我正在使用Spring Security 3.1,并且遇到会话超时问题。
我设置会话超时在web.xml中如下:
使用Spring Security时,会话比预期更早超时
<session-config>
<session-timeout>
45
</session-timeout>
</session-config>
因此会议应该在45分钟后至到期。
但是我注意到会话已过期恰好在2分钟后!无论我是否在使用应用程序。
这是我的春天安全豆类:
<bean id="ConcurrentSessionFilterAdmin" class="org.springframework.security.web.session.ConcurrentSessionFilter">
<property name="sessionRegistry" ref="sessionRegistry"/>
<property name="logoutHandlers">
<list>
<ref bean = "logoutHandler"/>
</list>
</property>
<property name="expiredUrl" value="/admin/login.jsp?error=expiredURL"/>
</bean>
<bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" autowire="byType" />
<bean id="logoutHandler"
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
</bean>
<bean id="securityContextPersistenceFilter"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<property name="securityContextRepository" ref="securityContextRepository"/>
</bean>
<bean id="securityContextRepository"
class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
<property name="allowSessionCreation" value="false" />
</bean>
<bean id="logoutFilterAdmin"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="/admin/login.jsp" />
<constructor-arg>
<list>
<ref bean="logoutHandler"/>
</list>
</constructor-arg>
<property name="filterProcessesUrl" value="/admin/j_spring_security_logout"></property>
</bean>
<bean id="usernamePasswordAuthenticationFilterAdmin"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="usernameParameter" value="j_username"/>
<property name="passwordParameter" value="j_password"/>
<property name="allowSessionCreation" value="false"/>
<property name="authenticationFailureHandler" ref="authenticationFailureHandlerAdmin"/>
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler" ref="authenticationSuccessHandlerAdmin"/>
<property name="continueChainBeforeSuccessfulAuthentication" value="false"/>
<property name="filterProcessesUrl" value="/admin/j_spring_security_check"/>
<property name="sessionAuthenticationStrategy" ref="sessionAuthenticationStrategy"/>
</bean>
<bean id="authenticationFailureHandlerAdmin"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/admin/login.jsp?error=loginfailed" />
</bean>
<bean id="authenticationSuccessHandlerAdmin"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="requestCache" ref="requestCache"/>
<property name="defaultTargetUrl" value="/admin/index.html"/>
</bean>
<bean id="requestCache" class="org.springframework.security.web.savedrequest.HttpSessionRequestCache"/>
<bean id="sessionAuthenticationStrategy"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<property name="maximumSessions" value="1" />
<property name="migrateSessionAttributes" value="true"/>
</bean>
<bean id="basicAuthenticationFilterAdmin"
class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
<property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
<property name="authenticationManager" ref="authenticationManager"/>
</bean>
<bean id="authenticationDetailsSource"
class="org.springframework.security.authentication.AuthenticationDetailsSourceImpl"/>
<bean id="requestCacheAwareFilter"
class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter">
<constructor-arg ref="requestCache"/>
</bean>
<bean id="securityContextHolderAwareRequestFilter"
class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">
<property name="rolePrefix" value="ROLE_"/>
</bean>
<bean id="anonymousAuthenticationFilter"
class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
<constructor-arg value="KEY"/>
</bean>
<bean id="sessionManagementFilterAdmin" class="org.springframework.security.web.session.SessionManagementFilter">
<constructor-arg ref="securityContextRepository"/>
<constructor-arg ref="sessionAuthenticationStrategy"/>
<property name="authenticationFailureHandler" ref="authenticationFailureHandlerAdmin"/>
<property name="invalidSessionStrategy" ref="invalidSessionStrategyAdmin"/>
</bean>
<bean id="invalidSessionStrategyAdmin"
class="org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy">
<constructor-arg value="/admin/login.jsp"/>
<property name="createNewSession" value="false"/>
</bean>
<bean id="exceptionTranslationFilter"
class="org.springframework.security.web.access.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
<property name="accessDeniedHandler" ref="accessDeniedHandler" />
<property name="requestCache" ref="requestCache"/>
</bean>
<bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint">
</bean>
<bean id="accessDeniedHandler"
class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
</bean>
<bean id="filterSecurityInterceptorAdmin"
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="accessDecisionManager" />
<property name="securityMetadataSource" ref="myFilterInvocationSecurityMetadataSource" />
</bean>
<bean id="myFilterInvocationSecurityMetadataSource" class="com.datx.security.model.MyFilterSecurityMetadataSource" autowire="byName" scope="prototype">
</bean>
经过两次分钟,我重定向到这是在第一个bean的配置设置/admin/login.jsp?error=expiredURL
。 (这意味着会话已过期)
问题是哪些bean负责会话过期?我没有设置什么财产导致这个问题?
我相信问题是* invalidSessionStrategyAdmin * bean。 – 2012-08-05 09:45:55
你可以尝试设置allowSessionCreation为真 – Ravi 2012-08-06 02:49:18
之前完成。由于应用程序完全基于宁静的Web服务,如果我[再次]这样做,那么对于创建新会话的每个请求,我都会遇到更多麻烦,并且这会导致“每个请求都有一个登录页面”。 – 2012-08-06 05:32:11