HttpSessionListener 不起作用
[英]HttpSessionListener doesn't work
问题描述
I have implemented HttpSessionListiner but it doesn't work.
我已经实现了 HttpSessionListiner,但它不起作用。 Checked it with debuger - new session creates after entering servlet, JSESSION_ID changes after login, but session.getCreateTime() stays the same(session stays the same?).用调试器检查 - 新的 session 在进入 servlet 后创建,JSESSION_ID 在登录后发生变化,但 session.getCreateTime() 保持不变(会话保持不变?)。 Using annotations, Spring Security.使用注释,Spring 安全。 Maybe i missed some config in spring security?也许我错过了 spring 安全性中的一些配置?
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.apache.log4j.Logger;
@WebListener
public class SessionListener implements HttpSessionListener {
private static int totalActiveSessions;
private static final Logger log = Logger.getLogger(SessionListener.class);
@Override
public void sessionCreated(HttpSessionEvent se) {
totalActiveSessions++;
log.warn("sessionCreated - add one session into counter");
}
@Override
public void sessionDestroyed(HttpSessionEvent se) {
totalActiveSessions--;
log.debug("sessionDestroyed - deleted one session from counter");
}
}
3 个解决方案
解决方案1
3 已采纳 2015-09-24 12:21:24
@Bean
public ServletListenerRegistrationBean<HttpSessionListener> sessionListener() {
return new ServletListenerRegistrationBean<HttpSessionListener>(new sessionListener());
}
This bean registrated my listener. 这个豆注册了我的听众。 I haven't found another solution. 我还没有找到另一个解决方案。
解决方案2
0 2019-08-27 19:32:41
While not the poster's specific issue, another issue is that sessions aren't actually getting created, meaning your listeners are rightfully not triggered. 虽然不是海报的具体问题,但另一个问题是会话实际上并未创建,这意味着您的听众没有被触发。 If you use Spring Security, the default session creation policy is SessionCreationPolicy.IF_REQUIRED. 如果使用Spring Security,则默认会话创建策略为SessionCreationPolicy.IF_REQUIRED。
You can change this in your web security java configuration depending on your needs: 您可以根据需要在Web安全性Java配置中更改此设置:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter{
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
}
}
Source: https://www.baeldung.com/spring-security-session 资料来源: https : //www.baeldung.com/spring-security-session
解决方案3
0 2022-11-14 22:23:49
To avoid a session fixation attack, Spring changes the session ID after the user is authenticated.为了避免session固定攻击,Spring在用户通过身份验证后更改了session ID。 You must also implement HttpSessionIdListener :您还必须实施HttpSessionIdListener :
public class SessionListener implements HttpSessionListener, HttpSessionIdListener {
private static final Logger LOGGER = LoggerFactory.getLogger(SessionListener.class);
public SessionListener() {
}
@Override
public void sessionCreated(final HttpSessionEvent event) {
logIt(event.getSession(), "CREATED ");
}
@Override
public void sessionDestroyed(final HttpSessionEvent event) {
logIt(event.getSession(), "DESTROYED");
}
private void logIt(HttpSession session, String action) {
LOGGER.info("{}: {}, {}", action, session.getId(), Long.valueOf(session.getCreationTime()));
}
@Override
public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
HttpSession session = event.getSession();
LOGGER.info("CHANGED : {} --> {}, {}", oldSessionId, session.getId(), Long.valueOf(session.getCreationTime()));
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.