Disable Remember-Me in Spring Security & Tomcat
Question
I wonder, is there any way to disable remember-me in Spring Security? The scenario I want to implement is pretty common: after closing the browser window I would like the user's session to expire. Seems weird, but it doesn't work with Tomcat 7 & Spring Security 3.1. We use auto-config in the Spring Security configuration file, but there is no remember-me element.
What is the best solution to get it working? Thanks in advance!
Update: Here is the usage scenario to clarify my problem:
- The user logs in to a restricted area, e.g. /secure.html
- Then he closes the browser without logging out manually.
- He opens the browser again and goes directly to /secure.html.
- Current Spring behavior: the page is shown successfully. Expected behavior: redirect to the login page.
New symptoms for differential diagnosis: the user is probably re-authenticated because the JSESSIONID is the same between browser close/open. How could I force Tomcat or Spring to generate a new session for every browser session?
Update: Fragment of the Spring Security configuration:
<http auto-config="true">
    <anonymous key="anonymous-security" />
    <intercept-url pattern="/auth/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_ADMIN" />
    <form-login login-page="/auth/login.html"
                default-target-url="/auth/default.html"
                authentication-failure-url="/auth/failed.html" />
    <logout logout-success-url="/auth/logout.html" delete-cookies="JSESSIONID" />
</http>
Update: The documentation claims that there is no default remember-me configuration in auto-config="true" since 3.0 (we use 3.1):
In versions prior to 3.0, this list also included remember-me functionality. This could cause some confusing errors with some configurations and was removed in 3.0.
What's wrong with my web app?
Accepted answer
Problem clarification:
I ran into the same issue: my browser would remember my user.
Typically: after logging in to access a restricted area, closing the browser, then reopening it and entering the same restricted area, it would let me access it when I expected to be prompted for credentials.
After playing around I noticed one important thing: this behavior is NOT consistent across browsers:
- Eclipse's embedded browser does remember after closing
- Chrome does remember after closing
- IE (9) does not remember after closing
- Firefox (16.0.1) does not remember after closing
- Safari (Windows 5.1.7) does not remember after closing
More browser types & versions could be tested...
- A workaround could be to try to detect when the user closes the browser and trigger a logout when that happens. Not really sure how feasible that is, though.
There might be a better solution, I'll update this answer if I find it.
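The answer above shows that whether a browser discards the JSESSIONID cookie when it closes is browser-specific, so a server cannot rely on it. The following servlet filter is an added example, not code from the question, the answer, or the Spring Security project: it bounds the exposure server-side by enforcing an absolute session lifetime (measured from session creation) and an idle timeout, invalidating the session and clearing the cookie when either is exceeded. The policy values, the class name and the use of the /auth/login.html path from the question's configuration are assumptions; it targets the javax.servlet API of the Tomcat 7 / Spring Security 3.1 era discussed on the page.

```java
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;

// Added example: server-side session lifetime enforcement, independent of browser behaviour.
public class SessionLifetimeFilter implements Filter {

    // Assumed policy values; tune per deployment.
    private static final long MAX_ABSOLUTE_MS = 8L * 60 * 60 * 1000; // 8 hours since the session was created
    private static final long MAX_IDLE_MS = 30L * 60 * 1000;         // 30 minutes since the last request

    // Login page taken from the <form-login> element in the question's configuration.
    private static final String LOGIN_PAGE = "/auth/login.html";

    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration needed for this example
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session just to inspect it.
        HttpSession session = request.getSession(false);
        if (session != null && isExpired(session, System.currentTimeMillis())) {
            session.invalidate();

            // Expire the cookie the client still presents, mirroring the
            // <logout delete-cookies="JSESSIONID"/> setting from the question.
            Cookie dead = new Cookie("JSESSIONID", "");
            dead.setMaxAge(0);
            String contextPath = request.getContextPath();
            dead.setPath(contextPath.isEmpty() ? "/" : contextPath);
            response.addCookie(dead);

            response.sendRedirect(contextPath + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    // A session is expired when it is older than the absolute limit or has been idle too long.
    // getLastAccessedTime() reports the previous request, so this check is not fooled by the
    // current request reviving the session.
    static boolean isExpired(HttpSession session, long now) {
        return now - session.getCreationTime() > MAX_ABSOLUTE_MS
            || now - session.getLastAccessedTime() > MAX_IDLE_MS;
    }
}
```

Register the filter in web.xml with a filter-mapping ahead of springSecurityFilterChain so that an expired session is discarded before Spring Security consults it. Note what this does and does not do: it does not detect the browser closing (the answer explains why that cannot be done reliably), but it guarantees that a restored JSESSIONID stops working once the idle or absolute limit has passed, whichever browser presented it.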