How to get a session timeout message using Spring Security

Time: 2022-10-02 23:45:15

I want to get the session timeout message when the session expires. Below is my spring-security.xml:

<http auto-config="true" use-expressions="true">
    <logout logout-success-url="/" invalidate-session="true" logout-url="/LogOut"/>
    <form-login login-page="/Login" username-parameter="Name" password-parameter="Pwd"/>
    <session-management invalid-session-url="/?timeout=true">
        <concurrency-control max-sessions="1" expired-url="/Timeout?timeout=true" />
    </session-management>
</http>

According to my knowledge, with the above code, when the session expires it should redirect to /?timeout=true or /Timeout?timeout=true, and on logout it should go to /. But in my case, on logout it is also redirecting to invalid-session-url, so I am always getting timeout true for both normal logout and session timeout.

Please help me to differentiate this.

UPDATE

/logout request contains

session = request.getSession();
session.invalidate();
session = null;

5 answers

#1


5  

I solved it by writing a filter instead of depending on Spring Security.

If anyone is interested, they can use the code below:

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;
import org.springframework.web.filter.OncePerRequestFilter;

public class FilterToGetTimeOut extends OncePerRequestFilter {

    private static final Logger LOG = Logger.getLogger(FilterToGetTimeOut.class);

    // Placeholder: the original post leaves URL undefined; set it to your post-login page
    private static final String URL = "/Home";

    @Override
    public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException {
        try {
            String uri = request.getRequestURI();
            Object login = request.getSession().getAttribute("login");
            if (uri.equals("/") || uri.equals("/Login/")) {
                if (Boolean.TRUE.equals(login)) {
                    response.sendRedirect(URL);     // After login page
                    return;                         // Response is committed; do not continue the chain
                }
            } else if (login == null && !uri.equals("/LogOut")) {
                response.sendRedirect(request.getContextPath() + "/?timeout=true");   // If timeout is true send session timeout error message to JSP
                return;                             // Response is committed; do not continue the chain
            }
            filterChain.doFilter(request, response);
        } catch (Exception e) {
            LOG.error("FilterToGetTimeOut failed", e);   // Log exception
        }
    }
}

Add this filter in web.xml.

    <filter>
        <filter-name>FilterToGetTimeOut</filter-name>
        <filter-class>package.FilterToGetTimeOut</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>FilterToGetTimeOut</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

So now the session is also invalidated and I can handle the session timeout too.

#2


3  

I suggest you log out using this:

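// Assumes request/response are the current HttpServletRequest/HttpServletResponse
HttpSession session = request.getSession(false);
SecurityContextHolder.clearContext();
if (session != null) {
    session.invalidate();
}
Cookie[] cookies = request.getCookies();   // null when the request carries no cookies
if (cookies != null) {
    for (Cookie cookie : cookies) {
        cookie.setMaxAge(0);
        response.addCookie(cookie);        // the browser only sees the expiry if the cookie is sent back
    }
}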

#3


0  

In your case, what happens is that when a user logs out, the session is first invalidated, then session management gets triggered. When session management comes in and finds out the session has already gone, it redirects to the sessionTimeout page. So it will be better to set the invalidate-session of the logout tag to false.

<logout logout-success-url="/" invalidate-session="false" logout-url="/LogOut"/>
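An alternative that keeps the server-side session invalidated on logout, shown as an added example that is not part of the original thread: the `delete-cookies` attribute of `<logout>` removes the stale session cookie, so the redirect after logout no longer presents an invalid session id. It assumes the container uses the default session cookie name JSESSIONID; all URLs are the ones from the question.

```xml
<!-- Added example, not from the original thread -->
<http auto-config="true" use-expressions="true">

    <!-- Before (from the question): the session is invalidated, but the browser
         still sends the old JSESSIONID on the redirect to "/", which
         session-management treats as an invalid session and sends to
         invalid-session-url:
         <logout logout-success-url="/" invalidate-session="true" logout-url="/LogOut"/>
    -->

    <!-- After: keep invalidate-session="true" so the session cannot be reused,
         and delete the cookie so the next request carries no session id at all. -->
    <logout logout-url="/LogOut"
            logout-success-url="/"
            invalidate-session="true"
            delete-cookies="JSESSIONID"/>

    <form-login login-page="/Login" username-parameter="Name" password-parameter="Pwd"/>

    <session-management invalid-session-url="/?timeout=true">
        <concurrency-control max-sessions="1" expired-url="/Timeout?timeout=true"/>
    </session-management>
</http>
```

Cookie deletion depends on the container issuing the session cookie with the path Spring Security expects, so confirm in the browser that JSESSIONID is actually gone after logout.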

#4


0  

Please define a request mapping for the logout-success URL in your controller and from there redirect to the home page. For example, replace your mapping as below:

<http auto-config="true" use-expressions="true">
    <logout logout-success-url="/logoutSucess" invalidate-session="true" logout-url="/LogOut"/>
    <form-login login-page="/Login" username-parameter="Name" password-parameter="Pwd"/>
    <session-management invalid-session-url="/?timeout=true">
        <concurrency-control max-sessions="1" expired-url="/Timeout?timeout=true" />
    </session-management>
</http>

Define this /logoutSucess in the controller with @RequestMapping(value="/logoutSucess", method=RequestMethod.GET)

#5


0  

I had a similar issue, like:

  1. If you logged in with some user, say zzzz
  2. You closed the browser
  3. Again you are trying to log in with the same user zzzz
  4. It failed to log in with a message for maximum sessions exceeded

The code I have in my Spring Security file is:

<session-management invalid-session-url="/?timeout=true">
    <concurrency-control max-sessions="1" expired-url="/logout?timeout" />
</session-management>

I solved this issue by adding the session timeout entry in the web.xml file. I set the session timeout value to 5 min, built the application and deployed it. It's working fine.

Maybe this will help someone.

Thanks, Atul
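The web.xml entry answer #5 describes, written out as an added example that is not part of the original answer. The `HttpSessionEventPublisher` listener is an assumption added here and is not mentioned in the thread; it lets Spring Security's concurrency control learn that the container has expired a session.

```xml
<!-- web.xml fragment: added example, not from the original thread -->

<!-- Session idle timeout in minutes; 5 is the value answer #5 reports using.
     When a user closes the browser without logging out, the abandoned session
     keeps counting against max-sessions="1" until this timeout destroys it. -->
<session-config>
    <session-timeout>5</session-timeout>
</session-config>

<!-- Assumption: not mentioned in the thread. Publishes the container's session
     create/destroy events to Spring Security so that concurrency-control
     releases the slot held by a session the container has timed out. -->
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
```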
