弹簧安全会话超时

Question

我使用弹簧安全4.1，我面对的问题是当我尝试登录时，我几次发送回会话过期页面。我已经试过许多东西，如添加我自己也HttpSessionListener加入 org.springframework.security.web.session.HttpSessionEventPublisher 但会不断到期。我在其中一个问题中读到了这种行为的解释 “在某些情况下，Spring Security有可能使会话无效（例如，登录后，用户获得新的HttpSession）。” 我使用Fiddler工具来查看发生了什么，我看到用户已通过身份验证，但立即被重定向到会话过期页面。我想让同一个用户登录尽可能多的次数。我还在一些地方看过它将有助于转向3.x版本，但我认为它可能适用于使用旧版本弹簧的情况。请提出 。谢谢

<http auto-config="true" use-expressions="true" 
    authentication-manager-ref="authenticationManager"> 
    <session-management 
    invalid-session-url="/login?eventType=sessionTimedOut" 
    session-fixation-protection="none" 
    /> 
    <intercept-url pattern="/login" access="permitAll" /> 

    <intercept-url pattern="/*"  access="hasAnyAuthority('FF_USER','FF_ADMIN')" /> 

    <form-login login-page="/login" 
     authentication-success-handler-ref="authenticationSuccessHandler" 
     authentication-failure-handler-ref="customAuthenticationFailureHandler" 
     login-processing-url="/j_spring_security_check" 
     username-parameter="j_username" 
     password-parameter="j_password" 
     /> 

    <logout invalidate-session="false" logout-success-url="/login?eventType=logout" 
     logout-url="/j_spring_security_logout" delete-cookies="JSESSIONID"/> 

    <csrf token-repository-ref="csrfTokenRepository" /> 

</http> 

<beans:bean id="csrfTokenRepository" 
    class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository"> 
    <beans:property name="headerName" value="X-XSRF-TOKEN" /> 
</beans:bean> 

<beans:bean id="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"> 
    <beans:property name="defaultTargetUrl" value="/home"/> 
    <beans:property name="alwaysUseDefaultTargetUrl" value="true"/> 
</beans:bean> 

<beans:bean id="customAuthenticationFailureHandler" class="*.*.CustomAuthenticationFailureHandler"> 
    <beans:property name="defaultFailureUrl" value="/login?eventType=error"></beans:property> 
    <beans:property name="baseFailureUrl" value="/login?eventType=error"></beans:property> 
</beans:bean> 

<beans:bean id="authenticationManager" 
    class="org.springframework.security.authentication.ProviderManager"> 
    <beans:constructor-arg> 
     <beans:list> 
      <beans:ref bean="ldapAuthenticationProvider" /> 
     </beans:list> 
    </beans:constructor-arg> 
    <beans:property name="eraseCredentialsAfterAuthentication" 
     value="true" /> 
</beans:bean> 

Answer 1

<http> 
    <logout delete-cookies="JSESSIONID" /> 
    </http> 

Unfortunately this can't be guaranteed to work with every servlet container, so you will need to test it in your environment[8].

所以你需要添加一个实现LogoutHandler到LogoutFilter处理客户注销处理。

<http auto-config="true" use-expressions="true" authentication-manager-ref="authenticationManager"> 
... 
<custom-filter ref="logoutFilter" position="LOGOUT_FILTER" /> 
... 
</http> 


<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter"> 
     <constructor-arg name="logoutSuccessUrl" value="/login?eventType=logout" /> 
     <!-- implement LogoutHandler, Websphere log out --> 
     <constructor-arg name="handlers" ref="{customer logout }" /> 
     <property name="filterProcessesUrl" value="/j_spring_security_logout" /> 
</bean>