我正在使用 Spring 开发一个网站,并使用 Spring Security 进行身份验证。 我遇到了无法解决的问题:
<div sec:authorize="!isAuthenticated()" id="login">
SHOW IF NOT AUTHENTICATED
</div>
<div sec:authorize="isAuthenticated()">
Hi <span th:text="${session.user.email}"></span>
</div>
当 session 被破坏时,例如通过 WebSecurityConfigurerAdapter 中的更改,会显示第二个 div,从而导致内部服务器错误,因为 session.user 对象为 null。
当用户的 session 被破坏时,如何使用户“未经身份验证”?
编辑:安全配置
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
.sessionAuthenticationErrorUrl("/login?error")
.maximumSessions(1)
.maxSessionsPreventsLogin(false)
.expiredUrl("/login?expired")
.and()
.sessionFixation().newSession();
http.authorizeRequests()
.antMatchers("/css/**", "/img/**", "/fonts/**", "/js/**", "/", "/home", "/prizes", "/login").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login").loginProcessingUrl("/dologin")
.usernameParameter("username").passwordParameter("password")
.defaultSuccessUrl("/loginsuccessful").failureUrl("/login?invalid").permitAll()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/")
.permitAll();
}
调用/logout时的Spring Security日志
************************************************************
Request received for GET '/logout':
org.apache.catalina.connector.RequestFacade@1512eefb
servletPath:/logout
pathInfo:null
headers:
host: localhost:8080
user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding: gzip, deflate
referer: http://localhost:8080/
cookie: JSESSIONID=0179284CCE4040DA16C9F16D9AB14AF2
dnt: 1
connection: keep-alive
upgrade-insecure-requests: 1
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
CsrfFilter
LogoutFilter
UsernamePasswordAuthenticationFilter
ConcurrentSessionFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
2017-05-10 12:45:44.079 INFO 12028 --- [nio-8080-exec-2] Spring Security Debugger :
************************************************************
Request received for GET '/':
org.apache.catalina.connector.RequestFacade@1512eefb
servletPath:/
pathInfo:null
headers:
host: localhost:8080
user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding: gzip, deflate
referer: http://localhost:8080/
cookie: JSESSIONID=0179284CCE4040DA16C9F16D9AB14AF2
dnt: 1
connection: keep-alive
upgrade-insecure-requests: 1
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
CsrfFilter
LogoutFilter
UsernamePasswordAuthenticationFilter
ConcurrentSessionFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
最佳答案
好吧,我无法使其与 isAuthenticated() 一起使用,因此我通过在 preHandle() 方法(在拦截器处)手动检查 session 中的每个用户对象来修复它
关于java - Spring Security - 用户在 session 销毁时保持身份验证,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/43887724/