How to handle expired session using Spring Security and jQuery?


Problem description


I'm using Spring Security and jQuery in my application. The main page loads content dynamically into tabs via AJAX. Everything is OK; however, sometimes I get the login page inside my tab, and if I type credentials I am redirected to the content page without tabs.


So I'd like to handle this situation. I know some people use AJAX authentication, but I'm not sure it's suitable for me because it looks quite complicated to me, and my application doesn't allow any access without logging in first. I would like to just write a global handler for all AJAX responses that will do window.location.reload() if we need to authenticate. I think in this case it's better to get a 401 error instead of the standard login form because it's easier to handle.

So:

1) Is it possible to write a global error handler for all jQuery AJAX requests?

2) How can I customize the behavior of Spring Security to send a 401 error for AJAX requests, but show the standard login page as usual for regular requests?

3) Maybe you have a more graceful solution? Please share it.

Thanks.

Recommended answer


Here's an approach that I think is quite simple. It's a combination of approaches that I've observed on this site. I wrote a blog post about it: http://yoyar.com/blog/2012/06/dealing-with-the-spring-security-ajax-session-timeout-problem/


The basic idea is to use an api url prefix (i.e. /api/secured) as suggested above along with an authentication entry point. It's simple and works.

Here's the authentication entry point:

package com.yoyar.yaya.config;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

import javax.servlet.ServletException;
import javax.servlet.http.*;
import java.io.IOException;

// Entry point that Spring Security invokes when an unauthenticated request
// reaches a protected URL. For API (AJAX) calls it answers with an error
// status instead of the login-page redirect, so the client can detect the
// expired session; for ordinary page requests it behaves like the stock
// LoginUrlAuthenticationEntryPoint.
public class AjaxAwareAuthenticationEntryPoint 
             extends LoginUrlAuthenticationEntryPoint {

    public AjaxAwareAuthenticationEntryPoint(String loginUrl) {
        super(loginUrl);
    }

    @Override
    public void commence(
        HttpServletRequest request, 
        HttpServletResponse response, 
        AuthenticationException authException) 
            throws IOException, ServletException {

        // AJAX calls are recognised purely by URL prefix, so every XHR the
        // client makes must live under /api/secured. Note that
        // getRequestURI() includes the servlet context path, so this check
        // assumes the application is deployed at the root context.
        boolean isAjax 
            = request.getRequestURI().startsWith("/api/secured");

        if (isAjax) {
            // Plain error response, no redirect: the client-side handler
            // sees the status and reloads the page.
            response.sendError(403, "Forbidden");
        } else {
            // Regular browser navigation: redirect to the login page as usual.
            super.commence(request, response, authException);
        }
    }
}


And here's what goes in your spring context xml:

<bean id="authenticationEntryPoint"
  class="com.yoyar.yaya.config.AjaxAwareAuthenticationEntryPoint">
    <constructor-arg name="loginUrl" value="/login"/>
</bean>

<security:http auto-config="true"
  use-expressions="true"
  entry-point-ref="authenticationEntryPoint">
    <security:intercept-url pattern="/api/secured/**" access="hasRole('ROLE_USER')"/>
    <security:intercept-url pattern="/login" access="permitAll"/>
    <security:intercept-url pattern="/logout" access="permitAll"/>
    <security:intercept-url pattern="/denied" access="hasRole('ROLE_USER')"/>
    <security:intercept-url pattern="/" access="permitAll"/>
    <security:form-login login-page="/login"
                         authentication-failure-url="/loginfailed"
                         default-target-url="/login/success"/>
    <security:access-denied-handler error-page="/denied"/>
    <security:logout invalidate-session="true"
                     logout-success-url="/logout/success"
                     logout-url="/logout"/>
</security:http>
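The client side of this approach, which the question asks about in point 1, is a global jQuery AJAX error handler. The following is an added example and not part of the original answer or the linked blog post; it assumes the entry point above answers 403 for unauthenticated calls under /api/secured, and it injects jQuery and window so the decision logic can be exercised outside a browser.

```javascript
// Prefix of the secured API; must match the prefix tested in the entry point.
const API_PREFIX = "/api/secured";

// Decide whether a failed XHR means "session expired, re-authenticate".
// Only a 403 from the secured API prefix qualifies; a 403 from any other path,
// or any other status, is left to the caller's own error handling.
function isExpiredSessionResponse(status, url, prefix = API_PREFIX) {
  if (status !== 403 || typeof url !== "string") return false;
  // settings.url may be absolute ("http://host/api/secured/x") or relative
  // ("/api/secured/x"); normalise to a path before comparing.
  let path = url;
  try {
    path = new URL(url, "http://placeholder.invalid").pathname;
  } catch (e) {
    // Unparseable URL: fall back to comparing the raw string.
  }
  return path.startsWith(prefix);
}

// Register the handler on a jQuery instance. `$` and `win` are parameters
// (normally jQuery and window) so the logic can run in a test harness.
// The `reloaded` flag ensures a single reload even when several tab loads
// fail at the same moment, instead of a reload storm.
function installSessionExpiryHandler($, win) {
  let reloaded = false;
  $(win.document).ajaxError(function (event, jqxhr, settings) {
    if (reloaded || !isExpiredSessionResponse(jqxhr.status, settings.url)) {
      return;
    }
    reloaded = true;
    // A full page load is a regular (non-API) request, so the entry point
    // redirects the browser to the normal login form.
    win.location.reload();
  });
}

// Browser usage: installSessionExpiryHandler(jQuery, window);
```

A 403 from the access-denied handler (an authenticated user who lacks ROLE_USER) looks the same to this handler, so the reload guard also prevents that case from looping indefinitely.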
