How to edit the timed logout in Spring Security
I am trying to figure out where the timed-logout function of Spring's light security is located, and how to edit it to use my custom logout method.
My understanding is that there does exist an editable timed-logout function, I have just thus far been unable to find it, and when/if I do, I am unsure how to make it use my logout sequence.
Thanks,
MirroredFate
EDIT FOR CLARITY:
It is a web/servlet application. I am using acegi security.
I am using the Spring session timeout right now:
In web.xml:
<session-config>
    <session-timeout>5</session-timeout>
</session-config>
I need a way to execute some code when this timeout occurs. However, I have NO idea how to do this.
If I am unable to execute code using this method, my understanding is that acegi has a way to make a session timeout; however, I have no idea how to do that either. I already have the ability to execute the code on a normal logout using acegi:
    <security:logout invalidate-session="true"
                     success-handler-ref="Logout"
                     logout-url="/logout.html" />
</security:http>
So, essentially, how do I do this same thing either with an acegi timed logout or when a session timeout occurs?
Comments (2)
The HttpSessionListener might be what you are looking for. The problem with depending on Spring's session management is that if a user simply closes his browser without logging out, the invalid-session-url will never be reached (because they never make another request). Something like this:
Then in web.xml:
That way your code will be called every time a session is destroyed, not just when a user tries to access a page after timing out. Hope that helps.
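An example of the listener approach described in the answer above, added here and not the answerer's original code. It assumes Spring Security 3 on the javax.servlet API; the package, the class name and the onSessionEnd hook are hypothetical, and the timeout check is a heuristic.

```java
package com.example.security; // hypothetical package name

import java.util.logging.Logger;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;

/*
 * Register in web.xml so the container calls this for every session:
 *   <listener>
 *     <listener-class>com.example.security.SessionEndListener</listener-class>
 *   </listener>
 */
public class SessionEndListener implements HttpSessionListener {
    private static final Logger LOG = Logger.getLogger(SessionEndListener.class.getName());
    // Session attribute where Spring Security 3 keeps the SecurityContext
    // (value of HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY).
    private static final String CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";

    @Override
    public void sessionCreated(HttpSessionEvent event) { /* nothing to do */ }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Called while the session is about to be invalidated, so attributes are still readable.
        HttpSession session = event.getSession();
        Object ctx = session.getAttribute(CONTEXT_KEY);
        Authentication auth = (ctx instanceof SecurityContext)
                ? ((SecurityContext) ctx).getAuthentication() : null;
        if (auth == null) {
            return; // session that never authenticated: no logout work needed
        }
        // Heuristic: a session idle for at least its timeout was expired by the container.
        // An explicit logout (invalidate-session="true") also lands here, with a short idle time.
        long idleMs = System.currentTimeMillis() - session.getLastAccessedTime();
        int maxIdleSec = session.getMaxInactiveInterval();
        boolean timedOut = maxIdleSec > 0 && idleMs >= maxIdleSec * 1000L;
        onSessionEnd(auth.getName(), timedOut);
    }

    // Hypothetical hook: put the cleanup shared with the "Logout" success handler here.
    // No request or response exists at this point, so it cannot redirect or write cookies.
    protected void onSessionEnd(String username, boolean timedOut) {
        LOG.info("session ended for " + username + (timedOut ? " (timeout)" : " (logout or invalidate)"));
    }
}
```

Because the explicit logout in the question also invalidates the session, cleanup placed in this listener runs for both paths; keep it idempotent or remove it from the success handler so it does not run twice.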
The session timeout period is managed by your application server (just as you have it now in the web.xml). The handling for what happens when the session timeout occurs can be specified in Spring. For instance, Spring 3.0 can specify what page to redirect the user to when they make a request after their session has been invalidated. See below.