Spring Security session timeout - clearing browser cache

Published 2025-01-01 05:07:29 · 3185 characters · 1 view · 0 comments


I currently have a web application that is utilizing Spring Security hosted on a JBoss 5 server.

My issue is that if a user is idle for a few minutes then their session times out due to the web.xml setting. Once in a while, when they try to hit the webapp while their session is invalid, they get a 404 error. The only way the browser can see the web app again is when the user clears their browser cache.

Is there a way to fix this so that the user doesn't have to clear out their browser cache?

Here is my Spring Security XML:

<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/login" access="permitAll" />
    <security:intercept-url pattern="/resources/**" access="permitAll" />
    <security:intercept-url pattern="/import/trades" access="permitAll" />
    <!--
        The roles are prefixed with the word ROLE
        and are upper case due to the ldapAuthoritiesPopulator config section
    -->
    <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_NBFIEPN_USERS', 'ROLE_NBFIEPN_DEVELOPERS')" />

    <security:form-login login-page="/login" authentication-failure-url="/login?error=true"/>

    <security:logout />
</security:http>

Here's my web.xml file. I have currently set the session timeout to 1 minute to replicate the issue.

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                        http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <display-name>TBA Web Application</display-name>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring/security-config.xml
        </param-value>
    </context-param>
    <servlet>
        <servlet-name>horizon</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                /WEB-INF/spring/applicationContext.xml
                /WEB-INF/spring/applicationContext-service.xml
                /WEB-INF/spring/mvc-config.xml
            </param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>horizon</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Session timeout in minutes -->
    <session-config>
        <session-timeout>1</session-timeout>
    </session-config>

</web-app>

Comments (1)

乖乖 2025-01-08 05:07:29

Add this configuration to your Spring Security configuration:

<security:http...>
   ...
  <security:session-management invalid-session-url="/login"/>
</security:http>

Description for the invalid-session-url parameter:

The URL to which a user will be redirected if they submit an invalid session identifier. Typically used to detect session timeouts.

It should guide the user with an invalid session to the login page.
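As an added illustration (not part of the answer above, and not Spring Security's own code), the following hypothetical servlet filter spells out the check that invalid-session-url relies on: a request carrying a JSESSIONID the container no longer recognises is redirected to /login, while a first visit with no session id is passed through. The class and method names are assumptions for this example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (example code, not Spring Security's implementation)
 * showing the check behind invalid-session-url: a request that presents a
 * session id the container no longer knows (typically after the web.xml
 * timeout) is sent to the login page; a visit with no session id at all is
 * left alone so first-time users are not bounced.
 */
public class InvalidSessionRedirectFilter implements Filter {

    // Same value as invalid-session-url="/login" in the answer.
    private static final String INVALID_SESSION_URL = "/login";

    public void init(FilterConfig filterConfig) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isStaleSession(request)) {
            // Open a fresh session so the browser receives a new JSESSIONID and
            // stops resubmitting the expired one on every request.
            request.getSession(true);
            // Make sure the redirect itself is never served from the browser cache.
            response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
            response.setHeader("Pragma", "no-cache");
            response.sendRedirect(request.getContextPath() + INVALID_SESSION_URL);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True only when the client sent a session id that no longer maps to a live session. */
    static boolean isStaleSession(HttpServletRequest request) {
        return request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
    }

    public void destroy() { }
}
```

Registered in web.xml with a `<filter-mapping>` on `/*` like the springSecurityFilterChain in the question, it produces a 302 to /login instead of the 404 the asker sees; the `<security:session-management>` element in the answer gives the same behaviour without custom code.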
