To redirect the user to the URL I want when the session times out, I recently added the following to my Spring Security configuration file....
<http pattern="/resources/**" security="none"/>
<http pattern="/resources/js/**" security="none"/>
<http pattern="/resources/css/**" security="none"/>
<!-- excluded pages -->
<http pattern="/login.htm" security="none"/>
<http pattern="/j_spring_security_check" security="none"/>
<http pattern="/accessDenied.htm" security="none"/>
<http pattern="/error.htm" security="none"/>
<http use-expressions="true" auto-config="false" entry-point-ref="loginUrlAuthenticationEntryPoint">
<!-- custom filters -->
<custom-filter position="FORM_LOGIN_FILTER" ref="twoFactorAuthenticationFilter" />
<custom-filter after="SECURITY_CONTEXT_FILTER" ref="securityLoggingFilter"/>
<!-- session management -->
<session-management
invalid-session-url="/sessionExpired.htm"
session-authentication-error-url="/alreadyLoggedIn.htm">
<concurrency-control
max-sessions="1"
expired-url="/sessionExpiredDuplicateLogin.htm"
error-if-maximum-exceeded="false"
session-registry-alias="sessionRegistry"/>
</session-management>
When the session has expired, on the next click the user is taken to /sessionExpired.htm, which is the desired effect. But now I have a problem when navigating to the login page (login.htm): I am redirected to the invalid-session url (/sessionExpired.htm).
Obviously this is not what I want to happen. I have been reading up on it, and one of the suggested solutions seems to be to delete the jsessionid cookie like this and set invalidate-session to false (I now invalidate the session in the controller method for logout.htm)...
<logout logout-success-url="/logout.htm" invalidate-session="false" delete-cookies="JSESSIONID"/>
I have tried that, but it doesn't seem to work. Can someone help me understand what is going on here and how I can fix it? It seems that when I go to the login page it is trying to remember who I am.
Thanks
Best answer
I ran into this problem with Tomcat (not sure whether it applies only to it).
From the Tomcat documentation (see here) we can conclude that the path generated for the session cookie has a trailing slash:
Some browsers, such as IE, will send a session cookie for a context with a path of /foo with a request to /foobar. To prevent this, Tomcat will add a trailing slash to the path associated with the session cookie so, in the above example, the cookie path becomes /foo/. However, with a cookie path of /foo/, IE will no longer send the cookie with a request to /foo. This should not be a problem unless there is a servlet mapped to /*. In this case this feature will need to be disabled. The default value for this attribute is true. To disable this feature, set the attribute to false.
On the other hand, spring-security's CookieClearingLogoutHandler generates a cookie path without the trailing slash. The set-cookie response header is sent to the browser, but the cookie path won't match the stored path because the trailing slash is missing.
The browser does not clear the existing JSESSIONID cookie because the paths do not match.
I solved my problem with a custom implementation of CookieClearingLogoutHandler.
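The answer above describes the custom handler but does not show it. The following is an added example, not the answerer's code or Spring Security's own: a LogoutHandler that sends an expiring Set-Cookie for each named cookie under both path spellings the browser might have stored it with, the context path without a trailing slash (what CookieClearingLogoutHandler emits: the context path, or "/" for the root context) and with one (what Tomcat emits when the Context attribute the quoted passage refers to, sessionCookiePathUsesTrailingSlash, is on). Browsers match a replacement Set-Cookie on (name, domain, path), so a "/app" cookie and a "/app/" cookie are different entries and expiring one leaves the other in place; for the root context both spellings collapse to "/", which is why the problem only appears for applications deployed under a non-root context. It assumes the Servlet 3.0 API (for setHttpOnly) and Spring Security 3.x; the class and field names are hypothetical.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;

/**
 * Added example (hypothetical class name): expires each named cookie under
 * both "/app" and "/app/" so the browser's (name, domain, path) lookup hits
 * whichever entry it actually stored.
 */
public class TrailingSlashAwareCookieClearingLogoutHandler implements LogoutHandler {

    private final String[] cookiesToClear;

    public TrailingSlashAwareCookieClearingLogoutHandler(String... cookiesToClear) {
        if (cookiesToClear == null || cookiesToClear.length == 0) {
            throw new IllegalArgumentException("at least one cookie name is required");
        }
        this.cookiesToClear = cookiesToClear.clone();
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        for (String path : candidatePaths(request.getContextPath())) {
            for (String name : cookiesToClear) {
                Cookie expired = new Cookie(name, null);
                expired.setPath(path);
                expired.setMaxAge(0);                  // Max-Age=0: browser discards the matching entry
                expired.setHttpOnly(true);             // Servlet 3.0+; keep attributes consistent with the session cookie
                expired.setSecure(request.isSecure());
                response.addCookie(expired);
            }
        }
    }

    /**
     * The path spellings to expire for a context path: "/app" (as sent by
     * CookieClearingLogoutHandler) and "/app/" (as set by Tomcat with the
     * trailing-slash behaviour on). The root context yields only "/".
     */
    static String[] candidatePaths(String contextPath) {
        if (contextPath == null || contextPath.isEmpty() || "/".equals(contextPath)) {
            return new String[] { "/" };
        }
        String noSlash = contextPath.endsWith("/")
                ? contextPath.substring(0, contextPath.length() - 1)
                : contextPath;
        return new String[] { noSlash, noSlash + "/" };
    }
}
```

One way to wire it (an assumption, not shown on the page): since the `<logout>` element has no attribute for custom handlers, define a `LogoutFilter` bean whose constructor takes the logout-success URL followed by the handlers (a `SecurityContextLogoutHandler` plus this one) and register it with `<custom-filter position="LOGOUT_FILTER" ref="logoutFilter"/>` in place of `<logout>`. Expiring the cookie only stops the browser from presenting the old session id; the server-side session still has to be invalidated (as the asker does in the logout controller), otherwise the id stays valid and can be replayed if it has leaked. The other option the quoted Tomcat passage offers is to turn the trailing-slash behaviour off in the Context, which makes the stock handler's path match again.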
Regarding "spring-security - navigating to the spring security login page redirects to invalid-session-url", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/21423039/