在我的一个项目中,我已将Spring Security配置为处理用户身份验证。
我的配置文件如下所示:
<http use-expressions="true">
<intercept-url pattern="/" access="permitAll()" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login default-target-url="/main" login-page="/" always-use-default-target="true" username-parameter="userId" password-parameter="password" />
<custom-filter ref="customLogoutFilter" position="LOGOUT_FILTER"/-->
<session-management invalid-session-url="/" session-authentication-strategy-ref="sas" />
</http>
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />
<beans:bean id="customLogoutHandler" class="com.somepack.CustomLogoutHandler"/>
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg index="0" ref="customLogoutHandler"/>
<beans:constructor-arg index="1" ref="customLogoutFilter"/>
<beans:property name="filterProcessesUrl" value="/"/>
</beans:bean>
<beans:bean id="customLogoutFilter" class="com.somepack.CustomLogoutFilter">
<beans:property name="reportDir" value="/tmp/reports"/>
</beans:bean>
我的CustomLogoutFilter类看起来像
public class CustomLogoutFilter implements LogoutHandler {
private String reportDir;
public String getReportDir() {
return reportDir;
}
public void setReportDir(String reportDir) {
this.reportDir = reportDir;
}
@Override
public void logout(HttpServletRequest request,
HttpServletResponse response, Authentication authentication) {
String userName = authentication.getName();
File folder = new File(reportDir, userName);
deleteDir(folder); //delete function to delete Logged User specific directory
logService.info("Logout", userName, EventCode.LOGOUT,
String.format("User %s logged out successfully", userName));
for (Cookie cookie : request.getCookies()) {
printcookies(cookie);
if (cookie.equals("JSESSIONID")) {
cookie.setMaxAge(0);
response.addCookie(cookie);
}
}
request.getSession().invalidate();
}
}
但是这段代码不能正常工作,因为在第一次登录页面请求时调用了过滤器(即使它可能会在每个请求中被调用)并且我得到一个NullPointerException String userName = authentication.getName()line。
事实上,如果我使用Logouthandler而不是使用LogoutFilter,我会得到同样的错误:
我的处理程序如下所示:
public class CustomLogoutHandler extends AbstractAuthenticationTargetUrlRequestHandler implements LogoutSuccessHandler{
private String reportDir;
public String getReportDir() {
return reportDir;
}
public void setReportDir(String reportDir) {
this.reportDir = reportDir;
}
@Override
public void onLogoutSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication authentication) throws IOException,
ServletException {
String userName = authentication.getName();
File folder = new File(reportDir, userName);
deleteDir(folder);
logService.info("Logout", userName, EventCode.LOGOUT, String.format("User %s logged out successfully", userName));
super.handle(request, response, authentication);
}
并将配置文件更改为:
<http use-expressions="true">
<intercept-url pattern="/" access="permitAll()" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login default-target-url="/main" login-page="/" always-use-default-target="true" username-parameter="userId" password-parameter="password" />
<logout delete-cookies="JSESSIONID" invalidate-session="true" success-handler-ref="customLogoutHandler" logout-url="/logout" />
<session-management invalid-session-url="/" session-authentication-strategy-ref="sas" />
</http>
<beans:bean id="customLogoutHandler" class="sequent.ui.security.CustomLogoutHandler">
<beans:property name="reportDir" value="/tmp/reports" />
</beans:bean>
不确定如何解决此问题。
请帮忙。
简而言之,我的基本要求是,我需要在Logout机制中访问User Principal,当用户点击Logout按钮或会话到期时,该机制会触发。我需要用户信息,因为应用程序以登录用户的名义创建临时文件夹,我需要在他注销时删除。
请欣赏你的帮助!!
-Raul
答案 0 :(得分:0)
您已将filerProcessesUrl的{{1}}设置为“/”,这意味着每次用户浏览域根时,过滤器都会尝试注销该用户。使用特定的注销URL(或默认值)并在尝试注销之前检查用户是否实际经过身份验证(确保LogoutFilter实例不为空)。
如果您需要处理用户无法注销的会话超时,那么您还必须实现Authentication,该会话从会话中识别用户并执行您需要的任何清理。这将添加到您的HttpSessionListener文件中。请注意,在用户请求期间不会调用此类,因此您无法使用web.xml获取有关用户的信息,您必须从会话对象中获取它,该会话对象在会话之前传递给侦听器。无效。