spring 安全会话超时 [英] spring security session timeout

问题描述

我在我的 JSF2 web 应用程序中使用 Spring Security 3.

I use Spring Security 3 in my JSF2 webapp.

我有一个提供会话超时的安全规则:

I have a security rule to provide session timeouts:

<session-management invalid-session-url="/faces/paginas/autenticacion/login.xhtml?error=1" />

这样当会话过期并且用户点击任何链接时，他将被重定向到登录页面.在此页面中，我检查错误参数，并向用户显示一条消息，说明会话已过期.

So that when the session has expired and the user clicks on any link, he is redirected to the login page. In this page I check for the error param, and show a message to the user saying the session has expired.

但我有两个问题:

(1) 当我第一次启动应用程序时(它试图显示主页)，我被重定向到登录页面，说会话已过期.我认为这可能是因为您第一次运行应用程序时，会话是一个新会话，并且 Spring Security 可能认为"他已经过期(不区分新会话和超时).

(1) When I startup the app the first time (it tries to show the home page), I'm redirected to the login page saying session has expired. I think that this may be happening because the 1st time you run the app, the session is a new one, and Spring Security perhaps "thinks" he has expired (doesn't distinguish betwen a new session and a timeout).

(2) 如果匿名用户的会话已过期(尚未通过身份验证)，我也会被重定向到登录页面超时.我不希望未经身份验证的用户出现这种行为，我只想检查经过身份验证的用户的超时.

(2) If the session has expired for anonymous users (not yet authenticated), I'm redirected to the login page timeout too. I don't want this behaviour for non-authenticated users, I just want to check the timeouts for authenticated users.

我该如何解决这两个问题?

How can I solve both of these problems?

提前致谢.

推荐答案

您想对过期会话使用 expired-session-url 属性，而不是 invalid-session-url.它们用于两种不同的事情.

You want to use the expired-session-url property for expired sessions, not the invalid-session-url. They are for two different things.

这篇关于spring 安全会话超时的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！