spring-security - 如何在 Spring Security 中设置自定义无效 session 策略

我正在开发基于 Spring-Boot - 1.1.6、Spring -Security -3.2.5 等的 Web 应用程序。

我正在使用基于 Java 的配置:

@Configuration
@EnableWebMvcSecurity
public class SecurityCtxConfig extends WebSecurityConfigurerAdapter {


    @Bean
    DelegatingAuthenticationEntryPoint delegatingAuthenticationEntryPoint() {
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> map = new LinkedHashMap<RequestMatcher, AuthenticationEntryPoint>();
        Http403ForbiddenEntryPoint defaultEntryPoint = new Http403ForbiddenEntryPoint();
        map.put(AnyRequestMatcher.INSTANCE, defaultEntryPoint);
        DelegatingAuthenticationEntryPoint retVal = new DelegatingAuthenticationEntryPoint(map);
        retVal.setDefaultEntryPoint(defaultEntryPoint);
        return retVal;
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling = http.exceptionHandling();
        exceptionHandling.authenticationEntryPoint(delegatingAuthenticationEntryPoint());
        http.logout().logoutSuccessHandler(new LogoutSuccessHandler() {

            @Override
            public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication arg2)
                    throws IOException, ServletException {
                response.setStatus(HttpServletResponse.SC_OK);
            }
        });
    }

}

要求是在 session cookie无效或丢失的情况下返回Http状态401(无论原因)
我看到了 InvalidSessionStrategy但我没有找到在 SessionManagementFilter 上设置它的方法.
有人可以指导我如何实现我的计划或另一个满足要求的计划吗

最佳答案

使用 SpringBoot 这对我有用:

@Configuration
@EnableWebSecurity
public class UISecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ...
        http.addFilterAfter(expiredSessionFilter(), SessionManagementFilter.class);
        ...
    }

    private Filter expiredSessionFilter() {
        SessionManagementFilter smf = new SessionManagementFilter(new HttpSessionSecurityContextRepository());
        smf.setInvalidSessionStrategy((request, response) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session go BOOM!"));               
        return smf;
    }
}

关于spring-security - 如何在 Spring Security 中设置自定义无效 session 策略，我们在Stack Overflow上找到一个类似的问题： https://stackoverflow.com/questions/25809367/

spring-security - 如何在 Spring Security 中设置自定义无效 session 策略

上一篇：svn - Xcode 4.3 如何使用 SVN 合并来自两个开发人员的 Storyboard更改？

下一篇：caSTLe-windsor - 无需配置即可自动注册所有内容(非通用)的 IoC 容器(程序集到程序集)