I need to configure expired-url in my Spring MVC application. Here is my attempt, but it has no effect:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .addFilterBefore(adminAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
        .addFilterBefore(customerAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
        .csrf()
            .disable()
        .authorizeRequests()
            .antMatchers("...", "...", "...").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/admin/login")
            .and()
        .logout()
            .addLogoutHandler(customLogoutHandler())
            .logoutSuccessHandler(customLogoutSuccessHandler())
            .logoutUrl("/logout")
            .deleteCookies("remove")
            .invalidateHttpSession(true)
            .permitAll()
            .and()
        .sessionManagement()
            .maximumSessions(1)
                .expiredUrl("/expired");
}
```
This has no effect: when a user's session times out, Spring does not redirect him to the /expired URL but to the /admin/login URL.

Update:

I tried the solutions suggested in the comments and answers, but did not see any effect. I also removed addLogoutHandler(), logoutSuccessHandler() and the two addFilterBefore() calls at the start of the method, but it does not work.

I also tried another solution:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .addFilterBefore(sessionManagementFilter(), SessionManagementFilter.class)
        .csrf()
            .disable()
        .authorizeRequests()
            .antMatchers("...", "...", "...").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/admin/login")
            .and()
        .logout()
            .logoutUrl("/logout")
            .deleteCookies("remove")
            .invalidateHttpSession(true)
            .permitAll();
}

@Bean
public SessionManagementFilter sessionManagementFilter() {
    SessionManagementFilter sessionManagementFilter = new SessionManagementFilter(httpSessionSecurityContextRepository());
    sessionManagementFilter.setInvalidSessionStrategy(simpleRedirectInvalidSessionStrategy());
    return sessionManagementFilter;
}

@Bean
public SimpleRedirectInvalidSessionStrategy simpleRedirectInvalidSessionStrategy() {
    return new SimpleRedirectInvalidSessionStrategy("/expired");
}

@Bean
public HttpSessionSecurityContextRepository httpSessionSecurityContextRepository() {
    return new HttpSessionSecurityContextRepository();
}
```
Can anyone help me solve this?
ConcurrentSessionFilter (http://docs.spring.io/spring-security/site/docs/4.0.4.RELEASE/apidocs/org/springframework/security/web/session/ConcurrentSessionFilter.html) redirects to expiredUrl if the session ID is valid (http://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html#isRequestedSessionIdValid--) but has been marked as expired in the SessionRegistry (http://docs.spring.io/autorepo/docs/spring-security/4.0.4.RELEASE/apidocs/org/springframework/security/core/session/SessionRegistry.html), see the Spring Security reference (http://docs.spring.io/autorepo/docs/spring-security/4.0.4.RELEASE/reference/htmlsingle/#nsa-concurrency-control-attributes):

- expired-url: The URL a user will be redirected to if they attempt to use a session which has been "expired" by the concurrent session controller because the user has exceeded the number of allowed sessions and has logged in again elsewhere. Should be set unless exception-if-maximum-exceeded is set. If no value is supplied, an expiry message will just be written directly to the response.

SessionManagementFilter (http://docs.spring.io/autorepo/docs/spring-security/4.0.4.RELEASE/apidocs/org/springframework/security/web/session/SessionManagementFilter.html) redirects to invalidSessionUrl if the session ID is not valid (http://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html#isRequestedSessionIdValid--) (timed out or wrong ID), see the Spring Security reference (http://docs.spring.io/autorepo/docs/spring-security/4.0.4.RELEASE/reference/htmlsingle/#sessionmanagementfilter):

If the user is not currently authenticated, the filter will check whether an invalid session ID has been requested (because of a timeout, for example) and will invoke the configured InvalidSessionStrategy, if one is set. The most common behaviour is just to redirect to a fixed URL and this is encapsulated in the standard implementation SimpleRedirectInvalidSessionStrategy. The latter is also used when configuring an invalid session URL through the namespace, as mentioned earlier.

Both URLs (expiredUrl, invalidSessionUrl) must be configured with permitAll().

BTW: if you want to use concurrent session control (http://docs.spring.io/autorepo/docs/spring-security/4.0.4.RELEASE/reference/htmlsingle/#ns-concurrent-sessions) with maximumSessions, you have to add HttpSessionEventPublisher (https://docs.spring.io/spring-security/site/docs/4.0.4.RELEASE/apidocs/org/springframework/security/web/session/HttpSessionEventPublisher.html) to your web.xml:

Concurrent Session Control

If you wish to place constraints on a single user's ability to log in to your application, Spring Security supports this out of the box with the following simple additions. First you need to add the following listener to your web.xml file to keep Spring Security updated about session lifecycle events:

```xml
<listener>
    <listener-class>
        org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
</listener>
```
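Putting the answer together, here is an added example configuration (not code from the question or the answer above) that wires both redirect targets: invalidSessionUrl for the timeout case the asker actually hit, and expiredUrl for sessions expired by concurrency control. The class name SessionExpiryConfig and the path /session-invalid are assumptions chosen for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Hypothetical class name; adapt to your own WebSecurityConfigurerAdapter.
@Configuration
@EnableWebSecurity
public class SessionExpiryConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Both redirect targets must be reachable without a valid session; otherwise
                // the redirect itself is caught as unauthenticated and bounced to /admin/login,
                // which is exactly the symptom described in the question.
                .antMatchers("/admin/login", "/expired", "/session-invalid").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/admin/login")
                .and()
            .logout()
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
                .permitAll()
                .and()
            .sessionManagement()
                // Handled by SessionManagementFilter: the requested session id is no longer
                // valid (container timeout, or an id the container never issued).
                .invalidSessionUrl("/session-invalid")
                .maximumSessions(1)
                    // Handled by ConcurrentSessionFilter: the session is still valid in the
                    // container but was expired in the SessionRegistry by concurrency control.
                    .expiredUrl("/expired");
    }

    // Publishes session created/destroyed events so the SessionRegistry behind
    // maximumSessions() stays accurate. Registering it as a bean is picked up by
    // Spring Boot; in a plain web.xml deployment keep the <listener> entry shown above.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

A quick check: log in, wait for the container session timeout, then request any protected page; the response should be a redirect to /session-invalid, while logging in a second time from another browser and refreshing the first one should redirect to /expired.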