
我正在使用Spring Security 3.1,並且遇到會話超時問題。
我設置會話超時在web.xml中如下:
使用Spring Security時,會話比預期更早超時

<session-config> 
    <!-- Container-level idle timeout, in minutes. The servlet container (not
         Spring Security) enforces this value for every HttpSession it creates. -->
    <session-timeout> 
     45 
    </session-timeout> 
</session-config> 

因此會話應該在45分鐘後到期。
但是我注意到會話恰好在2分鐘後就過期了!無論我是否正在使用應用程序。

這是我的 Spring Security bean 配置:

<!-- Checks each request's session against the shared registry; a session the
     registry has marked as expired is logged out via logoutHandlers and the
     client is redirected to expiredUrl (the URL the question reports landing on). -->
<bean id="ConcurrentSessionFilterAdmin"
      class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <property name="sessionRegistry">
        <ref bean="sessionRegistry"/>
    </property>
    <property name="logoutHandlers">
        <list>
            <ref bean="logoutHandler"/>
        </list>
    </property>
    <property name="expiredUrl">
        <value>/admin/login.jsp?error=expiredURL</value>
    </property>
</bean>
<!-- In-memory registry of live sessions per principal, shared by the concurrent
     session filter and the session authentication strategy below. To have
     container-destroyed sessions removed from it, the web.xml normally also
     registers Spring Security's HttpSessionEventPublisher listener (not shown). -->
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" autowire="byType"/>

<!-- Clears the SecurityContext (and invalidates the HttpSession) on logout;
     reused by both the concurrent session filter and the logout filter. -->
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>

<!-- Loads the SecurityContext from the repository before the chain runs and
     stores it back afterwards. -->
<bean id="securityContextPersistenceFilter"
      class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    <property name="securityContextRepository">
        <ref bean="securityContextRepository"/>
    </property>
</bean>

<!-- Stores the SecurityContext in the HttpSession. With allowSessionCreation=false
     it will only persist the context if a session already exists; it never
     creates one itself (matches the REST-style use described in the comments). -->
<bean id="securityContextRepository"
      class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
    <property name="allowSessionCreation">
        <value>false</value>
    </property>
</bean>
<!-- Handles /admin/j_spring_security_logout: runs the logout handlers, then
     redirects to /admin/login.jsp (first constructor argument). -->
<bean id="logoutFilterAdmin"
      class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg index="0" value="/admin/login.jsp"/>
    <constructor-arg index="1">
        <list>
            <ref bean="logoutHandler"/>
        </list>
    </constructor-arg>
    <property name="filterProcessesUrl" value="/admin/j_spring_security_logout"/>
</bean>
<!-- Form-login filter for the admin area, processing POSTs to
     /admin/j_spring_security_check with the j_username / j_password parameters. -->
<bean id="usernamePasswordAuthenticationFilterAdmin"
      class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <!-- request parameter names -->
    <property name="usernameParameter" value="j_username"/>
    <property name="passwordParameter" value="j_password"/>
    <!-- do not create a session just to hold the authenticated context -->
    <property name="allowSessionCreation" value="false"/>
    <!-- collaborators -->
    <property name="authenticationFailureHandler">
        <ref bean="authenticationFailureHandlerAdmin"/>
    </property>
    <property name="authenticationManager">
        <ref bean="authenticationManager"/>
    </property>
    <property name="authenticationSuccessHandler">
        <ref bean="authenticationSuccessHandlerAdmin"/>
    </property>
    <!-- stop the chain and hand off to the success handler once authenticated -->
    <property name="continueChainBeforeSuccessfulAuthentication" value="false"/>
    <property name="filterProcessesUrl" value="/admin/j_spring_security_check"/>
    <!-- applies concurrent-session control at login time -->
    <property name="sessionAuthenticationStrategy">
        <ref bean="sessionAuthenticationStrategy"/>
    </property>
</bean>
<!-- On a failed login, redirect back to the login page with an error marker. -->
<bean id="authenticationFailureHandlerAdmin"
      class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl">
        <value>/admin/login.jsp?error=loginfailed</value>
    </property>
</bean>
<!-- After login, replay the request saved in requestCache if there is one,
     otherwise go to /admin/index.html. -->
<bean id="authenticationSuccessHandlerAdmin"
      class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <property name="requestCache">
        <ref bean="requestCache"/>
    </property>
    <property name="defaultTargetUrl">
        <value>/admin/index.html</value>
    </property>
</bean>

<!-- Saves the request that triggered authentication in the HttpSession. -->
<bean id="requestCache"
      class="org.springframework.security.web.savedrequest.HttpSessionRequestCache">
</bean>

<!-- Concurrent session control. maximumSessions=1 allows one registered session
     per principal; because exceptionIfMaximumExceeded is left at its default
     (false), a second login for the same user marks the earlier session as
     expired in the registry rather than being rejected. The concurrent session
     filter then redirects that earlier session to expiredUrl, which is the
     "timeout" described in the question and confirmed in the final comment.
     Set exceptionIfMaximumExceeded=true to refuse the new login instead. -->
<bean id="sessionAuthenticationStrategy"
      class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <constructor-arg name="sessionRegistry">
        <ref bean="sessionRegistry"/>
    </constructor-arg>
    <property name="maximumSessions">
        <value>1</value>
    </property>
    <!-- copy session attributes into the new session created on login -->
    <property name="migrateSessionAttributes">
        <value>true</value>
    </property>
</bean>

<!-- HTTP Basic authentication for the admin area; unauthenticated requests are
     handed to authenticationEntryPoint. -->
<bean id="basicAuthenticationFilterAdmin"
      class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
    <property name="authenticationDetailsSource">
        <ref bean="authenticationDetailsSource"/>
    </property>
    <property name="authenticationEntryPoint">
        <ref bean="authenticationEntryPoint"/>
    </property>
    <property name="authenticationManager">
        <ref bean="authenticationManager"/>
    </property>
</bean>
<!-- Builds the details object (e.g. remote address, session id) attached to
     authentication requests. -->
<bean id="authenticationDetailsSource" class="org.springframework.security.authentication.AuthenticationDetailsSourceImpl"/>
<!-- Replaces the current request with the one saved in requestCache, if any. -->
<bean id="requestCacheAwareFilter"
      class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter">
    <constructor-arg>
        <ref bean="requestCache"/>
    </constructor-arg>
</bean>

<!-- Wraps the request so servlet-API calls such as isUserInRole() consult the
     SecurityContext; rolePrefix is prepended to the role name being checked. -->
<bean id="securityContextHolderAwareRequestFilter"
      class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">
    <property name="rolePrefix">
        <value>ROLE_</value>
    </property>
</bean>

<!-- Populates an anonymous Authentication when no other one is present. The
     constructor argument is the key that the matching AnonymousAuthenticationProvider
     (not shown here) uses to recognise tokens created by this filter; a fixed
     placeholder like "KEY" should be replaced by a non-guessable value
     (the namespace configuration generates a random one). -->
<bean id="anonymousAuthenticationFilter"
      class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
    <constructor-arg>
        <value>KEY</value>
    </constructor-arg>
</bean>

<!-- Applies the session authentication strategy to requests that arrive already
     authenticated but not yet persisted, and routes requests carrying an invalid
     (e.g. timed-out) session id to invalidSessionStrategy. -->
<bean id="sessionManagementFilterAdmin"
      class="org.springframework.security.web.session.SessionManagementFilter">
    <constructor-arg index="0" ref="securityContextRepository"/>
    <constructor-arg index="1" ref="sessionAuthenticationStrategy"/>
    <property name="authenticationFailureHandler">
        <ref bean="authenticationFailureHandlerAdmin"/>
    </property>
    <property name="invalidSessionStrategy">
        <ref bean="invalidSessionStrategyAdmin"/>
    </property>
</bean>
<!-- Redirects requests presenting an invalid session id to the login page.
     Note the redirect target here is plain /admin/login.jsp, whereas the URL
     observed in the question carries ?error=expiredURL, which points at the
     concurrent session filter rather than this strategy. -->
<bean id="invalidSessionStrategyAdmin"
      class="org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy">
    <constructor-arg>
        <value>/admin/login.jsp</value>
    </constructor-arg>
    <!-- do not start a fresh session before redirecting -->
    <property name="createNewSession">
        <value>false</value>
    </property>
</bean>
<!-- Turns AuthenticationException into a call to the entry point and
     AccessDeniedException into a call to the access-denied handler, saving the
     original request in requestCache first. -->
<bean id="exceptionTranslationFilter"
      class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint">
        <ref bean="authenticationEntryPoint"/>
    </property>
    <property name="accessDeniedHandler">
        <ref bean="accessDeniedHandler"/>
    </property>
    <property name="requestCache">
        <ref bean="requestCache"/>
    </property>
</bean>
<!-- Answers unauthenticated requests with HTTP 403 instead of redirecting to a
     login page, which suits the REST-style clients mentioned in the comments. -->
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
<!-- Default access-denied handling; no errorPage is set, so it responds with 403. -->
<bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl"/>
<!-- URL authorisation: asks accessDecisionManager whether the current
     Authentication may access the attributes securityMetadataSource returns
     for the request. -->
<bean id="filterSecurityInterceptorAdmin"
      class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="authenticationManager">
        <ref bean="authenticationManager"/>
    </property>
    <property name="accessDecisionManager">
        <ref bean="accessDecisionManager"/>
    </property>
    <property name="securityMetadataSource">
        <ref bean="myFilterInvocationSecurityMetadataSource"/>
    </property>
</bean>
<!-- Application-specific mapping from request to required security attributes.
     Declared prototype-scoped with by-name autowiring; its implementation is not
     part of this listing. -->
<bean id="myFilterInvocationSecurityMetadataSource"
      class="com.datx.security.model.MyFilterSecurityMetadataSource"
      autowire="byName"
      scope="prototype"/>


兩分鐘後,我被重定向到第一個 bean 中配置的 /admin/login.jsp?error=expiredURL。(這意味着會話已過期)

問題是哪個 bean 負責會話過期?是我漏設了哪個屬性導致了這個問題?


我相信問題是* invalidSessionStrategyAdmin * bean。 – 2012-08-05 09:45:55


你可以嘗試將 allowSessionCreation 設為 true – Ravi 2012-08-06 02:49:18


之前試過了。由於應用程序完全基於 RESTful Web 服務,如果我再這樣做,每個請求都會創建一個新會話,我會遇到更多麻煩,並且這會導致「每個請求都出現一個登錄頁面」。 – 2012-08-06 05:32:11

回答


Spring Security 依賴於底層容器,也就是說,會話超時是由容器管理的(請補充您所使用容器的信息)。不過,如果服務器符合 Java EE 標準,我相信 web.xml 中的設置通常應該具有更高的優先級。

也可以通過調用HttpSession.setMaxInactiveInterval()方法來動態調整個別會話超時,或通過調用invalidate()使會話失效。

在某些情況下,Spring Security有可能使會話失效(例如,登錄後,用戶獲得新的HttpSession)。

會話失效也可能由Spring Security併發會話控制機制引起,例如,如果指定了max-sessions值。

您可以將 org.springframework.security.* 命名空間的日誌記錄級別設為 DEBUG,以檢查 Spring Security 何時使會話失效,因為 Spring 通常會記錄這類信息。


你能向我解釋一下如何啓用這個 DEBUG 日誌嗎?一個簡短的提示就足夠了。 – 2012-08-06 04:33:17


例如,如果您使用 logback,請參見[參考](http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/overview.html)的 1.3.2 節,並在 logback 的 xml 中使用類似 `%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n` 的輸出模式 – 2012-08-06 06:12:11


令人驚訝的是,你說對了。由於我的同事和我同時登錄,所以是併發會話控制造成了這個問題。謝謝您的幫助。 – 2012-08-06 09:17:45