Disable SpringSecurity's SavedRequest storing logic

前端 未结 5 1109
感动是毒
感动是毒 2021-02-09 08:25

We are using Spring Security for managing authentication. The issue we are seeing is that when a user\'s session is timed out between bringing up a GET form and hitting the sav

相关标签:
5条回答
  • 2021-02-09 09:07

    There are two scenarios: 1) If you want that after relogin, user should always get forwarded to the default target URL instead of the orginal requested URL then put always-use-default-target="true" in your security.xml like

    <http auto-config="true"> 
    .....
    <form-login login-page="/login" always-use-default-target="true" default-target-url="/xyz" 
            authentication-failure-url="/login?error=true" login-processing-url="/j_security_check"/>
    </http>
    

    1) If you want that on session timeout after relogin, user should forward to the orginal requested URL but you do not want to resubmit the form then put session-fixation-protection="newSession" in your security.xml like

    <http auto-config="true">
    <session-management session-fixation-protection="newSession"/> 
    .....
    </http>
    

    Please put session-management tag as first line in http configuration.

    0 讨论(0)
  • 2021-02-09 09:10

    Based on Nathan's comment on Raghuram's answer, with namespaced XML it's something like this:

    <security:http>
        <security:request-cache ref="nullRequestCache" />
        <!-- ... -->
    </security:http>
    
    <bean id="nullRequestCache" class="org.springframework.security.web.savedrequest.NullRequestCache" />
    
    0 讨论(0)
  • 2021-02-09 09:24

    I guess this jira issue of spring security describes your problem and how to handle this.

    0 讨论(0)
  • 2021-02-09 09:32

    It looks like the session-fixation-protection="newSession" attribute on (2.0) or (3.0) will also resolve the issue

    0 讨论(0)
  • 2021-02-09 09:32

    With Spring 4.2.5 I ran into this too.

    My case was almost identical: display GET form, wait for session timeout, then POST the form. In my app after re-authentication a start page is displayed. However, if the user then navigates to this GET form, and POSTs it, then the previous POST parameters are remembered and concatenated to the current request, resulting in comma separated values in the @RequestParam variables.

    I dumped the session in my authentication controller and indeed I saw a "SPRING_SECURITY_SAVED_REQUEST" named key.

    The spring documentation says that by default a "SavedRequestAwareAuthenticationSuccessHandler" is used for retrieving the saved request data from the session and apply it to the request.

    I tried to use a do-nothing successHandler but couldn't make it work.

    I also tried applying

    http.sessionManagement().sessionFixation().newSession();

    to the security config but that didn't help.

    However

    http.requestCache().requestCache(new NullRequestCache());

    solved the issue.

    0 讨论(0)
提交回复
热议问题