我相信这个问题已经被问过很多次了,但我找不到一个好的解决方案。
当用户单击logout时,控件将转到/sessiontimeout而不是/logout。我已经看到了不同的解决方案,建议将值更改为invalidate-session到false。如果是这样,我们如何根据spring标准使会话无效?
我尝试了这个解决方案,但是如果我们尝试用相同的用户再次登录,它会给出一个本质,即前一个会话仍然存在。
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">
<context:property-placeholder location="classpath*:META-INF/spring/*.properties"/>
<context:component-scan base-package="blah.blah.blah" />
<http pattern="/resources/**" security="none"/>
<http access-decision-manager-ref="accessDecisionManager" use-expressions="true">
<http access-decision-manager-ref="accessDecisionManager" use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/loginfailed" access="permitAll" />
<intercept-url pattern="/sessiontimeout" access="permitAll" />
<intercept-url pattern="/sessionTerminated" access="permitAll" />
<logout delete-cookies="JSESSIONID" logout-success-url="/login" logout-url="/logout" invalidate-session="true"/>
<session-management session-authentication-error-url="/loginfailed" session-fixation-protection="newSession" invalid-session-url="/sessiontimeout">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/sessionTerminated" session-registry-alias="sessionRegistry"/>
</session-management>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<jdbc-user-service data-source-ref="infrastructureDataSource"
authorities-by-username-query="//query//"
users-by-username-query="//query//" />
<password-encoder ref="passwordEncoder" />
</authentication-provider>
<authentication-provider ref="authService" />
</authentication-manager>
<beans:bean id="authService" class="blah.blah.blah.blah.AuthServiceImpl" />
<beans:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<beans:bean id="customAuthenticationHandler" class="blah.blah.blah.CustomAuthenticationSuccessHandler" />
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<beans:bean id="customApplicationListener" class="blah.blah.blah.CustomApplicationListener" />
</beans:beans>
web . xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID"
version="2.5"
metadata-complete="true">
<!-- Processes application requests -->
<servlet>
<servlet-name>appContext</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appContext</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<session-config>
<session-timeout>240</session-timeout>
</session-config>
<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/appContext-servlet.xml
/WEB-INF/spring/root-context.xml
/WEB-INF/spring/root-context-security.xml</param-value>
</context-param>
<!-- Filters -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- some other stuff -->
在这里,我正在实现会话窃取(如果有人在不同的机器上使用相同的凭据登录,现有用户必须注销)和会话超时。
你们有解决这个问题的方法吗?
解决方案是这样的:
<!-- this is the pattern used in order to disable the filters for logout-success-url -->
<http pattern="/login**" security="none"></http>
<http pattern="/resources/**" security="none"/>
<http access-decision-manager-ref="accessDecisionManager" use-expressions="true">
<http access-decision-manager-ref="accessDecisionManager" use-expressions="true">
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/loginfailed" access="permitAll" />
<intercept-url pattern="/sessiontimeout" access="permitAll" />
也许您应该将logout-success-url="/login"更改为其他值。如果仍然不起作用,尝试从过滤器链中排除logout-success-url (set security = 'none')。
注:我测试了你的代码,似乎问题来自其他配置。你能把你所有的安全配置文件?根据您的实际配置,我正确地重定向到logout-success-url。