Spring Security + Ajax会话超时问题 [英] Spring security + Ajax session timeout issue
问题描述
我有一个使用Spring MVC构建的应用程序,并通过Spring安全性进行了安全保护,其中许多控制器都是受JSON保护的服务.我正在使用LoginUrlAuthenticationEntryPoint来检测AJAX请求,如果发生会话超时,则发送403 错误代码-所有其他请求都被重定向回登录页面.
I have an app build with Spring MVC and secured with Spring security, a bunch of the controllers are JSON rest services that are all protected. I'm using LoginUrlAuthenticationEntryPoint to detect AJAX requests and send 403 ERROR CODE if session timeout occurs - all other requests just get redirected back to login page.
下面是Spring Security XML代码段和authenticationEntryPoint Java类.
Below is the Spring Security XML snippet and the authenticationEntryPoint java class.
问题是会话超时后的第一个AJAX请求,Spring重定向到登录页面并返回登录页面HTML,如果我尝试再次执行AJAX请求(重定向发生后),则执行authenticationEntryPoint并返回HTTP错误代码403 .我已经尝试过使用这种机制进行相同的操作 http://distigme.wordpress.com/2012/11/01/ajax-and-spring-security-form-based-login/,并且发生了完全相同的事情(在第一个AJAX请求中,发生了重定向,所有后续的AJAX请求均返回HTTP 403).我不希望会话超时的AJAX请求重定向到登录页面.
The issue is that the first AJAX Request after session timeout, Spring redirects to login page and the returns login page HTML, if I attempt to do AJAX request again (after redirect happens) the authenticationEntryPoint executes and HTTP Error Code 403 is returned. I have attempted the same thing using this mechanism http://distigme.wordpress.com/2012/11/01/ajax-and-spring-security-form-based-login/ and the same exact thing happens (on first AJAX request a redirect occurs, all subsequent AJAX requests HTTP 403 is returned). I do not want to get Redirect to login page for AJAX requests where session is timed out.
有什么想法吗?
<beans:bean id="authenticationEntryPoint" class="mojo.ocs.web.AjaxAwareAuthenticationEntryPoint">
<beans:constructor-arg name="loginUrl" value="/login"/>
</beans:bean>
<!-- ENTRY POINT REF IMPLEMENTATION -->
<http auto-config="true" use-expressions="true" access-denied-page="/accessdenied" entry-point-ref="authenticationEntryPoint">
<intercept-url pattern="/login" access="isAnonymous()"/>
<intercept-url pattern="/loginfailed" access="isAnonymous()"/>
<intercept-url pattern="/welcome" access="isAuthenticated()" />
<intercept-url pattern="/" access="isAuthenticated()" />
<intercept-url pattern="/private_res/**" access="isAuthenticated()" />
<intercept-url pattern="/tne/**" access="isAuthenticated()" />
<intercept-url pattern="/team_reports/**" access="isAuthenticated()" />
<form-login login-page="/login" default-target-url="/welcome" always-use-default-target="true" authentication-failure-url="/loginfailed" />
<logout delete-cookies="JSESSIONID" logout-success-url="/logout" invalidate-session="true"/>
<session-management invalid-session-url="/login" />
</http>
这是LoginAuthenticationEntryPoint:
Here is the LoginAuthenticationEntryPoint:
public class AjaxAwareAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint
{
public AjaxAwareAuthenticationEntryPoint(String loginUrl) {
super(loginUrl);
}
@Override
public void commence(
HttpServletRequest request,
HttpServletResponse response,
AuthenticationException authException)
throws IOException, ServletException {
String ajaxHeader = ((HttpServletRequest) request).getHeader("X-Requested-With");
boolean isAjax = "XMLHttpRequest".equals(ajaxHeader);
if (isAjax) {
response.sendError(HttpServletResponse.SC_FORBIDDEN, "Ajax REquest Denied (Session Expired)");
} else {
super.commence(request, response, authException);
}
}
}
推荐答案
我通过自己的自定义过滤器实现了此问题的解决,将其放在ANONYMOUS_FILTER之前,如果Spring主体不存在,则返回403.
I fixed this issue by implementing by own custom filter, placing it before ANONYMOUS_FILTER and return 403 if the Spring principal doesn't exist.
这篇关于Spring Security + Ajax会话超时问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
