Store and invalidate Java HttpSession from different user

Okay. What I want to do is be able to, when I update a user, invalidate any session that they currently have in order to force a refresh of credentials. I don't care about being able to directly access the session-specific user data. Ideally, I would also be able to restrict users to one session by a similar manner.

What I tried doing is creating a HashMap using the username as key and HttpSession as the value (my actual setup is a little more involved, but after repeated seemingly inexplicable failures, I boiled it down to this simple test). However, whenever I attempt to tell the retrieved HttpSession to invalidate, it seems to be invalidating the current [admin] session. Is HttpSession inextricably bound to the current request?

Or is there an entirely different way to deal with this?

If it happens to matter, I'm using Jetty 6.1.26.

There's no straightforward way. The easiest way I can think of is to keep a flag on the database (or a cache) and check its validity on each request.

Or you can implement an HTTP Session listener and keep a HashMap of user sessions that can be accessed and invalidated.

I haven't tried any of these out so I don't know of any performance issues. But it should be acceptable for most applications.

Well, as far as I can tell, there's no way around it. Using a request-scoped bean didn't work as I expected (although it did give me good insights into how Spring operates, intercepting field accesses). I ended up using a dirty flag on my SessionHandler (a session-scoped bean) with a very high-priority aspect checking and, if necessary, calling invalidate() on the session in the user's next request. I still ended up having all my SessionHandlers register with a SessionManager, and a @PreDestroy method to unregister them in order to avoid a bunch of null entries in the map.
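The two answers describe the same two mechanisms: a per-request validity check against a flag kept outside the session (database or cache), and a session listener that keeps a map of live sessions per user so they can be invalidated and, just as importantly, unregistered when they die. The Java below combines both against the plain Servlet 2.5 API (the level Jetty 6.1.26 ships). It is an added example, not code from the question, either answer, Spring or Jetty; the class name `UserSessionRegistry`, the attribute names, the `register`/`invalidateAll`/`bumpCredentials` methods and the in-memory version map (standing in for the database flag) are all assumptions.

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.CopyOnWriteArraySet;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Hypothetical per-user session registry (not from the original page).
 * Registered as an HttpSessionListener so the container reports every session
 * death (timeout or invalidate()) and the map never keeps stale entries; this
 * is the job the @PreDestroy unregister in the second answer performs.
 */
public class UserSessionRegistry implements HttpSessionListener {

    /** Session attributes written by the login code (assumed names). */
    public static final String USER_ATTR = "registry.username";
    public static final String VERSION_ATTR = "registry.credentialsVersion";

    // username -> live sessions of that user
    private static final ConcurrentMap<String, Set<HttpSession>> SESSIONS =
            new ConcurrentHashMap<String, Set<HttpSession>>();

    // username -> credentials version; stands in for the database/cache flag of the first answer
    private static final ConcurrentMap<String, Long> CREDENTIALS_VERSION =
            new ConcurrentHashMap<String, Long>();

    public static long currentVersion(String username) {
        Long v = CREDENTIALS_VERSION.get(username);
        return v == null ? 0L : v.longValue();
    }

    /** Login code calls this once the user is authenticated. */
    public static void register(String username, HttpSession session, boolean singleSessionPerUser) {
        if (singleSessionPerUser) {
            invalidateAll(username);                   // "one session per user": drop the older ones first
        }
        session.setAttribute(USER_ATTR, username);
        session.setAttribute(VERSION_ATTR, Long.valueOf(currentVersion(username)));
        Set<HttpSession> set = SESSIONS.get(username);
        if (set == null) {
            set = new CopyOnWriteArraySet<HttpSession>();
            Set<HttpSession> prev = SESSIONS.putIfAbsent(username, set);
            if (prev != null) set = prev;
        }
        set.add(session);
    }

    /** Eager path: an admin updated the user, so kill every live session right now. */
    public static void invalidateAll(String username) {
        Set<HttpSession> set = SESSIONS.get(username);
        if (set == null) return;
        for (HttpSession s : set) {                    // CopyOnWriteArraySet: safe to mutate while iterating
            try {
                s.invalidate();                        // fires sessionDestroyed(), which unregisters it
            } catch (IllegalStateException alreadyInvalid) {
                set.remove(s);                         // expired between lookup and invalidate()
            }
        }
    }

    /** Lazy path: bump the version; the filter below invalidates on the user's next request. */
    public static void bumpCredentials(String username) {
        CREDENTIALS_VERSION.put(username, Long.valueOf(currentVersion(username) + 1));
    }

    public void sessionCreated(HttpSessionEvent se) { /* nothing to track until login */ }

    /** Container callback for timeouts and explicit invalidate(); attributes are still readable (Servlet 2.4+). */
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        Object user = session.getAttribute(USER_ATTR);
        if (user == null) return;
        Set<HttpSession> set = SESSIONS.get((String) user);
        if (set != null) {
            set.remove(session);
            if (set.isEmpty()) SESSIONS.remove(user, set);
        }
    }

    /** Per-request check. Invalidating here is safe: this request owns the session. */
    public static class ForceReauthFilter implements Filter {
        public void init(FilterConfig cfg) { }
        public void destroy() { }

        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                throws IOException, ServletException {
            HttpSession session = ((HttpServletRequest) req).getSession(false);
            if (session != null) {
                String user = (String) session.getAttribute(USER_ATTR);
                Long seen = (Long) session.getAttribute(VERSION_ATTR);
                if (user != null && seen != null && seen.longValue() < currentVersion(user)) {
                    session.invalidate();              // credentials changed since login: force re-auth
                }
            }
            chain.doFilter(req, resp);
        }
    }
}
```

Declare the listener in web.xml as `<listener-class>UserSessionRegistry</listener-class>` and the filter as `<filter-class>UserSessionRegistry$ForceReauthFilter</filter-class>` with a `<filter-mapping>` on `/*`, placed before any filter that trusts the session. The version check rather than a one-shot boolean flag matters when a user has more than one session: the first request that notices the flag would otherwise clear it and the remaining sessions would survive. Calling `invalidate()` on another user's session from the admin's request thread is permitted by the API, but it races with that user's in-flight requests and, with a clustered or persisted session store, only reaches the copy in this JVM; the per-request check in the filter is the path that works everywhere, which is essentially where the second answer ended up.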
