如何在Java Web应用程序中过期会话时重定向到“登录”页面?
[英]How to redirect to Login page when Session is expired in Java web application?
问题描述
I'm running a web application in JBoss AS 5. I also have a servlet filter which intercepts all the requests to the server. 
我正在JBoss AS 5中运行一个Web应用程序。我还有一个servlet过滤器,它拦截了对服务器的所有请求。 Now, I want to redirect the users to the login page, if the session has expired. 现在,如果会话已过期,我想将用户重定向到登录页面。 I need to do this 'isSessionExpired()' check in the filter and need to redirect the user accordingly. 我需要执行此操作'isSessionExpired()'检查过滤器并需要相应地重定向用户。 How do I do it? 我该怎么做? I'm setting my session time limit in web.xml, as below: 我在web.xml中设置会话时间限制,如下所示:
<session-config>
<session-timeout>15</session-timeout>
</session-config>
9 个解决方案
解决方案1
55 已采纳 2009-06-22 14:42:43
You could use a Filter and do the following test: 您可以使用过滤器并执行以下测试:
HttpSession session = request.getSession(false);// don't create if it doesn't exist
if(session != null && !session.isNew()) {
chain.doFilter(request, response);
} else {
response.sendRedirect("/login.jsp");
}
The above code is untested . 以上代码未经测试 。
This isn't the most extensive solution however. 然而,这不是最广泛的解决方案。 You should also test that some domain-specific object or flag is available in the session before assuming that because a session isn't new the user must've logged in. Be paranoid ! 您还应该在会话中测试某个特定于域的对象或标志是否可用,然后再假设因为会话不是新用户必须已登录。 请偏执 !
解决方案2
18 2015-09-17 09:55:41
How to redirect to Login page when Session is expired in Java web application?
This is a wrong question. 这是一个错误的问题。 You should differentiate between the cases "User is not logged in" and "Session is expired". 您应该区分“用户未登录”和“会话已过期”的情况。 You basically want to redirect to login page when user is not logged in. Not when session is expired. 您基本上希望在用户未登录时重定向到登录页面。不在会话过期时。 The currently accepted answer only checks HttpSession#isNew() . 当前接受的答案仅检查HttpSession#isNew() 。 But this obviously fails when the user has sent more than one request in the same session when the session is implicitly created by the JSP or what not. 但是当用户在JSP隐式创建会话时在同一会话中发送了多个请求时,这显然会失败。 Eg when just pressing F5 on the login page. 例如,只需在登录页面上按F5即可。
As said, you should instead be checking if the user is logged in or not. 如上所述,您应该检查用户是否已登录。 Given the fact that you're asking this kind of question while standard authentication frameworks like j_security_check , Shiro, Spring Security, etc already transparently manage this (and thus there would be no need to ask this kind of question on them), that can only mean that you're using a homegrown authentication approach. 鉴于你在问这样的问题,而j_security_check ,Shiro,Spring Security等标准认证框架已经透明地管理了这个问题(因此没有必要对它们提出这样的问题),那只能意味着您正在使用自行开发的身份验证方法。
Assuming that you're storing the logged-in user in the session in some login servlet like below: 假设您将登录用户存储在某个登录servlet中,如下所示:
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
@EJB
private UserService userService;
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
request.getRequestDispatcher("/WEB-INF/login.jsp").forward(request, response);
}
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String username = request.getParameter("username");
String password = request.getParameter("password");
User user = userService.find(username, password);
if (user != null) {
request.getSession().setAttribute("user", user);
response.sendRedirect(request.getContextPath() + "/home");
} else {
request.setAttribute("error", "Unknown login, try again");
doGet(request, response);
}
}
}
Then you can check for that in a login filter like below: 然后你可以在登录过滤器中检查,如下所示:
@WebFilter("/*")
public class LoginFilter implements Filter {
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
HttpSession session = request.getSession(false);
String loginURI = request.getContextPath() + "/login";
boolean loggedIn = session != null && session.getAttribute("user") != null;
boolean loginRequest = request.getRequestURI().equals(loginURI);
if (loggedIn || loginRequest) {
chain.doFilter(request, response);
} else {
response.sendRedirect(loginURI);
}
}
// ...
}
No need to fiddle around with brittle HttpSession#isNew() checks. 无需摆弄脆弱的HttpSession#isNew()检查。
解决方案3
8 2012-02-25 07:58:12
you can also do it with a filter like this: 你也可以使用这样的过滤器:
public class RedirectFilter implements Filter {
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest req=(HttpServletRequest)request;
//check if "role" attribute is null
if(req.getSession().getAttribute("role")==null) {
//forward request to login.jsp
req.getRequestDispatcher("/login.jsp").forward(request, response);
} else {
chain.doFilter(request, response);
}
}
}
解决方案4
5 2009-06-22 12:29:38
Check for session is new. 会话检查是新的。
HttpSession session = request.getSession(false);
if (!session.isNew()) {
// Session is valid
}
else {
//Session has expired - redirect to login.jsp
}
解决方案5
5 2012-02-16 18:10:58
Inside the filter inject this JavaScript which will bring the login page like this. 在过滤器内部注入这个JavaScript,这将带来这样的登录页面。 If you don't do this then in your AJAX call you will get login page and the contents of login page will be appended. 如果您不这样做,那么在您的AJAX调用中,您将获得登录页面,并且将附加登录页面的内容。
Inside your filter or redirect insert this script in response: 在您的过滤器或重定向内插入此脚本作为响应:
String scr = "<script>window.location=\""+request.getContextPath()+"/login.do\"</script>";
response.getWriter().write(scr);
解决方案6
4 2015-11-16 04:44:03
You need to implement the HttpSessionListener interface, server will notify session time outs. 您需要实现HttpSessionListener接口,服务器将通知会话超时。
like this; 像这样;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
public class ApplicationSessionListener implements HttpSessionListener {
public void sessionCreated(HttpSessionEvent event) {
System.out.println("Session Created");
}
public void sessionDestroyed(HttpSessionEvent event) {
//write your logic
System.out.println("Session Destroyed");
}
}
Check this example for better understanding 请查看此示例以便更好地理解
http://www.myjavarecipes.com/how-to-catch-session-timeouts/
解决方案7
2 2015-05-13 10:13:08
Until the session timeout we get a normal request, after which we get an Ajax request. 在会话超时之前,我们得到一个正常的请求,然后我们得到一个Ajax请求。 We can identify it the following way: 我们可以通过以下方式识别它:
String ajaxRequestHeader = request.getHeader("X-Requested-With");
if ("XMLHttpRequest".equals(ajaxRequestHeader)) {
response.sendRedirect("/login.jsp");
}
解决方案8
0 2015-09-17 07:07:14
i found this posible solution: 我找到了这个可行的解决方案:
public void logout() {
ExternalContext ctx = FacesContext.getCurrentInstance().getExternalContext();
String ctxPath = ((ServletContext) ctx.getContext()).getContextPath();
try {
//Use the context of JSF for invalidate the session,
//without servlet
((HttpSession) ctx.getSession(false)).invalidate();
//redirect with JSF context.
ctx.redirect(ctxPath + "absolute/path/index.jsp");
} catch (IOException ex) {
System.out.println(ex.getMessage());
}
}
解决方案9
-2 2011-12-31 14:52:50
When the use logs in, put its username in the session: 当用户登录时,将其用户名放在会话中:
`session.setAttribute("USER", username);`
At the beginning of each page you can do this: 在每个页面的开头,您可以这样做:
<%
String username = (String)session.getAttribute("USER");
if(username==null)
// if session is expired, forward it to login page
%>
<jsp:forward page="Login.jsp" />
<% { } %>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.