Spring security doesn't redirect to last requested page login after a session timeout
I'm using Spring Security 4.2.2.RELEASE in my application. Once a timeout happens and the user then clicks any URL, it gets redirected to the logout page, and once the authentication is a success, it redirects to the default Home page, not the requested page.
The web xml is as follows:
<bean id="logoutSuccessHandler"
      class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
    <property name="useReferer" value="true"/>
</bean>
<security:form-login
    login-page="/login"
    authentication-failure-url="/login_error"
    username-parameter="username"
    password-parameter="password"
    default-target-url="/home"
    always-use-default-target="false"
/>
I want it to redirect to the requested page once the authentication is correct. I have read that this feature is provided by default with Spring Security. But it was not working, so I was trying to implement it using SimpleUrlLogoutSuccessHandler. But I still couldn't find a way around it. So what could have gone wrong here?
Well, you need to implement SimpleUrlAuthenticationSuccessHandler. This helps you in handling the redirections.
<http>
    <intercept-url pattern="/login" access="permitAll"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <form-login authentication-success-handler-ref="refererHandler" />
</http>
<beans:bean
    class="RefererRedirectionAuthenticationSuccessHandler"
    name="refererHandler"/>
And implementing like this:
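import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

public class RefererRedirectionAuthenticationSuccessHandler
        extends SimpleUrlAuthenticationSuccessHandler
        implements AuthenticationSuccessHandler {

    public RefererRedirectionAuthenticationSuccessHandler() {
        super();
        // Redirect to the URL in the Referer header after a successful login
        setUseReferer(true);
    }
}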
First, to enable the concurrent session-control support, add the following listener in the web.xml:
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<session-config>
    <session-timeout>30</session-timeout>
</session-config>
After the session has timed out, if the user sends a request with an expired session id, they will be redirected to a configurable URL. Similarly, if the user sends a request with a session id which is not expired, but entirely invalid, they will also be redirected to a configurable URL:
security.xml
<session-management invalid-session-url="/sessionexpiredPage.htm" session-authentication-error-url="/forms/common/login.jsp?error=alreadyLoggedin" session-fixation-protection="none" >
<concurrency-control expired-url="/sessionexpiredPage.htm" max-sessions="5" error-if-maximum-exceeded="true" />
</session-management>
Corresponding Java code:
@Audit(option = "Session Expire", action = "Session Expired")
@RequestMapping(value = "/sessionexpiredPage.htm")
public ModelAndView sessionExpired(HttpSession session, HttpServletRequest request) {
    clLogger.logMethodEntry("sessionexpiredPage");
    ModelAndView model = new ModelAndView();
    String userId = (String) session.getAttribute("USER_ID");
    if (userId == null) {
        model.setViewName("sessionexpiredPage");
    } else {
        model.setViewName("getHomePage");
    }
    clLogger.logMethodExit("sessionexpiredPage");
    return model;
}
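An added example, not code from the question or the answers: a success handler that keeps Spring Security's saved-request redirect and only then falls back to the Referer header, accepting it only for the same host because that header is supplied by the client. The class name is hypothetical; `/login` and `/home` are taken from the question's form-login settings, and the `javax.servlet` API used with Spring Security 4.2 is assumed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

// Added example; the class name is hypothetical. In its default configuration the
// parent class redirects to the request saved in the RequestCache first;
// determineTargetUrl() is consulted when there is no saved request to use.
public class SavedRequestThenRefererSuccessHandler
        extends SavedRequestAwareAuthenticationSuccessHandler {

    private static final String LOGIN_PATH = "/login"; // login-page from the question

    public SavedRequestThenRefererSuccessHandler() {
        setDefaultTargetUrl("/home"); // default-target-url from the question
    }

    @Override
    protected String determineTargetUrl(HttpServletRequest request,
                                        HttpServletResponse response) {
        String referer = request.getHeader("Referer");
        return isLocalNonLoginReferer(referer, request) ? referer : getDefaultTargetUrl();
    }

    // The Referer header is client-supplied: accept it only when it is an http(s)
    // URL on the host this request was sent to, and not the login page itself.
    static boolean isLocalNonLoginReferer(String referer, HttpServletRequest request) {
        if (referer == null || referer.isEmpty()) {
            return false;
        }
        try {
            URI uri = new URI(referer);
            String scheme = uri.getScheme();
            boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
            boolean sameHost = request.getServerName().equalsIgnoreCase(uri.getHost());
            String path = uri.getPath() == null ? "" : uri.getPath();
            boolean loginPage = path.equals(request.getContextPath() + LOGIN_PATH);
            return web && sameHost && !loginPage;
        } catch (URISyntaxException e) {
            return false; // malformed header: use the default target instead
        }
    }
}
```

It can be registered the same way as `refererHandler` above, through `authentication-success-handler-ref`.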