0

我正在使用 Spring Security 3.1,但我遇到了会话超时问题。我在web.xml
中设置了会话超时,如下所示:

<session-config>
    <session-timeout>
        45
    </session-timeout>
</session-config>

所以会话应该在 45 分钟后过期。
但是我注意到会话恰好在 2 分钟后过期!无论我是否正在使用应用程序。

这些是我的春季安全豆:

<bean id="ConcurrentSessionFilterAdmin" class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <property name="sessionRegistry" ref="sessionRegistry"/>
    <property name="logoutHandlers">
        <list>
            <ref bean = "logoutHandler"/>
        </list>
    </property>
    <property name="expiredUrl" value="/admin/login.jsp?error=expiredURL"/>
</bean>
<bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" autowire="byType" />

<bean id="logoutHandler"
    class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
</bean>

<bean id="securityContextPersistenceFilter"
    class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    <property name="securityContextRepository" ref="securityContextRepository"/>
</bean>

<bean id="securityContextRepository"
    class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
    <property name="allowSessionCreation" value="false" />
</bean>
<bean id="logoutFilterAdmin"
    class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg value="/admin/login.jsp" />
    <constructor-arg>
        <list>
            <ref bean="logoutHandler"/>
        </list>
    </constructor-arg>
    <property name="filterProcessesUrl" value="/admin/j_spring_security_logout"></property>
</bean>
<bean id="usernamePasswordAuthenticationFilterAdmin"
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="usernameParameter" value="j_username"/>
    <property name="passwordParameter" value="j_password"/>
    <property name="allowSessionCreation" value="false"/>
    <property name="authenticationFailureHandler" ref="authenticationFailureHandlerAdmin"/>
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationSuccessHandler" ref="authenticationSuccessHandlerAdmin"/>
    <property name="continueChainBeforeSuccessfulAuthentication" value="false"/>
    <property name="filterProcessesUrl" value="/admin/j_spring_security_check"/>
    <property name="sessionAuthenticationStrategy" ref="sessionAuthenticationStrategy"/>
</bean>
<bean id="authenticationFailureHandlerAdmin"
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/admin/login.jsp?error=loginfailed" />
</bean>
<bean id="authenticationSuccessHandlerAdmin" 
    class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <property name="requestCache" ref="requestCache"/>
    <property name="defaultTargetUrl" value="/admin/index.html"/>
</bean>

<bean id="requestCache" class="org.springframework.security.web.savedrequest.HttpSessionRequestCache"/>

<bean id="sessionAuthenticationStrategy"
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    <property name="maximumSessions" value="1" />
    <property name="migrateSessionAttributes" value="true"/>
</bean>

<bean id="basicAuthenticationFilterAdmin"
    class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
    <property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
    <property name="authenticationManager" ref="authenticationManager"/>
</bean>
<bean id="authenticationDetailsSource"
    class="org.springframework.security.authentication.AuthenticationDetailsSourceImpl"/>
<bean id="requestCacheAwareFilter"
    class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter">
    <constructor-arg ref="requestCache"/>
</bean>

<bean id="securityContextHolderAwareRequestFilter"
    class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">
    <property name="rolePrefix" value="ROLE_"/>
</bean>

<bean id="anonymousAuthenticationFilter"
    class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
    <constructor-arg value="KEY"/>
</bean>

<bean id="sessionManagementFilterAdmin" class="org.springframework.security.web.session.SessionManagementFilter">
    <constructor-arg ref="securityContextRepository"/>
    <constructor-arg ref="sessionAuthenticationStrategy"/> 
    <property name="authenticationFailureHandler" ref="authenticationFailureHandlerAdmin"/>
    <property name="invalidSessionStrategy" ref="invalidSessionStrategyAdmin"/>
</bean>
<bean id="invalidSessionStrategyAdmin"
    class="org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy">
    <constructor-arg value="/admin/login.jsp"/>
    <property name="createNewSession" value="false"/>
</bean>
<bean id="exceptionTranslationFilter"
    class="org.springframework.security.web.access.ExceptionTranslationFilter">     
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
    <property name="accessDeniedHandler" ref="accessDeniedHandler" />
    <property name="requestCache" ref="requestCache"/>
</bean>
<bean id="authenticationEntryPoint"
    class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint">
</bean>
<bean id="accessDeniedHandler"
    class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
</bean>
 <bean id="filterSecurityInterceptorAdmin"
    class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="securityMetadataSource" ref="myFilterInvocationSecurityMetadataSource" />
</bean>
<bean id="myFilterInvocationSecurityMetadataSource" class="com.datx.security.model.MyFilterSecurityMetadataSource" autowire="byName" scope="prototype">
</bean>


两分钟后,我被重定向到/admin/login.jsp?error=expiredURL第一个 bean 配置中设置的位置。(这意味着会话已过期)

问题是这些 bean 中的哪一个负责会话过期?我没有设置什么属性导致这个问题?

4

1 回答 1

0

Spring Security 依赖于底层容器,即管理会话超时的容器(请添加有关您正在使用的容器的信息)。但是,我相信如果服务器兼容 Java EE,web.xml 设置通常应该具有更高的优先级。

此外,可以通过调用HttpSession.setMaxInactiveInterval()方法动态调整单个会话超时,或者可以通过调用invalidate()使会话无效。

在某些情况下,Spring Security 可能会使会话无效(例如,在登录后,用户会获得一个新的 HttpSession)。

此外,Spring Security 并发会话控制机制也可能导致会话失效,例如,如果指定了 max-sessions 值。

您可以通过为org.springframework.security.*命名空间设置DEBUG日志记录级别 来检查 Spring Security 何时使会话无效,因为 Spring 通常将此类信息写入记录器。

于 2012-08-05T17:14:19.337 回答