
我正在使用Spring Security 3.1,并且遇到会话超时问题。
我在web.xml中设置的会话超时如下:
使用Spring Security时,会话比预期更早超时

<!-- Container-level HTTP session timeout, in minutes (web.xml / Servlet spec);
     this is the 45-minute inactivity limit the question expects.
     NOTE(review): the value is wrapped in newlines and indentation; confirm the
     container trims it, otherwise write it as <session-timeout>45</session-timeout>. -->
<session-config> 
    <session-timeout> 
     45 
    </session-timeout> 
</session-config> 

因此会话应该在45分钟后才过期。
但是我注意到会话恰好在2分钟后就过期了!无论我是否正在使用应用程序。

这是我的Spring Security bean配置:

<!-- Concurrent-session enforcement filter. On each request it consults
     sessionRegistry; a session that has been marked expired there is logged
     out through logoutHandler and the client is redirected to expiredUrl.
     /admin/login.jsp?error=expiredURL is exactly the redirect the question
     reports after ~2 minutes, so the observed expiry originates from the
     session registry (populated by sessionAuthenticationStrategy), not from
     the container's 45-minute timeout. -->
<bean id="ConcurrentSessionFilterAdmin" class="org.springframework.security.web.session.ConcurrentSessionFilter"> 
    <property name="sessionRegistry" ref="sessionRegistry"/> 
    <property name="logoutHandlers"> 
     <list> 
      <ref bean = "logoutHandler"/> 
     </list> 
    </property> 
    <!-- Target for sessions expired by concurrent-session control. -->
    <property name="expiredUrl" value="/admin/login.jsp?error=expiredURL"/> 
</bean> 
<!-- In-memory registry of active sessions per principal, shared by
     ConcurrentSessionFilterAdmin (reads) and sessionAuthenticationStrategy
     (registers / expires). autowire="byType" has no visible effect here since
     no properties are declared. -->
<bean id="sessionRegistry" 
    class="org.springframework.security.core.session.SessionRegistryImpl" autowire="byType" /> 

<!-- Clears the SecurityContext and, with its default settings, invalidates the
     HttpSession. Reused by both the explicit logout filter and the
     concurrent-session expiry path. -->
<bean id="logoutHandler" 
    class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"> 
</bean> 

<!-- Loads the SecurityContext from securityContextRepository before the chain
     runs and stores it back afterwards. -->
<bean id="securityContextPersistenceFilter" 
    class="org.springframework.security.web.context.SecurityContextPersistenceFilter"> 
    <property name="securityContextRepository" ref="securityContextRepository"/> 
</bean> 

<!-- Session-backed SecurityContext storage. allowSessionCreation=false keeps
     the repository from creating a session just to persist the context,
     matching the stateless REST intent described in the comments; a context
     is only stored if a session already exists. -->
<bean id="securityContextRepository" 
    class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"> 
    <property name="allowSessionCreation" value="false" /> 
</bean> 
<!-- Explicit logout endpoint. Constructor args: logout success URL, then the
     list of handlers to run. Only requests to filterProcessesUrl trigger it. -->
<bean id="logoutFilterAdmin" 
    class="org.springframework.security.web.authentication.logout.LogoutFilter"> 
    <constructor-arg value="/admin/login.jsp" /> 
    <constructor-arg> 
     <list> 
      <ref bean="logoutHandler"/> 
     </list> 
    </constructor-arg> 
    <property name="filterProcessesUrl" value="/admin/j_spring_security_logout"></property> 
</bean> 
<!-- Form-login processing filter for the admin area. After a successful
     authentication it invokes sessionAuthenticationStrategy, which is where
     concurrent-session control (maximumSessions=1) registers the new session
     and may expire an older one for the same user.
     authenticationManager is referenced but not defined in this excerpt. -->
<bean id="usernamePasswordAuthenticationFilterAdmin" 
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"> 
    <property name="usernameParameter" value="j_username"/> 
    <property name="passwordParameter" value="j_password"/> 
    <!-- Do not create a session on login just to hold the saved request. -->
    <property name="allowSessionCreation" value="false"/> 
    <property name="authenticationFailureHandler" ref="authenticationFailureHandlerAdmin"/> 
    <property name="authenticationManager" ref="authenticationManager"/> 
    <property name="authenticationSuccessHandler" ref="authenticationSuccessHandlerAdmin"/> 
    <!-- false (the default): redirect via the success handler instead of
         continuing down the filter chain. -->
    <property name="continueChainBeforeSuccessfulAuthentication" value="false"/> 
    <property name="filterProcessesUrl" value="/admin/j_spring_security_check"/> 
    <property name="sessionAuthenticationStrategy" ref="sessionAuthenticationStrategy"/> 
</bean> 
<!-- Redirects failed logins (and session-authentication failures from
     sessionManagementFilterAdmin) back to the login page with an error marker. -->
<bean id="authenticationFailureHandlerAdmin" 
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> 
    <property name="defaultFailureUrl" value="/admin/login.jsp?error=loginfailed" /> 
</bean> 
<!-- On successful login, replays the request saved in requestCache if there
     is one, otherwise sends the user to defaultTargetUrl. -->
<bean id="authenticationSuccessHandlerAdmin" 
    class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"> 
    <property name="requestCache" ref="requestCache"/> 
    <property name="defaultTargetUrl" value="/admin/index.html"/> 
</bean> 

<!-- Stores the pre-login request in the HttpSession; shared by the success
     handler, requestCacheAwareFilter and exceptionTranslationFilter. -->
<bean id="requestCache" class="org.springframework.security.web.savedrequest.HttpSessionRequestCache"/> 

<!-- Runs on every successful authentication (wired into the login filter and
     sessionManagementFilterAdmin). With maximumSessions=1 a second login for
     the same user is not rejected by default: the earlier session is marked
     expired in sessionRegistry, and ConcurrentSessionFilterAdmin then sends
     that session to expiredUrl. This is the "expires after 2 minutes"
     behaviour described in the question and confirmed in the thread's last
     comment (two colleagues logged in with the same account). To refuse the
     new login instead of expiring the old one, set
     exceptionIfMaximumExceeded="true". -->
<bean id="sessionAuthenticationStrategy" 
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"> 
    <constructor-arg name="sessionRegistry" ref="sessionRegistry" /> 
    <property name="maximumSessions" value="1" /> 
    <!-- Session-fixation protection: copy attributes into the fresh session
         created at login. -->
    <property name="migrateSessionAttributes" value="true"/> 
</bean> 

<!-- HTTP Basic authentication for REST clients; on failure it delegates to
     authenticationEntryPoint (a 403 here, see below).
     authenticationManager is referenced but not defined in this excerpt. -->
<bean id="basicAuthenticationFilterAdmin" 
    class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter"> 
    <property name="authenticationDetailsSource" ref="authenticationDetailsSource"/> 
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/> 
    <property name="authenticationManager" ref="authenticationManager"/> 
</bean> 
<!-- Builds the "details" object attached to authentication requests from the
     Basic filter. -->
<bean id="authenticationDetailsSource" 
    class="org.springframework.security.authentication.AuthenticationDetailsSourceImpl"/> 
<!-- Replaces the current request with the one saved in requestCache when the
     saved request matches. -->
<bean id="requestCacheAwareFilter" 
    class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter"> 
    <constructor-arg ref="requestCache"/> 
</bean> 

<!-- Wraps the request so the Servlet API methods (getRemoteUser,
     isUserInRole, ...) are backed by the SecurityContext. rolePrefix is
     prepended to the role name passed to isUserInRole. -->
<bean id="securityContextHolderAwareRequestFilter" 
    class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter"> 
    <property name="rolePrefix" value="ROLE_"/> 
</bean> 

<!-- Populates an anonymous Authentication for unauthenticated requests. The
     constructor argument is the key that lets the matching
     AnonymousAuthenticationProvider verify that an anonymous token was
     produced by this filter.
     NOTE(review): the literal "KEY" looks like a placeholder; a predictable
     value weakens that check, so use an application-specific, non-guessable
     key (the provider, if defined elsewhere, must carry the same value). -->
<bean id="anonymousAuthenticationFilter" 
    class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter"> 
    <constructor-arg value="KEY"/> 
</bean> 

<!-- Applies sessionAuthenticationStrategy for authentications that did not go
     through the login filter (e.g. Basic) and handles requests that present
     an invalid session id via invalidSessionStrategy. Constructor args:
     the SecurityContextRepository, then the SessionAuthenticationStrategy. -->
<bean id="sessionManagementFilterAdmin" class="org.springframework.security.web.session.SessionManagementFilter"> 
    <constructor-arg ref="securityContextRepository"/> 
    <constructor-arg ref="sessionAuthenticationStrategy"/> 
    <property name="authenticationFailureHandler" ref="authenticationFailureHandlerAdmin"/> 
    <property name="invalidSessionStrategy" ref="invalidSessionStrategyAdmin"/> 
</bean> 
<!-- Redirects a client that sends a session id the container no longer knows
     (e.g. after a timeout) to the login page, without creating a new
     session. A comment in the thread suspected this bean, but the redirect
     observed in the question carries ?error=expiredURL, which is the
     expiredUrl of ConcurrentSessionFilterAdmin, not this bean's plain
     /admin/login.jsp. -->
<bean id="invalidSessionStrategyAdmin" 
    class="org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy"> 
    <constructor-arg value="/admin/login.jsp"/> 
    <property name="createNewSession" value="false"/> 
</bean> 
<!-- Translates AuthenticationException / AccessDeniedException raised further
     down the chain: unauthenticated callers go to authenticationEntryPoint
     (after the request is saved in requestCache), authenticated-but-denied
     callers to accessDeniedHandler. -->
<bean id="exceptionTranslationFilter" 
    class="org.springframework.security.web.access.ExceptionTranslationFilter">  
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint" /> 
    <property name="accessDeniedHandler" ref="accessDeniedHandler" /> 
    <property name="requestCache" ref="requestCache"/> 
</bean> 
<!-- Answers unauthenticated requests with HTTP 403 instead of redirecting to a
     login page; consistent with the REST-only usage described in the
     comments (no session, no login-page bounce per request). -->
<bean id="authenticationEntryPoint" 
    class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"> 
</bean> 
<!-- Default access-denied handling; no errorPage is set, so a 403 is returned
     rather than forwarding to a custom page. -->
<bean id="accessDeniedHandler" 
    class="org.springframework.security.web.access.AccessDeniedHandlerImpl"> 
</bean> 
<!-- URL-level authorization: looks up the required attributes for the request
     in securityMetadataSource and asks accessDecisionManager to vote.
     authenticationManager and accessDecisionManager are referenced but not
     defined in this excerpt. -->
<bean id="filterSecurityInterceptorAdmin" 
    class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor"> 
    <property name="authenticationManager" ref="authenticationManager" /> 
    <property name="accessDecisionManager" ref="accessDecisionManager" /> 
    <property name="securityMetadataSource" ref="myFilterInvocationSecurityMetadataSource" /> 
</bean> 
<!-- Application-specific source of URL -> required-attribute mappings (class
     not shown here). scope="prototype" yields a new instance per injection;
     whether that is intended for a metadata source that is normally a
     singleton is worth confirming with the author. -->
<bean id="myFilterInvocationSecurityMetadataSource" class="com.datx.security.model.MyFilterSecurityMetadataSource" autowire="byName" scope="prototype"> 
</bean> 


两分钟后,我被重定向到/admin/login.jsp?error=expiredURL,这是在第一个bean的配置中设置的。(这意味着会话已过期)

问题是:哪个bean负责会话过期?是不是我没有设置某个属性导致了这个问题?


我相信问题出在 *invalidSessionStrategyAdmin* bean。 – 2012-08-05 09:45:55


你可以尝试将allowSessionCreation设置为true – Ravi 2012-08-06 02:49:18


之前试过了。由于应用程序完全基于RESTful Web服务,如果我[再次]这样做,那么每个请求都会创建一个新会话,我会遇到更多麻烦,并且这会导致“每个请求都出现一个登录页面”。 – 2012-08-06 05:32:11

回答


Spring Security依赖于底层容器,也就是说,管理会话超时的是容器(请补充关于您正在使用的容器的信息)。不过,如果服务器符合Java EE标准,我相信web.xml中的设置通常应该具有更高的优先级。

也可以通过调用HttpSession.setMaxInactiveInterval()方法来动态调整单个会话的超时,或通过调用invalidate()使会话失效。

在某些情况下,Spring Security有可能使会话失效(例如,登录后,用户获得新的HttpSession)。

会话失效也可能由Spring Security并发会话控制机制引起,例如,如果指定了max-sessions值。

您可以通过将org.springframework.security.*命名空间的日志级别设置为DEBUG来检查Spring Security何时使会话失效,因为Spring通常会记录这类信息。


你能向我解释一下我该如何启用这个DEBUG日志吗?一个简短的提示就足够了。 – 2012-08-06 04:33:17


例如,如果您使用logback,请参见[参考](http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/overview.html)的1.3.2节,并在logback xml中使用 %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n – 2012-08-06 06:12:11


令人惊讶的是,你说对了。由于我的同事和我同时登录,所以是并发会话控制导致了这个问题。谢谢您的帮助。 – 2012-08-06 09:17:45