I am developing a website with Spring and using Spring Security for authentication. I have run into a problem I cannot solve: Spring Security - user authenticated through session destruction
<div sec:authorize="!isAuthenticated()" id="login">
    SHOW IF NOT AUTHENTICATED
</div>
<div sec:authorize="isAuthenticated()">
    Hi <span th:text="${session.user.email}"></span>
</div>
When the session is destroyed, for example by a change made through WebSecurityConfigurerAdapter, the second div is shown, which causes an internal server error because the session.user object is null.
How can I make the user "not authenticated" when their session is destroyed?
EDIT: SecurityConfig
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
        .sessionAuthenticationErrorUrl("/login?error")
        .maximumSessions(1)
            .maxSessionsPreventsLogin(false)
            .expiredUrl("/login?expired")
            .and()
        .sessionFixation().newSession();
    http.authorizeRequests()
        .antMatchers("/css/**", "/img/**", "/fonts/**", "/js/**", "/", "/home", "/prizes", "/login").permitAll()
        .anyRequest().authenticated()
        .and()
        .formLogin().loginPage("/login").loginProcessingUrl("/dologin")
            .usernameParameter("username").passwordParameter("password")
            .defaultSuccessUrl("/loginsuccessful").failureUrl("/login?invalid").permitAll()
        .and()
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/")
            .permitAll();
}
Spring Security log when calling /logout
************************************************************
Request received for GET '/logout':
[email protected]
servletPath:/logout
pathInfo:null
headers:
host: localhost:8080
user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding: gzip, deflate
referer: http://localhost:8080/
cookie: JSESSIONID=0179284CCE4040DA16C9F16D9AB14AF2
dnt: 1
connection: keep-alive
upgrade-insecure-requests: 1
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
CsrfFilter
LogoutFilter
UsernamePasswordAuthenticationFilter
ConcurrentSessionFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
2017-05-10 12:45:44.079 INFO 12028 --- [nio-8080-exec-2] Spring Security Debugger :
************************************************************
Request received for GET '/':
[email protected]
servletPath:/
pathInfo:null
headers:
host: localhost:8080
user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding: gzip, deflate
referer: http://localhost:8080/
cookie: JSESSIONID=0179284CCE4040DA16C9F16D9AB14AF2
dnt: 1
connection: keep-alive
upgrade-insecure-requests: 1
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
CsrfFilter
LogoutFilter
UsernamePasswordAuthenticationFilter
ConcurrentSessionFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
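The template above takes "am I authenticated?" from Spring Security's SecurityContext but takes the user's e-mail from a separate session attribute, so the two can disagree once the session is invalidated. The following is an added example (not the question author's code) that makes the Authentication principal the single source of truth for the view and registers the HttpSessionEventPublisher that maximumSessions(1) needs in order to learn about destroyed sessions; AppUser and its getEmail() getter are assumed names for the application's principal type.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.session.SessionDestroyedEvent;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ModelAttribute;

// Exposes "currentUser" to every view, derived from the SecurityContext of the
// current request rather than from a session attribute set at login time.
@ControllerAdvice
public class CurrentUserAdvice {

    @ModelAttribute("currentUser")
    public AppUser currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Anonymous requests carry an AnonymousAuthenticationToken whose principal is
        // a String, so the instanceof check also filters those out.
        if (auth == null || !auth.isAuthenticated() || !(auth.getPrincipal() instanceof AppUser)) {
            return null;
        }
        return (AppUser) auth.getPrincipal(); // AppUser is an assumed principal type
    }
}

@Configuration
class SessionEventsConfig {

    // Without this bean the SessionRegistry behind maximumSessions(1) is never told
    // that a session was invalidated (logout or timeout).
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    // Called for every destroyed HTTP session; release per-user resources here.
    @EventListener
    public void onSessionDestroyed(SessionDestroyedEvent event) {
        for (SecurityContext ctx : event.getSecurityContexts()) {
            Authentication auth = ctx.getAuthentication();
            if (auth != null) {
                System.out.println("Session " + event.getId() + " destroyed for " + auth.getName());
            }
        }
    }
}
```

In the template, replace `${session.user.email}` with `${currentUser.email}` and guard the div with `th:if="${currentUser != null}"`, so a request whose SecurityContext is authenticated but whose principal is missing renders nothing instead of throwing.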
There should be a session listener that listens for sessions about to be destroyed and cleans up user resources. That is when the user logs out or the session times out. –
@MinhKieu How should I clean up the Spring Security session in sessionDestroyed? – JRAR
@JRAR - if the session is destroyed, then the session will be null. Can't you check that the session is not null before calling session.user? –