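I recently ran into a problem where I am re-authenticated every time I launch a web application from the iOS home screen or bring it to the foreground (I originally added it to the home screen from Safari). This does not happen when I am directly in Safari.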

My research suggests that this can be overcome in PHP by creating/resuming a session and then adding the session cookie, like so:

// Start or resume session
session_start(); 

// Extend cookie life time by an amount of your liking
$cookieLifetime = 365 * 24 * 60 * 60; // A year in seconds
setcookie(session_name(),session_id(),time()+$cookieLifetime);

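Rather than doing this programmatically, I would like to know whether there is a way to do it through XML configuration. Otherwise, how could I accomplish something similar with Spring Security?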

Here is my security-ctx.xml:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint">
    </bean>

    <sec:http auto-config="false" entry-point-ref="http403EntryPoint">
        <sec:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
    </sec:http>

    <bean id="siteminderFilter" class=
            "org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
        <property name="principalRequestHeader" value="x-paas-uid"/>
        <property name="authenticationManager" ref="authenticationManager"/>
    </bean>

    <bean id="preauthAuthProvider"
          class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService">
            <bean id="userDetailsServiceWrapper"
                  class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                <property name="userDetailsService" ref="ldapUserDetailsService"/>
            </bean>
        </property>
    </bean>

    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref="preauthAuthProvider"/>
    </sec:authentication-manager>

    <!-- Example using LDAP, but will ultimately use database service -->
    <sec:ldap-server id="ldapServer" port="636" root="o=home"
                          url="ldaps://ldap.home.com"/>


    <sec:ldap-user-service id="ldapUserDetailsService" server-ref="ldapServer"
                           group-search-base="ou=groups,o=home"
                           role-prefix="ROLE_" group-role-attribute="cn"
                           user-search-base="ou=people,o=home" user-search-filter="uid={0}"/>
</beans>

1 Answer

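As far as I know, Spring Security does not manage the session timeout value, so there is no way to do this in the security XML out of the box. If you want to define this value system-wide (for all sessions), check your servlet container/application server documentation. In the case of Tomcat, you can add the following snippet to the web.xml descriptor: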

<web-app ....>

    .....
    <session-config>
        <!-- value is in minutes -->
        <!-- 60x24x365 -->
        <session-timeout>525600</session-timeout>
    </session-config>
    ....
</web-app>
answered 2013-03-20T17:46:00.463
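
The following is an added example, not part of the original question or answer: a complete web.xml that pairs the answer's server-side timeout with the servlet counterpart of the PHP snippet's long-lived cookie. It assumes a Servlet 3.0+ container (for example Tomcat 7 or later) and that the application is served over HTTPS; the one-year values mirror the figures used on this page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <session-config>
        <!-- Server-side idle timeout, in MINUTES (60 x 24 x 365), as in the answer -->
        <session-timeout>525600</session-timeout>

        <cookie-config>
            <!-- Keep the session id out of reach of page scripts -->
            <http-only>true</http-only>
            <!-- Assumption: the site is HTTPS-only, so the cookie is never sent in clear text -->
            <secure>true</secure>
            <!-- Cookie lifetime, in SECONDS (365 x 24 x 60 x 60). Without this element the
                 container issues a browser-session cookie (max-age -1), which the client
                 discards when its session ends, regardless of session-timeout above. -->
            <max-age>31536000</max-age>
        </cookie-config>

        <!-- Track the session by cookie only, so the id is never rewritten into URLs -->
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
</web-app>
```

The two lifetimes use different units (minutes for `session-timeout`, seconds for `max-age`), and both must be set for the session to outlive the client process: one controls when the server drops the session, the other when the client drops the cookie.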