java - Spring添加web.xml配置时Session总是过期

Question

我有一个使用 Spring MVC 和 Spring Security 的 Web 应用程序。当我将以下配置添加到 web.xml 时，它变得不可能登录，它只是使 session 过期并且我无法进行身份验证:

<session-config>
      <session-timeout>15</session-timeout>
      <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
        <max-age>31536000</max-age>
      </cookie-config>
      <tracking-mode>COOKIE</tracking-mode>
</session-config>

如果我删除以下内容，工作正常:

<cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
        <max-age>31536000</max-age>
</cookie-config>

和Spring配置有冲突吗？以下是我的 spring-security.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/context
    http://www.springframework.org/schema/context/spring-context-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <context:component-scan base-package="com.blank.controller"/>

    <global-method-security secured-annotations="enabled"/>

    <http auto-config="false" use-expressions="true">

        <intercept-url pattern="/usuario**" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/usuario/**" access="hasRole('ROLE_USER')" />

        <!-- Access denied page -->
        <access-denied-handler error-page="/403" />

        <form-login login-page="/login" default-target-url="/index"
            always-use-default-target="true" authentication-failure-url="/login?error"
            username-parameter="username" password-parameter="password" />
        <logout logout-success-url="/login?logout" invalidate-session="true" delete-cookies="JSESSIONID" />

        <!-- Proteção contra Cross Site Request Forgery (CSRF) -->
        <csrf />

        <session-management invalid-session-url="/invalidate.do" session-fixation-protection="migrateSession" session-authentication-error-url="/login?error">
            <concurrency-control error-if-maximum-exceeded="true" expired-url="/login?expire" max-sessions="1"/>
        </session-management>
        <remember-me key="terror-key"/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="select usuario as username, senha as password, ativo as enabled from usuario where usuario = ?"
                authorities-by-username-query="select u.usuario as username, r.nome as perfil from usuario u, perfil r, usuario_perfil ur where ur.usuario = u.id and ur.perfil = r.id and u.usuario = ?" />

            <password-encoder ref="encoder" />
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="encoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <beans:constructor-arg name="strength" value="11" />
    </beans:bean>

</beans:beans>

有什么想法吗？

提前致谢。

Answer 1

经过一些研究，我意识到这仅适用于启用 HTTPS 的情况。