ref('registerSessionAuthenticationStrategy')])
// Rejects requests whose registry entry has been marked expired; it does not by itself
// remove a session from the registry when the container times it out — TODO confirm.
concurrentSessionFilter(ConcurrentSessionFilter, ref('sessionRegistry'))
application.groovy
// Logout handlers the LogoutFilter runs, in this order, when the user requests the logout
// URL. They are only reached through that filter: a container session timeout does not
// invoke them, which matches the behaviour described in the question.
grails.plugin.springsecurity.logout.handlerNames = ['customSessionLogoutHandler', 'customSecurityContextLogoutHandler']
CustomSecurityContextLogoutHandler.groovy
package com.test
import org.springframework.security.core.session.SessionRegistry
import org.springframework.security.web.authentication.logout.LogoutHandler
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.Assert;
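/**
 * LogoutHandler that removes the current HTTP session from the SessionRegistry,
 * invalidates it and clears the SecurityContext.
 *
 * It is wired through grails.plugin.springsecurity.logout.handlerNames, so it runs only
 * when the LogoutFilter processes an explicit logout request. It is NOT called when the
 * servlet container expires the session on timeout — which is why it "does not trigger"
 * in that case. Timeout cleanup has to come from a session-destruction listener instead
 * (HttpSessionEventPublisher / an HttpSessionListener) — TODO confirm for this setup.
 */
public class CustomSecurityContextLogoutHandler implements LogoutHandler {

    protected final Log logger = LogFactory.getLog(this.getClass())

    private final SessionRegistry sessionRegistry

    // Same two switches as Spring's SecurityContextLogoutHandler; both default to true and
    // can be turned off from bean configuration through the setters below.
    private boolean invalidateHttpSession = true
    private boolean clearAuthentication = true

    /**
     * @param sessionRegistry registry the session is removed from; must not be null
     * @throws IllegalArgumentException if sessionRegistry is null
     */
    public CustomSecurityContextLogoutHandler(SessionRegistry sessionRegistry) {
        Assert.notNull(sessionRegistry, "sessionRegistry cannot be null")
        this.sessionRegistry = sessionRegistry
    }

    /** Whether the HTTP session is deregistered and invalidated on logout (default true). */
    public void setInvalidateHttpSession(boolean invalidateHttpSession) {
        this.invalidateHttpSession = invalidateHttpSession
    }

    /** Whether the Authentication is cleared from the SecurityContext on logout (default true). */
    public void setClearAuthentication(boolean clearAuthentication) {
        this.clearAuthentication = clearAuthentication
    }

    /**
     * Deregisters and invalidates the request's session (if one exists), then clears the
     * thread-bound security context.
     *
     * @param request        current request; must not be null
     * @param response       unused
     * @param authentication unused; the context is cleared regardless of its value
     * @throws IllegalArgumentException if request is null
     */
    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        Assert.notNull(request, "HttpServletRequest required")

        if (invalidateHttpSession) {
            // getSession(false): never create a session just to invalidate it.
            HttpSession session = request.getSession(false)
            if (session != null) {
                // A session id is a bearer credential: do not print it to stdout or write it
                // to the log, or anyone who can read the log can replay a live session.
                logger.debug("Invalidating HTTP session and removing it from the session registry")
                // Deregister first so the registry never references an already-dead session.
                this.sessionRegistry.removeSessionInformation(session.getId())
                session.invalidate()
            }
        }

        if (clearAuthentication) {
            SecurityContext context = SecurityContextHolder.getContext()
            context.setAuthentication(null)
        }
        // Drop the thread-bound context entirely so nothing leaks into the next request
        // served by this thread.
        SecurityContextHolder.clearContext()
    }
}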
CustomSecurityContextLogoutHandler.groovy
package com.test
import org.springframework.security.core.session.SessionRegistry
import org.springframework.security.web.authentication.logout.LogoutHandler
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.Assert;
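/**
 * Logout handler that deregisters the current session from the SessionRegistry,
 * invalidates it and clears the security context.
 *
 * NOTE(review): this listing is a verbatim repeat of the previous file. The bean
 * customSessionLogoutHandler in resources.groovy expects a class named
 * CustomSessionLogoutHandler, which is not shown; two files declaring the same
 * com.test.CustomSecurityContextLogoutHandler would not compile — confirm which one
 * this was meant to be.
 *
 * Like every handler listed in grails.plugin.springsecurity.logout.handlerNames it is
 * executed by the LogoutFilter on an explicit logout request only; a container session
 * timeout never reaches it, so timeout cleanup must be driven by a session-destruction
 * listener (HttpSessionEventPublisher / HttpSessionListener) — TODO confirm.
 */
public class CustomSecurityContextLogoutHandler implements LogoutHandler {

    protected final Log logger = LogFactory.getLog(this.getClass())

    private final SessionRegistry sessionRegistry

    // Configurable as in Spring's SecurityContextLogoutHandler; both default to true.
    private boolean invalidateHttpSession = true
    private boolean clearAuthentication = true

    /**
     * @param sessionRegistry registry to remove the session from; must not be null
     * @throws IllegalArgumentException if sessionRegistry is null
     */
    public CustomSecurityContextLogoutHandler(SessionRegistry sessionRegistry) {
        Assert.notNull(sessionRegistry, "sessionRegistry cannot be null")
        this.sessionRegistry = sessionRegistry
    }

    /** Switch session deregistration/invalidation on or off (default on). */
    public void setInvalidateHttpSession(boolean invalidateHttpSession) {
        this.invalidateHttpSession = invalidateHttpSession
    }

    /** Switch clearing of the Authentication on or off (default on). */
    public void setClearAuthentication(boolean clearAuthentication) {
        this.clearAuthentication = clearAuthentication
    }

    /**
     * Runs the session step and the context step in that order.
     *
     * @param request        current request; must not be null
     * @param response       unused
     * @param authentication unused; the context is cleared regardless
     * @throws IllegalArgumentException if request is null
     */
    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        Assert.notNull(request, "HttpServletRequest required")
        if (invalidateHttpSession) {
            deregisterAndInvalidate(request)
        }
        clearSecurityContext()
    }

    /** Removes the request's existing session (if any) from the registry, then invalidates it. */
    private void deregisterAndInvalidate(HttpServletRequest request) {
        // Passing false avoids creating a session only to destroy it.
        HttpSession session = request.getSession(false)
        if (session == null) {
            return
        }
        // Never emit the session id (stdout or log): it is a bearer credential and a log
        // reader could use it to hijack the session while it is still live.
        logger.debug("Invalidating HTTP session and removing it from the session registry")
        // Registry first, then container: the registry must not outlive the session.
        sessionRegistry.removeSessionInformation(session.getId())
        session.invalidate()
    }

    /** Nulls the Authentication when configured to, then drops the thread-bound context. */
    private void clearSecurityContext() {
        if (clearAuthentication) {
            SecurityContextHolder.getContext().setAuthentication(null)
        }
        // clearContext() removes the whole ThreadLocal entry so the next request on this
        // worker thread starts without a stale context.
        SecurityContextHolder.clearContext()
    }
}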
我期望的效果是：一旦会话超时或失效，就把该会话的信息从 SessionRegistry 中删除。