Spring安全会话超时 - 清除浏览器缓存

时间:2012-02-01 14:45:54

标签: spring jboss spring-security jboss5.x

我目前有一个使用JBoss 5服务器上托管的Spring Security的Web应用程序。

我的问题是,如果用户闲置几分钟,那么由于web.xml设置,他们的会话超时。有一段时间,当他们的会话无效时尝试点击webapp时会出现404错误。浏览器可以看到Web应用程序的唯一方法是用户清除其浏览器缓存。

有没有办法修复此问题,以便用户无需清除浏览器缓存?

这是我的spring security xml 

<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/login" access="permitAll" />
    <security:intercept-url pattern="/resources/**" access="permitAll" />
    <security:intercept-url pattern="/import/trades" access="permitAll" />
    <!-- 
        The roles are prefix with the word ROLE 
        and it is upper case due to ldapAuthoritiesPopulator config section 
    -->
    <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_NBFIEPN_USERS', 'ROLE_NBFIEPN_DEVELOPERS')" />        

    <security:form-login login-page="/login" authentication-failure-url="/login?error=true"/>

    <security:logout />
</security:http>

这是我的web.xml文件。我目前已将会话超时设置为1分钟以复制问题。

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                        http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <display-name>TBA Web Application</display-name>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring/security-config.xml
        </param-value>
    </context-param>
    <servlet>
        <servlet-name>horizon</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                /WEB-INF/spring/applicationContext.xml
                /WEB-INF/spring/applicationContext-service.xml
                /WEB-INF/spring/mvc-config.xml
            </param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>horizon</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Session Timeout in minutes -->  
    <session-config> 
        <session-timeout>1</session-timeout> 
    </session-config>

</web-app>

1 个答案:

答案 0 :(得分:5)

将此配置添加到Spring安全配置

<security:http...>
   ...
  <security:session-management invalid-session-url="/login"/>
</security:http>

invalid-session-url参数的描述:

  

如果用户提交无效的会话标识符,将重定向到的URL。通常用于检测会话超时。

它应该通过登录页面的无效会话来指导用户。

相关问题
最新问题