2014-09-12 44 views
3

I am developing a web application based on Spring-Boot-1.1.6, Spring-Security-3.2.5 and so on. How do I set a custom invalid session strategy in Spring Security?

I use Java-based configuration:

import java.io.IOException;
import java.util.LinkedHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebMvcSecurity
public class SecurityCtxConfig extends WebSecurityConfigurerAdapter {

    // Every unauthenticated request is answered with a plain 403 (no redirect to a login page)
    @Bean
    DelegatingAuthenticationEntryPoint delegatingAuthenticationEntryPoint() {
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> map = new LinkedHashMap<RequestMatcher, AuthenticationEntryPoint>();
        Http403ForbiddenEntryPoint defaultEntryPoint = new Http403ForbiddenEntryPoint();
        map.put(AnyRequestMatcher.INSTANCE, defaultEntryPoint);
        DelegatingAuthenticationEntryPoint retVal = new DelegatingAuthenticationEntryPoint(map);
        retVal.setDefaultEntryPoint(defaultEntryPoint);
        return retVal;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling = http.exceptionHandling();
        exceptionHandling.authenticationEntryPoint(delegatingAuthenticationEntryPoint());
        // Logout answers 200 instead of redirecting (REST-style client)
        http.logout().logoutSuccessHandler(new LogoutSuccessHandler() {

            @Override
            public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
                    throws IOException, ServletException {
                response.setStatus(HttpServletResponse.SC_OK);
            }
        });
    }

}

The requirement is to return HTTP status 401 whenever the session cookie is invalid or missing (for whatever reason). I saw InvalidSessionStrategy, but I could not find a way to set it on the SessionManagementFilter. Can someone show me how to implement my plan, or another approach that would meet the requirement?

+0

Did you find a way to do this? – domi 2014-11-14 11:15:28

Answers

0

Since I use AspectJ (I mean compile-time weaving, not Spring AOP), it was easy to hack the creation of SessionManagementFilter by setting my custom InvalidSessionStrategy right after the SessionManagementFilter constructor:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.AfterReturning;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.http.HttpStatus;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.session.SessionManagementFilter;

@Aspect
public class SessionManagementAspect {
    private static final Log logger = LogFactory.getLog(SessionManagementAspect.class);

    // Runs right after any SessionManagementFilter constructor returns; 'smf' is bound to the new instance
    @AfterReturning("execution(org.springframework.security.web.session.SessionManagementFilter.new(..)) && this(smf)")
    public void creation(JoinPoint pjp, SessionManagementFilter smf) throws Throwable {
        logger.debug("Adding/Replacing the invalid session detection policy to return 401 in case of an invalid session");
        smf.setInvalidSessionStrategy(new InvalidSessionStrategy() {
            @Override
            public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
                logInvalidSession(request, "invalid cookie");
                if (!response.isCommitted())
                    response.sendError(HttpStatus.UNAUTHORIZED.value());
            }
        });
    }

    // Helper not shown in the original answer; minimal version that records the rejected request (not the session id)
    private static void logInvalidSession(HttpServletRequest request, String reason) {
        logger.debug("Invalid session from " + request.getRemoteAddr() + " on " + request.getRequestURI() + ": " + reason);
    }
}

If you do not use AspectJ, try adding @Component to this aspect and adding it to your context; it may work if SessionManagementFilter is a bean (since Spring AOP applies only to Spring beans).

5

We had exactly the same problem, and I solved it with this hack (yes, I know it is a hack, hence the name...). I created a BeanPostProcessor that looks for the SessionManagementFilter and reconfigures it...

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.context.annotation.Bean;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.session.SessionManagementFilter;

// Both members below are declared inside the @Configuration class
@Bean
public HackyBeanPostProcessor myBeanPostProcessor() {
    return new HackyBeanPostProcessor();
}

protected static class HackyBeanPostProcessor implements BeanPostProcessor {

    @Override
    public Object postProcessBeforeInitialization(Object bean, String beanName) {
        // FIXME check if a new spring-security version allows this in an
        // other way (current: 3.2.5.RELEASE)
        if (bean instanceof SessionManagementFilter) {
            SessionManagementFilter filter = (SessionManagementFilter) bean;
            // Replace the default redirect-to-URL behaviour with a bare 401
            filter.setInvalidSessionStrategy(new InvalidSessionStrategy() {

                @Override
                public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                }
            });
        }
        return bean;
    }

    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName) {
        return bean;
    }
}
+0

This solution works and should be listed as the accepted solution – 2015-10-02 13:12:38

3

With Spring Boot this works for me:

import javax.servlet.Filter;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.session.SessionManagementFilter;

@Configuration
@EnableWebSecurity
public class UISecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ...
        // A second SessionManagementFilter, placed after the built-in one, carries the custom strategy
        http.addFilterAfter(expiredSessionFilter(), SessionManagementFilter.class);
        ...
    }

    private Filter expiredSessionFilter() {
        SessionManagementFilter smf = new SessionManagementFilter(new HttpSessionSecurityContextRepository());
        // InvalidSessionStrategy has a single method, so a Java 8 lambda can implement it
        smf.setInvalidSessionStrategy((request, response) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session go BOOM!"));
        return smf;
    }
}
+0

Starting with Spring Security 4.2+, this can be done in XML configuration with the session-management element and its invalid-session-strategy-ref attribute inside the security http section. – antgar9 2017-12-22 13:27:44
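As an added example (not code from the question or from any of the answers above), the addFilterAfter approach combined with a 401 entry point, so that both halves of the question's requirement are covered: SessionManagementFilter only invokes the InvalidSessionStrategy when a session id was presented and is no longer valid, so a request carrying no session cookie at all never reaches it and must be answered by the AuthenticationEntryPoint instead. The class and strategy names are made up for this example, and the cookie name is assumed to be the servlet default JSESSIONID.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.session.SessionManagementFilter;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {   // hypothetical name
    // Hypothetical strategy: answer 401 and expire the stale cookie so the client stops presenting it
    static class Unauthorized401InvalidSessionStrategy implements InvalidSessionStrategy {
        @Override
        public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            // Only reached when a session id WAS sent and is invalid; a missing cookie never gets here
            Cookie expired = new Cookie("JSESSIONID", "");          // assumed default cookie name
            expired.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
            expired.setMaxAge(0);                                    // tells the browser to drop it
            expired.setHttpOnly(true);
            expired.setSecure(request.isSecure());
            response.addCookie(expired);
            if (!response.isCommitted()) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session invalid or expired");
            }
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated();
        // Case 1: no session at all -> the entry point decides; answer 401 instead of the 403/redirect default
        http.exceptionHandling().authenticationEntryPoint(
                (request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED));
        // Case 2: stale or forged session cookie -> the custom strategy on a second SessionManagementFilter
        http.addFilterAfter(invalidSessionFilter(), SessionManagementFilter.class);
    }

    private Filter invalidSessionFilter() {
        SessionManagementFilter smf = new SessionManagementFilter(new HttpSessionSecurityContextRepository());
        smf.setInvalidSessionStrategy(new Unauthorized401InvalidSessionStrategy());
        return smf;
    }
}
```

Expiring the cookie matters for detection noise as well: without it a client keeps replaying the dead session id on every request, and each one shows up as an invalid-session event.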