2016-08-02 88 views

我是 Spring Security 新手。会话超时后，点击任何选项卡/链接时，我希望重定向到登录页面。如何在 Spring Security 3.2 中处理会话超时？

我有以下的配置在我的安全上下文

<!-- Turns on method-level security for both annotation families: pre/post annotations
     and secured annotations. The custom expression handler below is commented out,
     so the default one is used.
     NOTE(review): this element is unprefixed while the rest of the file uses the security:
     prefix; the root namespace declarations are not shown here, so confirm it resolves to
     the Spring Security namespace. -->
<global-method-security pre-post-annotations="enabled" 
    secured-annotations="enabled"> 
    <!-- <expression-handler ref="expressionHandler"/> --> 
</global-method-security> 

<!-- Paths declared with security="none" bypass the Spring Security filter chain completely:
     no authentication, no security context and no filter-provided protections apply to them.
     Keep this list limited to static, non-sensitive pages.
     NOTE(review): /resources/images/* matches a single path segment only; nested image
     folders are not exempted by it.
     NOTE(review): the expired-url used by concurrency-control in this file is
     /pages/common/SessionTimeout.html, which is not in this list (only /SessionTimeout.html* is). -->
<security:http pattern="/pages/common/UnAuthorized.html*" 
    security="none" /> 
<security:http pattern="/resources/images/*" security="none" /> 
<security:http pattern="/Logout.html*" 
    security="none" /> 
<security:http pattern="/SessionTimeout.html*" 
    security="none" /> 

<!-- Main filter chain. Every remaining URL requires a fully authenticated user.
     Authentication is supplied by the custom bean "siteminderFilter" at the PRE_AUTH_FILTER
     position; the entry point bean "http403EntryPoint" is declared in this file as
     Http403ForbiddenEntryPoint, so an unauthenticated request is answered with 403 and is
     never redirected to a login page by the entry point.
     NOTE(review): presumably siteminderFilter trusts an identity header set by the SiteMinder
     agent (its bean definition is not shown). Confirm the application is reachable only through
     that agent, because a header-based identity is only as trustworthy as the network path.
     NOTE(review): no security:csrf element is visible; in the 3.2 XML namespace CSRF protection
     is opt-in, so confirm whether leaving it off is intentional. -->
<security:http auto-config="false" use-expressions="true" 
    entry-point-ref="http403EntryPoint"> 
    <security:intercept-url pattern="/**" 
     access="fullyAuthenticated" /> 
    <security:custom-filter position="PRE_AUTH_FILTER" 
     ref="siteminderFilter" /> 
    <!-- Logout at /logout: invalidates the HTTP session, asks the browser to drop the
         JSESSIONID and SMSESSION cookies, then redirects to /Logout.html. -->
    <security:logout delete-cookies="JSESSIONID,SMSESSION" 
     invalidate-session="true" logout-url="/logout" logout-success-url="/Logout.html" /> 
    <!-- invalid-session-url: target for requests that arrive with a session id the container
         no longer knows. expired-url: target for sessions expired by concurrency control.
         NOTE(review): with a pre-authentication filter the request is likely re-authenticated,
         and a new session created, before session management ever sees an unauthenticated
         request with an invalid session id. That would explain why only
         RegisterSessionAuthenticationStrategy is reached and the redirect never fires.
         NOTE(review): the two URLs differ (/SessionTimeout.html vs
         /pages/common/SessionTimeout.html) and only the first is exempted with security="none";
         confirm the expired-url target can be served without authentication. -->
    <security:session-management 
     invalid-session-url="/SessionTimeout.html"> 
     <security:concurrency-control expired-url="/pages/common/SessionTimeout.html" /> 
    </security:session-management> 
</security:http> 

<!-- Authentication manager, exposed under the alias "authenticationManager". It delegates to
     the bean "customAuthenticationProvider", whose definition is not part of this excerpt. -->
<security:authentication-manager alias="authenticationManager"> 
    <security:authentication-provider 
     ref="customAuthenticationProvider"> 
    </security:authentication-provider> 
</security:authentication-manager> 

<!-- In-memory session registry bean.
     NOTE(review): the concurrency-control element in this file has no session-registry-ref,
     so this bean does not appear to be the registry that concurrency control uses; confirm
     whether it is referenced elsewhere or can be removed. -->
<beans:bean id="sessionRegistry" 
    class="org.springframework.security.core.session.SessionRegistryImpl" /> 
<!-- Entry point used by the main filter chain: rejects unauthenticated requests with
     HTTP 403 instead of starting a login flow. -->
<beans:bean id="http403EntryPoint" 
    class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" /> 

并且在 web.xml 中注册了会话事件监听器以及会话超时配置

<!-- Container session settings: idle timeout of 2 minutes, session id carried only in a
     cookie (no URL rewriting), and the session cookie marked HttpOnly and Secure.
     NOTE(review): with secure=true the browser returns the cookie only over HTTPS. When the
     application is exercised over plain HTTP, every request arrives without a session id,
     which can look like a session problem while debugging timeouts. -->
<session-config> 
    <session-timeout>2</session-timeout> 
    <cookie-config> 
     <http-only>true</http-only> 
     <secure>true</secure> 
    </cookie-config> 
    <tracking-mode>COOKIE</tracking-mode> 
</session-config> 

<!-- Publishes HTTP session created/destroyed events into the Spring context, so that the
     session registry can drop sessions the container has timed out. -->
<listener> 
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class> 
</listener> 
<!-- Delegates to a Spring bean named "localDeploymentFilter" (bean not shown).
     NOTE(review): the name suggests a filter meant for local development only; confirm it is
     not mapped in production deployments, especially if it supplies identity headers. -->
<filter> 
    <filter-name>localDeploymentFilter</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
</filter> 
<!-- Standard hook for the Spring Security filter chain.
     NOTE(review): no filter-mapping is visible in this excerpt; without a mapping to /* the
     security filters would not run at all. Confirm the mapping exists in the full file. -->
<filter> 
<filter-name>springSecurityFilterChain</filter-name> 
<filter-class> 
       org.springframework.web.filter.DelegatingFilterProxy 
</filter-class> 
</filter> 
<!-- Spring MVC front controller, started eagerly at deployment. -->
<servlet> 
<servlet-name>spring-dispatcher</servlet-name> 
    <servlet-class> 
     org.springframework.web.servlet.DispatcherServlet 
    </servlet-class> 
    <load-on-startup>1</load-on-startup> 
</servlet> 

我不知道我在这里遗漏了什么。但是请求并没有被重定向到会话超时页面。

当我调试 Spring 的代码时，我看到只有“RegisterSessionAuthenticationStrategy”被调用，并且在已有会话的基础上创建了新的会话。我原本期待有代码会重定向到会话过期 URL，但是在调试过程中我没有找到。

回答


你的web.xml文件应该是这样的:

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
     http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0"> 

     <display-name>Local-Dev Timeout POC</display-name> 

    <!-- Registers the Spring Security filter chain and maps it to every request (/*), so all
         URLs pass through the security filters before reaching the servlet. -->
    <filter> 
      <filter-name>springSecurityFilterChain</filter-name> 
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
    </filter> 

    <filter-mapping> 
      <filter-name>springSecurityFilterChain</filter-name> 
      <url-pattern>/*</url-pattern> 
    </filter-mapping> 

    <!-- Spring MVC front controller "spring-web", mapped as the default servlet (/). -->
    <servlet> 
      <servlet-name>spring-web</servlet-name> 
      <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
    </servlet> 

    <servlet-mapping> 
      <servlet-name>spring-web</servlet-name> 
      <url-pattern>/</url-pattern> 
    </servlet-mapping> 

    <!-- Idle timeout of 1 minute, session id carried only in a cookie.
         NOTE(review): unlike the configuration in the question, this block has no cookie-config,
         so the HttpOnly and Secure flags on the session cookie fall back to container defaults.
         Keep the http-only and secure settings when adapting this to a real deployment.
         NOTE(review): no HttpSessionEventPublisher listener appears in this excerpt; concurrency
         control relies on it to learn about sessions the container has timed out. -->
    <session-config> 
      <session-timeout>1</session-timeout> 
      <tracking-mode>COOKIE</tracking-mode> 
    </session-config> 

你的Spring配置应该是这样的

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc" 
     xmlns:context="http://www.springframework.org/schema/context" xmlns:security="http://www.springframework.org/schema/security" 
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd 
     http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd 
     http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd 
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd"> 

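     <!-- Form-login filter chain, written against the spring-security-4.0 schema: expressions
          are enabled by default and hasRole('USER') checks the ROLE_USER authority. On 3.2 the
          same rules need use-expressions="true" and hasRole('ROLE_USER'). -->
     <security:http auto-config="true"> 

      <!-- NOTE(review): an unauthenticated keep-alive endpoint that touches the session resets
           the idle timer; confirm it cannot be used to hold sessions open indefinitely. -->
      <security:intercept-url pattern="/keep-alive" access="permitAll" /> 
      <!-- Static assets stay public, as they were when no access rule matched them. -->
      <security:intercept-url pattern="/resources/**" access="permitAll" /> 
      <!-- "/**" instead of "/*": the single-star Ant pattern matches one path segment only, so
           nested paths such as /a/b had no access rule and were served without authentication. -->
      <security:intercept-url pattern="/**" access="hasRole('USER')" /> 
      <security:form-login authentication-failure-url="/denied" /> 
      <!-- At most 10 concurrent sessions per user; an 11th login is rejected rather than
           expiring the oldest session. Requests on an expired session are sent to /expired.
           This depends on HttpSessionEventPublisher being registered as a listener in web.xml;
           without it, timed-out sessions stay counted and a user can end up locked out. -->
      <security:session-management> 
        <security:concurrency-control max-sessions="10" expired-url="/expired" error-if-maximum-exceeded="true" /> 
      </security:session-management> 
    </security:http> 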

    <!-- In-memory user store with one account holding ROLE_USER.
         NOTE(review): the password is stored in plaintext and is trivially guessable. This is
         acceptable only for a local proof of concept; a deployed application should use a real
         user store and a password-encoder (for example bcrypt) instead of this block. -->
    <security:authentication-manager> 
      <security:authentication-provider> 
        <security:user-service> 
          <security:user name="greg" password="password" authorities="ROLE_USER" /> 
        </security:user-service> 
      </security:authentication-provider> 
    </security:authentication-manager> 

    <!-- Scans the net.isban package for annotated Spring components. -->
    <context:component-scan base-package="net.isban" /> 

    <!-- Resolves ${...} placeholders from application.properties on the classpath. -->
    <context:property-placeholder location="classpath:application.properties" /> 

    <!-- Enables annotation-driven Spring MVC controllers. -->
    <mvc:annotation-driven /> 

    <!-- Serves static files under /resources/ for any URL matching /resources/**. -->
    <mvc:resources mapping="/resources/**" location="/resources/" /> 

    <!-- Thymeleaf view stack: templates are resolved from /WEB-INF/views/ with an .html suffix
         and processed in HTML5 mode. Files under WEB-INF are not directly addressable by
         clients, so templates are reachable only through the view resolver. -->
    <bean id="templateResolver" class="org.thymeleaf.templateresolver.ServletContextTemplateResolver"> 
      <property name="prefix" value="/WEB-INF/views/" /> 
      <property name="suffix" value=".html" /> 
      <property name="templateMode" value="HTML5" /> 
    </bean> 

    <!-- Template engine wired to the resolver above. -->
    <bean id="templateEngine" class="org.thymeleaf.spring4.SpringTemplateEngine"> 
      <property name="templateResolver" ref="templateResolver" /> 
    </bean> 

    <!-- Spring MVC view resolver that renders views through the Thymeleaf engine. -->
    <bean class="org.thymeleaf.spring4.view.ThymeleafViewResolver"> 
      <property name="templateEngine" ref="templateEngine" /> 
    </bean> 

如果他们没有登录,因为会话已过期,他们将被重定向到登录。


感谢您的回答。但是这些配置我在 web.xml 和 Spring Security 中都已经有了。我已经把这些内容更新到我的问题中，请再看一下 – Bharani