Spring-boot Spring-Security session timeout


Question

UPDATED QUESTION:

I have a spring-boot 1.1.3.RELEASE project that is using EmbeddedTomcat and Spring-Security. I posted this a while back but that question wasn't answered (My apologies to those that saw that post and it didn't make sense. Hopefully this one is better)

Here is my setup: build.gradle:

project.ext {
    springBootVersion = '1.1.3.RELEASE'
}
dependencies {
    compile("org.springframework.boot:spring-boot-starter-web:$springBootVersion")
    compile("org.springframework.boot:spring-boot-starter-thymeleaf")
    compile("org.springframework.boot:spring-boot-starter-security")
    compile("org.springframework.boot:spring-boot-starter-data-jpa:$springBootVersion")
    compile("org.springframework.security:spring-security-web:4.0.0.M1")
    compile("org.springframework.security:spring-security-config:4.0.0.M1")
    compile('org.thymeleaf.extras:thymeleaf-extras-springsecurity3:2.1.1.RELEASE')


    compile("org.hibernate:hibernate-core:4.3.4.Final")
    compile("org.hibernate:hibernate-entitymanager:4.3.4.Final")
    compile("org.hibernate:hibernate-validator")

    compile("com.h2database:h2:1.3.172")
    compile("joda-time:joda-time:2.3")
//    compile("org.thymeleaf:thymeleaf-spring4")
    compile("org.codehaus.groovy.modules.http-builder:http-builder:0.7.1")
    compile('org.codehaus.groovy:groovy-all:2.2.1')
    compile('org.jadira.usertype:usertype.jodatime:2.0.1')
    compile("org.liquibase:liquibase-core")

    testCompile('org.spockframework:spock-core:1.0-groovy-2.0-SNAPSHOT') {
        exclude group: 'org.codehaus.groovy', module: 'groovy-all'
    }

    testCompile('org.spockframework:spock-spring:1.0-groovy-2.0-SNAPSHOT') {
        exclude group: 'org.spockframework', module: 'spock-core'
        exclude group: 'org.spockframework', module: 'spring-beans'
        exclude group: 'org.spockframework', module: 'spring-test'
        exclude group: 'org.codehaus.groovy', module: 'groovy-all'
    }
    testCompile("org.springframework.boot:spring-boot-starter-test:$springBootVersion")
    testCompile('org.codehaus.groovy.modules.http-builder:http-builder:0.7+')
    testCompile("junit:junit")
}

My main class:

@ComponentScan
@EnableAutoConfiguration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class OFAC {

    public static void main(String[] args) {
        ApplicationContext ofac = SpringApplication.run( OFAC.class, args );
    }
}

My main configuration:

@Configuration
@EnableScheduling
public class OFAConfiguration {

    @Autowired
    private ConfigurationSettings configurationSettings;

    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public EmbeddedServletContainerCustomizer servletContainerCustomizer() {
        return new SessionTimeoutEmbeddedServletContainerCustomizer();
    }
}

And my embeddedServletContainer recommended by Marten:

public class SessionTimeoutEmbeddedServletContainerCustomizer implements EmbeddedServletContainerCustomizer {

    @Autowired
    private ConfigurationSettings configurationSettings;

    @Override
    public void customize(ConfigurableEmbeddedServletContainer configurableEmbeddedServletContainer) {
        int port = 9000;

        TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) configurableEmbeddedServletContainer;

        if ( configurationSettings.getServerPort() != null ) {
            port = Integer.parseInt( configurationSettings.getServerPort() );
        }
        tomcat.setPort( port );
        tomcat.addErrorPages( new ErrorPage( HttpStatus.NOT_FOUND, "/notfound.html" ) );
    }
}

And my security configuration:

@Configuration
@EnableWebMvcSecurity
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource datasource;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/resources/**").permitAll()
                .antMatchers("/css/**").permitAll()
                .antMatchers("/libs/**").permitAll();

        http
                .formLogin().failureUrl("/login?error")
                .defaultSuccessUrl("/")
                .loginPage("/login")
                .permitAll()
                .and()
                .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/")
                .permitAll();

        http
                .sessionManagement()
                .maximumSessions(1)
                .expiredUrl("/login?expired")
                .maxSessionsPreventsLogin(true)
                .and()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .invalidSessionUrl("/");

        http
                .authorizeRequests().anyRequest().authenticated();
    }
}

@Order(Ordered.HIGHEST_PRECEDENCE)
@Configuration
public class AuthenticationSecurity extends GlobalAuthenticationConfigurerAdapter {
// no code actually
}

In my application.properties I have a five minute timeout:

server.session-timeout=300

When I start up, I see the following log messages:

2014-07-08 14:02:18.735  INFO 69422 --- [           main] ationConfigEmbeddedWebApplicationContext : Refreshing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@340b9eec: startup date [Tue Jul 08 14:02:18 MDT 2014]; root of context hierarchy
2014-07-08 14:02:20.827  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.scheduling.annotation.SchedulingConfiguration' of type [class org.springframework.scheduling.annotation.SchedulingConfiguration$$EnhancerBySpringCGLIB$$75b53f01] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:20.983  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration' of type [class org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration$$EnhancerBySpringCGLIB$$6ac51dc6] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.016  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'transactionAttributeSource' of type [class org.springframework.transaction.annotation.AnnotationTransactionAttributeSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.035  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'transactionInterceptor' of type [class org.springframework.transaction.interceptor.TransactionInterceptor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.047  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.transaction.config.internalTransactionAdvisor' of type [class org.springframework.transaction.interceptor.BeanFactoryTransactionAttributeSourceAdvisor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.097  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration' of type [class org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration$$EnhancerBySpringCGLIB$$38601c80] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.118  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'objectPostProcessor' of type [class org.springframework.security.config.annotation.configuration.AutowireBeanFactoryObjectPostProcessor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.120  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler@2f8ffdc4' of type [class org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.177  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'authenticationSecurity' of type [class com.edelweissco.ofac.configuration.AuthenticationSecurity$$EnhancerBySpringCGLIB$$85675816] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.199  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'enableGlobalAuthenticationAutowiredConfigurer' of type [class org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$EnableGlobalAuthenticationAutowiredConfigurer] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.218  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration' of type [class org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$$EnhancerBySpringCGLIB$$2da1b835] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.219  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration' of type [class org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration$$EnhancerBySpringCGLIB$$c09573b2] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.250  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'methodSecurityMetadataSource' of type [class org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.258  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'metaDataSourceAdvisor' of type [class org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.934  INFO 69422 --- [           main] .t.TomcatEmbeddedServletContainerFactory : Server initialized with port: 9001
2014-07-08 14:02:22.213  INFO 69422 --- [           main] o.apache.catalina.core.StandardService   : Starting service Tomcat
2014-07-08 14:02:22.213  INFO 69422 --- [           main] org.apache.catalina.core.StandardEngine  : Starting Servlet Engine: Apache Tomcat/7.0.54
2014-07-08 14:02:22.363  INFO 69422 --- [ost-startStop-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext
2014-07-08 14:02:22.364  INFO 69422 --- [ost-startStop-1] o.s.web.context.ContextLoader            : Root WebApplicationContext: initialization completed in 3631 ms
2014-07-08 14:02:24.157  INFO 69422 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@6e3afd5, org.springframework.security.web.context.SecurityContextPersistenceFilter@96219e4, org.springframework.security.web.header.HeaderWriterFilter@12cad708, org.springframework.security.web.csrf.CsrfFilter@78688290, org.springframework.security.web.authentication.logout.LogoutFilter@655490cd, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@331b7b16, org.springframework.security.web.session.ConcurrentSessionFilter@5d42f8e3, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@750bff35, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1dd0a8c0, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@4e2ccc7b, org.springframework.security.web.session.SessionManagementFilter@7b54be6d, org.springframework.security.web.access.ExceptionTranslationFilter@5497e581, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@16254dd7]
2014-07-08 14:02:24.242  INFO 69422 --- [ost-startStop-1] o.s.b.c.e.ServletRegistrationBean        : Mapping servlet: 'dispatcherServlet' to [/]
2014-07-08 14:02:24.244  INFO 69422 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'springSecurityFilterChain' to: [/*]
2014-07-08 14:02:24.244  INFO 69422 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'hiddenHttpMethodFilter' to: [/*]
..
2014-07-08 14:02:31.240  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/**/favicon.ico] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2014-07-08 14:02:31.357  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/about],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.AboutController.get(org.springframework.ui.Model)
2014-07-08 14:02:31.357  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/admin],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.AdminController.displayUpload(org.springframework.ui.Model)
2014-07-08 14:02:31.358  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/upload],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.CustomerDataController.displayUpload(org.springframework.ui.Model)
2014-07-08 14:02:31.358  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/customerFile],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.CustomerDataController.handleFileUpload(org.springframework.web.multipart.MultipartFile,org.springframework.ui.Model,org.springframework.security.core.Authentication)
2014-07-08 14:02:31.358  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/fileDownloadService],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.util.List<java.lang.String> com.edelweissco.ofac.controller.FileDownloadController.index()
2014-07-08 14:02:31.359  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/search],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.SearchController.getSearchCustomerForm(org.springframework.ui.Model)
2014-07-08 14:02:31.359  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/searchTreasuryData],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.SearchController.searchTreasury(com.edelweissco.ofac.model.SdnSearch,org.springframework.ui.Model)
2014-07-08 14:02:31.360  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/status],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.StatusController.get(org.springframework.ui.Model)
2014-07-08 14:02:31.360  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/refreshData],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.StatusController.searchCustomer(org.springframework.ui.Model)
2014-07-08 14:02:31.366  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/error],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.http.ResponseEntity<java.util.Map<java.lang.String, java.lang.Object>> org.springframework.boot.autoconfigure.web.BasicErrorController.error(javax.servlet.http.HttpServletRequest)
2014-07-08 14:02:31.366  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/error],methods=[],params=[],headers=[],consumes=[],produces=[text/html],custom=[]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.boot.autoconfigure.web.BasicErrorController.errorHtml(javax.servlet.http.HttpServletRequest)
2014-07-08 14:02:31.379  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/about] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/status] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/home] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/login] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/search] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/upload] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Root mapping to handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/admin] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.397  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2014-07-08 14:02:31.397  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/webjars/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2014-07-08 14:02:32.907  INFO 69422 --- [           main] o.s.j.e.a.AnnotationMBeanExporter        : Registering beans for JMX exposure on startup
2014-07-08 14:02:33.112  INFO 69422 --- [           main] s.b.c.e.t.TomcatEmbeddedServletContainer : Tomcat started on port(s): 9001/http
2014-07-08

So I am able to log in. But if I leave it inactive, I am still logged in and able to use full authorized functionality. I try to log in with the same credentials from two different browsers and the second attempt fails with "invalid username/password" so I think the concurrent session setting is being picked up. There isn't any AJAX call being picked up by FireBug or browser dev tools.

Can anyone see what the error is?

Recommended answer

So it would appear that to get the Embedded Tomcat to honor a session timeout, when you use the server.session-timeout value, use it in minutes, not seconds. My previous attempts were with server.session-timeout=300 and after waiting at least 45 minutes, the timeout never occurred. However, I added an HttpSessionListener bean with system.outs to message on sessionCreated() and sessionDestroyed(). With an application.properties setting of server.session-timeout=5 I saw the session get destroyed just after 5 minutes of inactivity.

So, I can now control the session length with these parameters. Thank you to M. Deinum and Dave Sayers for your help and advice. If nothing else, you really helped me clean up my code and understand Spring a bit more.
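The answer describes an HttpSessionListener bean but does not show it. The following is an added example, not the poster's code: a listener that prints the effective idle timeout the container applied to each new session, so a unit mismatch is visible at login instead of after a long wait. The class name SessionTimeoutAuditListener is hypothetical, and the example assumes the javax.servlet API that ships with the Tomcat 7 shown in the log.

```java
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.springframework.stereotype.Component;

// Added example (hypothetical class name). Found by @ComponentScan and
// registered with the embedded container as a listener bean.
@Component
public class SessionTimeoutAuditListener implements HttpSessionListener {

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        // The Servlet API always reports this value in seconds, whatever
        // unit the configuration property was interpreted in.
        int effectiveSeconds = session.getMaxInactiveInterval();
        String timeout = effectiveSeconds <= 0
                ? "never expires"   // zero or negative disables the idle timeout
                : effectiveSeconds + "s (" + (effectiveSeconds / 60) + " min)";
        System.out.println("session created id=" + shortId(session)
                + " idle timeout=" + timeout);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        String idle;
        try {
            // Time since the last request that touched this session.
            long idleMs = System.currentTimeMillis() - session.getLastAccessedTime();
            idle = (idleMs / 1000) + "s";
        } catch (IllegalStateException alreadyInvalidated) {
            // Some containers reject reads on a session being torn down.
            idle = "unknown";
        }
        System.out.println("session destroyed id=" + shortId(session)
                + " idle for=" + idle);
    }

    // A session ID is a bearer credential: log only a short prefix.
    private static String shortId(HttpSession session) {
        String id = session.getId();
        return id.length() > 8 ? id.substring(0, 8) + "..." : id;
    }
}
```

If the property is being read as minutes, as the answer reports, server.session-timeout=300 would show up here as 18000s (300 min) on the first login, and server.session-timeout=5 as 300s (5 min).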
