堆栈内存溢出
  简体   繁体   English

Spring Security - 用户在会话销毁时保持身份验证

[英]Spring Security - User keeps authenticated on session destroy

 原文  2017-05-10 08:52:40       java/ spring/ spring-security

问题描述

I'm developing a website with Spring and I use Spring Security for authentication. 我正在使用Spring开发一个网站,我使用Spring Security进行身份验证。 I got a problem that I'm not able to fix: 我遇到了一个我无法解决的问题: 

<div sec:authorize="!isAuthenticated()" id="login">
    SHOW IF NOT AUTHENTICATED
</div>
<div sec:authorize="isAuthenticated()">
    Hi <span th:text="${session.user.email}"></span>
</div>

When session gets destroyed, for example by a change in WebSecurityConfigurerAdapter, the second div is displayed causing an internal server error since session.user object is null. 当会话被破坏时,例如通过WebSecurityConfigurerAdapter中的更改,显示第二个div导致内部服务器错误,因为session.user对象为null。

How can I make user "unauthenticated" when his session is destroyed? 当会话被销毁时,如何让用户“未经身份验证”?

EDIT: SecurityConfig 编辑:SecurityConfig 

@Override
    protected void configure(HttpSecurity http) throws Exception {

        http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
        .sessionAuthenticationErrorUrl("/login?error")
        .maximumSessions(1)
        .maxSessionsPreventsLogin(false)
        .expiredUrl("/login?expired")
        .and()
        .sessionFixation().newSession();

        http.authorizeRequests()
        .antMatchers("/css/**", "/img/**", "/fonts/**", "/js/**", "/", "/home", "/prizes", "/login").permitAll()
        .anyRequest().authenticated()
        .and()
        .formLogin().loginPage("/login").loginProcessingUrl("/dologin")
        .usernameParameter("username").passwordParameter("password")
        .defaultSuccessUrl("/loginsuccessful").failureUrl("/login?invalid").permitAll()
        .and()
        .logout()
        .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/")
        .permitAll();
    }

Spring Security Log when calling /logout 调用/注销时的Spring Security日志 

************************************************************

Request received for GET '/logout':

org.apache.catalina.connector.RequestFacade@1512eefb

servletPath:/logout
pathInfo:null
headers: 
host: localhost:8080
user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding: gzip, deflate
referer: http://localhost:8080/
cookie: JSESSIONID=0179284CCE4040DA16C9F16D9AB14AF2
dnt: 1
connection: keep-alive
upgrade-insecure-requests: 1


Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  CsrfFilter
  LogoutFilter
  UsernamePasswordAuthenticationFilter
  ConcurrentSessionFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************


2017-05-10 12:45:44.079  INFO 12028 --- [nio-8080-exec-2] Spring Security Debugger                 : 

************************************************************

Request received for GET '/':

org.apache.catalina.connector.RequestFacade@1512eefb

servletPath:/
pathInfo:null
headers: 
host: localhost:8080
user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding: gzip, deflate
referer: http://localhost:8080/
cookie: JSESSIONID=0179284CCE4040DA16C9F16D9AB14AF2
dnt: 1
connection: keep-alive
upgrade-insecure-requests: 1


Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  CsrfFilter
  LogoutFilter
  UsernamePasswordAuthenticationFilter
  ConcurrentSessionFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************

1 个解决方案

解决方案1
 0  2017-05-10 12:41:14

好吧,我无法使用isAuthenticated(),所以我通过在preHandle()方法(在拦截器)手动检查会话中的每个用户对象来修复它

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring安全性:用户未通过身份验证时,会话无效 - Spring security: Session is invalidated when user isn't authenticated Spring Security 3检查用户是否通过身份验证 - Spring Security 3 check if user is authenticated 如何将Spring Security与具有会话复制的群集一起使用以对经过身份验证的用户进行故障转移? - How can I use Spring Security with a cluster with session replication to fail-over an authenticated user? Spring Security预认证用户登录 - spring security pre authenticated user login Spring 安全性:在方法中获取经过身份验证的用户 - Spring security: get Authenticated user in method 对于经过身份验证且未经过身份验证的用户,Spring Security会在休息服务中获取用户信息 - Spring Security get user info in rest service, for authenticated and not authenticated users Spring安全匿名用户和具有弹簧安全性的经过身份验证的用户 - spring secuirty anonymous user and authenticated user with spring security 使用Spring Security加载用户会话 - Load user session with spring security Cometd,春季安全性:当前已通过身份验证的用户在侦听器中不可用 - Cometd, Spring-security : Currently authenticated user not available inside a Listener Spring Security + Thymeleaf-如果未通过身份验证,则向用户隐藏特定数据 - Spring Security + Thymeleaf - hide specific data from user if not authenticated
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM