spring 安全会话超时 [英] spring security session timeout
问题描述
我在我的 JSF2 web 应用程序中使用 Spring Security 3.
I use Spring Security 3 in my JSF2 webapp.
我有一个提供会话超时的安全规则:
I have a security rule to provide session timeouts:
<session-management invalid-session-url="/faces/paginas/autenticacion/login.xhtml?error=1" />
这样当会话过期并且用户点击任何链接时,他将被重定向到登录页面.在此页面中,我检查错误参数,并向用户显示一条消息,说明会话已过期.
So that when the session has expired and the user clicks on any link, he is redirected to the login page. In this page I check for the error param, and show a message to the user saying the session has expired.
但我有两个问题:
(1) 当我第一次启动应用程序时(它试图显示主页),我被重定向到登录页面,说会话已过期.我认为这可能是因为您第一次运行应用程序时,会话是一个新会话,并且 Spring Security 可能认为"他已经过期(不区分新会话和超时).
(1) When I startup the app the first time (it tries to show the home page), I'm redirected to the login page saying session has expired. I think that this may be happening because the 1st time you run the app, the session is a new one, and Spring Security perhaps "thinks" he has expired (doesn't distinguish betwen a new session and a timeout).
(2) 如果匿名用户的会话已过期(尚未通过身份验证),我也会被重定向到登录页面超时.我不希望未经身份验证的用户出现这种行为,我只想检查经过身份验证的用户的超时.
(2) If the session has expired for anonymous users (not yet authenticated), I'm redirected to the login page timeout too. I don't want this behaviour for non-authenticated users, I just want to check the timeouts for authenticated users.
我该如何解决这两个问题?
How can I solve both of these problems?
提前致谢.
推荐答案
您想对过期会话使用 expired-session-url
属性,而不是 invalid-session-url代码>.它们用于两种不同的事情.
You want to use the expired-session-url
property for expired sessions, not the invalid-session-url
. They are for two different things.
这篇关于spring 安全会话超时的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!