Logout/Session timeout catching with spring security


Question

I'm using spring/spring-security 3.1 and want to take some action whenever the user logs out (or if the session is timed out). I managed to get the action done for logout but for session timeout, I can't get it working.

In web.xml I only have the ContextLoaderListener specified (can this be the issue?) and of course the DelegatingFilterProxy.

I use the auto config like this.

<security:http auto-config="false" use-expressions="false">
    <security:intercept-url pattern="/dialog/*"
        access="ROLE_USERS" />
    <security:intercept-url pattern="/boa/*"
        access="ROLE_USERS" />
    <security:intercept-url pattern="/*.html"
        access="ROLE_USERS" />

    <security:form-login login-page="/auth/login.html"
        default-target-url="/index.html" />
    <security:logout logout-url="/logout"
        invalidate-session="true"
        delete-cookies="JSESSIONID" success-handler-ref="logoutHandler" />
</security:http>

<bean id="logoutHandler" class="com.bla.bla.bla.LogoutHandler">
    <property name="logoutUrl" value="/auth/logout.html"/>
</bean>

The logout handler is called when user clicks logout, which will make some calls to a database.

But how do I handle the session timeout ???

One way to handle it would be to inject the username into the session when the user logs in and then use an ordinary HttpSessionListener and do the same thing on session timeout.

Is there a similar way with spring security, so that when spring discovers that the session is to timeout, I can hook in there, access the Authentication and get the UserDetails from there and do the clean up.

Recommended answer

I've got a simpler solution. This works for both logout and session timeout.

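import java.util.List;

import org.springframework.context.ApplicationListener;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.session.SessionDestroyedEvent;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

@Component
public class LogoutListener implements ApplicationListener<SessionDestroyedEvent> {

    // Published for every destroyed session, whether it was invalidated by logout or timed out.
    @Override
    public void onApplicationEvent(SessionDestroyedEvent event)
    {
        // All security contexts that were stored in the destroyed session.
        List<SecurityContext> lstSecurityContext = event.getSecurityContexts();
        UserDetails ud;
        for (SecurityContext securityContext : lstSecurityContext)
        {
            ud = (UserDetails) securityContext.getAuthentication().getPrincipal();
            // ...
        }
    }

}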

web.xml:

<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
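
A variant of the listener above that also records why the session ended and tolerates principals that are not `UserDetails`. This is an added example, not code from the original answer, and it goes beyond it by classifying timeout versus explicit invalidation. The class name `SessionEndAuditListener`, the helpers `endReason`, `usernameOf` and `cleanUp`, the `javax.servlet` API and the idle-time heuristic are assumptions.

```java
import javax.servlet.http.HttpSession;

import org.springframework.context.ApplicationListener;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;
import org.springframework.stereotype.Component;

@Component
public class SessionEndAuditListener implements ApplicationListener<HttpSessionDestroyedEvent> {

    @Override
    public void onApplicationEvent(HttpSessionDestroyedEvent event) {
        HttpSession session = event.getSession();
        String reason = endReason(session.getLastAccessedTime(),
                session.getMaxInactiveInterval(), System.currentTimeMillis());
        // A session can hold more than one SecurityContext, so handle each of them.
        for (SecurityContext context : event.getSecurityContexts()) {
            Authentication auth = context.getAuthentication();
            if (auth != null) {
                cleanUp(usernameOf(auth), reason);
            }
        }
    }

    // Heuristic (assumption): idle for at least the configured timeout means the container
    // expired the session; anything else is an explicit invalidation such as /logout.
    static String endReason(long lastAccessedMillis, int maxInactiveSeconds, long nowMillis) {
        boolean canTimeOut = maxInactiveSeconds > 0; // zero or negative: session never times out
        long idleMillis = nowMillis - lastAccessedMillis;
        return canTimeOut && idleMillis >= maxInactiveSeconds * 1000L ? "TIMEOUT" : "INVALIDATED";
    }

    // The principal is a UserDetails only if the AuthenticationProvider stored one;
    // getName() covers every other principal type without a ClassCastException.
    static String usernameOf(Authentication auth) {
        Object principal = auth.getPrincipal();
        return principal instanceof UserDetails
                ? ((UserDetails) principal).getUsername()
                : auth.getName();
    }

    // Hypothetical hook: put the database cleanup here and keep it idempotent, because an
    // explicit logout with invalidate-session="true" also ends up in this listener.
    void cleanUp(String username, String reason) {
        System.out.println("session of " + username + " ended: " + reason);
    }
}
```

With `invalidate-session="true"` the logout filter invalidates the session before it calls the logout success handler, so on an explicit logout this listener runs first and the success handler should not repeat the same cleanup.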
