2014-09-12 67 views
3

I am developing a web application based on Spring-Boot-1.1.6, Spring-Security-3.2.5 and so on. How do I set a custom invalid session strategy in Spring Security?

I use Java-based configuration:

import java.io.IOException;
import java.util.LinkedHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebMvcSecurity
public class SecurityCtxConfig extends WebSecurityConfigurerAdapter {

    // Every unauthenticated request is answered with a bare 403 (no redirect to a login page).
    @Bean
    DelegatingAuthenticationEntryPoint delegatingAuthenticationEntryPoint() {
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> map = new LinkedHashMap<RequestMatcher, AuthenticationEntryPoint>();
        Http403ForbiddenEntryPoint defaultEntryPoint = new Http403ForbiddenEntryPoint();
        map.put(AnyRequestMatcher.INSTANCE, defaultEntryPoint);
        DelegatingAuthenticationEntryPoint retVal = new DelegatingAuthenticationEntryPoint(map);
        retVal.setDefaultEntryPoint(defaultEntryPoint);
        return retVal;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling = http.exceptionHandling();
        exceptionHandling.authenticationEntryPoint(delegatingAuthenticationEntryPoint());
        // Logout answers 200 instead of redirecting, as expected by an API client.
        http.logout().logoutSuccessHandler(new LogoutSuccessHandler() {

            @Override
            public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication arg2)
                    throws IOException, ServletException {
                response.setStatus(HttpServletResponse.SC_OK);
            }
        });
    }

}

The requirement is that when the session cookie is invalid or missing (for whatever reason), HTTP status 401 is returned. I saw InvalidSessionStrategy, but I cannot find a way to set it on the SessionManagementFilter. Could someone please show me how to implement my plan, or another approach that will meet the requirement?

+0

Did you find a way to do this? – domi 2014-11-14 11:15:28

Answers

0

Since I use AspectJ (I mean compile-time weaving, not Spring AOP), it was easy to hack the creation of SessionManagementFilter by setting my custom InvalidSessionStrategy after the SessionManagementFilter constructor:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.AfterReturning;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.http.HttpStatus;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.session.SessionManagementFilter;

@Aspect
public class SessionManagementAspect {
    private static final Log logger = LogFactory.getLog(SessionManagementAspect.class);

    // Runs after each SessionManagementFilter constructor returns; this(smf) binds the new filter instance.
    @AfterReturning("execution(org.springframework.security.web.session.SessionManagementFilter.new(..)) && this(smf)")
    public void creation(JoinPoint pjp, SessionManagementFilter smf) throws Throwable {
        logger.debug("Adding/Replacing the invalid session detection policy to return 401 in case of an invalid session");
        smf.setInvalidSessionStrategy(new InvalidSessionStrategy() {
            @Override
            public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
                logInvalidSession(request, "invalid cookie");
                if (!response.isCommitted())
                    response.sendError(HttpStatus.UNAUTHORIZED.value());
            }
        });
    }

    // Helper not shown in the original answer; assumed to only log the rejected request.
    private static void logInvalidSession(HttpServletRequest request, String reason) {
        logger.info("Rejecting " + request.getRequestURI() + " with 401: " + reason);
    }
}

If you do not use AspectJ, try adding @Component and adding this aspect to your context; if SessionManagementFilter is a bean it might work (since Spring AOP applies only to Spring beans).

5

We had exactly the same problem, and I made this hack to solve it (yes, I know, it is a hack, hence the name...). I created a BeanPostProcessor and search for the SessionManagementFilter to reconfigure it...

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.context.annotation.Bean;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.session.SessionManagementFilter;

// Both members go inside the @Configuration class (e.g. the SecurityCtxConfig from the question).
@Bean
public HackyBeanPostProcessor myBeanPostProcessor() {
    return new HackyBeanPostProcessor();
}

protected static class HackyBeanPostProcessor implements BeanPostProcessor {

    @Override
    public Object postProcessBeforeInitialization(Object bean, String beanName) {
        // FIXME check if a new spring-security version allows this in an
        // other way (current: 3.2.5.RELEASE)
        // Java config passes every filter it builds through the bean factory, so the
        // SessionManagementFilter shows up here even though it is not declared as a bean.
        if (bean instanceof SessionManagementFilter) {
            SessionManagementFilter filter = (SessionManagementFilter) bean;
            filter.setInvalidSessionStrategy(new InvalidSessionStrategy() {

                @Override
                public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                }
            });
        }
        return bean;
    }

    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName) {
        return bean;
    }
}
+0

This solution works and should be marked as the solution – 2015-10-02 13:12:38

3

Using Spring Boot, this worked for me:

import javax.servlet.Filter;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.session.SessionManagementFilter;

@Configuration
@EnableWebSecurity
public class UISecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ...
        // A second SessionManagementFilter, placed right after the built-in one, carries our strategy.
        http.addFilterAfter(expiredSessionFilter(), SessionManagementFilter.class);
        ...
    }

    private Filter expiredSessionFilter() {
        SessionManagementFilter smf = new SessionManagementFilter(new HttpSessionSecurityContextRepository());
        // InvalidSessionStrategy is a single-method interface, so a Java 8 lambda works here.
        smf.setInvalidSessionStrategy((request, response) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session go BOOM!"));
        return smf;
    }
}
+0

Starting with Spring Security 4.2+, this can be done in XML configuration using the session-management element and the invalid-session-strategy-ref attribute inside the security http section. – antgar9 2017-12-22 13:27:44
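Added example, not code from any of the answers above: a reusable InvalidSessionStrategy that answers 401 and also expires the stale session cookie, wired into the stand-alone SessionManagementFilter the Spring Boot answer uses. It assumes the Servlet 3.0 API and the default cookie name JSESSIONID.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.session.SessionManagementFilter;

/**
 * Answers 401 when SessionManagementFilter reports a stale session id and expires the
 * offending cookie so the client stops replaying it on every request. The cookie name is
 * an assumption (JSESSIONID is the servlet default; a container may be configured otherwise).
 */
public class Unauthorized401InvalidSessionStrategy implements InvalidSessionStrategy {

    private final String cookieName;

    public Unauthorized401InvalidSessionStrategy(String cookieName) {
        this.cookieName = cookieName;
    }

    @Override
    public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // SessionManagementFilter calls this only when request.getRequestedSessionId() != null
        // and !request.isRequestedSessionIdValid(): a cookie was sent, but no live session matches it.
        Cookie expired = new Cookie(cookieName, "");
        expired.setMaxAge(0);                                   // tells the browser to drop the cookie
        expired.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
        expired.setHttpOnly(true);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);
        response.setHeader("Cache-Control", "no-store");        // never cache the 401 response
        if (!response.isCommitted()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session invalid or expired");
        }
    }

    /** Same wiring as the Spring Boot answer: http.addFilterAfter(invalidSessionFilter(), SessionManagementFilter.class). */
    public static SessionManagementFilter invalidSessionFilter() {
        SessionManagementFilter smf = new SessionManagementFilter(new HttpSessionSecurityContextRepository());
        smf.setInvalidSessionStrategy(new Unauthorized401InvalidSessionStrategy("JSESSIONID"));
        return smf;
    }
}
```

A request that carries no session cookie at all never reaches an InvalidSessionStrategy; it is answered by the AuthenticationEntryPoint (the Http403ForbiddenEntryPoint in the question), which is where the "missing cookie" half of the requirement has to be handled. Later Spring Security releases expose http.sessionManagement().invalidSessionStrategy(...) directly in Java config, which makes the aspect and BeanPostProcessor hacks unnecessary after an upgrade.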