如果管理员禁用或删除了用户,即使他们有 Activity session ,我也希望用户注销。 我正在使用过滤器执行此操作,但我无法清除 session ,我什至不明白为什么?
我还在 web.xml 文件中添加了 HttpSessionEventPublisher
public class CheckUserFilter extends GenericFilterBean{
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
@Autowired
private UserService userService;
@Autowired
private SessionRegistryImpl sessionRegistryImpl;
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException{
boolean enabled = true;
HttpServletRequest req = (HttpServletRequest) request;
String ajaxHeader = ((HttpServletRequest) request).getHeader("X-Requested-With");
if ("XMLHttpRequest".equals(ajaxHeader)) {
if (!authenticationTrustResolver.isAnonymous(SecurityContextHolder.getContext().getAuthentication())) {
UserDetails loggedUser = (UserDetails) SecurityContextHolder.getContext()
.getAuthentication().getPrincipal();
enabled = userService.isUserEnabled(loggedUser.getUsername(), req);
if(!enabled){
//req.logout();
List<SessionInformation> sessions = sessionRegistryImpl.getAllSessions(SecurityContextHolder.getContext()
.getAuthentication().getPrincipal(), false);
sessionRegistryImpl.getSessionInformation(sessions.get(0).getSessionId()).expireNow();
request.getRequestDispatcher("/login").forward(request, response);
}
}
}
chain.doFilter(request, response);
}
}
最佳答案
HttpSession 对象具有使自身过期的 invalidate 方法。
https://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/http/HttpSession.html#invalidate()
关于java - 如何以编程方式使用户超时 session 过期,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58544240/