Logout / Session超时捕获spring security [英] Logout/Session timeout catching with spring security

问题描述

我正在使用spring / spring-security 3.1并希望在用户注销时（或者如果会话超时）采取某些操作。我设法为注销完成了操作，但是对于会话超时，我无法使其工作。

I'm using spring/spring-security 3.1 and want to take some action whenever the user logs out (or if the session is timed out). I managed to get the action done for logout but for session timeout, I can't get it working.

在web.xml中我只指定了ContextLoaderListener（可以是问题？）当然还有DelegatingFilterProxy。

In web.xml I only have the ContextLoaderListener specified ( can this be the issue? ) and of course the DelegatingFilterProxy.

我使用这样的自动配置。

I use the auto config like this.

    <security:http auto-config="false" use-expressions="false">
    <security:intercept-url pattern="/dialog/*"
        access="ROLE_USERS" />
    <security:intercept-url pattern="/boa/*"
        access="ROLE-USERS" />
    <security:intercept-url pattern="/*.html"
        access="ROLE-USERS" />

    <security:form-login login-page="/auth/login.html"
        default-target-url="/index.html" />
    <security:logout logout-url="/logout"
         invalidate-session="true"
        delete-cookies="JSESSIONID" success-handler-ref="logoutHandler" />
</security:http>

<bean id="logoutHandler" class="com.bla.bla.bla.LogoutHandler">
    <property name="logoutUrl" value="/auth/logout.html"/>
</bean>

当用户点击logout时会调用logout处理程序，这将调用数据库。

The logout handler is called when user clicks logout, which will make some calls to a database.

但是如何处理会话超时???

But how do I handle the session timeout ???

处理它的一种方法是在用户登录时将用户名注入会话，然后使用普通的httpsessionlistener并在会话超时时执行相同的操作。

One way to handle it would be to inject the username into the session when user logs in and then use an ordinary httpsessionlistener and do the same thing on session timeout.

Spring安全性是否有类似的方式，所以当spring发现会话超时时，我可以在那里挂钩，访问Authentication并从中获取UserDetails在那里做清理。

Is there a similar way with spring security, so that when spring discovers that the session is to timeout, I can hook in there, access the Authentication and get the UserDetails from there and do the clean up.

推荐答案

我有一个更简单的解决方案。这适用于注销和会话超时。

I've got a simpler solution. This works for both logout and session timeout.

@Component
public class LogoutListener implements ApplicationListener<SessionDestroyedEvent> {

    @Override
    public void onApplicationEvent(SessionDestroyedEvent event)
    {
        List<SecurityContext> lstSecurityContext = event.getSecurityContexts();
        UserDetails ud;
        for (SecurityContext securityContext : lstSecurityContext)
        {
            ud = (UserDetails) securityContext.getAuthentication().getPrincipal();
            // ...
        }
    }

}

web.xml：

<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

这篇关于Logout / Session超时捕获spring security的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！