jsf spring安全会话超时viewExpiredException

发布于 2025-01-08 00:03:01 字数 1822 浏览 1 评论 0原文

我在使用 JSF 的 Spring Security 中遇到以下超时问题：

我自定义了会话管理过滤器，以便仅当请求的页面受到保护时（即仅允许经过身份验证的用户），用户才会被重定向到 invalidSessionUrl。我放入 Spring Security 提供的会话管理过滤器中的自定义代码是：

if (invalidSessionUrl != null) {
     String pagSolicitada = UtilSpringSecurity.extraerPagina(request);
     if ( UtilSpringSecurity.paginaAutenticada(pagSolicitada ) ) {
          request.getSession();
          redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
          return;
     }
     //the requested page doesn't require the user to be authenticated
     //so i just skip this filter and continue with the filter chain
     chain.doFilter(request, response);
     return;
}

方法“UtilSpringSecurity.extraerPagina(request)”以这种方式返回请求的页面：

public static String extraerPagina (HttpServletRequest request) {
     String uri = request.getRequestURI().toLowerCase();
     String cPath = request.getContextPath().toLowerCase();
     // uri = cPath + pagina
     int longCPath = cPath.length();
     String pagina = uri.substring(longCPath);
     return pagina;
}

并且方法“UtilSpringSecurity.paginaAutenticada(pagSolicitada)”返回 true 如果参数是一个要求用户进行身份验证的页面（我使用 IF 进行检查，考虑到我的 xml 安全配置文件的拦截 url 元素具有属性access="isAuthenticated()")：

public static boolean paginaAutenticada (String pagina) {

     if (pagina.startsWith("/faces/paginas/administracion/") || pagina.startsWith("/faces/paginas/barco/") ) {
          return true;
     }
     return false;
}

此解决方案有效，但只有一个问题：

如果我让浏览器在页面上保持空闲状态直到会话超时到期，然后我请求同一页面，然后我得到一个“viewExpiredException”。这是因为过滤器运行良好，它绕过了到 invalidSessionUrl 的重定向，但由于会话无论如何都过期了，然后我在尝试重新渲染同一页面时遇到了该异常。

如果我在会话超时过期时请求任何其他不安全的页面，它会正常工作，它会正确重定向到该页面，并且我不会收到 viewExpiredException。

有人知道如何解决这个问题吗？

先感谢您。

原文

I have the following problem with the timeouts in Spring Security with JSF:

I've customized the sessionmanagement filter so that the user is redirected to the invalidSessionUrl just if the requested page is secured (i.e. if it is allowed just for authenticated users). The custom code I put into the session management filter provided by Spring Security is:

if (invalidSessionUrl != null) {
     String pagSolicitada = UtilSpringSecurity.extraerPagina(request);
     if ( UtilSpringSecurity.paginaAutenticada(pagSolicitada ) ) {
          request.getSession();
          redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
          return;
     }
     //the requested page doesn't require the user to be authenticated
     //so i just skip this filter and continue with the filter chain
     chain.doFilter(request, response);
     return;
}

The method "UtilSpringSecurity.extraerPagina(request)" returns the requested page this way:

public static String extraerPagina (HttpServletRequest request) {
     String uri = request.getRequestURI().toLowerCase();
     String cPath = request.getContextPath().toLowerCase();
     // uri = cPath + pagina
     int longCPath = cPath.length();
     String pagina = uri.substring(longCPath);
     return pagina;
}

And the method "UtilSpringSecurity.paginaAutenticada(pagSolicitada)" returns true if the the param is a page that requires the user to be authenticated (I do the check with IFs, considering the intercept-url elements of my xml security config file which have the attribute access="isAuthenticated()"):

public static boolean paginaAutenticada (String pagina) {

     if (pagina.startsWith("/faces/paginas/administracion/") || pagina.startsWith("/faces/paginas/barco/") ) {
          return true;
     }
     return false;
}

This solution works, but it has just one problem:

If I leave the browser staying idle at a page until the session timeout expires, and then I request the same page, then I get a "viewExpiredException". This is because the filter worked well, it bypassed the redirection to the invalidSessionUrl, but as the session expired anyway, then I get that exception trying to re-render the same page.

If I request any other unsecured page when the session timout has expired, it works well, it redirects correctly to the page and I don't get the viewExpiredException.

Anyone knows how to solve this?

Thank you in advance.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

屋顶上的小猫咪 2025-01-15 00:03:01

Spring security 应该为未经身份验证的用户提供对页面集的匿名访问。下面是我的 XML 配置的摘录，说明了我如何实现这一目标。

<http auto-config="true" access-denied-page="/unauthorized.xhtml" >
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
    <intercept-url pattern="/app/**" access="ROLE_USER,ROLE_ADMIN" />
    <intercept-url pattern="/*.xhtml" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <form-login login-page="/login.xhtml" login-processing-url="/j_spring_security_check"
        authentication-success-handler-ref="authenticationSuccessBean"
        authentication-failure-handler-ref="authenticationFailureBean"  />
    <session-management invalid-session-url="/login.xhtml" >
    </session-management>
</http>

我本质上使用 intercept-url 标签来声明某些相对上下文中的页面只能由以下角色访问。您可以看到 Web 应用程序默认上下文中的所有页面都可供匿名用户使用。如果用户无权查看该页面，那么他们将被重定向到访问拒绝页面。

唯一的问题是您的 User bean 必须实现 UserDetails 接口，并具有返回实现 GrantedAuthority 接口的角色 bean 的属性。 Spring 将查找具有 GrantedAuthority 属性的 UserDetails 来确定角色是什么。如果该用户不存在、未经身份验证或未知，则它将默认为匿名角色。

Spring security should give you anonymous access to sets of pages for an un-authenticated user. Below is an excerpt of my XML configuration for how I achieved this.

<http auto-config="true" access-denied-page="/unauthorized.xhtml" >
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
    <intercept-url pattern="/app/**" access="ROLE_USER,ROLE_ADMIN" />
    <intercept-url pattern="/*.xhtml" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <form-login login-page="/login.xhtml" login-processing-url="/j_spring_security_check"
        authentication-success-handler-ref="authenticationSuccessBean"
        authentication-failure-handler-ref="authenticationFailureBean"  />
    <session-management invalid-session-url="/login.xhtml" >
    </session-management>
</http>

I essentially use intercept-url tags to claim that pages within certain relative contexts can only be accessed by the following roles. You can see that all pages at the web application default context are available to anonymous users. If the user is unauthorized to view the page then they will be redirected to access-denied-page.

The only catch is that your User bean has to implement the UserDetails interface and have a property that returns a role bean which implements the GrantedAuthority interface. Spring will look for a UserDetails to have a GrantedAuthority property to determine what the role is. If this user does not exist, is unauthenticated, or unknown then it will default to anonymous role.

回复收藏 0 原文

白鸥掠海 2025-01-15 00:03:01

最后我解决了。这是一个 JSF 问题，与 Spring Security 无关。

我以这种方式重写了 jsf 的 RestoreView 方法：

@Override
public UIViewRoot restoreView(FacesContext facesContext, String viewId) {
     UIViewRoot root = wrapped.restoreView(facesContext, viewId);
     if(root == null) {
          root = createView(facesContext, viewId);
     }
     return root;
}

现在的问题是，如果页面有参数，当我向最近创建的视图发送帖子时，我会丢失它们，但这是再次处理 JSF 的另一个明显问题（PRG 模式）。

Finally I solved it. It's a JSF issue, nothing to do with Spring Security.

I've overriden the restoreView method of jsf this way:

@Override
public UIViewRoot restoreView(FacesContext facesContext, String viewId) {
     UIViewRoot root = wrapped.restoreView(facesContext, viewId);
     if(root == null) {
          root = createView(facesContext, viewId);
     }
     return root;
}

Now the problem is that if the page had parameters, I lost them when I do the post to the recently created view, but that's another distinct issue (PRG pattern) dealing again with JSF.

回复收藏 0 原文

~没有更多了~