spring boot security 配置session失效
1.启动类文件夹中加入一个filter
| package com.mozi.hip.empi.web.config;
import java.io.IOException;
import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.GenericFilterBean;
import com.mozi.hip.empi.web.constant.Constant;
/** * @Package com.hokai.hiip.web.filter * @ClassName: ExpiredSessionFilter * @Description: session过期过滤器 * @author zhaoyan * @date 2016年6月24日 下午3:10:31 */ public class ExpiredSessionFilter extends GenericFilterBean {
@Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; Object obj = request.getSession().getAttribute(Constant.LOGIN_USER); if(obj == null) { //如果是ajax请求响应头会有,x-requested-with if(request.getHeader("x-requested-with") != null && request.getHeader("x-requested-with").equalsIgnoreCase("XMLHttpRequest")) { response.setHeader("sessionstatus", "timeout");//在响应头设置session状态 } }
chain.doFilter(request, response); } } |
2.在secutity的webConfig启动类中配置session过滤器
| package com.mozi.hip.empi.web.config;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
@Configuration @EnableWebSecurity //@EnableGlobalMethodSecurity(prePostEnabled = true)//开启security注解 public class WebSecurityConfig extends WebSecurityConfigurerAdapter{ @Autowired private UserDetailsService userDetailsService;
@Autowired LoginSuccessHandler loginSuccessHandler; @Autowired LoginFailureHandler loginFailureHandler;
@Override protected void configure(HttpSecurity http) throws Exception { http.csrf() .disable() .authorizeRequests() //指定放开的路径,包括登录页面,样式路径,登录请求路径 .antMatchers("/login","/css/**","/images/**","/plugins/**","/scripts/**").permitAll() //其他地址的访问均需验证权限 .anyRequest().authenticated() .and() .formLogin() // 指定登陆页是login .loginPage("/login") .permitAll() .successHandler(loginSuccessHandler) .failureHandler(loginFailureHandler) .and() .logout() .logoutUrl("/logout") .logoutSuccessUrl("/login") .permitAll() .deleteCookies("remember-me") // 数据库中必须存在名为persistence_logins的表 //.invalidateHttpSession(false) .and() // 登陆以后记住用户,下次自动登陆 .rememberMe() // 两周有效 .tokenValiditySeconds(1209600); //加入session过期过滤器 http.addFilterBefore(new ExpiredSessionFilter(),BasicAuthenticationFilter.class); // 指定登陆信息所使用的数据源 // .tokenRepository(tokenRepository); } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { //用户认证与密码认证 auth.userDetailsService(userDetailsService).passwordEncoder( new BCryptPasswordEncoder()); auth.eraseCredentials(false); } } |
3.登录成功后放入session
| package com.mozi.hip.empi.web.config;
import java.io.IOException;
import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.stereotype.Component;
import com.mozi.hip.empi.web.constant.Constant; import com.mozi.hip.empi.web.domain.CurrentUser;
@Component public class LoginSuccessHandler implements AuthenticationSuccessHandler{ @Override public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException { // 获取当前用户(domain接收) CurrentUser user = (CurrentUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal(); request.getSession().setAttribute(Constant.LOGIN_USER, user.getUser().getUserId()); //转发到index页面 response.sendRedirect(request.getContextPath() +"/index"); }
}
|
4.前台页面加入session失效判断 注意jquery.js的引用
|
|