spring boot security 配置session失效

1.启动类文件夹中加入一个filter

package com.mozi.hip.empi.web.config;

 

import java.io.IOException;

 

import javax.servlet.FilterChain;

import javax.servlet.ServletException;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

 

import org.springframework.web.filter.GenericFilterBean;

 

import com.mozi.hip.empi.web.constant.Constant;

 

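/**
 * Session-expiry filter: tags AJAX responses with a {@code sessionstatus: timeout}
 * header when the request has no logged-in user in its HTTP session, so that
 * front-end code can react to an expired session.
 *
 * <p>The header is advisory only. This filter never blocks a request; access
 * control is left to the Spring Security configuration. The
 * {@code x-requested-with} request header is supplied by the client and must not
 * be used for any authorization decision.
 *
 * @author zhaoyan
 * @date 2016-06-24 15:10:31
 */
public class ExpiredSessionFilter extends GenericFilterBean {

    /**
     * Adds the {@code sessionstatus: timeout} response header for AJAX requests
     * that carry no {@code Constant.LOGIN_USER} session attribute, then always
     * continues the filter chain.
     *
     * @param req   the incoming request; cast to {@link HttpServletRequest}
     * @param res   the outgoing response; cast to {@link HttpServletResponse}
     * @param chain the remaining filter chain, invoked unconditionally
     * @throws IOException      propagated from the rest of the chain
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): only look at a session that already exists. The no-arg
        // getSession() allocates a new session for every session-less request
        // (static resources, anonymous clients, scanners), which wastes server
        // memory and hands a session cookie to clients that never logged in.
        javax.servlet.http.HttpSession session = request.getSession(false);
        Object loginUser = (session == null) ? null : session.getAttribute(Constant.LOGIN_USER);

        // NOTE(review): on this page LOGIN_USER is written only by the form-login
        // success handler. A request authenticated some other way (for example the
        // remember-me cookie configured in WebSecurityConfig) presumably has no such
        // attribute and would be reported as "timeout" - confirm.
        if (loginUser == null) {
            // AJAX callers announce themselves with the x-requested-with REQUEST header.
            String requestedWith = request.getHeader("x-requested-with");
            if ("XMLHttpRequest".equalsIgnoreCase(requestedWith)) {
                // Tell the front end, via a response header, that the session is gone.
                response.setHeader("sessionstatus", "timeout");
            }
        }

        chain.doFilter(request, response);
    }
}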

2.在security的webConfig启动类中配置session过滤器

package com.mozi.hip.empi.web.config;

 

 

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.context.annotation.Configuration;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;

import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import org.springframework.security.core.userdetails.UserDetailsService;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

 

 

 

/**
 * Spring Security web configuration: form login with custom success/failure
 * handlers, logout, remember-me, and registration of {@link ExpiredSessionFilter}.
 *
 * <p>Review notes on the settings below: CSRF protection is disabled, credentials
 * are not erased after authentication, and remember-me is enabled without a token
 * repository. Each is annotated at the line where it is configured.
 */
@Configuration
@EnableWebSecurity
//@EnableGlobalMethodSecurity(prePostEnabled = true) // would enable Spring Security method annotations
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{

    // Loads user records for authentication; wired into configureGlobal below.
    @Autowired
    private UserDetailsService userDetailsService;

    // Invoked after a successful form login.
    @Autowired
    LoginSuccessHandler loginSuccessHandler;

    // Invoked after a failed form login.
    @Autowired
    LoginFailureHandler loginFailureHandler;

    /**
     * Configures URL authorization, form login, logout, remember-me and the
     * session-expiry filter.
     *
     * @param http the security builder supplied by Spring Security
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // NOTE(review): CSRF protection is switched off while the application
        // authenticates browsers with a session cookie and a remember-me cookie.
        // Unless another defence exists outside this file, state-changing requests
        // can be forged cross-site. Prefer keeping CSRF enabled and having the
        // AJAX layer send the token.
        http.csrf()
        .disable()
        .authorizeRequests()
        // Paths open to everyone: login page, styles, images, plugins, scripts.
        .antMatchers("/login","/css/**","/images/**","/plugins/**","/scripts/**").permitAll()
        // Every other URL requires an authenticated user.
        .anyRequest().authenticated()
        .and()
        .formLogin()
        // The login page is /login.
        .loginPage("/login")
        .permitAll()
        .successHandler(loginSuccessHandler)
        .failureHandler(loginFailureHandler)
        .and()
        .logout()
        .logoutUrl("/logout")
        .logoutSuccessUrl("/login")
        .permitAll()
        // Drop the remember-me cookie on logout so the user is not silently logged back in.
        .deleteCookies("remember-me")
        // Original note: a table named persistence_logins must exist in the database.
        // NOTE(review): that only matters once a persistent token repository is
        // configured (it is commented out below); Spring Security's JDBC repository
        // names its table persistent_logins - confirm the intended name.
        //.invalidateHttpSession(false)
        .and()
        // Remember the user after login and log them in automatically next time.
        .rememberMe()
        // Valid for two weeks (1209600 seconds).
        // NOTE(review): no key or token repository is set here, so the cookie-hash
        // remember-me scheme is presumably in effect; a stolen cookie stays usable
        // for the whole validity window - consider persistent tokens.
        .tokenValiditySeconds(1209600);
        // Register the session-expiry filter ahead of BasicAuthenticationFilter.
        http.addFilterBefore(new ExpiredSessionFilter(),BasicAuthenticationFilter.class);
        // Data source for the remember-me login records (disabled).
        // .tokenRepository(tokenRepository);
    }

    /**
     * Registers the user-details service and BCrypt password encoder used to
     * authenticate users.
     *
     * @param auth the authentication manager builder supplied by Spring
     * @throws Exception if the builder rejects the configuration
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth)
    throws Exception { // user lookup and password verification
        auth.userDetailsService(userDetailsService).passwordEncoder(
        new BCryptPasswordEncoder());
        // NOTE(review): eraseCredentials(false) keeps the credentials on the
        // Authentication object after a successful login, so they remain in memory
        // (and in the session-stored security context) for the session's lifetime.
        // Leave erasure on unless some later code genuinely needs the credentials.
        auth.eraseCredentials(false);
    }
}

3.登录成功后放入session

package com.mozi.hip.empi.web.config;

 

import java.io.IOException;

 

 

import javax.servlet.ServletException;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

 

import org.springframework.security.core.Authentication;

import org.springframework.security.core.context.SecurityContextHolder;

import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

import org.springframework.stereotype.Component;

 

import com.mozi.hip.empi.web.constant.Constant;

import com.mozi.hip.empi.web.domain.CurrentUser;

 

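/**
 * Form-login success handler: stores the logged-in user's id in the HTTP session
 * under {@code Constant.LOGIN_USER} (the attribute {@code ExpiredSessionFilter}
 * checks) and redirects the browser to the index page.
 */
@Component
public class LoginSuccessHandler implements AuthenticationSuccessHandler {

    /**
     * Records the authenticated user's id in the session and redirects to
     * {@code <context-path>/index}.
     *
     * @param request        the login request
     * @param response       the response used for the redirect
     * @param authentication the authentication produced by the successful login;
     *                       its principal is expected to be a {@link CurrentUser}
     * @throws IOException      if the redirect cannot be sent
     * @throws ServletException declared by the interface; not thrown here
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        // Read the principal from the Authentication handed to this callback rather
        // than from the thread-local SecurityContextHolder: the argument is the
        // login that just succeeded, whereas the holder depends on the caller having
        // populated the context for this thread first.
        CurrentUser user = (CurrentUser) authentication.getPrincipal();

        // Only the user id is placed in the session, not the whole principal.
        // NOTE(review): this relies on the framework having rotated the session id
        // at login (session-fixation protection) before this handler runs - confirm
        // it has not been disabled elsewhere.
        request.getSession().setAttribute(Constant.LOGIN_USER, user.getUser().getUserId());

        // Redirect (not forward) to a fixed, application-relative target; no request
        // parameter influences the destination.
        response.sendRedirect(request.getContextPath() + "/index");
    }
}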

 

4.前台页面加入session失效判断 注意jquery.js的引用

 
