spring security - expiredUrl not working
I need to configure expired-url in my Spring MVC application. Here is my effort, but has no effect:
@Override
protected void configure(HttpSecurity
-
ConcurrentSessionFilter will redirect to
expiredUrl, if the valid session ID is marked as expired in SessionRegistry, see Spring Security reference:- expired-url The URL a user will be redirected to if they attempt to use a session which has been "expired" by the concurrent session controller because the user has exceeded the number of allowed sessions and has logged in again elsewhere. Should be set unless
exception-if-maximum-exceededis set. If no value is supplied, an expiry message will just be written directly back to the response.SessionManagementFilter will redirect to
invalidSessionUrl, if the session ID is not valid (timeout or wrong ID), see Spring Security reference:If the user is not currently authenticated, the filter will check whether an invalid session ID has been requested (because of a timeout, for example) and will invoke the configured
InvalidSessionStrategy, if one is set. The most common behaviour is just to redirect to a fixed URL and this is encapsulated in the standard implementationSimpleRedirectInvalidSessionStrategy. The latter is also used when configuring an invalid session URL through the namespace,as described earlier.Both URLs (
expiredUrl,invalidSessionUrl) have to be configured aspermitAll().BTW: If you want to use Concurrent Session Control with
maximumSessionsyou have to add HttpSessionEventPublisher to yourweb.xml:Concurrent Session Control
If you wish to place constraints on a single user’s ability to log in to your application, Spring Security supports this out of the box with the following simple additions. First you need to add the following listener to your
web.xmlfile to keep Spring Security updated about session lifecycle events:org.springframework.security.web.session.HttpSessionEventPublisher
加载中...
- 热议问题