Spring 安全无效会话重定向 [英] Spring security invalid session redirect

问题描述

我在 spring boot 1.2.3 web 应用程序中使用 spring security 4.0.1(还有 spring-session 1.0.1，但这与案例无关).

I'm using spring security 4.0.1 inside a spring boot 1.2.3 web application ( and also with spring-session 1.0.1, but this is irrelevant for the case ).

我确实有一个私人区域和一个所有用户都可以访问的所有访问区域(/about"、/"、/contact"……超过 20 页).(就像一个网店)

I do have a private area, and an all access area ( "/about", "/","/contact",... more than 20 pages ) for which every user can access. ( it's like a web-shop )

每当 已登录 的用户会话过期时，Spring 都会检测到无效会话并将用户重定向到 '.invalidSessionUrl("/session/error/invalid")'

Whenever a logged-in user session expires,Spring detects an invalid session and redirects the user to the '.invalidSessionUrl("/session/error/invalid")'

然而，如果目标链接在私人区域内，我只想被重定向，而不是公共区域.

However, i only want to be redirected if the target link in inside the private area, nor the public one.

我怎样才能避免这种情况?

How can i avoid that ?

谢谢.

这是我的(java)配置:(更新后看到帖子)

This is my (java) config : ( updated after seen post )

 http
            .authorizeRequests()
            .anyRequest()
                .permitAll()
            .antMatchers("/privado/**")
                .authenticated()
            .and()
                .formLogin()
                .loginPage("/login")
                .failureUrl("/login?error")
                .defaultSuccessUrl("/")
                .successHandler(new SessionSuccessHandler())
            .and()
                .logout()
                .logoutSuccessUrl("/")
                .deleteCookies("JSESSIONID", "SESSION")
            .and()
                .sessionManagement()
                .invalidSessionUrl("/session/error/invalid")
            .sessionFixation()
            .changeSessionId()
            .maximumSessions(1)
            .expiredUrl("/session/error/expired")
            .and()
            .and()
                .csrf()
                .ignoringAntMatchers("/jolokia/**", "/v1.0/**");

我怎样才能做到这一点?

How can i achieve that ?

非常感谢.

推荐答案

@RobWinch - 这似乎是一个非常常见的用例，您提出的解决方案似乎在我运行的测试中不起作用，并且还发表了评论.提出了类似的问题，我相信 http://forum.spring.io/forum/spring-projects/security/94772-redirect-to-invalid-session-url-only-when-user-accesses-secured-resource 并且它似乎从未解决过.我的想法是有多个http设置(使用xml配置)

@RobWinch - This seem like a pretty common use case and the solution you propose does not seem to work from the test I ran and also comments. Similar issue was raised I believe in http://forum.spring.io/forum/spring-projects/security/94772-redirect-to-invalid-session-url-only-when-user-accesses-secured-resource and it appears it was never resolved. My thinking is to have multiple http settings (using xml config)

<http pattern="/aboutUs**" security="none" />
<http pattern="/contact**" security="none" />
etc

当有相当多的不安全页面并且添加新的不安全页面需要配置更新时，这似乎并不理想.如果我们能为这个用例提供一个理想"的解决方案，那就太好了.随着 Spring security 4.1 的发布，似乎仍然没有明确的方法来做到这一点.

This does not seem ideal when having quite a number unsecured pages and also adding a new unsecured page requires a configuration update. It will be nice if we can have an "ideal" solution for this use case. With Spring security 4.1 release, it appears there is still no clear way to do this.

这篇关于Spring 安全无效会话重定向的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！