发表新帖
发表新帖

Disable SpringSecurity's SavedRequest storing logic

前端 未结
关注
5 1097
感动是毒
感动是毒 2021-02-09 08:25

We are using Spring Security for managing authentication. The issue we are seeing is that when a user\'s session is timed out between bringing up a GET form and hitting the sav

相关标签:
5条回答
  • 我在风中等你
    2021-02-09 09:07

    There are two scenarios: 1) If you want that after relogin, user should always get forwarded to the default target URL instead of the orginal requested URL then put always-use-default-target="true" in your security.xml like 

    <http auto-config="true"> 
.....
<form-login login-page="/login" always-use-default-target="true" default-target-url="/xyz" 
        authentication-failure-url="/login?error=true" login-processing-url="/j_security_check"/>
</http>

    1) If you want that on session timeout after relogin, user should forward to the orginal requested URL but you do not want to resubmit the form then put session-fixation-protection="newSession" in your security.xml like 

    <http auto-config="true">
<session-management session-fixation-protection="newSession"/> 
.....
</http>

    Please put session-management tag as first line in http configuration.

    0 讨论(0)
  • 温柔的废话
    2021-02-09 09:10

    Based on Nathan's comment on Raghuram's answer, with namespaced XML it's something like this:

    <security:http>
    <security:request-cache ref="nullRequestCache" />
    <!-- ... -->
</security:http>

<bean id="nullRequestCache" class="org.springframework.security.web.savedrequest.NullRequestCache" />
    0 讨论(0)
  • 天命终不由人
    2021-02-09 09:24

    I guess this jira issue of spring security describes your problem and how to handle this.

    0 讨论(0)
  • 旧时难觅i
    2021-02-09 09:32

    It looks like the session-fixation-protection="newSession" attribute on (2.0) or (3.0) will also resolve the issue

    0 讨论(0)
  • [愿得一人]
    2021-02-09 09:32

    With Spring 4.2.5 I ran into this too.

    My case was almost identical: display GET form, wait for session timeout, then POST the form. In my app after re-authentication a start page is displayed. However, if the user then navigates to this GET form, and POSTs it, then the previous POST parameters are remembered and concatenated to the current request, resulting in comma separated values in the @RequestParam variables.

    I dumped the session in my authentication controller and indeed I saw a "SPRING_SECURITY_SAVED_REQUEST" named key.

    The spring documentation says that by default a "SavedRequestAwareAuthenticationSuccessHandler" is used for retrieving the saved request data from the session and apply it to the request.

    I tried to use a do-nothing successHandler but couldn't make it work.

    I also tried applying

    http.sessionManagement().sessionFixation().newSession();

    to the security config but that didn't help.

    However

    http.requestCache().requestCache(new NullRequestCache());

    solved the issue.

    0 讨论(0)
 看不清?
提交回复
热议问题