java 如何使用 Spring security 获取会话超时消息
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/36708580/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to get session time out message using Spring security
提问by Prasanna Kumar H A
I want to get the session time out message when the session expires.Below is my spring-security.xml
我想在会话过期时获取会话超时消息。下面是我的spring-security.xml
<http auto-config="true" use-expressions="true">
<logout logout-success-url="/" invalidate-session="true" logout-url="/LogOut"/>
<form-login login-page="/Login" username-parameter="Name" password-parameter="Pwd"/>
<session-management invalid-session-url="/?timeout=true">
<concurrency-control max-sessions="1" expired-url="/Timeout?timeout=true" />
</session-management>
</http>
According to my knowledge using above code when the session expired it should redirect to /?timeout=true OR /Timeout?timeout=true. And on logout it should go to /. But in my case on logout also its redirecting to invalid-session-urlso I am always getting timeout true for both normal logout and session timeout.
根据我的知识,当会话过期时使用上面的代码应该重定向到/?timeout=true OR /Timeout?timeout=true. 在注销时它应该转到/. 但是在我的注销情况下,它也会重定向到,invalid-session-url因此对于正常注销和会话超时,我总是得到超时为真。
Please help me to differentiate this.
请帮我区分这一点。
UPDATE
更新
/logoutrequest contains
/logout请求包含
session = request.getSession();
session.invalidate();
session = null;
采纳答案by Prasanna Kumar H A
I Solved it! by writing a filter instead depending on Spring-security.
我解决了!通过编写过滤器而不是依赖于 Spring-security。
If any one is interested they can use the below code :-
如果有人感兴趣,他们可以使用以下代码:-
import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.text.MessageFormat;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.springframework.web.filter.OncePerRequestFilter;
public class FilterToGetTimeOut extends OncePerRequestFilter {
@Override
public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException {
try {
if(request.getRequestURI().equals("/") || request.getRequestURI().equals("/Login/")){
if(request.getSession().getAttribute("login") != null && (Boolean)request.getSession().getAttribute("login") == true){
response.sendRedirect(URL); //After login page
}
} else if(request.getSession().getAttribute("login") == null && !request.getRequestURI().equals("/LogOut")){
response.sendRedirect(request.getContextPath()+"/?timeout=true"); //If timeout is true send session timeout error message to JSP
}
filterChain.doFilter(request, response);
} catch (Exception e) {
//Log Exception
}
}
}
Add this filter in web.xml.
在web.xml.
<filter>
<filter-name>FilterToGetTimeOut </filter-name>
<filter-class>package.FilterToGetTimeOut </filter-class>
</filter>
<filter-mapping>
<filter-name>FilterToGetTimeOut</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
So now session also invalidates and I can handle the session timeout too.
所以现在会话也失效了,我也可以处理会话超时。
回答by FreezY
I suggest you to logout using this:
我建议您使用以下方法注销:
HttpSession session= request.getSession(false);
SecurityContextHolder.clearContext();
if(session != null) {
session.invalidate();
}
for(Cookie cookie : request.getCookies()) {
cookie.setMaxAge(0);
}
回答by Eva Mariam
In your case what happens is when a user logout, the session is first invalidated then session management will get trigger. When session management come in, and found out the session has already gone, then sessionTimeout page will be redirect. So it will be better to set the invalidate-session of logout tag as false.
在您的情况下,当用户注销时,会话首先失效,然后会话管理将被触发。当会话管理进来时,发现会话已经消失,则 sessionTimeout 页面将被重定向。所以最好将logout标签的invalidate-session设置为false。
<logout logout-success-url="/" invalidate-session="false" logout-url="/LogOut"/>
回答by Kunwar Babu
Please define request mapping for logout-success url in your controller and from there redirect to home page. for example replace your mapping as below
请在您的控制器中定义注销成功 url 的请求映射,然后从那里重定向到主页。例如替换您的映射如下
<http auto-config="true" use-expressions="true">
<logout logout-success-url="/logoutSucess" invalidate-session="true" logout-url="/LogOut"/>
<form-login login-page="/Login" username-parameter="Name" password-parameter="Pwd"/>
<session-management invalid-session-url="/?timeout=true">
<concurrency-control max-sessions="1" expired-url="/Timeout?timeout=true" />
</session-management>
define this /logoutSucess in controller with @RequestMapping(value="/logoutSucess" method=RequestMethod.GET)
使用 @RequestMapping(value="/logoutSucess" method=RequestMethod.GET) 在控制器中定义这个 /logoutSucess
回答by Atul
I had similar issue, like
我有类似的问题,比如
- If you logged in with some user say zzzz
- You closed the browser
- Again you are trying to login with same user zzzz
- It failed to login with message for maximum session exceeded
- 如果您使用某个用户登录,请说 zzzz
- 你关闭了浏览器
- 您再次尝试使用相同的用户 zzzz 登录
- 登录失败并显示超出最大会话的消息
The code I have on my spring security file is:
我的 spring 安全文件中的代码是:
<session-management invalid-session-url="/?timeout=true">
<concurrency-control max-sessions="1" expired-url="/logout?timeout" />
I solved this issue by adding the session timeout entry in web.xml file. I put the session timeout value as 5 min, build the application and deployed. Its working fine.
我通过在 web.xml 文件中添加会话超时条目解决了这个问题。我将会话超时值设为 5 分钟,然后构建应用程序并进行部署。它的工作正常。
Might be this will help someone.
可能这会帮助某人。
Thanks, Atul
谢谢,阿图尔
